diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting')
5 files changed, 457 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html new file mode 100644 index 0000000000..7bfdab1330 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html @@ -0,0 +1,86 @@ + +<meta name=timeout content=long> +<title>A test with both COOP and COOP report only setup using Reporting-Endpoints header</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script + src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=2aee31d2-cd11-43bd-b34d-5f081ca3b2b4&report_only_id=d18f1779-e2ab-4a7a-8b1c-44e3a6f440f5"></script> + +<script> +let tests = [ + // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports + + // Open a cross-origin popup with both normal and report-only COOP. Four + // reports are sent. + [ + CROSS_ORIGIN, + `same-origin-allow-popups; report-to="${popupReportEndpoint.name}"`, + "require-corp", + `same-origin; report-to="${popupReportOnlyEndpoint.name}"`, + "require-corp", + [ + { + "endpoint": reportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin-allow-popups", + "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL + "type": "navigation-from-response" + }, + "url": `${location.href}`, + "type": "coop" + } + }, + { + "endpoint": reportOnlyEndpoint, + "report": { + "body": { + "disposition": "reporting", + "effectivePolicy": "same-origin-plus-coep", + "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL + "type": "navigation-from-response" + }, + "url": `${location.href}`, + "type": "coop" + } + }, + { + "endpoint": popupReportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin-allow-popups", + "previousResponseURL": "", + "referrer": `${location.origin}/`, // referrer + "type": "navigation-to-response" + }, + "url": /uuid=EXECUTOR_UUID$/, + "type": "coop" + } + }, + { + "endpoint": popupReportOnlyEndpoint, + "report": { + "body": { + "disposition": "reporting", + "effectivePolicy": "same-origin-plus-coep", + "previousResponseURL": "", + "referrer": `${location.origin}/`, // referrer + "type": "navigation-to-response" + }, + "url": /uuid=EXECUTOR_UUID$/, + "type": "coop" + } + } + ] + ] +]; + +runNavigationDocumentReportingTests(document.title, tests); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers new file mode 100644 index 0000000000..de48445f38 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers @@ -0,0 +1,6 @@ +Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint" +Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-report-only-endpoint" +Cross-Origin-Embedder-Policy: require-corp +Cross-Origin-Embedder-Policy-Report-Only: require-corp +Referrer-Policy: origin +Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=2aee31d2-cd11-43bd-b34d-5f081ca3b2b4", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=d18f1779-e2ab-4a7a-8b1c-44e3a6f440f5" diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html new file mode 100644 index 0000000000..409628c15c --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html @@ -0,0 +1,124 @@ +<title> + Both the openee and the opener have a COOP reporter. The report are sent to + both side. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const origin_opener = get_host_info().HTTPS_ORIGIN; +const origin_openee = get_host_info().HTTPS_REMOTE_ORIGIN; + +let escapeComma = url => url.replace(/,/g, '\\,'); + +let genericSetup = async function(test) { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP and a reporter. + const opener_token = token(); + const opener_report_token = reportToken(); + const opener_reporting = reportingEndpointsHeaders(opener_report_token); + const opener_url = origin_opener+ executor_path + opener_reporting.header + + opener_reporting.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. This has COOP and a reporter. + const openee_token = token(); + const openee_report_token = reportToken(); + const openee_reporting = reportingEndpointsHeaders(openee_report_token); + const openee_url = origin_openee + executor_path + openee_reporting.header + + openee_reporting.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + + // Cleanup at the end of the test. + test.add_cleanup(() => { + send(openee_token, 'window.close()'); + send(opener_token, 'window.close()'); + }); + + // 1. Spawn the opener and the openee windows. + window.open(opener_url); + send(opener_token, ` + openee = window.open('${escapeComma(openee_url)}'); + `); + + // 2. Wait for both to be loaded. + send(openee_token, `send('${this_window_token}', 'ACK');`); + assert_equals(await receive(this_window_token), 'ACK'); + + return [ + this_window_token, + opener_token, opener_report_token, opener_url, + openee_token, openee_report_token, openee_url, + ]; +} + +let assert_generic_coop_report = function(report) { + assert_equals(report.type, "coop"); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); +} + +promise_test(async test => { + let [ + this_window_token, + opener_token, opener_report_token, opener_url, + openee_token, openee_report_token, openee_url, + ] = await genericSetup(test); + + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(openee);") + ); + + let report_opener = + await receiveReport(opener_report_token, "access-from-coop-page-to-openee") + let report_openee = + await receiveReport(openee_report_token, "access-to-coop-page-from-opener") + + assert_generic_coop_report(report_openee); + assert_generic_coop_report(report_opener); + + assert_equals(report_opener.url, opener_url.replace(/"/g, '%22')); + assert_equals(report_openee.url, openee_url.replace(/"/g, '%22')); + assert_source_location_found(report_opener); + assert_source_location_missing(report_openee); +}, "Access from opener") + +promise_test(async test => { + let [ + this_window_token, + opener_token, opener_report_token, opener_url, + openee_token, openee_report_token, openee_url, + ] = await genericSetup(test); + + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener);") + ); + + let report_opener = + await receiveReport(opener_report_token, "access-to-coop-page-from-openee") + let report_openee = + await receiveReport(openee_report_token, "access-from-coop-page-to-opener") + + assert_generic_coop_report(report_openee); + assert_generic_coop_report(report_opener); + + assert_equals(report_opener.url, opener_url.replace(/"/g, '%22')); + assert_equals(report_openee.url, openee_url.replace(/"/g, '%22')); + assert_source_location_missing(report_opener); + assert_source_location_found(report_openee); +}, "Access from openee") + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html new file mode 100644 index 0000000000..b2ff818d56 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html @@ -0,0 +1,111 @@ +<title> + Tests the redirect interaction with COOP same-origin-allow-popups. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script> + +const same_origin = { + host: get_host_info().HTTPS_ORIGIN, + name: "Same origin" +}; +const cross_origin = { + host: get_host_info().HTTPS_REMOTE_ORIGIN, + name: "Cross origin" +}; + +// Tests the redirect interaction with COOP same-origin-allow-popups and +// reporting: +// 1 - open the opener document on origin same_origin wit COOP +// same-origin-allow-popups. +// 2 - opener opens popup with document on origin popup_origin, no COOP and a +// redirect header (HTTP 302, location). +// 3 - redirection to a document with origin same_origin and COOP +// same-origin-allow-popups. +// +// The navigation (2) to the first document of the popup stays in the same +// browsing context group due to the same-origin-allow-popups COOP of the +// opener. +// The redirect (3) to the final document does since it compares the +// popup_origin/unsafe-none document with the +// same-origin/same-origin-allow-popups document. +// +// A opens B, B redirects to C. +// +// Document Origin COOP +// -------- ------------ ------------------------ +// A same-origin same-origin-allow-popups +// B popup-origin unsafe-none +// C same-origin same-origin-allow-popups +function redirect_test(popup_origin) { + promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP same-origin-allow-popups and a + // reporter. + const opener_token = token(); + const opener_report_token = reportToken(); + const opener_reporting = reportingEndpointsHeaders(opener_report_token); + const opener_url = same_origin.host + executor_path + + opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader + + `&uuid=${opener_token}`; + + // The "openee" window. + // The initial document does not have COOP and is on popup_origin, it + // redirects to a same-origin (with the opener) document with COOP + // same-origin-allow-popups. + const openee_token = token(); + const openee_redirect_url = same_origin.host + executor_path + + opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader + + `&uuid=${openee_token}`; + const redirect_header = 'status(302)' + + `|header(Location,${encodeURIComponent( + openee_redirect_url + .replace(/,/g, "\\,") + .replace(/\\\\,/g, "\\\\\\,") + .replace(/\(/g, "%28") + .replace(/\)/g, "%29"))})`; + const openee_url = popup_origin.host + executor_path + redirect_header + + `&uuid=${openee_token}`; + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. The opener opens its openee. + send(opener_token, ` + openee = window.open("${openee_url}"); + `); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. Check the opener status on the openee. + send(openee_token, ` + send("${this_window_token}", opener !