LibURL: Use a nonce to distinguish opaque origins

Opaque origins are meant to be unique in terms of equality from one another. Since this uniqueness needs to be across processes, use a nonce to implement the uniqueness check.
Author: https://github.com/shannonbooth Commit: 38765fd617 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5193 Reviewed-by: https://github.com/tcl3 ✅
2025-07-30 20:59:16 +00:00 · 2025-06-17 14:49:37 +12:00 · 2025-06-17 14:49:37 +12:00 · 38765fd617 · 2025-06-25 15:48:27 +00:00
commit 38765fd617
parent ee8e4d1eec
7 changed files with 77 additions and 24 deletions
--- a/Tests/LibWeb/Text/input/HTML/opaque-origin-same-origin-equality.html
+++ b/Tests/LibWeb/Text/input/HTML/opaque-origin-same-origin-equality.html
@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<body>
+    <iframe id="iframeOuter"></iframe>
+
+    <script>
+        asyncTest(async done => {
+            const iframeOuter = document.getElementById('iframeOuter');
+
+            window.addEventListener('message', (event) => {
+                println(event.data);
+                done();
+            });
+
+            // Data URLs result in the iframes having an opaque origin, resulting in cross origin access.
+            const iframeOuterContent = `
+                <iframe id="iframeInner" src="data:text/html,<p>Iframe 1 content</p>" style="width: 300px; height: 100px;"></iframe>
+
+                <script>
+                    const iframeInner = document.getElementById('iframeInner');
+
+                    iframeInner.onload = () => {
+                        try {
+                            iframeInner.contentWindow.parent.frames[0].thing;
+                        } catch (e) {
+                            window.top.postMessage(e.message, '*');
+                        }
+                    }
+
+                <\/script>
+            `;
+
+            iframeOuter.src = 'data:text/html,' + encodeURIComponent(iframeOuterContent);
+        })
+    </script>
+</body>