Bug 1642054 [wpt PR 23878] - Origin isolation: parse the header, a=testonly
authorDomenic Denicola <domenic@chromium.org>
Thu, 04 Jun 2020 16:05:04 +0000
changeset 533933 ad07df70f1852659443eb5ddbdba4063cad11fc4
parent 533932 84c15726921dd168d53e599762a33a2753247ca7
child 533934 87dddc685945a32d4f25ed24f1b9515c88a2674f
push id37480
push userncsoregi@mozilla.com
push dateThu, 04 Jun 2020 22:00:12 +0000
treeherdermozilla-central@e33aea19d0c5 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1642054, 23878, 1066930, 2222692, 773706
milestone79.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1642054 [wpt PR 23878] - Origin isolation: parse the header, a=testonly Automatic update from web-platform-tests Origin isolation: parse the header Bug: 1066930 Change-Id: Ib1c79f8c9218821c7da3640e012cf042666e6d50 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2222692 Commit-Queue: Domenic Denicola <domenic@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#773706} -- wpt-commits: d3ea88514a93b7b69687837de19b1ca6da15cf91 wpt-pr: 23878 Differential Revision: https://phabricator.services.mozilla.com/D78332
testing/web-platform/tests/origin-isolation/parent-no-child-bad-subdomain.sub.https.html
testing/web-platform/tests/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-isolation/parent-no-child-bad-subdomain.sub.https.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Parent is not isolated, child attempts to isolate but uses a bad header value, child is a subdomain of the parent</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import { insertIframe, sendWasmModule, setBothDocumentDomains } from "./resources/helpers.mjs";
+
+for (const badValue of ["", "?0", "true", "\"?1\"", "1", "?2", "(?1)"]) {
+  let frameWindow;
+  promise_test(async () => {
+    frameWindow = await insertIframe("{{hosts[][www]}}", badValue);
+  }, `"${badValue}": frame insertion`);
+
+  // Since the header values are bad there should be no isolation
+
+  promise_test(async () => {
+    const whatHappened = await sendWasmModule(frameWindow);
+
+    assert_equals(whatHappened, "WebAssembly.Module message received");
+  }, `"${badValue}": message event must occur for`);
+
+  promise_test(async () => {
+    await setBothDocumentDomains(frameWindow);
+
+    // Must not throw
+    frameWindow.document;
+  }, `"${badValue}": setting document.domain must give sync access`);
+}
+</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Parent is not isolated, child is isolated using parameters on its structured header, child is a subdomain of the parent</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import { insertIframe, sendWasmModule, setBothDocumentDomains } from "./resources/helpers.mjs";
+
+let frameWindow;
+promise_setup(async () => {
+  frameWindow = await insertIframe("{{hosts[][www]}}", "?1;param1;param2=value2");
+});
+
+// Since they're different-origin, the child's isolation request is respected,
+// so the parent ends up in the site-keyed agent cluster and the child in the
+// origin-keyed one.
+
+promise_test(async () => {
+  const whatHappened = await sendWasmModule(frameWindow);
+
+  assert_equals(whatHappened, "messageerror");
+}, "messageerror event must occur");
+
+promise_test(async () => {
+  await setBothDocumentDomains(frameWindow);
+
+  assert_throws_dom("SecurityError", DOMException, () => {
+    frameWindow.document;
+  });
+}, "setting document.domain should no-op instead of giving sync access");
+</script>