Origin isolation: test location.href access

location.href access is one of the things that is guarded by the "same-origin domain" check, but it goes down a different code path than generic synchronous property access such as we test with window.document. So, it's worth testing it additionally. Bug: 1042415 Change-Id: I92fc222f895bf25fc1767e7ffddd3d7f7f1f1e86 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2255102Reviewed-by: James MacLean <wjmaclean@chromium.org> Commit-Queue: Domenic Denicola <domenic@chromium.org> Cr-Commit-Position: refs/heads/master@{#780787}

Origin isolation: test location.href access
location.href access is one of the things that is guarded by the "same-origin domain" check, but it goes down a different code path than generic synchronous property access such as we test with window.document. So, it's worth testing it additionally. Bug: 1042415 Change-Id: I92fc222f895bf25fc1767e7ffddd3d7f7f1f1e86 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2255102Reviewed-by: James MacLean <wjmaclean@chromium.org> Commit-Queue: Domenic Denicola <domenic@chromium.org> Cr-Commit-Position: refs/heads/master@{#780787}
294050d8 · Domenic Denicola · Commit Bot · f7dcf39e · 294050d8 · 294050d8
Commit 294050d8 authored Jun 22, 2020 by Domenic Denicola Committed by Commit Bot Jun 22, 2020
2 changed files
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs
@@ -83,6 +83,9 @@ export function testSameAgentCluster(testFrames, testLabelPrefix) {

      // Must not throw
      frameWindow.document;
+
+      // Must not throw
+      frameWindow.location.href;
    }, `${prefix}setting document.domain must give sync access`);
  } else {
    // Between the two children at the index given by testFrames[0] and
@@ -90,14 +93,15 @@ export function testSameAgentCluster(testFrames, testLabelPrefix) {

    promise_test(async () => {
      const whatHappened = await sendWasmModuleBetween(testFrames);
-
      assert_equals(whatHappened, "WebAssembly.Module message received");
    }, `${prefix}message event must occur`);

    promise_test(async () => {
-      const whatHappened = await accessDocumentBetween(testFrames);
+      const whatHappened1 = await accessDocumentBetween(testFrames);
+      assert_equals(whatHappened1, "accessed document successfully");

-      assert_equals(whatHappened, "accessed document successfully");
+      const whatHappened2 = await accessLocationHrefBetween(testFrames);
+      assert_equals(whatHappened2, "accessed location.href successfully");
    }, `${prefix}setting document.domain must give sync access`);
  }
 }
@@ -131,6 +135,9 @@ export function testDifferentAgentClusters(testFrames, testLabelPrefix) {
      assert_throws_dom("SecurityError", DOMException, () => {
        frameWindow.document;
      });
+      assert_throws_dom("SecurityError", DOMException, () => {
+        frameWindow.location.href;
+      });
    }, `${prefix}setting document.domain must not give sync access`);
  } else {
    // Between the two children at the index given by testFrames[0] and
@@ -138,14 +145,15 @@ export function testDifferentAgentClusters(testFrames, testLabelPrefix) {

    promise_test(async () => {
      const whatHappened = await sendWasmModuleBetween(testFrames);
-
      assert_equals(whatHappened, "messageerror");
    }, `${prefix}messageerror event must occur`);

    promise_test(async () => {
-      const whatHappened = await accessDocumentBetween(testFrames);
+      const whatHappened1 = await accessDocumentBetween(testFrames);
+      assert_equals(whatHappened1, "SecurityError");

-      assert_equals(whatHappened, "SecurityError");
+      const whatHappened2 = await accessLocationHrefBetween(testFrames);
+      assert_equals(whatHappened2, "SecurityError");
    }, `${prefix}setting document.domain must not give sync access`);
  }
 }
@@ -215,6 +223,14 @@ async function accessDocumentBetween(testFrames) {
  return waitForMessage(sourceFrame);
 }

+async function accessLocationHrefBetween(testFrames) {
+  const sourceFrame = frames[testFrames[0]];
+  const indexIntoParentFrameOfDestination = testFrames[1];
+
+  sourceFrame.postMessage({ command: "access location.href", indexIntoParentFrameOfDestination }, "*");
+  return waitForMessage(sourceFrame);
+}
+
 function waitForMessage(expectedSource) {
  return new Promise(resolve => {
    const handler = e => {

--- a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/send-origin-isolation-header.py
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/send-origin-isolation-header.py
@@ -43,6 +43,14 @@ def main(request, response):
        } catch (e) {
          parent.postMessage(e.name, "*");
        }
+      } else if (e.data.command === "access location.href") {
+        const destinationFrameWindow = parent.frames[e.data.indexIntoParentFrameOfDestination];
+        try {
+          destinationFrameWindow.location.href;
+          parent.postMessage("accessed location.href successfully", "*");
+        } catch (e) {
+          parent.postMessage(e.name, "*");
+        }
      }

      // We could also receive e.data === "WebAssembly.Module message received",