-
Notifications
You must be signed in to change notification settings - Fork 2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bug 1618527 [wpt PR 22005] - Introduce COEP reporting for CORP (3/3),…
… a=testonly Automatic update from web-platform-tests Introduce COEP reporting for CORP (3/3) 1: https://crrev.com/c/2074177 2: https://crrev.com/c/2075002 3: [this] This series of CLs implements WICG/cross-origin-embedder-policy#9. We introduce network::mojom::CrossOriginEmbedderPolicyReporter and its implementation content::CrossOriginEmbedderPolicyReporter, implement the reporting logic in content::CrossOriginEmbedderPolicyReporter and the CORP check, and plumb the mojo interface. This CL creates CrossOriginEmbedderPolicyReport during the frame navigation and dedicated worker initialization, and give it to the network service so that (possibly potential) CORP blocks are reported. Bug: 1052764 Change-Id: Ia39ff8277eb23d96025f5e6fba4e5a4fa6ffde70 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2076223 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#747176} -- wpt-commits: 0d183bf3945eda537d23f8d37afbde1dad982544 wpt-pr: 22005
- Loading branch information
1 parent
61ede85
commit f19917f
Showing
7 changed files
with
222 additions
and
0 deletions.
There are no files selected for viewing
86 changes: 86 additions & 0 deletions
86
.../web-platform/tests/html/cross-origin-embedder-policy/report-only-require-corp.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
<!doctype html> | ||
<meta name="timeout" content="long"> | ||
<title>Cross-Origin-Embedder-Policy-Report-Only header does not affect the actual behavior</title> | ||
<script src=/resources/testharness.js></script> | ||
<script src=/resources/testharnessreport.js></script> | ||
<script src=/common/utils.js></script> <!-- Use token() to allow running tests in parallel --> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
<div id=log></div> | ||
<script> | ||
const HOST = get_host_info(); | ||
const BASE = new URL("resources", location).pathname; | ||
|
||
async_test(t => { | ||
const frame = document.createElement("iframe"); | ||
t.add_cleanup(() => frame.remove()); | ||
frame.onload = t.step_func_done(() => { | ||
assert_not_equals(frame.contentDocument, null); | ||
}); | ||
frame.src = "/common/blank.html"; | ||
document.body.append(frame); | ||
assert_equals(frame.contentDocument.body.localName, "body"); | ||
}, `"none" top-level: navigating a frame to "none" should succeed`); | ||
|
||
async_test(t => { | ||
const frame = document.createElement("iframe"); | ||
t.add_cleanup(() => frame.remove()); | ||
const blank = "/common/blank.html"; | ||
let firstNavOk = false; | ||
frame.onload = t.step_func(() => { | ||
if (!firstNavOk) { | ||
assert_not_equals(frame.contentDocument, null); | ||
firstNavOk = true; | ||
} else { | ||
assert_not_equals(frame.contentDocument, null); | ||
assert_equals(frame.contentWindow.location.pathname, blank); | ||
t.done(); | ||
} | ||
}); | ||
frame.src = `resources/navigate-require-corp.sub.html?to=${blank}`; | ||
document.body.append(frame); | ||
assert_equals(frame.contentDocument.body.localName, "body"); | ||
}, `"none" top-level: navigating a frame from "require-corp" to "none" should succeed`); | ||
|
||
async_test(t => { | ||
const w = window.open(`resources/navigate-none.sub.html?to=navigate-require-corp.sub.html`, "window_name"); | ||
t.add_cleanup(() => w.close()); | ||
|
||
w.onload = t.step_func(() => { | ||
w.history.back(); | ||
t.step_timeout(() => { | ||
assert_not_equals(w.document, null); | ||
t.done(); | ||
}, 1500); | ||
}); | ||
}, `"none" top-level: navigating a frame back from "require-corp" should succeed`); | ||
|
||
async_test(t => { | ||
let pageLoaded = false; | ||
const bc = new BroadcastChannel(token()); | ||
let finished = false; | ||
let doneCheck = _ => { | ||
if (finished && pageLoaded) { | ||
t.done(); | ||
} | ||
} | ||
bc.onmessage = t.step_func((event) => { | ||
pageLoaded = true; | ||
let payload = event.data; | ||
assert_equals(payload, "loaded"); | ||
|
||
doneCheck(); | ||
}); | ||
|
||
const bc2 = new BroadcastChannel(token()); | ||
bc2.onmessage = t.step_func((event) => { | ||
finished = true; | ||
let payload = event.data; | ||
assert_equals(payload, "loaded"); | ||
|
||
doneCheck(); | ||
}); | ||
|
||
const win = window.open(`resources/navigate-require-corp.sub.html?channelName=${bc.name}&to=navigate-none.sub.html?channelName=${bc2.name}`, "_blank", "noopener"); | ||
assert_equals(win, null); | ||
}, `"require-corp" top-level noopener popup: navigating to "none" should succeed`); | ||
</script> |
1 change: 1 addition & 0 deletions
1
...tform/tests/html/cross-origin-embedder-policy/report-only-require-corp.https.html.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
cross-origin-embedder-policy-report-only: require-corp |
68 changes: 68 additions & 0 deletions
68
testing/web-platform/tests/html/cross-origin-embedder-policy/reporting.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
<!doctype html> | ||
<html> | ||
<html> | ||
<body> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<script src="/common/utils.js"></script> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
<script> | ||
const HOST = get_host_info(); | ||
