Revert "ServiceWorker: Add WPT to check if CSP sandbox is respected"

This reverts commit 4ffad4c4.

Reason for revert: New test consistently fails on multiple platforms:

* external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html
* virtual/navigation-mojo-response/external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html

(https://ci.chromium.org/buildbot/chromium.webkit/WebKit%20Mac10.10/43786)

Original change's description:
> ServiceWorker: Add WPT to check if CSP sandbox is respected
> 
> Bug: 771815
> Change-Id: I11dc3cf67e3e40465f612f71fc318fd7061b6581
> Reviewed-on: https://chromium-review.googlesource.com/915683
> Reviewed-by: Matt Falkenhagen <falken@chromium.org>
> Commit-Queue: Makoto Shimazu <shimazu@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#540467}

TBR=falken@chromium.org,horo@chromium.org,kinuko@chromium.org,clamy@chromium.org,shimazu@chromium.org

Change-Id: I30d4c54e78656e473d0c32622b01004122a3be75
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 771815
Reviewed-on: https://chromium-review.googlesource.com/945828Reviewed-by: Greg Thompson <grt@chromium.org>
Commit-Queue: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540484}

third_party/WebKit/LayoutTests/TestExpectations

@@ -624,7 +624,6 @@ crbug.com/626703 virtual/outofblink-cors/external/wpt/fetch/api/response/respons
 crbug.com/626703 virtual/outofblink-cors/external/wpt/fetch/http-cache/status.html [ Pass Timeout ]
 crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/foreign-fetch-basics.https.html [ Timeout ]
 crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/sandboxed-iframe-fetch-event.https.html [ Timeout ]
-crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html [ Timeout ]
 
 # Failing tests in dictionary order.
 crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/fetch-canvas-tainting-image-cache.https.html [ Failure ]
@@ -3261,9 +3260,6 @@ crbug.com/783154 [ Mac ] virtual/modern-media-controls/media/controls/modern/dou
 
 crbug.com/802915 css3/blending/isolation-should-include-non-local-background.html [ Failure ]
 
-crbug.com/807838 external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html [ Crash ]
-crbug.com/807838 virtual/navigation-mojo-response/external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html [ Crash ]
-
 # Sheriff faulures 2017-12-12
 crbug.com/794180 http/tests/devtools/layers/layer-compositing-reasons.js [ Failure Pass ]
 

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/sandboxed-iframe-fetch-event-iframe.py

@@ -7,9 +7,6 @@ def main(request, response):
       body = f.read()
     return (header, body)
 
-  if 'sandbox' in request.GET:
-    header.append(('Content-Security-Policy',
-                   'sandbox %s' % request.GET['sandbox']))
   with open(os.path.join(os.path.dirname(__file__),
                          'sandboxed-iframe-fetch-event-iframe.html'), 'r') as f:
     body = f.read()

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/sandboxed-iframe-fetch-event.https-expected.txt

-This is a testharness.js-based test.
-PASS Prepare a service worker.
-PASS Prepare a normal iframe.
-PASS Prepare an iframe sandboxed by <iframe sandbox="allow-scripts">.
-PASS Prepare an iframe sandboxed by <iframe sandbox="allow-scripts allow-same-origin">.
-FAIL Prepare an iframe sandboxed by CSP HTTP header with allow-scripts. assert_false: Service worker should NOT control the sandboxed page expected false got true
-PASS Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin.
-PASS Fetch request from a normal iframe
-PASS Fetch request from a worker in a normal iframe
-PASS Request for an iframe in the normal iframe
-PASS Request for an sandboxed iframe with allow-scripts flag in the normal iframe
-PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the normal iframe
-PASS Fetch request from iframe sandboxed by an attribute with allow-scripts flag
-PASS Fetch request from a worker in iframe sandboxed by an attribute with allow-scripts flag
-PASS Request for an iframe in the iframe sandboxed by an attribute with allow-scripts flag
-PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by an attribute with allow-scripts flag
-PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by an attribute with allow-scripts flag
-PASS Fetch request from iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag
-PASS Fetch request from a worker in iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag
-PASS Request for an iframe in the iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag
-PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by attribute with allow-scripts and allow-same-origin flag
-PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by attribute with allow-scripts and allow-same-origin flag
-FAIL Fetch request from iframe sandboxed by CSP HTTP header with allow-scripts flag assert_equals: The request should NOT be handled by SW. expected 0 but got 1
-PASS Request for an iframe in the iframe sandboxed by CSP HTTP header with allow-scripts flag
-PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by CSP HTTP header with allow-scripts flag
-PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by CSP HTTP header with allow-scripts flag
-PASS Fetch request from iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
-PASS Request for an iframe in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
-PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
-PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
-Harness: the test ran to completion.
-

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/sandboxed-iframe-fetch-event.https.html

