summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/html/cross-origin-opener-policy
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
commit26a029d407be480d791972afb5975cf62c9360a6 (patch)
treef435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/html/cross-origin-opener-policy
parentInitial commit. (diff)
downloadfirefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz
firefox-26a029d407be480d791972afb5975cf62c9360a6.zip
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/html/cross-origin-opener-policy')
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/META.yml9
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/README.md11
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html40
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html51
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html72
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html68
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html44
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html44
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html44
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html59
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox-navigate.https.html40
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox.https.html24
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html63
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-history-popup.https.html18
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html37
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html84
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-same-origin-allow-popups-document-write.html62
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html66
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-redirects-cuts-opener.https.html68
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html59
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-failures.https.html90
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html17
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html16
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-successes.https.html44
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/coep-navigate-popup-unsafe-inherit.https.html40
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html88
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html86
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html85
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html88
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html87
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html87
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html85
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/javascript-url.https.html199
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/navigate-to-aboutblank.https.html193
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/navigate-top-to-aboutblank.https.html171
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html21
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-coop-by-sw.https.html136
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-meta-http-equiv.https.html24
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html90
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-same-origin-allow-popups.https.html96
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html17
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-cross-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-origin.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-site.https.html58
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html33
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/META.yml6
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro.https.html82
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html85
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro.https.html63
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html63
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro.https.html92
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html93
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro.https.html77
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html79
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro.https.html67
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html68
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro.https.html82
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro_cross-origin.https.html83
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-blur.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-close.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-closed.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-focus.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-frames.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html66
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-length.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-get.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-set.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html71
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-get.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-set.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-1.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-2.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-self.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-top.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-window.https.html13
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/report-to-both_coop-ro.https.html124
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html275
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html86
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers6
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html124
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html111
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html130
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html86
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html.sub.headers6
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html71
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html96
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html.sub.headers3
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html32
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html.headers3
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html32
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html.headers3
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html73
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-opener.https.html67
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html85
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html.sub.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html126
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html.sub.headers3
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html173
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html.sub.headers4
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html216
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html.sub.headers3
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html110
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html126
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html.sub.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html111
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js422
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/test-access-property.js65
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/try-access.js20
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resource-popup.https.html91
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/call-functionCalledByOpenee.html5
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/common.js86
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-coep.py84
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-same-origin-repeated.asis24
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/csp-sandbox.py29
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/fully-loaded.js10
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/iframe-test.js241
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/popup-test.js99
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html45
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/redirect.py5
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-cleanup.html11
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-popup.html28
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/resources/universal-worker.js2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/README.md9
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-closed.https.html19
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-openee-rp-ro.https.html62
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-opener-rp-ro.https.html71
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-post-message.https.html19
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html65
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js144
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html94
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html91
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html90
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html91
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/named_targeting.https.html57
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html37
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html37
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-u.https.html37
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html37
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html44
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html44
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html44
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html.headers1
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html62
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html.sub.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html55
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html.sub.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html55
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html.sub.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html43
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html.headers2
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html43
-rw-r--r--testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html.headers2
229 files changed, 10233 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/META.yml b/testing/web-platform/tests/html/cross-origin-opener-policy/META.yml
new file mode 100644
index 0000000000..b9d578d22f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/META.yml
@@ -0,0 +1,9 @@
+spec: https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies
+suggested_reviewers:
+ - mikewest
+ - jugglinmike
+ - arturjanc
+ - lweichselbaum
+ - hemeryar
+ - ParisMeuleman
+ - valenting
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/README.md b/testing/web-platform/tests/html/cross-origin-opener-policy/README.md
new file mode 100644
index 0000000000..3f080c82d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/README.md
@@ -0,0 +1,11 @@
+This directory as well as `../cross-origin-embedder-policy/` contains tests for `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy`. Some light background reading:
+
+* [COOP and COEP explained](https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit)
+* [COOP processing model](https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e) (also defines interaction with COEP)
+* [COEP processing model](https://mikewest.github.io/corpp/)
+* [Open COOP issues](https://github.com/whatwg/html/labels/topic%3A%20cross-origin-opener-policy)
+* [Open COEP issues](https://github.com/whatwg/html/labels/topic%3A%20cross-origin-embedder-policy)
+
+Notes:
+
+* Top-level navigation to a `data:` URL does not work in Chrome and Firefox and is therefore not tested. (This should probably be standardized.)
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html
new file mode 100644
index 0000000000..eda150eb34
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html
@@ -0,0 +1,40 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and a blob URL popup</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script>
+async_test(t => {
+ window.test = t; // Make the test available globally so the blob URL can use it
+ window.furtherPopup = null;
+
+ const bc = new BroadcastChannel(token());
+ bc.onmessage = t.step_func_done(({ data }) => {
+ assert_equals(data.name.length, 0);
+ assert_false(data.opener);
+ assert_true(furtherPopup.closed);
+ });
+
+ const blobContents = `<script>
+const w = window.open("${get_host_info().HTTPS_REMOTE_ORIGIN}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=x&coep=x&channel=${bc.name}", "${bc.name}");
+window.opener.furtherPopup = w;
+<\/script>`;
+ const blob = new Blob([blobContents], { type: "text/html" });
+ const blobURL = URL.createObjectURL(blob);
+ const popup = window.open(blobURL);
+ t.add_cleanup(() => {
+ // Close the popups once the test is complete.
