forked from microsoft/playwright
test(iframes): Add X-Frame-Options: DENY (#3170) #1
Merged
This changeset adds tests that more closely match the reported scenario in microsoft#3170. Firefox, both headless and headfull, pass completely in all cases. The other browsers (both headless and headfull) report a successful click (i.e. they get past the await `button.click()`) but fail to pass the navigation check, except for Chromium HeadFULL with a fixed div, which fails to even do the click.

NB: If you perform this test manually in the production version of Firefox (78.0.2), the navigation to the Wikipedia login page will be blocked due to X-Frame-Options: DENY. The iframe will load on localhost, but clicking login will get you an error about X-Frame-Options. So, in some ways, even though this test is "passing" for FFOX, in a traditional user environment we'd expect it to fail.
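The header check that the NB paragraph refers to, modelled as an added example (not code from this pull request or from Playwright). It follows the X-Frame-Options processing described in the HTML Standard; the function names, origins and port are constructed for illustration.

```javascript
'use strict';

// Collect a header's values case-insensitively, comma-split and lowercased.
function headerTokens(headers, name) {
  return Object.entries(headers)
    .filter(([k]) => k.toLowerCase() === name)
    .flatMap(([, v]) => [].concat(v))
    .flatMap((v) => String(v).split(','))
    .map((t) => t.trim().toLowerCase())
    .filter(Boolean);
}

// True when an enforced CSP header carries a frame-ancestors directive.
function hasFrameAncestors(headers) {
  return headerTokens(headers, 'content-security-policy').some((policy) =>
    policy.split(';').some((d) => d.trim().split(/\s+/)[0] === 'frame-ancestors'));
}

// Does X-Frame-Options permit rendering this response inside a frame?
// ancestorOrigins: origin of every ancestor document, parent first.
// A true result only means XFO does not block; CSP may still do so.
function xfoAllowsFraming(headers, responseOrigin, ancestorOrigins) {
  if (hasFrameAncestors(headers)) return true; // XFO is ignored, CSP decides
  const values = new Set(headerTokens(headers, 'x-frame-options'));
  const known = ['deny', 'sameorigin', 'allowall'].some((v) => values.has(v));
  if (values.size > 1) return !known; // conflicting values fail closed
  if (values.has('deny')) return false;
  if (values.has('sameorigin')) {
    return ancestorOrigins.every((o) => o === responseOrigin);
  }
  return true; // absent, ALLOW-FROM or unrecognized: no XFO restriction
}

// Constructed scenario from the description: a localhost page frames a
// third-party site, then a click in the frame navigates to a DENY page.
const TOP = 'http://localhost:8907';     // constructed test-server origin
const FRAMED = 'https://framed.example'; // placeholder third-party origin

function scenario() {
  return {
    articleLoads: xfoAllowsFraming({}, FRAMED, [TOP]),
    loginLoads: xfoAllowsFraming({ 'X-Frame-Options': 'DENY' }, FRAMED, [TOP]),
  };
}
```

A test that asserts the framed navigation completed is therefore asserting behaviour that a stock browser enforcing the header would not show.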
rwoll added a commit that referenced this pull request Jul 27, 2020
rwoll pushed a commit that referenced this pull request Jul 28, 2020
…ft#3070)

This patch detects Chromium crash with a sandboxing error and re-writes the error to surface information nicely.

#### Error Before:

```sh
pwuser@23592d09b3bd:~/tmp$ node a.js
(node:324) UnhandledPromiseRejectionWarning: browserType.launch: Protocol error (Browser.getVersion): Target closed.
=========================== logs ===========================
[browser] <launching> /home/pwuser/.cache/ms-playwright/chromium-790602/chrome-linux/chrome --disable-background-networking --enable-features=NetworkService,NetworkServiceInProcess --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=TranslateUI,BlinkGenPropertyTrees,ImprovedCookieControls,SameSiteByDefaultCookies --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --user-data-dir=/tmp/playwright_chromiumdev_profile-mjSfr2 --remote-debugging-pipe --headless --hide-scrollbars --mute-audio --no-startup-window
[browser] <launched> pid=401
[browser] [0722/170825.030020:FATAL:zygote_host_impl_linux.cc(117)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
[browser] #0 0x55ac4f8c7be9 base::debug::CollectStackTrace()
[browser] #1 0x55ac4f841c13 base::debug::StackTrace::StackTrace()
[browser] #2 0x55ac4f853680 logging::LogMessage::~LogMessage()
[browser] #3 0x55ac4df2307e content::ZygoteHostImpl::Init()
[browser] #4 0x55ac4f40dd47 content::ContentMainRunnerImpl::Initialize()
[browser] #5 0x55ac4f45c9fa service_manager::Main()
[browser] #6 0x55ac4f40c361 content::ContentMain()
[browser] #7 0x55ac4f45b5bd headless::(anonymous namespace)::RunContentMain()
[browser] #8 0x55ac4f45b2bc headless::HeadlessShellMain()
[browser] #9 0x55ac4ccc22e7 ChromeMain
[browser] #10 0x7f0f3d736b97 __libc_start_main
[browser] #11 0x55ac4ccc212a _start
[browser]
[browser] Received signal 6
[browser] #0 0x55ac4f8c7be9 base::debug::CollectStackTrace()
[browser] #1 0x55ac4f841c13 base::debug::StackTrace::StackTrace()
[browser] #2 0x55ac4f8c7785 base::debug::(anonymous namespace)::StackDumpSignalHandler()
[browser] #3 0x7f0f437b3890 (/lib/x86_64-linux-gnu/libpthread-2.27.so+0x1288f)
[browser] #4 0x7f0f3d753e97 gsignal
[browser] #5 0x7f0f3d755801 abort
[browser] #6 0x55ac4f8c66e5 base::debug::BreakDebugger()
[browser] #7 0x55ac4f853aeb logging::LogMessage::~LogMessage()
[browser] #8 0x55ac4df2307e content::ZygoteHostImpl::Init()
[browser] #9 0x55ac4f40dd47 content::ContentMainRunnerImpl::Initialize()
[browser] #10 0x55ac4f45c9fa service_manager::Main()
[browser] #11 0x55ac4f40c361 content::ContentMain()
[browser] #12 0x55ac4f45b5bd headless::(anonymous namespace)::RunContentMain()
[browser] #13 0x55ac4f45b2bc headless::HeadlessShellMain()
[browser] #14 0x55ac4ccc22e7 ChromeMain
[browser] #15 0x7f0f3d736b97 __libc_start_main
[browser] #16 0x55ac4ccc212a _start
[browser] r8: 0000000000000000 r9: 00007ffd38a863b0 r10: 0000000000000008 r11: 0000000000000246
[browser] r12: 00007ffd38a87680 r13: 00007ffd38a86610 r14: 00007ffd38a87690 r15: aaaaaaaaaaaaaaaa
[browser] di: 0000000000000002 si: 00007ffd38a863b0 bp: 00007ffd38a86600 bx: 00007ffd38a86e44
[browser] dx: 0000000000000000 ax: 0000000000000000 cx: 00007f0f3d753e97 sp: 00007ffd38a863b0
[browser] ip: 00007f0f3d753e97 efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
[browser] trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[browser] [end of stack trace]
[browser] Calling _exit(1). Core file will not be generated.
============================================================
Note: use DEBUG=pw:api environment variable and rerun to capture Playwright logs.Error
    at /home/pwuser/tmp/node_modules/playwright/lib/chromium/crConnection.js:131:63
    at new Promise (<anonymous>)
    at CRSession.send (/home/pwuser/tmp/node_modules/playwright/lib/chromium/crConnection.js:130:16)
    at CRSession.send (/home/pwuser/tmp/node_modules/playwright/lib/helper.js:78:31)
    at Function.connect (/home/pwuser/tmp/node_modules/playwright/lib/chromium/crBrowser.js:54:39)
    at Chromium._connectToTransport (/home/pwuser/tmp/node_modules/playwright/lib/server/chromium.js:52:38)
    at Chromium._innerLaunch (/home/pwuser/tmp/node_modules/playwright/lib/server/browserType.js:87:36)
    at async ProgressController.run (/home/pwuser/tmp/node_modules/playwright/lib/progress.js:75:28)
    at async Chromium.launch (/home/pwuser/tmp/node_modules/playwright/lib/server/browserType.js:60:25)
    at async /home/pwuser/tmp/a.js:4:19
(node:324) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:324) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
```

#### Error After:

```sh
pwuser@23592d09b3bd:~/tmp$ node a.js
(node:222) UnhandledPromiseRejectionWarning: browserType.launch: Chromium sandboxing failed!
================================
To workaround sandboxing issues, do either of the following:
  - (preferred): Configure environment to support sandboxing: https://github.com/microsoft/playwright/blob/master/docs/troubleshooting.md
  - (alternative): Launch Chromium without sandbox using 'chromiumSandbox: false' option
================================
Error
    at /home/pwuser/tmp/node_modules/playwright/lib/chromium/crConnection.js:131:63
    at new Promise (<anonymous>)
    at CRSession.send (/home/pwuser/tmp/node_modules/playwright/lib/chromium/crConnection.js:130:16)
    at CRSession.send (/home/pwuser/tmp/node_modules/playwright/lib/helper.js:78:31)
    at Function.connect (/home/pwuser/tmp/node_modules/playwright/lib/chromium/crBrowser.js:54:27)
    at Chromium._connectToTransport (/home/pwuser/tmp/node_modules/playwright/lib/server/chromium.js:53:38)
    at Chromium._innerLaunch (/home/pwuser/tmp/node_modules/playwright/lib/server/browserType.js:89:36)
    at async ProgressController.run (/home/pwuser/tmp/node_modules/playwright/lib/progress.js:75:28)
    at async Chromium.launch (/home/pwuser/tmp/node_modules/playwright/lib/server/browserType.js:61:25)
    at async /home/pwuser/tmp/a.js:4:19
(node:222) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:222) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
```

References microsoft#2745
rwoll added a commit that referenced this pull request Jul 28, 2020