@@ -52,14 +52,6 @@ let sandboxed_frame;
 // An iframe created by <iframe sandbox='allow-scripts allow-same-origin'>.
 // This should be controlled by a service worker.
 let sandboxed_same_origin_frame;
-// An iframe whose response header has
-// 'Content-Security-Policy: allow-scripts'.
-// This should NOT be controlled by a service worker.
-let sandboxed_frame_by_header;
-// An iframe whose response header has
-// 'Content-Security-Policy: allow-scripts allow-same-origin'.
-// This should be controlled by a service worker.
-let sandboxed_same_origin_frame_by_header;
 
 promise_test(t => {
   return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
@@ -118,44 +110,6 @@ promise_test(t => {
 }, 'Prepare an iframe sandboxed by ' +
    '<iframe sandbox="allow-scripts allow-same-origin">.');
 
-promise_test(t => {
-  const iframe_full_url = expected_base_url + '?sandbox=allow-scripts&' +
-                          'sandboxed-frame-by-header';
-  return with_iframe(iframe_full_url)
-    .then(f => {
-      sandboxed_frame_by_header = f;
-      add_completion_callback(() => f.remove());
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1,
-                    'Service worker should provide the response');
-      assert_equals(requests[0], iframe_full_url);
-      assert_false(data.clients.includes(iframe_full_url),
-                   'Service worker should NOT control the sandboxed page');
-    });
-}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts.');
-
-promise_test(t => {
-  const iframe_full_url =
-    expected_base_url + '?sandbox=allow-scripts%20allow-same-origin&' +
-    'sandboxed-iframe-same-origin-by-header';
-  return with_iframe(iframe_full_url)
-    .then(f => {
-      sandboxed_same_origin_frame_by_header = f;
-      add_completion_callback(() => f.remove());
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1);
-      assert_equals(requests[0], iframe_full_url);
-      assert_true(data.clients.includes(iframe_full_url));
-    })
-}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and ' +
-   'allow-same-origin.');
-
 promise_test(t => {
   let frame = normal_frame;
   return doTest(frame, 'fetch')
@@ -399,137 +353,5 @@ promise_test(t => {
 }, 'Request for an sandboxed iframe with allow-scripts and ' +
    'allow-same-origin flag in the iframe sandboxed by attribute with ' +
    'allow-scripts and allow-same-origin flag');
-
-promise_test(t => {
-  let frame = sandboxed_frame_by_header;
-  return doTest(frame, 'fetch')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      assert_equals(data.requests.length, 0,
-                    'The request should NOT be handled by SW.');
-    });
-}, 'Fetch request from iframe sandboxed by CSP HTTP header with ' +
-   'allow-scripts flag');
-
-promise_test(t => {
-  let frame = sandboxed_frame_by_header;
-  return doTest(frame, 'iframe')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      assert_equals(data.requests.length, 0,
-                    'The request should NOT be handled by SW.');
-      assert_false(data.clients.includes(frame.src + '&test=iframe'));
-    });
-}, 'Request for an iframe in the iframe sandboxed by CSP HTTP header with ' +
-   'allow-scripts flag');
-
-promise_test(t => {
-  let frame = sandboxed_frame_by_header;
-  return doTest(frame, 'sandboxed-iframe')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      assert_equals(data.requests.length, 0,
-                    'The request should NOT be handled by SW.');
-      assert_false(data.clients.includes(
-        frame.src + '&test=sandboxed-iframe'));
-    });
-}, 'Request for an sandboxed iframe with allow-scripts flag in the iframe ' +
-   'sandboxed by CSP HTTP header with allow-scripts flag');
-
-promise_test(t => {
-  let frame = sandboxed_frame_by_header;
-  return doTest(frame, 'sandboxed-iframe-same-origin')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      assert_equals(data.requests.length, 0,
-                    'The request should NOT be handled by SW.');
-      assert_false(data.clients.includes(
-        frame.src + '&test=sandboxed-iframe-same-origin'));
-    });
-}, 'Request for an sandboxed iframe with allow-scripts and ' +
-   'allow-same-origin flag in the iframe sandboxed by CSP HTTP header with ' +
-   'allow-scripts flag');
-
-promise_test(t => {
-  let frame = sandboxed_same_origin_frame_by_header;
-  return doTest(frame, 'fetch')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1,
-                    'The request should be handled by SW.');
-      assert_equals(requests[0], frame.src + '&test=fetch');
-    });
-}, 'Fetch request from iframe sandboxed by CSP HTTP header with ' +
-   'allow-scripts and allow-same-origin flag');
-
-promise_test(t => {
-  let frame = sandboxed_same_origin_frame_by_header;
-  return doTest(frame, 'iframe')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1,
-                    'The request should be handled by SW.');
-      assert_equals(requests[0], frame.src + '&test=iframe');
-      assert_true(data.clients.includes(frame.src + '&test=iframe'));
-    });
-}, 'Request for an iframe in the iframe sandboxed by CSP HTTP header with ' +
-   'allow-scripts and allow-same-origin flag');
-
-promise_test(t => {
-  let frame = sandboxed_same_origin_frame_by_header;
-  return doTest(frame, 'sandboxed-iframe')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      assert_equals(data.requests.length, 0,
-                    'The request should NOT be handled by SW.');
-      assert_false(
-        data.clients.includes(frame.src + '&test=sandboxed-iframe'));
-    });
-}, 'Request for an sandboxed iframe with allow-scripts flag in the ' +
-   'iframe sandboxed by CSP HTTP header with allow-scripts and ' +
-   'allow-same-origin flag');
-
-promise_test(t => {
-  let frame = sandboxed_same_origin_frame_by_header;
-  return doTest(frame, 'sandboxed-iframe-same-origin')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1,
-                    'The request should be handled by SW.');
-      assert_equals(requests[0],
-                    frame.src + '&test=sandboxed-iframe-same-origin');
-      assert_true(data.clients.includes(
-        frame.src + '&test=sandboxed-iframe-same-origin'));
-    });
-}, 'Request for an sandboxed iframe with allow-scripts and ' +
-   'allow-same-origin flag in the iframe sandboxed by CSP HTTP header with ' +
-   'allow-scripts and allow-same-origin flag');
 </script>
 </body>