== null); + `); + assert_equals(await receive(this_window_token), "false", "opener"); + + // 4. Check the openee status on the opener. + send(opener_token, ` + send("${this_window_token}", openee.closed); + `); + assert_equals(await receive(this_window_token), "true", "openee.closed"); + + // 5. Check a report sent to the openee. + let report = await receiveReport( + opener_report_token, + "navigation-to-response"); + assert_equals(report.type, "coop"); + assert_equals(report.body.disposition, "enforce"); + assert_equals(report.body.effectivePolicy, "same-origin-allow-popups"); + }, `${popup_origin.name} openee redirected to same-origin with same-origin-allow-popups`); +} + +redirect_test(same_origin); +redirect_test(cross_origin); +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html new file mode 100644 index 0000000000..bd89856305 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html @@ -0,0 +1,130 @@ +<title> + Tests the redirect interaction with COOP unsafe-none. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script> + +const same_origin = { + host: get_host_info().HTTPS_ORIGIN, + name: "Same origin" +}; +const cross_origin = { + host: get_host_info().HTTPS_REMOTE_ORIGIN, + name: "Cross origin" +}; + +// Repeated call receive() to fetch all reports received within 1 second. +async function fetchReportsByID(uuid){ + let timeStart = new Date().getTime(); + const reports = []; + while(new Date().getTime() - timeStart < 1000) { + // Promise.race is used to timeout since receive() has no timeout mechanism. + reports.push(...await Promise.race([ + receive(uuid).then(JSON.parse), + new Promise(resolve => step_timeout(resolve, 1000, [])) + ])); + } + return reports; +} + +function fetchReportByType(reports, type){ + return reports.filter((report)=> (report.body.type === type)); +} + + // Tests the redirect interaction with COOP unsafe-none and reporting: + // 1 - open the opener document on origin same_origin with COOP + // unsafe-none. + // 2 - opener opens popup with document on origin popup_origin, with COOP + // same-origin, Reporting-Endpoints header and a redirect header + // (HTTP 302, location). + // 3 - redirection to a document with origin same-origin and COOP + // unsafe-none. + // + // Navigation 2) should generate a report sent to B's reporter(navigation-to). + // Navigation 3) should generate a report sent to B's reporter(navigation-from). + // + // A opens B, B redirects to C. + // + // Document Origin COOP + // -------- ------------ ------------------------ + // A same-origin unsafe-none + // B popup-origin same-origin + // C same-origin unsafe-none +function redirect_test(popup_origin) { + promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP unsafe-none and no reporter. + const opener_token = token(); + const opener_url = same_origin.host + executor_path + + `&uuid=${opener_token}`; + + // The "openee" window. + // The initial document have COOP, reporter and is on popup_origin, it + // redirects to a same-origin (with the opener) document with no COOP. + const openee_token = token(); + const openee_report_token = reportToken(); + const openee_reporting = reportingEndpointsHeaders(openee_report_token); + const openee_redirect_url = same_origin.host + executor_path + + `&uuid=${openee_token}`; + const redirect_header = '|status(302)' + + `|header(Location,${encodeURIComponent( + openee_redirect_url)})`; + const openee_url = (popup_origin.host + executor_path + + openee_reporting.header + openee_reporting.coopSameOriginHeader + + redirect_header + `&uuid=${openee_token}`) + .replace(/,/g, "\\,") + .replace(/\\\\,/g, "\\\\\\,") + .replace(/\(/g, "%28") + .replace(/\)/g, "%29"); + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. The opener opens its openee. + send(opener_token, ` + openee = window.open(\`${openee_url}\`); + `); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. Check the opener status on the openee. + send(openee_token, ` + send("${this_window_token}", opener !== null); + `); + assert_equals(await receive(this_window_token), "false", "opener"); + + // 4. Check the openee status on the opener. + send(opener_token, ` + send("${this_window_token}", openee.closed); + `); + assert_equals(await receive(this_window_token), "true", "openee.closed"); + + // 5. Check a report sent to B's reporting endpoint when A opens B. + const reports = await fetchReportsByID(openee_report_token); + const navigationToReport = fetchReportByType( + reports, "navigation-to-response"); + assert_equals(navigationToReport.length, 1); + assert_equals(navigationToReport[0].type, "coop"); + assert_equals(navigationToReport[0].body.disposition, "enforce"); + assert_equals(navigationToReport[0].body.effectivePolicy, "same-origin"); + // 6. Check a report sent to B's reporting endpoint when B redirects to C. + const navigationFromReport = fetchReportByType( + reports, "navigation-from-response"); + assert_equals(navigationFromReport.length, 1); + assert_equals(navigationFromReport[0].type, "coop"); + assert_equals(navigationFromReport[0].body.disposition, "enforce"); + assert_equals(navigationFromReport[0].body.effectivePolicy, "same-origin"); + }, `${popup_origin.name} openee redirected to same-origin with unsafe-none`); +} + +redirect_test(same_origin); +redirect_test(cross_origin); +</script> |