Bug 1719635 [wpt PR 29608] - [COEP] Always allow anonymous iframes to load, a=testonly
☠☠ backed out by dec0a179f851 ☠ ☠
authorAntonio Sartori <antoniosartori@chromium.org>
Sat, 17 Jul 2021 09:52:08 +0000
changeset 585845 78b09de6fdfc30c5550e3f9615b0399edecff48f
parent 585844 5761d24ca1e7bee996ac880d67da3b10c7cd3160
child 585846 9b65a80d90872f8bf70022b57cd61a731ede21b3
push id38620
push usercsabou@mozilla.com
push dateSun, 18 Jul 2021 09:08:29 +0000
treeherdermozilla-central@cc4e5ea0c986 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1719635, 29608, 1226469, 3009318, 901408
milestone92.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1719635 [wpt PR 29608] - [COEP] Always allow anonymous iframes to load, a=testonly Automatic update from web-platform-tests [COEP] Always allow anonymous iframes to load This CL is a step of the anonymous iframe implementation. Anonymous iframes are always allowed to load, regardless of their parent Cross Origin Embedder Policy. Note that anonymous iframes are implemented behind the blink runtime feature AnonymousIframe, which is disabled by default. All the code introduced by this CL does not do anything unless that feature flag is enabled. Bug: 1226469 Change-Id: Ia05c2ff6f1b869fa27571f9b529d89a5b64c4dd4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3009318 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Cr-Commit-Position: refs/heads/master@{#901408} -- wpt-commits: 6f7552921abb51b1bfafbce7cd5bd46ca7618d7a wpt-pr: 29608
testing/web-platform/tests/html/cross-origin-embedder-policy/anonymous-iframe/require-corp-embed-anonymous-iframe.tentative.https.html
testing/web-platform/tests/html/cross-origin-embedder-policy/anonymous-iframe/require-corp-embed-anonymous-iframe.tentative.https.html.headers
testing/web-platform/tests/html/cross-origin-embedder-policy/resources/navigate-none.sub.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-embedder-policy/anonymous-iframe/require-corp-embed-anonymous-iframe.tentative.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<body>
+<script>
+
+promise_test(async t => {
+  let iframe_allowed = (iframe, bc) => new Promise(async resolve => {
+    bc.onmessage = t.step_func(event => {
+      assert_equals(event.data, "loaded",
+                    "Unexpected message from broadcast channel.");
+      resolve(true);
+    });
+
+    // To see whether the iframe was blocked, we check whether it
+    // becomes cross-origin (since error pages are loaded cross-origin).
+    await t.step_wait(() => {
+      try {
+        // Accessing contentWindow.location.href cross-origin throws.
+        iframe.contentWindow.location.href === null;
+        return false;
+      } catch {
+        return true;
+      }
+    });
+    resolve(false);
+  });
+
+  // Create an anonymous child iframe.
+  const child = document.createElement("iframe");
+  child.anonymous = true;
+  t.add_cleanup(() => child.remove());
+
+  const bc_child = new BroadcastChannel(token());
+  child.src =
+    `../resources/navigate-none.sub.html?channelName=${bc_child.name}`;
+  document.body.append(child);
+
+  assert_true(await iframe_allowed(child, bc_child),
+              "The anonymous iframe should be allowed.");
+
+  // Create a child of the anonymous iframe. Even if the grandchild
+  // does not have the 'anonymous' attribute set, it inherits the
+  // anonymous property from the parent.
+  const grandchild = child.contentDocument.createElement("iframe");
+  const bc_grandchild = new BroadcastChannel(token());
+
+  grandchild.src =
+    `../resources/navigate-none.sub.html?channelName=${bc_grandchild.name}`;
+  child.contentDocument.body.append(grandchild);
+
+  assert_true(await iframe_allowed(grandchild, bc_grandchild),
+             "The child of the anonymous iframe should be allowed.");
+}, 'Loading an anonymous iframe with COEP: require-corp is allowed.');
+
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-embedder-policy/anonymous-iframe/require-corp-embed-anonymous-iframe.tentative.https.html.headers
@@ -0,0 +1,1 @@
+Cross-Origin-Embedder-Policy: require-corp
--- a/testing/web-platform/tests/html/cross-origin-embedder-policy/resources/navigate-none.sub.html
+++ b/testing/web-platform/tests/html/cross-origin-embedder-policy/resources/navigate-none.sub.html
@@ -8,17 +8,21 @@
     let next = new URL(navigateTo, current);
     window.addEventListener("load", () => {
       window.location.href = next.href;
     });
   }
 
   if (channelName) {
     let bc = new BroadcastChannel(channelName);
-    bc.postMessage("loaded");
+
+    // Broadcast only once the DOM is loaded, so that the caller can
+    // access reliably this document's body.
+    window.addEventListener("DOMContentLoaded", () =>
+    bc.postMessage("loaded"));
 
     // The page can also be restored from the back-forward cache:
     window.addEventListener('pageshow', function(event) {
       if (event.persisted)
         bc.postMessage("loaded");
     });
   }
 </script>