Origin policy: test that the manifest is always UTF-8 decoded

Fixed: 1051170
Change-Id: I50cc48e9e6acaa3e8b8d835be048ebeff041dfb1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2106568Reviewed-by: James MacLean <wjmaclean@chromium.org>
Commit-Queue: Domenic Denicola <domenic@chromium.org>
Cr-Commit-Position: refs/heads/master@{#757047}

third_party/blink/web_tests/external/wpt/.well-known/origin-policy

@@ -15,10 +15,18 @@ def main(request, response):
     # Default mime type for returned data.
     content_type = "application/originpolicy+json"
 
-    # Reserve 'op100' for testing incorrect mime type for manifest file.
+    # op100 tests an invalid MIME type.
     if host_piece == "op100":
         content_type = "text/plain"
 
+    # op98 tests that charset is ignored and the result is always processed as UTF-8.
+    if host_piece == "op98":
+        content_type = "application/originpolicy+json;charset=utf-16"
+
+    # op97 tests that adding charset=utf-8 (and a BOM) does not break anything.
+    if host_piece == "op97":
+        content_type = "application/originpolicy+json;charset=utf-8"
+
     filepath_pattern = os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(
         __file__)), "../origin-policy/policies/", "{} *.json".format(host_piece)))
 

third_party/blink/web_tests/external/wpt/origin-policy/bad-server/manifest-utf16le.https.html

+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy manifests authored as UTF-16LE must not work</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op98",
+  testJS: "../content-security/resources/allow-unsafe-eval.mjs",
+  expectedIds: []
+});
+</script>

third_party/blink/web_tests/external/wpt/origin-policy/bad-server/manifest-utf8-with-bom.https.html

+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy manifests delivered with a UTF-8 BOM must work (the BOM is ignored)</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op97",
+  testJS: "../content-security/resources/disallow-unsafe-eval-disallow-images.mjs",
+  expectedIds: ["this-file-has-a-utf8-bom"]
+});
+</script>

third_party/blink/web_tests/external/wpt/origin-policy/policies/README.md

@@ -3,3 +3,5 @@ These policies are served via the Python script at /.well-known/origin-policy. T
 The human-facing string has no impact on the tests, and just makes it easier to scroll through the list.
 
 The list of potential hostnames is created by `tools/serve/serve.py`'s `_make_origin_policy_subdomains` function, and can be expanded as necessary.
+
+At the moment, the origin policies starting at 100 downward have special handling in the `/.well-known/origin-policy` handler, and might require consulting that file to get the full context. The ones starting at 1 upward are handled generically. If they ever start meeting in the middle we can reevaluate this scheme.

third_party/blink/web_tests/external/wpt/origin-policy/policies/op97 utf-8-with-bom.json

+{
+  "ids" : ["this-file-has-a-utf8-bom"],
+  "content_security" : {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'",
+      "img-src 'none'"
+    ]
+  }
+}

third_party/blink/web_tests/external/wpt/origin-policy/policies/op98 utf-16le.json

 {