Bug 1621139 [wpt PR 22149] - Reland "Origin policy: implement window.originPolicyIds", a=testonly
authorDomenic Denicola <domenic@chromium.org>
Thu, 12 Mar 2020 12:10:55 +0000
changeset 518620 95cfa6e59942bea4aae3496c76ea938f7e19cad3
parent 518619 662784afddd0409a2206fbedf08c0b43d13a9f9e
child 518621 24822adcfc927541985ba54a808782e945ee319f
push id110076
push userwptsync@mozilla.com
push dateFri, 13 Mar 2020 16:50:09 +0000
treeherderautoland@7381ff2b16e7 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1621139, 22149, 2089994, 2093453, 856601, 1057123, 2095706, 748551
milestone76.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1621139 [wpt PR 22149] - Reland "Origin policy: implement window.originPolicyIds", a=testonly Automatic update from web-platform-tests Reland "Origin policy: implement window.originPolicyIds" This plumbs the origin policy IDs from the net-side OriginPolicyContents through to the renderer, where they get exposed on Window. This does not yet tackle WorkerGlobalScope, but it does add idlharness tests for it, which fail for now. This is a re-land of https://chromium-review.googlesource.com/c/chromium/src/+/2089994 which was reverted in https://chromium-review.googlesource.com/c/chromium/src/+/2093453. The re-land adds MSAN test expectations per https://crbug.com/856601. Bug: 1057123 Change-Id: I30053986f3dfc634399c8e0f3fc1578e062c67f0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2095706 Auto-Submit: Domenic Denicola <domenic@chromium.org> Commit-Queue: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#748551} -- wpt-commits: 30cc91f77bce732e9bf145afdc752b9c0918377b wpt-pr: 22149
testing/web-platform/tests/origin-policy/idlharness.any.js
testing/web-platform/tests/origin-policy/ids/empty-ids-after-nonempty.https.html
testing/web-platform/tests/origin-policy/ids/empty-ids.https.html
testing/web-platform/tests/origin-policy/ids/mix-of-ids.https.html
testing/web-platform/tests/origin-policy/ids/no-ids.https.html
testing/web-platform/tests/origin-policy/ids/non-array-id.https.html
testing/web-platform/tests/origin-policy/ids/same-object-returned.https.html
testing/web-platform/tests/origin-policy/ids/still-present-in-http.html
testing/web-platform/tests/origin-policy/ids/two-ids.https.html
testing/web-platform/tests/origin-policy/policies/op11 no-ids.json
testing/web-platform/tests/origin-policy/policies/op12 empty-ids.json
testing/web-platform/tests/origin-policy/policies/op13 empty-ids-after-nonempty.json
testing/web-platform/tests/origin-policy/policies/op14 non-array-id.json
testing/web-platform/tests/origin-policy/policies/op15 mix-of-ids.json
testing/web-platform/tests/origin-policy/policies/op16 two-ids.json
testing/web-platform/tests/origin-policy/resources/origin-policy-test-runner.js
testing/web-platform/tests/origin-policy/resources/subframe-with-origin-policy.py
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/idlharness.any.js
@@ -0,0 +1,17 @@
+// META: global=window,worker
+// META: script=/resources/WebIDLParser.js
+// META: script=/resources/idlharness.js
+
+'use strict';
+
+idl_test(
+  ['origin-policy'],
+  ['html', 'dom'],
+  idl_array => {
+    if (self.Window) {
+      idl_array.add_objects({ Window: ['self'] });
+    } else {
+      idl_array.add_objects({ WorkerGlobalScope: ['self'] });
+    }
+  }
+);
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/empty-ids-after-nonempty.https.html
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy with empty-array "ids" member that occurs after a non-empty "ids" member must be ignored</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op13",
+  testJS: "../content-security/resources/allow-unsafe-eval.mjs",
+  expectedIds: []
+});
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/empty-ids.https.html
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy with empty-array "ids" member must be ignored</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op12",
+  testJS: "../content-security/resources/allow-unsafe-eval.mjs",
+  expectedIds: []
+});
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/mix-of-ids.https.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy must include valid IDs and exclude non-strings and invalid strings</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op15",
+  testJS: "../content-security/resources/disallow-unsafe-eval-disallow-images.mjs",
+  expectedIds: [
+    "my-policy-1",
+    "my-policy-2",
+    "~",
+    " ",
+    "!\"#$%&'()*+,-./:;<=>?@{|}~",
+    "azAZ",
+    "my~policy"
+  ]
+});
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/no-ids.https.html
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy with no "ids" member must be ignored</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op11",
+  testJS: "../content-security/resources/allow-unsafe-eval.mjs",
+  expectedIds: []
+});
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/non-array-id.https.html
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy a non-array "ids" member must be ignored</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op14",
+  testJS: "../content-security/resources/allow-unsafe-eval.mjs",
+  expectedIds: []
+});
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/same-object-returned.https.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>originPolicyIds must return the same object each time</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<script>
+"use strict";
+test(() => {
+  // Failing this test is a common failure mode for FrozenArray attributes,
+  // so let's be sure implementations get it right.
+  assert_equals(window.originPolicyIds, window.originPolicyIds);
+});
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/still-present-in-http.html
@@ -0,0 +1,16 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>originPolicyIds must return an empty array in http: pages</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<script>
+"use strict";
+test(() => {
+  assert_equals(location.protocol, "http:");
+}, "Prerequisite check: running on HTTP, not HTTPS");
+
+test(() => {
+  assert_array_equals(window.originPolicyIds, []);
+}, "The attribute is still present and returns an empty frozen array");
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/ids/two-ids.https.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Origin policy second "ids" member must take precedence</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op16",
+  testJS: "../content-security/resources/disallow-unsafe-eval-disallow-images.mjs",
+  expectedIds: [
+    "3",
+    "4"
+  ]
+});
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/policies/op11 no-ids.json	
@@ -0,0 +1,7 @@
+{
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'"
+    ]
+  }
+}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/policies/op12 empty-ids.json	
@@ -0,0 +1,8 @@
+{
+  "ids": [],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'"
+    ]
+  }
+}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/policies/op13 empty-ids-after-nonempty.json	
@@ -0,0 +1,11 @@
+{
+  "ids": [
+    "this should be overwritten by the subsequent one"
+  ],
+  "ids": [],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'"
+    ]
+  }
+}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/policies/op14 non-array-id.json	
@@ -0,0 +1,8 @@
+{
+  "ids": "this is not an array",
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'"
+    ]
+  }
+}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/policies/op15 mix-of-ids.json	
@@ -0,0 +1,28 @@
+{
+  "ids": [
+    "my-policy-1",
+    ["my-policy-array"],
+    5,
+    null,
+    { "id": "my-policy-object" },
+    "my-policy-2",
+    true,
+    "~",
+    " ",
+    "\u0000",
+    "\t",
+    "my\tpolicy",
+    "!\"#$%&'()*+,-./:;<=>?@{|}~",
+    "my\u007Fpolicy",
+    "azAZ",
+    "my\u0080policy",
+    "my~policy",
+    "my\u1234policy"
+  ],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'",
+      "img-src 'none'"
+    ]
+  }
+}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-policy/policies/op16 two-ids.json	
@@ -0,0 +1,16 @@
+{
+  "ids": [
+    "1",
+    "2"
+  ],
+  "ids": [
+    "3",
+    "4"
+  ],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'",
+      "img-src 'none'"
+    ]
+  }
+}
--- a/testing/web-platform/tests/origin-policy/resources/origin-policy-test-runner.js
+++ b/testing/web-platform/tests/origin-policy/resources/origin-policy-test-runner.js
@@ -1,22 +1,24 @@
-window.runTestsInSubframe = ({ hostname, testJS }) => {
+window.runTestsInSubframe = ({ hostname, testJS, expectedIds }) => {
   test(() => {
     assert_equals(location.protocol, "https:");
   }, "Prerequisite check: running on HTTPS");
 