+ // The browsing context of the second popup is closed hence use the
+ // broadcast channel to trigger the closure.
+ bc.postMessage("close");
+ popup.close();
+ });
+ popup.onload = t.step_func(() => {
+ assert_equals(popup.opener, window);
+ assert_equals(popup.location.href, blobURL);
+ assert_equals(popup.document.URL, blobURL);
+ assert_equals(popup.origin, window.origin);
+ });
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/blob-popup.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html
new file mode 100644
index 0000000000..08f70181fc
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html
@@ -0,0 +1,51 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy: blob URL popup</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=../cross-origin-embedder-policy/resources/script-factory.js></script>
+<script>
+["window.open()", "<a>", "<a rel=noopener>"].forEach(type => {
+ promise_test(t => {
+ const origins = get_host_info();
+ const id = `tut mir leid ${type}`;
+ const blob = new Blob([`<script>${createScript(origins.ORIGIN, origins.HTTPS_REMOTE_ORIGIN, "channel", id)}<\/script>`], {type: "text/html"});
+ const blobURL = URL.createObjectURL(blob);
+ const bc = new BroadcastChannel(id);
+
+ if (type === "window.open()") {
+ const popup = window.open(blobURL);
+ t.add_cleanup(() => popup.close());
+ popup.onload = t.step_func(() => {
+ assert_equals(popup.opener, window);
+ assert_equals(popup.location.href, blobURL);
+ assert_equals(popup.document.URL, blobURL);
+ assert_equals(popup.origin, window.origin);
+ });
+ } else {
+ const a = document.createElement("a");
+ a.target = type;
+ if (type === "<a rel=noopener>") {
+ a.rel = "noopener";
+ }
+ a.href = blobURL;
+ a.click();
+ }
+
+ return new Promise(resolve => {
+ bc.onmessage = t.step_func(({ data }) => {
+ assert_equals(data.id, id);
+ assert_equals(data.origin, window.origin);
+ assert_true(data.sameOriginNoCORPSuccess, "Same-origin without CORP did not succeed");
+ assert_true(data.crossOriginNoCORPFailure, "Cross-origin without CORP did not fail");
+ if (type === "<a rel=noopener>") {
+ assert_false(data.opener, 'opener');
+ } else {
+ assert_true(data.opener, 'opener');
+ }
+ resolve();
+ });
+ });
+ }, `COOP+COEP blob URL popup: ${type}`);
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html.headers
new file mode 100644
index 0000000000..63b60e490f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-blob-popup.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html
new file mode 100644
index 0000000000..714a4b6c42
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html
@@ -0,0 +1,72 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy: a navigating popup</title>
+<meta name=timeout content=long>
+<meta name=variant content=?0-1>
+<meta name=variant content=?2-3>
+<meta name=variant content=?4-last>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/subset-tests.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/common.js"></script>
+<script>
+[
+ {
+ "title": "coop/coep",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": true
+ },
+ {
+ "title": "no coop/coep",
+ "coop": "",
+ "coep": "require-corp",
+ "opener": false
+ },
+ {
+ "title": "coop/no coep",
+ "coop": "same-origin",
+ "coep": "",
+ "opener": false
+ },
+ {
+ "title": "no coop/no coep",
+ "coop": "",
+ "coep": "",
+ "opener": false
+ },
+ {
+ "title": "coop unsafe-none/coep",
+ "coop": "unsafe-none",
+ "coep": "require-corp",
+ "opener": false
+ },
+ {
+ "title": "coop unsafe-none/no coep",
+ "coop": "unsafe-none",
+ "coep": "",
+ "opener": false
+ }
+].forEach((variant, i) => {
+ // Only run specified variants
+ if (!shouldRunSubTest(i)) {
+ return;
+ }
+
+ ["same-origin", "same-site"].forEach(site => {
+ const title = `Popup navigating to ${site} with ${variant.title}`;
+ const channel = title.replace(/ /g,"-");
+ const navigateHost = site === "same-origin" ? SAME_ORIGIN : SAME_SITE;
+ const navigateURL = `${navigateHost.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=${variant.coop}&coep=${variant.coep}&channel=${channel}`;
+ const opener = site === "same-origin" ? variant.opener : false;
+
+ async_test(t => {
+ // For each test we open a COOP: same-origin/COEP: require-corp document in a popup and then
+ // navigate that to either a same-origin (site=="same-origin") or same-site (site=="same-site")
+ // document whose COOP and COEP are set as per the top-most array. We then verify that this
+ // document has the correct opener for its specific setup.
