feat(a11y-core): cross-origin iframe ad denylist — Type A frame-enumeration gate (AXE-3735)#259
Open
chikara1608 wants to merge 1 commit into
Open
feat(a11y-core): cross-origin iframe ad denylist — Type A frame-enumeration gate (AXE-3735)#259chikara1608 wants to merge 1 commit into
chikara1608 wants to merge 1 commit into
Conversation
…ration gate (AXE-3735)
Skip cross-origin ad iframes on a bundled denylist during Type A traversal.
a11y-engine-core builds the ad-hostname Set from its bundled list and injects
it via axe.configure({ crossOriginDenylist }); the fork drops denied frames at
the single frame-enumeration chokepoint (pushUniqueFrameSelector) so they never
enter context.frames under allowedOrigins:'*' — covering both the sync and async
frame paths. The postMessage layer one level down cannot gate on origin (it has
only a Window), so the gate must act at enumeration where the iframe element and
its readable src are still in hand.
The fork is a separate submodule and cannot import a11y-engine-core, so it
carries its own suffix matcher and receives the already-built Set by reference,
mirroring the existing allowedOrigins plumbing exactly.
- public/configure.js: handle spec.crossOriginDenylist -> audit.setCrossOriginDenylist
- base/audit.js: setCrossOriginDenylist + _init propagation (child-frame audits inherit)
- base/context/parse-selector-array.js: gate pushUniqueFrameSelector on axe._audit.crossOriginDenylist
- utils/is-denied-frame-origin.js: suffix matcher (new) + utils barrel export
- build/tasks/esbuild.js: .txt text loader so a11y-engine-core can inline the denylist
Flag-off is byte-identical to main (Set never set, helper returns false).
Related: AXE-3697 (cross-origin B1), AXE-3735 (denylist). Client-side only.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds the Type A gate for the Cross-Origin Iframe Ad Denylist (COI denylist). When Type A cross-origin traversal is armed (
allowCrossOriginIframe), cross-origin ad iframes whose origin is on a curated denylist are skipped at frame enumeration, so they are never traversed underallowedOrigins: '*'.The denylist itself lives in a11y-engine-core (bundled
.txt, parsed into aSetat scan start). This fork cannot import a11y-engine-core, so it:Setby reference viaaxe.configure({ crossOriginDenylist })— mirroring the existingallowedOriginsplumbing exactly, andWhy the gate is at enumeration (not postMessage)
frame-messenger/post-message.jshas only aWindow, not the iframe element — "there is no way to know the origin ofwin, so we'll try them all" — andallowedOriginsthere is an allow-list ('*'when Type A COI is on) that cannot express "all except". So the denylist must act one layer up, atContext.framespopulation (pushUniqueFrameSelector), the single enumeration chokepoint that feeds both the sync (collectResultsFromFrames) and async (getFrameContexts) traversal paths — where the iframe element and its readablesrcare still in hand.Changes
lib/core/public/configure.jsspec.crossOriginDenylist→audit.setCrossOriginDenylist(sibling toallowedOrigins)lib/core/base/audit.jssetCrossOriginDenylist()besidesetAllowedOrigins; propagate in_initso child-frame audits inherit itlib/core/base/context/parse-selector-array.jspushUniqueFrameSelectoronaxe._audit.crossOriginDenylist— denied frames never entercontext.frameslib/core/utils/is-denied-frame-origin.js(new)host === entry||host.endsWith('.' + entry)), fail-open; + utils barrel exportbuild/tasks/esbuild.js.txttext loader so a11y-engine-core can inline its bundled denylist (JS bundling unchanged)All fork edits are tagged
// [a11y-critical]/// [a11y-core]per repo convention.Safety
main. When the Type A flag is off,crossOriginDenylistis never set, the helper returnsfalse, and enumeration is unchanged.axe.configure.src/ non-http(s) / srcless /about:blank→ never denied.Testing
test/core/utils/is-denied-frame-origin.js(exact/subdomain match, no false positive on substring hosts likenotdoubleclick.net, flag-off no-op, fail-open).configure,audit,context,get-frame-contexts, and the new helper (233 passing / 5 skipped).Branched off latest
main.Related: AXE-3697 (cross-origin B1), AXE-3735 (COI denylist). Paired with the a11y-engine-core PR that ships the denylist + Type B1/C gates.
Closes: AXE-3735
🤖 Generated with Claude Code