OOR-CORS: Update cors-and-webview-api.md for asset/res file URLs

This change removes the last TODO in the cors-and-webview-api.md.
file:///android_asset/ and file:///android_res/ are almost same
with other usual file:// URLs, but still can be accessible even
if AllowFileAccess is set to false.

Test cases mentioned in the doc are also added to ensure legacy
and current CORS behaviors.

TEST=./out/a/bin/run_webview_instrumentation_test_apk -A Feature=CORS

Bug: 1035366
Change-Id: I5bdb7c54e261136d099944ed3690e6892fe72c19
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2253262
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Richard Coles <torne@chromium.org>
Reviewed-by: Nate Fischer <ntfschr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#781138}

android_webview/docs/cors-and-webview-api.md

@@ -58,7 +58,18 @@ Pages loaded with any scheme other than `content://` can't load `content://`
 page in iframes and they can not specify `content://` URLs for sub-resources.
 
 ### file:///android\_{asset,res}/ URLs
-TODO
+Android assets and resources are accessible using `file:///android_asset/` and
+`file:///android_res/` URLs. WebView handles these special `file://` URLs as it
+does other `file://` URLs. Only difference is these special paths are accessible
+even if `setAllowFileAccess` is called with `false`. Even so, still CORS-enabled
+requests are not permitted until these are explicitly permitted by
+`setAllowFileAccessFromFileURLs`.
+
+*** note
+**Note:** `file:///android_asset,res}/` URLs are discouraged. Apps are
+encouraged to use [WebViewAssetLoader](https://developer.android.com/reference/androidx/webkit/WebViewAssetLoader)
+instead, for better compatibility with the Same-Origin policy.
+***
 
 ## WebView APIs
 
@@ -82,6 +93,10 @@ does not allow to access `content://` and `file://` URLs.
 
 The requests from service workers also don't care for this setting.
 
+*** note
+**Note:** `setAllowFileAccessFromFileURLs` is deprecated in API level 30.
+***
+
 ### setAllowUniversalAccessFromFileURLs
 When this API is called with `true`, URLs starting with file:// will have a
 scheme based origin, and can access other scheme based URLs over XMLHttpRequest.
@@ -95,6 +110,10 @@ does not allow to access `content://` and `file://` URLs.
 
 The requests from service workers also don't care for this setting.
 
+*** note
+**Note:** `setAllowUniversalAccessFromFileURLs` is deprecated in API level 30.
+***
+
 ### shouldInterceptRequest
 Custom scheme should not be permitted for CORS-enabled requests usually.
 However, when `shouldInterceptRequest` is used, the API allows developers to

android_webview/test/BUILD.gn

@@ -112,6 +112,7 @@ android_assets("webview_instrumentation_apk_assets") {
     "shell/assets/asset_icon.png",
     "shell/assets/autofill.html",
     "shell/assets/cookie_test.html",
+    "shell/assets/cors.html",
     "shell/assets/full_screen_video.js",
     "shell/assets/full_screen_video_inside_div_test.html",
     "shell/assets/full_screen_video_test.html",

android_webview/test/shell/assets/cors.html

+<!doctype html>
+<html>
+<head><title>running</title></head>
+<body><script>
+window.onload = function () {
+  const params = new URL(document.location).searchParams;
+  const api = params.get('api');
+  if (api == "xhr") {
+    const xhr = new XMLHttpRequest();
+    xhr.open('get', params.get('url'), true);
+    xhr.onload = e => document.title = 'load';
+    xhr.onerror = e => document.title = 'error';
+    xhr.onabort = e => document.title = 'abort';
+    xhr.send();
+  } else if (api == "fetch") {
+    fetch(params.get('url')).then(
+      e => document.title = 'load',
+      e => document.title = 'error');
+  } else {
+    document.title = "unknown api";
+  }
+};
+</script></body>
+</html>