[client hints]: Properly apply persisted accept-CH policy in 3P context

What matters here is the policy for the top-level frame, as filtered by Feature Policy; we were simply not using any persistent settings at all. Change-Id: I1435bdc9dfcc6f6643ea737a135e8c0e07e7ecde Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2083671Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Commit-Queue: Maksim Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#758544}

[client hints]: Properly apply persisted accept-CH policy in 3P context
What matters here is the policy for the top-level frame, as filtered by Feature Policy; we were simply not using any persistent settings at all. Change-Id: I1435bdc9dfcc6f6643ea737a135e8c0e07e7ecde Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2083671Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Commit-Queue: Maksim Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#758544}
03a85d57 · Maks Orlovich · Commit Bot · 1c0623a1 · 03a85d57 · 03a85d57
Commit 03a85d57 authored Apr 13, 2020 by Maks Orlovich Committed by Commit Bot Apr 13, 2020
5 changed files
--- a/third_party/blink/renderer/core/loader/frame_fetch_context.cc
+++ b/third_party/blink/renderer/core/loader/frame_fetch_context.cc
@@ -575,11 +575,16 @@ void FrameFetchContext::AddClientHintsIfNecessary(
    // No client hints for 3p origins.
    return;
  }
-  // Persisted client hints preferences should be read for only the first
+  // Persisted client hints preferences should be read for the top-frame's
-  // party origins.
+  // origin.
-  if (is_1p_origin && GetContentSettingsClient()) {
+  if (GetContentSettingsClient() &&
-    GetContentSettingsClient()->GetAllowedClientHintsFromSource(request.Url(),
+      !GetResourceFetcherProperties().IsDetached()) {
-                                                                &enabled_hints);
+    const SecurityOrigin* top_security_origin =
+        GetFrame()->Tree().Top().GetSecurityContext()->GetSecurityOrigin();
+    if (!top_security_origin->IsOpaque()) {
+      GetContentSettingsClient()->GetAllowedClientHintsFromSource(
+          KURL(top_security_origin->ToString()), &enabled_hints);
+    }
  }
  // The next 4 hints should be enabled if we're allowing legacy hints to third

--- a/third_party/blink/web_tests/external/wpt/client-hints/accept-ch-stickiness/cross-origin-subresource-with-feature-policy.https.html
+++ b/third_party/blink/web_tests/external/wpt/client-hints/accept-ch-stickiness/cross-origin-subresource-with-feature-policy.https.html
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Accept-CH Persistence test</title>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/accept-ch-test.js"></script>
+<script>
+run_test({ name: "cross origin subresources authorized by FP gets it own resources",
+    initial_url: echo,
+    accept_url: accept,
+    expect_url: "resources/feature-policy-with-cross-origin-subresource.html",
+    type: "navigation" });
+</script>
+</body>
+</html>
--- a/third_party/blink/web_tests/external/wpt/client-hints/accept-ch-stickiness/resources/feature-policy-with-cross-origin-subresource.html
+++ b/third_party/blink/web_tests/external/wpt/client-hints/accept-ch-stickiness/resources/feature-policy-with-cross-origin-subresource.html
+<html>
+<body>
+<script src="/common/get-host-info.sub.js"></script>
+<script>
+// This test checks if browser attaches the device-memory client hint in the
+// HTTP request headers --- while requesting it from 3P context after
+// settings feature policy to allow it; with Accept-CH coming from a sticky
+// source.
+// echo-client-hints-received.py sets the response headers depending on the set
+// of client hints it receives in the request headers.
+fetch(get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/accept-ch-stickiness/resources/echo-client-hints-received.py").then(r => {
+  if(r.status == 200 && r.headers.has("device-memory-received")) {
+    window.top.opener.postMessage('PASS', '*');
+  }
+  else {
+    window.top.opener.postMessage('FAIL', '*');
+  }
+});
+</script>
+</body>
+</html>
--- a/third_party/blink/web_tests/external/wpt/client-hints/accept-ch-stickiness/resources/feature-policy-with-cross-origin-subresource.html.headers
+++ b/third_party/blink/web_tests/external/wpt/client-hints/accept-ch-stickiness/resources/feature-policy-with-cross-origin-subresource.html.headers
+Feature-Policy: ch-device-memory *;
--- a/third_party/blink/web_tests/virtual/legacy-client-hints-no-fp-delegation/external/wpt/client-hints/accept-ch-stickiness/cross-origin-subresource-with-feature-policy.https-expected.txt
+++ b/third_party/blink/web_tests/virtual/legacy-client-hints-no-fp-delegation/external/wpt/client-hints/accept-ch-stickiness/cross-origin-subresource-with-feature-policy.https-expected.txt
+This is a testharness.js-based test.
+PASS cross origin subresources authorized by FP gets it own resources precondition: Test that the browser does not have client hints preferences cached
+PASS cross origin subresources authorized by FP gets it own resources set Accept-CH
+FAIL cross origin subresources authorized by FP gets it own resources got client hints according to expectations. assert_equals: message from opened page expected "PASS" but got "FAIL"
+Harness: the test ran to completion.