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html

-<!DOCTYPE html>
-<title>ServiceWorker FetchEvent issued from workers in an iframe sandboxed via CSP HTTP response header.</title>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="resources/test-helpers.sub.js"></script>
-<body>
-<script>
-let lastCallbackId = 0;
-let callbacks = {};
-function doTest(frame, type) {
-  return new Promise(function(resolve) {
-    var id = ++lastCallbackId;
-    callbacks[id] = resolve;
-    frame.contentWindow.postMessage({id: id, type: type}, '*');
-  });
-}
-
-// Asks the service worker for data about requests and clients seen. The
-// worker posts a message back with |data| where:
-// |data.requests|: the requests the worker received FetchEvents for
-// |data.clients|: the URLs of all the worker's clients
-// The worker clears its data after responding.
-function getResultsFromWorker(worker) {
-  return new Promise(resolve => {
-    let channel = new MessageChannel();
-    channel.port1.onmessage = msg => {
-      resolve(msg.data);
-    };
-    worker.postMessage({port: channel.port2}, [channel.port2]);
-  });
-}
-
-window.onmessage = function (e) {
-  message = e.data;
-  let id = message['id'];
-  let callback = callbacks[id];
-  delete callbacks[id];
-  callback(message['result']);
-};
-
-const SCOPE = 'resources/sandboxed-iframe-fetch-event-iframe.py';
-const SCRIPT = 'resources/sandboxed-iframe-fetch-event-worker.js';
-const expected_base_url = new URL(SCOPE, location.href);
-// A service worker controlling |SCOPE|.
-let worker;
-// An iframe whose response header has
-// 'Content-Security-Policy: allow-scripts'.
-// This should NOT be controlled by a service worker.
-let sandboxed_frame_by_header;
-// An iframe whose response header has
-// 'Content-Security-Policy: allow-scripts allow-same-origin'.
-// This should be controlled by a service worker.
-let sandboxed_same_origin_frame_by_header;
-
-promise_test(t => {
-  return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
-    .then(function(registration) {
-      add_completion_callback(() => registration.unregister());
-      worker = registration.installing;
-      return wait_for_state(t, registration.installing, 'activated');
-    });
-}, 'Prepare a service worker.');
-
-promise_test(t => {
-  const iframe_full_url = expected_base_url + '?sandbox=allow-scripts&' +
-                          'sandboxed-frame-by-header';
-  return with_iframe(iframe_full_url)
-    .then(f => {
-      sandboxed_frame_by_header = f;
-      add_completion_callback(() => f.remove());
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1,
-                    'Service worker should provide the response');
-      assert_equals(requests[0], iframe_full_url);
-      assert_false(data.clients.includes(iframe_full_url),
-                   'Service worker should NOT control the sandboxed page');
-    });
-}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts.');
-
-promise_test(t => {
-  const iframe_full_url =
-    expected_base_url + '?sandbox=allow-scripts%20allow-same-origin&' +
-    'sandboxed-iframe-same-origin-by-header';
-  return with_iframe(iframe_full_url)
-    .then(f => {
-      sandboxed_same_origin_frame_by_header = f;
-      add_completion_callback(() => f.remove());
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1);
-      assert_equals(requests[0], iframe_full_url);
-      assert_true(data.clients.includes(iframe_full_url));
-    })
-}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and ' +
-   'allow-same-origin.');
-
-promise_test(t => {
-  let frame = sandboxed_frame_by_header;
-  return doTest(frame, 'fetch-from-worker')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      assert_equals(data.requests.length, 0,
-                    'The request should NOT be handled by SW.');
-    });
-}, 'Fetch request from a worker in iframe sandboxed by CSP HTTP header ' +
-   'allow-scripts flag');
-
-promise_test(t => {
-  let frame = sandboxed_same_origin_frame_by_header;
-  return doTest(frame, 'fetch-from-worker')
-    .then(result => {
-      assert_equals(result, 'done');
-      return getResultsFromWorker(worker);
-    })
-    .then(data => {
-      let requests = data.requests;
-      assert_equals(requests.length, 1,
-                    'The request should be handled by SW.');
-      assert_equals(requests[0], frame.src + '&test=fetch-from-worker');
-    });
-}, 'Fetch request from a worker in iframe sandboxed by CSP HTTP header ' +
-   'with allow-scripts and allow-same-origin flag');
-</script>
-</body>