dart-lang / sdk

The Dart SDK, including the VM, JS and Wasm compilers, analysis, core libraries, and more.
https://dart.dev
BSD 3-Clause "New" or "Revised" License

test_runner doesn't report violations of same-origin policy #56772

Open srujzs opened 4 weeks ago

srujzs commented 4 weeks ago

This is a similar issue to https://github.com/dart-lang/test/issues/2282.

Running the following code:

```dart
import 'dart:js_interop';

@JS()
external JSAny? get window;

void main() {
  final w = window.open('https://www.google.com');
  if (w == null) throw Exception();
  w.devicePixelRatio;
}

extension on JSAny? {
  external JSAny? open(String url);
  external int devicePixelRatio;
}
```

does not result in a `SecurityError` when run with `tools/test.py -r chrome -c dart2js <test_path>`. `devicePixelRatio` is a disallowed API on cross-origin windows. When I single-stepped the test, however, the test does throw that error:

```
SecurityError: Failed to read a named property 'devicePixelRatio' from 'Window': Blocked a frame with origin "http://127.0.0.1:61457" from accessing a cross-origin frame.
```

It's possible we may need to enable same-origin policy (if possible) for this. It'd be useful to enable this so that we can run interop tests like `cross_origin_test` correctly.

dart-github-bot commented 4 weeks ago

Summary: The test_runner does not report violations of the same-origin policy when running tests that access cross-origin windows using JS interop. This leads to incorrect test results, as the code should throw a SecurityError but does not.
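A guard that a cross-origin interop test could run first, so that a harness which lets the blocked read through fails loudly instead of passing, which is the situation the issue reports. This is an added example, not part of the original issue or the Dart SDK; `probeSameOriginPolicy`, `requireSameOriginPolicy` and the two stand-in window objects are hypothetical and constructed so the snippet runs outside a browser.

```javascript
// Added example: all names below are hypothetical, not Dart SDK or test_runner APIs.

// Read a property that browsers block on cross-origin windows (the issue uses
// devicePixelRatio) and classify what the environment did with the read.
function probeSameOriginPolicy(win, prop = 'devicePixelRatio') {
  if (win == null) {
    return { verdict: 'no-window', detail: 'window.open returned null' };
  }
  try {
    const value = win[prop];
    return { verdict: 'not-enforced', detail: `read ${prop} = ${String(value)}` };
  } catch (e) {
    if (e && e.name === 'SecurityError') {
      return { verdict: 'enforced', detail: e.message };
    }
    return { verdict: 'unexpected-error', detail: String(e) };
  }
}

// Precondition for a cross-origin test: throw unless the read was blocked.
function requireSameOriginPolicy(win, prop) {
  const result = probeSameOriginPolicy(win, prop);
  if (result.verdict !== 'enforced') {
    throw new Error(`same-origin policy not verified: ${result.verdict} (${result.detail})`);
  }
  return result;
}

// Constructed stand-ins so the snippet runs outside a browser.
// enforcingWindow mimics a cross-origin handle: only a few members are readable.
const READABLE_CROSS_ORIGIN = new Set(['closed', 'postMessage']); // simplified subset
const enforcingWindow = new Proxy({ closed: false }, {
  get(target, prop) {
    if (READABLE_CROSS_ORIGIN.has(prop)) return target[prop];
    const err = new Error(`Blocked a frame from accessing a cross-origin frame (${String(prop)})`);
    err.name = 'SecurityError';
    throw err;
  },
});
// permissiveWindow mimics a handle on which the read is not blocked.
const permissiveWindow = { closed: false, devicePixelRatio: 2 };

console.log(probeSameOriginPolicy(enforcingWindow).verdict);
console.log(probeSameOriginPolicy(permissiveWindow).verdict);
// In a browser test: requireSameOriginPolicy(window.open('https://www.google.com'));
```

The `unexpected-error` verdict keeps an unrelated exception from being counted as proof that the policy is active.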