authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
commit26a029d407be480d791972afb5975cf62c9360a6 (patch)
treef435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html
parentInitial commit. (diff)
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html')
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html275
1 files changed, 275 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html
new file mode 100644
index 0000000000..375c627d27
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html
@@ -0,0 +1,275 @@
+<!doctype html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<title>
+ Check the ReportingObserver(s) are notified about the coop-access-violation
+ events.
+</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_site = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const corp_header = '|header(Cross-Origin-Resource-Policy,cross-origin)';
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, using COOP-Report-Only and a reporter.
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(token());
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window, NOT using COOP.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `openee = window.open('${openee_url}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 3. Wait for the openee to load its document.
+ send(openee_token, `send("${this_window_token}", "Ready");`);
+ assert_equals(await receive(this_window_token), "Ready");
+
+ // 4. The opener tries to access its openee. All reports for blocked access
+ // from the COOP page should notify the ReportingObservers.
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(openee);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+
+ let report_access_from = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_from.length, 1, "No report received.");
+ assert_equals(report_access_from[0].type, "coop-access-violation");
+ assert_equals(report_access_from[0].url, opener_url.replace(/"/g, '%22'));
+ assert_source_location_found(report_access_from[0])
+ assert_equals(report_access_from[0].body.type,
+ "access-from-coop-page-to-openee");
+ assert_equals(report_access_from[0].body.openeeURL, openee_url);
+ assert_equals(report_access_from[0].body.openerURL, undefined);
+ assert_equals(report_access_from[0].body.otherDocumentURL, undefined);
+
+ // 5. The openee tries to access its opener. No reports for blocked access
+ // to the COOP page should be dispatched.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(opener);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+ let report_access_to = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_to.length, 0, "Unexpected report received.");
+}, "Opener COOP");
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, NOT using COOP.
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + `&uuid=${opener_token}`;
+
+ // The "openee" window, using COOP-Report-Only and a reporter.
+ const openee_token = token();
+ const openee_reportTo = reportToHeaders(token());
+ const openee_url = same_origin + executor_path + openee_reportTo.header +
+ openee_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens its openee.
+ send(opener_token,
+ `openee = window.open('${openee_url.replace(/,/g, '\\,')}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 3. The openee tries to access its opener. All reports for blocked access
+ // from the COOP page should notify the ReportingObservers.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(opener);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+ let report_access_from = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_from.length, 1, "No report received.");
+ assert_equals(report_access_from[0].type, "coop-access-violation");
+ assert_equals(report_access_from[0].url, openee_url.replace(/"/g, '%22'));
+ assert_true(report_access_from[0].body.sourceFile.includes("try-access.js"));
+ assert_source_location_found(report_access_from[0])
+ assert_equals(report_access_from[0].body.type,
+ "access-from-coop-page-to-opener");
+ assert_equals(report_access_from[0].body.openeeURL, undefined);
+ assert_equals(report_access_from[0].body.openerURL, opener_url);
+ assert_equals(report_access_from[0].body.otherDocumentURL, undefined);
+
+ // 4. The opener tries to access its openee. No reports for blocked access
+ // to the COOP page should be dispatched.
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(openee);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+ let report_access_to = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_to.length, 0, "Unexpected report received.");
+}, "Openee COOP");
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, using COOP-Report-Only and a reporter.
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(token());
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "opener's iframe", same-origin with its parent.
+ const opener_iframe_token = token();
+ const opener_iframe_url = same_origin + executor_path + coep_header +
+ `&uuid=${opener_iframe_token}`;
+
+ // The "openee" window, NOT using COOP.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + coep_header +
+ `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens an iframe, and install a ReportingObserver to catch
+ // future accesses.
+ send(opener_token, `
+ iframe = document.createElement("iframe");
+ iframe.src = "${opener_iframe_url}";
+ document.body.appendChild(iframe);
+
+ let observer = new ReportingObserver(reports => {
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ });
+ observer.observe();
+ `);
+
+ // 3. The iframe opens the openee.
+ send(opener_iframe_token, `openee = window.open('${openee_url}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 4. Wait for the openee to load its document.
+ send(openee_token, `send("${this_window_token}", "Ready");`);
+ assert_equals(await receive(this_window_token), "Ready");
+
+ // 4. The opener's iframe tries to access the openee. This is an
+ // "access-from-coop-page" from a same-origin iframe, so the
+ // ReportingObserver(s) are notified.
+ send(opener_iframe_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `tryAccess(openee);`));
+
+ let reports = await receive(this_window_token);
+ reports = JSON.parse(reports);
+ assert_equals(reports.length, 1, "No report received.");
+ assert_equals(reports[0].type, "coop-access-violation");
+ assert_equals(reports[0].url, opener_url.replace(/"/g, '%22'));
+ assert_true(reports[0].body.sourceFile.includes("try-access.js"));
+ assert_source_location_found(reports[0]);
+ assert_equals(reports[0].body.type,
+ "access-from-coop-page-to-openee");
+ assert_equals(reports[0].body.openeeURL, openee_url);
+ assert_equals(reports[0].body.openerURL, undefined);
+ assert_equals(reports[0].body.otherDocumentURL, undefined);
+}, "Access from same-origin iframe")
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, using COOP-Report-Only and a reporter.
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(token());
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "opener's iframe", same-origin with its parent.
+ const opener_iframe_token = token();
+ const opener_iframe_url = cross_site + executor_path + coep_header +
+ corp_header +
+ `&uuid=${opener_iframe_token}`;
+
+ // The "openee" window, NOT using COOP.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + coep_header +
+ `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens an iframe, and install a ReportingObserver to catch
+ // future accesses.
+ send(opener_token, `
+ iframe = document.createElement("iframe");
+ iframe.src = "${opener_iframe_url}";
+ document.body.appendChild(iframe);
+
+ let observer = new ReportingObserver(reports => {
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ });
+ observer.observe();
+ `);
+
+ // 3. The iframe opens the openee.
+ send(opener_iframe_token, `openee = window.open('${openee_url}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 4. Wait for the openee to load its document.
+ send(openee_token, `send("${this_window_token}", "Ready");`);
+ assert_equals(await receive(this_window_token), "Ready");
+
+ // 5. The opener's iframe tries to access the openee. This is an
+ // "access-from-coop-page" from a cross-site iframe. The ReportingObservers
+ // from the main document aren't notified.
+ send(opener_iframe_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `tryAccess(openee);`));
+
+ let reports = await receive(this_window_token, 2000);
+ assert_equals(reports, "timeout", "Unexpected report received.");
+}, "Access from cross-site iframe")
+
+</script>
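Review bot: In the "Access from cross-site iframe" test, the comment above `opener_iframe_url` still reads `// The "opener's iframe", same-origin with its parent.` although the URL is built from `cross_site`. That origin difference is exactly the boundary the test exercises, so the comment should read `// The "opener's iframe", cross-site with its parent.`. In the "Access from same-origin iframe" test two steps are both numbered `4.`; the access step should be `5.`, as it is in the cross-site test. The last assertion of the cross-site test treats a 2000 ms `receive` timeout as evidence that the main document's ReportingObserver was not notified, so a report delivered later than that would go unnoticed. A short comment such as `// Absence is inferred from a 2s timeout; a late report would not fail this test.` would make that limit explicit.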