   promise_test(() => new Promise((resolve, reject) => {
     const url = new URL(window.location.href);
     url.hostname = `${hostname}.${document.domain}`;
     url.pathname = "/origin-policy/resources/subframe-with-origin-policy.py";
 
     // Normalize the URL so that callers can idiomatically give values relative
     // to themselves.
     url.searchParams.append("test", new URL(testJS, document.baseURI).pathname);
 
+    url.searchParams.append("expectedIds", JSON.stringify(expectedIds));
+
     const iframe = document.createElement("iframe");
     iframe.src = url.href;
 
     // We need to delegate anything we plan to toggle with FP otherwise it will
     // be locked to disallowed.
     iframe.allow = "camera *; geolocation *";
 
     iframe.onload = resolve;
--- a/testing/web-platform/tests/origin-policy/resources/subframe-with-origin-policy.py
+++ b/testing/web-platform/tests/origin-policy/resources/subframe-with-origin-policy.py
@@ -4,23 +4,36 @@ def main(request, response):
        to be loaded into an iframe by origin-policy-test-runner.js.
 
        The ?test= argument is best given as an absolute path (starting with /)
        since it will otherwise be interpreted relative to where this file is
        served.
     """
     test_file = request.GET.first("test")
 
+    expected_ids = request.GET.first("expectedIds")
+
     response.headers.set("Origin-Policy", "allowed=(latest)")
     response.headers.set("Content-Type", "text/html")
 
-    return """
+    ret_val = """
     <!DOCTYPE html>
     <meta charset="utf-8">
     <title>Origin policy subframe</title>
 
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
 
     <div id="log"></div>
 
     <script type="module" src="%s"></script>
   """ % test_file
+
+    if expected_ids != "undefined":
+      ret_val += """
+      <script type="module">
+        test(() => {
+          assert_array_equals(originPolicyIds, %s);
+        }, "Expected originPolicyIDs check");
+      </script>
+      """ % expected_ids
+
+    return ret_val