Skip to content

feat(a11y-core): cross-origin iframe ad denylist — Type A frame-enumeration gate (AXE-3735)#259

Open
chikara1608 wants to merge 1 commit into
mainfrom
AXE-3735-coi-denylist
Open

feat(a11y-core): cross-origin iframe ad denylist — Type A frame-enumeration gate (AXE-3735)#259
chikara1608 wants to merge 1 commit into
mainfrom
AXE-3735-coi-denylist

Conversation

@chikara1608

Copy link
Copy Markdown
Collaborator

What

Adds the Type A gate for the Cross-Origin Iframe Ad Denylist (COI denylist). When Type A cross-origin traversal is armed (allowCrossOriginIframe), cross-origin ad iframes whose origin is on a curated denylist are skipped at frame enumeration, so they are never traversed under allowedOrigins: '*'.

The denylist itself lives in a11y-engine-core (bundled .txt, parsed into a Set at scan start). This fork cannot import a11y-engine-core, so it:

  • receives the already-built Set by reference via axe.configure({ crossOriginDenylist }) — mirroring the existing allowedOrigins plumbing exactly, and
  • carries its own small suffix matcher.

Why the gate is at enumeration (not postMessage)

frame-messenger/post-message.js has only a Window, not the iframe element — "there is no way to know the origin of win, so we'll try them all" — and allowedOrigins there is an allow-list ('*' when Type A COI is on) that cannot express "all except". So the denylist must act one layer up, at Context.frames population (pushUniqueFrameSelector), the single enumeration chokepoint that feeds both the sync (collectResultsFromFrames) and async (getFrameContexts) traversal paths — where the iframe element and its readable src are still in hand.

Changes

File Change
lib/core/public/configure.js handle spec.crossOriginDenylistaudit.setCrossOriginDenylist (sibling to allowedOrigins)
lib/core/base/audit.js setCrossOriginDenylist() beside setAllowedOrigins; propagate in _init so child-frame audits inherit it
lib/core/base/context/parse-selector-array.js gate pushUniqueFrameSelector on axe._audit.crossOriginDenylist — denied frames never enter context.frames
lib/core/utils/is-denied-frame-origin.js (new) suffix matcher (host === entry || host.endsWith('.' + entry)), fail-open; + utils barrel export
build/tasks/esbuild.js .txt text loader so a11y-engine-core can inline its bundled denylist (JS bundling unchanged)

All fork edits are tagged // [a11y-critical] / // [a11y-core] per repo convention.

Safety

  • Off ⇒ byte-identical to main. When the Type A flag is off, crossOriginDenylist is never set, the helper returns false, and enumeration is unchanged.
  • Pass-by-reference, no cross-frame serialization of the list — each frame reads its own bundled copy and feeds its own local axe.configure.
  • Fail-open: unparseable src / non-http(s) / srcless / about:blank → never denied.

Testing

  • New unit test test/core/utils/is-denied-frame-origin.js (exact/subdomain match, no false positive on substring hosts like notdoubleclick.net, flag-off no-op, fail-open).
  • Fork unit suite green for configure, audit, context, get-frame-contexts, and the new helper (233 passing / 5 skipped).

Branched off latest main.

Related: AXE-3697 (cross-origin B1), AXE-3735 (COI denylist). Paired with the a11y-engine-core PR that ships the denylist + Type B1/C gates.

Closes: AXE-3735

🤖 Generated with Claude Code

…ration gate (AXE-3735)

Skip cross-origin ad iframes on a bundled denylist during Type A traversal.
a11y-engine-core builds the ad-hostname Set from its bundled list and injects
it via axe.configure({ crossOriginDenylist }); the fork drops denied frames at
the single frame-enumeration chokepoint (pushUniqueFrameSelector) so they never
enter context.frames under allowedOrigins:'*' — covering both the sync and async
frame paths. The postMessage layer one level down cannot gate on origin (it has
only a Window), so the gate must act at enumeration where the iframe element and
its readable src are still in hand.

The fork is a separate submodule and cannot import a11y-engine-core, so it
carries its own suffix matcher and receives the already-built Set by reference,
mirroring the existing allowedOrigins plumbing exactly.

- public/configure.js: handle spec.crossOriginDenylist -> audit.setCrossOriginDenylist
- base/audit.js: setCrossOriginDenylist + _init propagation (child-frame audits inherit)
- base/context/parse-selector-array.js: gate pushUniqueFrameSelector on axe._audit.crossOriginDenylist
- utils/is-denied-frame-origin.js: suffix matcher (new) + utils barrel export
- build/tasks/esbuild.js: .txt text loader so a11y-engine-core can inline the denylist

Flag-off is byte-identical to main (Set never set, helper returns false).
Related: AXE-3697 (cross-origin B1), AXE-3735 (denylist). Client-side only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant