Bug 1636952 [wpt PR 23506] - [Security][Coop] Use COOP only if this is top level, a=testonly
authorPâris Meuleman <pmeuleman@chromium.org>
Wed, 13 May 2020 10:01:55 +0000
changeset 531194 347d148c23a4cea3b26a4989dfd47e2ef94746ff
parent 531193 fd50a1838a8af5b8b4ec59052908104229661ef1
child 531195 b792933b266539113ee78315f33f94b75a53a023
push id37435
push userapavel@mozilla.com
push dateWed, 20 May 2020 15:28:23 +0000
treeherdermozilla-central@5415da14ec9a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1636952, 23506, 1081169, 2193771, 767761
milestone78.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1636952 [wpt PR 23506] - [Security][Coop] Use COOP only if this is top level, a=testonly Automatic update from web-platform-tests [Security][Coop] Use COOP only if this is top level COOP is used only in top level document, and COOP headers from iframes are ignored. This led to an issue in the linked bug, where COOP prevents a sandboxed iframe to load. The spec change corresponding to this is under review here: https://whatpr.org/html/5334/browsing-the-web.html with this relevant extract: ``` Let navigationCOOP be "unsafe-none". If browsingContext is a top-level browsing context, then: Set navigationCOOP to the result of obtaining a cross-origin opener policy given response and reservedEnvironment. If sandboxFlags is not empty and navigationCOOP is not "unsafe-none", then display the inline content with an appropriate error shown to the user, with the newly created Document object's origin set to a new opaque origin, run the environment discarding steps for reservedEnvironment, and return. ``` Bug: 1081169 Change-Id: I2c0b59c84ca52f63436a2312529a4bb0351fff30 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2193771 Commit-Queue: Pâris Meuleman <pmeuleman@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Auto-Submit: Pâris Meuleman <pmeuleman@chromium.org> Cr-Commit-Position: refs/heads/master@{#767761} -- wpt-commits: e98a46978594a745b61c70fa3aae84878a081b3b wpt-pr: 23506
testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html
--- a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html
@@ -21,9 +21,25 @@
     document.body.append(frame);
     addEventListener('load', t.step_func(() => {
       t.step_timeout(() => {
         t.done()
       }, 1500);
     }));
   }, `<iframe sandbox="${sandboxValue}"> ${document.title}`);
 });
+
+async_test(t => {
+  const frame = document.createElement("iframe");
+  const channel = new BroadcastChannel(token());
+  frame.sandbox = "allow-scripts allow-same-origin";
+  frame.name = `iframe-${channel.name}`;
+  frame.src = `resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}`;
+  channel.onmessage = t.step_func( event => {
+    const payload = event.data;
+    assert_equals(payload.name, frame.name, "name");
+    t.done();
+  });
+  t.step_timeout(t.unreached_func("Timed out while waiting for iframe's message"), 1500);
+  t.add_cleanup(() => frame.remove());
+  document.body.append(frame);
+}, `Iframe with sandbox and COOP must load.`);
 </script>