function getIframeUrl(filename, token1, token2) { | ||
let query = `template=${filename}`; | ||
if (token1) { | ||
query += `&coep=${token1}` | ||
} | ||
if (token2) { | ||
query += `&coep-report-only=${token2}` | ||
} | ||
return `resources/reporting-iframe.py?${query}`; | ||
} | ||
|
||
function checkReports(reports, contextUrl) { | ||
assert_not_equals(reports, null); | ||
assert_equals(reports.length, 2); | ||
assert_equals(reports[0].type, 'coep'); | ||
assert_equals(reports[0].url, contextUrl); | ||
assert_equals(reports[0].body.type, 'corp'); | ||
assert_equals(reports[1].type, 'coep'); | ||
assert_equals(reports[1].url, contextUrl); | ||
assert_equals(reports[1].body.type, 'corp'); | ||
|
||
// The order of the reports is non-deterministic. | ||
const actualBlockedUrls = reports.map((r) => r.body['blocked-url']).sort(); | ||
const expectedBlockedUrls = [ | ||
`${HOST.REMOTE_ORIGIN}/common/text-plain.txt`, | ||
`${HOST.ORIGIN}/common/redirect.py?location=${HOST.REMOTE_ORIGIN}/common/text-plain.txt`, | ||
]; | ||
assert_array_equals(actualBlockedUrls.sort(), expectedBlockedUrls.sort()); | ||
} | ||
|
||
async_test(async (t) => { | ||
try { | ||
const iframe = document.createElement('iframe'); | ||
t.add_cleanup(() => iframe.remove()); | ||
const token1 = token(); | ||
const token2 = token(); | ||
|
||
iframe.src = `resources/subresource-corp.html?token1=${token1}&token2=${token2}`; | ||
document.body.appendChild(iframe); | ||
|
||
await new Promise(resolve => t.step_timeout(resolve, 3000)); | ||
|
||
const res1 = await fetch(`resources/stash-take.py?key=${token1}`); | ||
const res2 = await fetch(`resources/stash-take.py?key=${token2}`); | ||
|
||
const reports = JSON.parse(await res1.text()); | ||
const reportsForReportOnly = JSON.parse(await res2.text()); | ||
|
||
checkReports(reports, iframe.src); | ||
checkReports(reportsForReportOnly, iframe.src); | ||
|
||
t.done(); | ||
} catch (e) { | ||
t.step(() => { throw e }); | ||
}; | ||
}, 'report-to parameter for COEP and COEP-report-only'); | ||
|
||
</script> |
19 changes: 19 additions & 0 deletions
19
testing/web-platform/tests/html/cross-origin-embedder-policy/resources/report.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
import json | ||
|
||
|
||
def main(request, response): | ||
if request.method == 'OPTIONS': | ||
# CORS preflight | ||
response.headers.set('Access-Control-Allow-Origin', '*') | ||
response.headers.set('Access-Control-Allow-Methods', 'POST') | ||
response.headers.set('Access-Control-Allow-Headers', 'content-type') | ||
return '' | ||
|
||
url_dir = '/'.join(request.url_parts.path.split('/')[:-1]) + '/' | ||
key = request.GET.first('key') | ||
reports = request.server.stash.take(key, url_dir) or [] | ||
for report in json.loads(request.body): | ||
reports.append(report) | ||
request.server.stash.put(key, reports, url_dir) | ||
response.headers.set('Access-Control-Allow-Origin', '*') | ||
return 'done' |
9 changes: 9 additions & 0 deletions
9
testing/web-platform/tests/html/cross-origin-embedder-policy/resources/stash-take.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
from wptserve.handlers import json_handler | ||
|
||
|
||
@json_handler | ||
def main(request, response): | ||
path = '/'.join(request.url_parts.path.split('/')[:-1]) + '/' | ||
key = request.GET.first('key') | ||
response.headers.set('Access-Control-Allow-Origin', '*') | ||
return request.server.stash.take(key, path) |
35 changes: 35 additions & 0 deletions
35
testing/web-platform/tests/html/cross-origin-embedder-policy/resources/subresource-corp.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
<!doctype html> | ||
<html> | ||
<script src="/common/get-host-info.sub.js"></script> | ||
<script> | ||
const HOST = get_host_info(); | ||
const current = new URL(window.location.href); | ||
const token = current.searchParams.get("token"); | ||
|
||
const cache = 'no-store'; | ||
const mode = 'no-cors'; | ||
|
||
async function run() { | ||
const init = { mode, cache }; | ||
// This is not blocked. | ||
await fetch('/common/text-plain.txt', init); | ||
// This is blocked but not due to COEP. | ||
try { | ||
await fetch('nothing-same-origin-corp.txt', init); | ||
} catch (e) { | ||
} | ||
|
||
try { | ||
await fetch(`${HOST.REMOTE_ORIGIN}/common/text-plain.txt`, init); | ||
} catch (e) { | ||
} | ||
try { | ||
await fetch(`/common/redirect.py?location=${HOST.REMOTE_ORIGIN}/common/text-plain.txt`, init); | ||
} catch (e) { | ||
} | ||
} | ||
|
||
run(); | ||
|
||
</script> | ||
</html> |
4 changes: 4 additions & 0 deletions
4
...tform/tests/html/cross-origin-embedder-policy/resources/subresource-corp.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
cache-control: no-store, no-cache | ||
report-to: { "group": "endpoint", "max_age": 3600, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/html/cross-origin-embedder-policy/resources/report.py?key={{GET[token1]}}" }] }, { "group": "report-only-endpoint", "max_age": 3600, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/html/cross-origin-embedder-policy/resources/report.py?key={{GET[token2]}}" }] } | ||
cross-origin-embedder-policy: require-corp; report-to="endpoint" | ||
cross-origin-embedder-policy-report-only: require-corp; report-to="report-only-endpoint" |