Fix Allow Scripts Once logic for embedded scripts and iframes.

browser/brave_shields/brave_shields_web_contents_observer_browsertest.cc

@@ -127,7 +127,7 @@ IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
   brave_shields_web_contents_observer()->Reset();
   GetWebContents()->GetController().Reload(content::ReloadType::NORMAL, true);
   EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
-  EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 1);
+  EXPECT_GT(brave_shields_web_contents_observer()->block_javascript_count(), 0);
 
   // Disable JavaScript blocking again now.
   content_settings()->SetContentSettingCustomScope(
@@ -138,10 +138,30 @@ IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
   EXPECT_EQ(CONTENT_SETTING_ALLOW, block_javascript_setting);
 
   // Reload the test page now that JavaScript has been allowed again.
+  // Do it twice, because first reload will still trigger blocked events as
+  // renderer caches AllowScript results in
+  // ContentSettingsAgentImpl::cached_script_permissions_.
+  GetWebContents()->GetController().Reload(content::ReloadType::NORMAL, true);
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+
   brave_shields_web_contents_observer()->Reset();
   GetWebContents()->GetController().Reload(content::ReloadType::NORMAL, true);
   EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
   EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 0);
 }
 
+IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
+                       EmbeddedJavaScriptTriggersBlockedEvent) {
+  // Enable JavaScript blocking globally.
+  content_settings()->SetContentSettingCustomScope(
+      ContentSettingsPattern::Wildcard(), ContentSettingsPattern::Wildcard(),
+      ContentSettingsType::JAVASCRIPT, CONTENT_SETTING_BLOCK);
+
+  // Load a simple HTML that attempts to run some JavaScript.
+  EXPECT_TRUE(ui_test_utils::NavigateToURL(
+      browser(), embedded_test_server()->GetURL("a.com", "/embedded_js.html")));
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+  EXPECT_GT(brave_shields_web_contents_observer()->block_javascript_count(), 0);
+}
+
 }  // namespace brave_shields

components/content_settings/renderer/brave_content_settings_agent_impl.cc

@@ -87,21 +87,25 @@ BraveContentSettingsAgentImpl::BraveContentSettingsAgentImpl(
 
 BraveContentSettingsAgentImpl::~BraveContentSettingsAgentImpl() {}
 
-void BraveContentSettingsAgentImpl::DidCommitProvisionalLoad(
-    ui::PageTransition transition) {
-  temporarily_allowed_scripts_ =
-      std::move(preloaded_temporarily_allowed_scripts_);
-  ContentSettingsAgentImpl::DidCommitProvisionalLoad(transition);
-}
-
 bool BraveContentSettingsAgentImpl::IsScriptTemporilyAllowed(
     const GURL& script_url) {
   // Check if scripts from this origin are temporily allowed or not.
   // Also matches the full script URL to support data URL cases which we use
   // the full URL to allow it.
-  return base::Contains(temporarily_allowed_scripts_,
-                        url::Origin::Create(script_url).Serialize()) ||
-         base::Contains(temporarily_allowed_scripts_, script_url.spec());
+  bool allow = base::Contains(temporarily_allowed_scripts_,
+                              url::Origin::Create(script_url).Serialize()) ||
+               base::Contains(temporarily_allowed_scripts_, script_url.spec());
+  if (!allow) {
+    // Also check rules in the main frame, because this frame rules may be out
+    // of sync.
+    content::RenderFrame* main_frame = render_frame()->GetMainRenderFrame();
+    if (main_frame && main_frame != render_frame()) {
+      allow = static_cast<BraveContentSettingsAgentImpl*>(
+                  ContentSettingsAgentImpl::Get(main_frame))
+                  ->IsScriptTemporilyAllowed(script_url);
+    }
+  }
+  return allow;
 }
 
 void BraveContentSettingsAgentImpl::BraveSpecificDidBlockJavaScript(
@@ -122,6 +126,10 @@ bool BraveContentSettingsAgentImpl::AllowScript(bool enabled_per_settings) {
   allow = allow || IsBraveShieldsDown(frame, secondary_url) ||
           IsScriptTemporilyAllowed(secondary_url);
 
+  if (!allow) {
+    blocked_script_url_ = secondary_url;
+  }
+
   return allow;
 }
 
@@ -342,7 +350,7 @@ bool BraveContentSettingsAgentImpl::AllowAutoplay(bool play_requested) {
 
 void BraveContentSettingsAgentImpl::SetAllowScriptsFromOriginsOnce(
     const std::vector<std::string>& origins) {
-  preloaded_temporarily_allowed_scripts_ = std::move(origins);
+  temporarily_allowed_scripts_ = origins;
 }
 
 void BraveContentSettingsAgentImpl::BindBraveShieldsReceiver(

components/content_settings/renderer/brave_content_settings_agent_impl.h

@@ -70,12 +70,8 @@ class BraveContentSettingsAgentImpl
   FRIEND_TEST_ALL_PREFIXES(BraveContentSettingsAgentImplAutoplayBrowserTest,
                            AutoplayAllowedByDefault);
 
-  bool IsBraveShieldsDown(
-      const blink::WebFrame* frame,
-      const GURL& secondary_url);
-
-  // RenderFrameObserver
-  void DidCommitProvisionalLoad(ui::PageTransition transition) override;
+  bool IsBraveShieldsDown(const blink::WebFrame* frame,
+                          const GURL& secondary_url);
 
   bool IsScriptTemporilyAllowed(const GURL& script_url);
 
@@ -99,9 +95,6 @@ class BraveContentSettingsAgentImpl
   // cache blocked script url which will later be used in `DidNotAllowScript()`
   GURL blocked_script_url_;
 
-  // temporary allowed script origins we preloaded for the next load
-  base::flat_set<std::string> preloaded_temporarily_allowed_scripts_;
-
   base::flat_map<url::Origin, blink::WebSecurityOrigin>
       cached_ephemeral_storage_origins_;
 

test/data/embedded_js.html

@@ -0,0 +1,4 @@
+<html><head><title>embedded js</title></head>
+<body>
+<script src="data:application/javascript;base64,dmFyIGZyYW1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaWZyYW1lJyk7CmRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoZnJhbWUpOw=="></script>
+</body></html>