[COOP] ReportingObserver [2/M] Add WPT tests for subframes.

Add WPT tests for accesses made from an iframe toward a window that would have been in a different browsing context group if Cross-Origin-Opener-Policy-Report-Only was enforced. Branch: [1/M] https://chromium-review.googlesource.com/c/chromium/src/+/2332257 [2/M] This patch. Bug: 111169 Change-Id: Id42f728fbcc90b10feab2e22c216e29d6546509d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2332258 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Pâris Meuleman <pmeuleman@chromium.org> Cr-Commit-Position: refs/heads/master@{#794927}

[COOP] ReportingObserver [2/M] Add WPT tests for subframes.
Add WPT tests for accesses made from an iframe toward a window that would have been in a different browsing context group if Cross-Origin-Opener-Policy-Report-Only was enforced. Branch: [1/M] https://chromium-review.googlesource.com/c/chromium/src/+/2332257 [2/M] This patch. Bug: 111169 Change-Id: Id42f728fbcc90b10feab2e22c216e29d6546509d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2332258 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Pâris Meuleman <pmeuleman@chromium.org> Cr-Commit-Position: refs/heads/master@{#794927}
64ee41dc · arthursonzogni · Commit Bot · e288fc43 · 64ee41dc · 64ee41dc
Commit 64ee41dc authored Aug 05, 2020 by arthursonzogni Committed by Commit Bot Aug 05, 2020
2 changed files
--- a/third_party/blink/web_tests/external/wpt/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer-expected.txt
 This is a testharness.js-based test.
 FAIL Opener COOP assert_equals: No report received. expected 1 but got 0
 FAIL Openee COOP assert_equals: No report received. expected 1 but got 0
+FAIL Access from same-origin iframe assert_not_equals: No report received. got disallowed value "timeout"
+PASS Access from cross-site iframe
 Harness: the test ran to completion.
--- a/third_party/blink/web_tests/external/wpt/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html
+++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html
+<!doctype html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
 <title>
  Check the ReportingObserver(s) are notified about the coop-access-violation
  events.
@@ -12,8 +15,10 @@
 const directory = "/html/cross-origin-opener-policy/reporting";
 const executor_path = directory + "/resources/executor.html?pipe=";
-const https = get_host_info().HTTPS_ORIGIN;
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_site = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
 const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)';
+const corp_header = '|header(Cross-Origin-Resource-Policy,cross-origin)';
 promise_test(async t => {
  // This test window.
@@ -22,13 +27,13 @@ promise_test(async t => {
  // The "opener" window, using COOP-Report-Only and a reporter.
  const opener_token = token();
  const opener_reportTo = reportToHeaders(token());
-  const opener_url = https + executor_path + opener_reportTo.header +
+  const opener_url = same_origin + executor_path + opener_reportTo.header +
    opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
    `&uuid=${opener_token}`;
  // The "openee" window, NOT using COOP.
  const openee_token = token();
-  const openee_url = https + executor_path + `&uuid=${openee_token}`;
+  const openee_url = same_origin + executor_path + `&uuid=${openee_token}`;
  // 1. Create the opener window.
  window.open(opener_url);
@@ -82,12 +87,12 @@ promise_test(async t => {
  // The "opener" window, NOT using COOP.
  const opener_token = token();
-  const opener_url = https + executor_path + `&uuid=${opener_token}`;
+  const opener_url = same_origin + executor_path + `&uuid=${opener_token}`;
  // The "openee" window, using COOP-Report-Only and a reporter.
  const openee_token = token();
  const openee_reportTo = reportToHeaders(token());
-  const openee_url = https + executor_path + openee_reportTo.header +
+  const openee_url = same_origin + executor_path + openee_reportTo.header +
    openee_reportTo.coopReportOnlySameOriginHeader + coep_header +
    `&uuid=${openee_token}`;
@@ -132,4 +137,126 @@ promise_test(async t => {
  let report_access_to = JSON.parse(await receive(this_window_token));
  assert_equals(report_access_to.length, 0, "Unexpected report received.");
 }, "Openee COOP");
+promise_test(async t => {
+  // This test window.
+  const this_window_token = token();
+  // The "opener" window, using COOP-Report-Only and a reporter.
+  const opener_token = token();
+  const opener_reportTo = reportToHeaders(token());
+  const opener_url = same_origin + executor_path + opener_reportTo.header +
+    opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+    `&uuid=${opener_token}`;
+  // The "opener's iframe", same-origin with its parent.
+  const opener_iframe_token = token();
+  const opener_iframe_url = same_origin + executor_path + coep_header +
+    `&uuid=${opener_iframe_token}`;
+  // The "openee" window, NOT using COOP.
+  const openee_token = token();
+  const openee_url = same_origin + executor_path + coep_header +
+    `&uuid=${openee_token}`;
+  // 1. Create the opener window.
+  window.open(opener_url);
+  t.add_cleanup(() => send(opener_token, "window.close();"));
+  // 2. The opener opens an iframe, and install a ReportingObserver to catch
+  //    future accesses.
+  send(opener_token, `
+    iframe = document.createElement("iframe");
+    iframe.src = "${opener_iframe_url}";
+    document.body.appendChild(iframe);
+    let observer = new ReportingObserver(reports => {
+      send("${this_window_token}", JSON.stringify(reports));
+      observer.disconnect();
+    });
+    observer.observe();
+  `);
+  // 3. The iframe opens the openee.
+  send(opener_iframe_token, `openee = window.open('${openee_url}');`);
+  t.add_cleanup(() => send(openee_token, `window.close();`));
+  // 4. Wait for the openee to load its document.
+  send(openee_token, `send("${this_window_token}", "Ready");`);
+  assert_equals(await receive(this_window_token), "Ready");
+  // 4. The opener's iframe tries to access the openee. This is an
+  //    "access-from-coop-page" from a same-origin iframe, so the
+  //    ReportingObserver(s) are notified.
+  send(opener_iframe_token, `tryAccess(openee);`);
+  let reports = await receive(this_window_token);
+  assert_not_equals(reports, "timeout", "No report received.");
+  reports = JSON.parse(reports);
+  assert_equals(reports.length, 1, "No report received.");
+  assert_equals(reports[0].type, "coop-access-violation");
+  assert_equals(reports[0].url, opener_url.replace(/"/g, '%22'));
+  assert_true(reports[0].body.sourceFile.includes("try-access.js"));
+  assert_equals(reports[0].body.lineNumber, 6);
+  assert_equals(reports[0].body.columnNumber, 7);
+  assert_equals(reports[0].body.property, "blur");
+}, "Access from same-origin iframe")
+promise_test(async t => {
+  // This test window.
+  const this_window_token = token();
+  // The "opener" window, using COOP-Report-Only and a reporter.
+  const opener_token = token();
+  const opener_reportTo = reportToHeaders(token());
+  const opener_url = same_origin + executor_path + opener_reportTo.header +
+    opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+    `&uuid=${opener_token}`;
+  // The "opener's iframe", same-origin with its parent.
+  const opener_iframe_token = token();
+  const opener_iframe_url = cross_site + executor_path + coep_header +
+    corp_header +
+    `&uuid=${opener_iframe_token}`;
+  // The "openee" window, NOT using COOP.
+  const openee_token = token();
+  const openee_url = same_origin + executor_path + coep_header +
+    `&uuid=${openee_token}`;
+  // 1. Create the opener window.
+  window.open(opener_url);
+  t.add_cleanup(() => send(opener_token, "window.close();"));
+  // 2. The opener opens an iframe, and install a ReportingObserver to catch
+  //    future accesses.
+  send(opener_token, `
+    iframe = document.createElement("iframe");
+    iframe.src = "${opener_iframe_url}";
+    document.body.appendChild(iframe);
+    let observer = new ReportingObserver(reports => {
+      send("${this_window_token}", JSON.stringify(reports));
+      observer.disconnect();
+    });
+    observer.observe();
+  `);
+  // 3. The iframe opens the openee.
+  send(opener_iframe_token, `openee = window.open('${openee_url}');`);
+  t.add_cleanup(() => send(openee_token, `window.close();`));
+  // 4. Wait for the openee to load its document.
+  send(openee_token, `send("${this_window_token}", "Ready");`);
+  assert_equals(await receive(this_window_token), "Ready");
+  // 5. The opener's iframe tries to access the openee. This is an
+  //    "access-from-coop-page" from a cross-site iframe. The ReportingObservers
+  //    from the main document aren't notified.
+  send(opener_iframe_token, `tryAccess(openee);`);
+  let reports = await receive(this_window_token);
+  assert_equals(reports, "timeout", "Unexpected report received.");
+}, "Access from cross-site iframe")
 </script>