+ url_test(t, `${SAME_ORIGIN.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=same-origin&coep=require-corp&navigate=${encodeURIComponent(navigateURL)}`, channel, opener);
+ }, title);
+ });
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers
new file mode 100644
index 0000000000..63b60e490f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html
new file mode 100644
index 0000000000..83f8f8a33d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html
@@ -0,0 +1,68 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy: redirects</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/common.js"></script>
+<script>
+const coopCOEPPath = new URL("resources/coop-coep.py", window.location).pathname;
+
+[
+ {
+ "title": "coop/coep to coop/coep",
+ "redirectCOOP": "same-origin",
+ "redirectCOEP": "require-corp",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": true
+ },
+ {
+ "title": "coop/coep to no coop/coep",
+ "redirectCOOP": "same-origin",
+ "redirectCOEP": "require-corp",
+ "coop": "",
+ "coep": "require-corp",
+ "opener": false
+ },
+ {
+ "title": "no coop/no coep to coop/coep",
+ "redirectCOOP": "",
+ "redirectCOEP": "",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": false
+ },
+ {
+ "title": "coop/no coep to coop/coep",
+ "redirectCOOP": "same-origin",
+ "redirectCOEP": "",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": false
+ },
+ {
+ "title": "coop unsafe-none/coep to coop/coep",
+ "redirectCOOP": "unsafe-none",
+ "redirectCOEP": "require-corp",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": false
+ },
+ {
+ "title": "coop unsafe-none/coep to coop unsafe-inherit/coep",
+ "redirectCOOP": "unsafe-none",
+ "redirectCOEP": "require-corp",
+ "coop": "unsafe-none",
+ "coep": "require-corp",
+ "opener": false
+ }
+].forEach(variant => {
+ const title = `Redirect from ${variant.title}`;
+ async_test(t => {
+ const channel = title.replace(/ /g,"-");
+ const redirectLocation = `${SAME_ORIGIN.origin}${coopCOEPPath}?coop=${variant.coop}&coep=${variant.coep}&channel=${channel}`;
+ url_test(t, `${SAME_ORIGIN.origin}${coopCOEPPath}?coop=${variant.redirectCOOP}&coep=${variant.redirectCOEP}&redirect=${encodeURIComponent(redirectLocation)}`, channel, variant.opener);
+ }, title);
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html.headers
new file mode 100644
index 0000000000..63b60e490f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-redirect.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html
new file mode 100644
index 0000000000..3f6256bcd2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+[
+ {
+ "title": "popup with coop/coep",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none/coep",
+ "coop": "unsafe-none",
+ "coep": "require-corp",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none without coep",
+ "coop": "unsafe-none",
+ "coep": "",
+ "opener": "severed"
+ },
+ {
+ "title": "popup without coep",
+ "coop": "same-origin",
+ "coep": "",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop: variant.coop, coep: variant.coep }, variant.opener);
+});
+
+test(() => {
+ assert_true(window.crossOriginIsolated);
+}, "Bonus: window.crossOriginIsolated");
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..63b60e490f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-cross-origin.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html
new file mode 100644
index 0000000000..66e7aaf88e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+[
+ {
+ "title": "popup with coop/coep",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none/coep",
+ "coop": "unsafe-none",
+ "coep": "require-corp",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none without coep",
+ "coop": "unsafe-none",
+ "coep": "",
+ "opener": "severed"
+ },
+ {
+ "title": "popup without coep",
+ "coop": "same-origin",
+ "coep": "",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop, coep: variant.coep }, variant.opener);
+});
+
+test(() => {
+ assert_true(window.crossOriginIsolated);
+}, "Bonus: window.crossOriginIsolated");
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..63b60e490f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-origin.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html
new file mode 100644
index 0000000000..abce659790
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+[
+ {
+ "title": "popup with coop/coep",
+ "coop": "same-origin",
+ "coep": "require-corp",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none/coep",
+ "coop": "unsafe-none",
+ "coep": "require-corp",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none without coep",
+ "coop": "unsafe-none",
+ "coep": "",
+ "opener": "severed"
+ },
+ {
+ "title": "popup without coep",
+ "coop": "same-origin",
+ "coep": "",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop, coep: variant.coep }, variant.opener);
+});
+
+test(() => {
+ assert_true(window.crossOriginIsolated);
+}, "Bonus: window.crossOriginIsolated");
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html.headers
new file mode 100644
index 0000000000..63b60e490f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coep-with-same-site.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html
new file mode 100644
index 0000000000..4b94435119
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html
@@ -0,0 +1,59 @@
+<!doctype html>
+<title>Sandboxed Cross-Origin-Opener-Policy popup should result in a network error</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log>
+<script>
+[
+ "allow-popups allow-scripts allow-same-origin",
+ "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+ async_test(t => {
+ const frame = document.createElement("iframe");
+ const channel = new BroadcastChannel(token());
+ channel.onmessage = t.unreached_func("A COOP popup was created from a sandboxed frame");
+ t.add_cleanup(() => frame.remove());
+ frame.sandbox = sandboxValue;
+ frame.srcdoc = `<script>
+ const popup = window.open("resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}");
+ <\/script>`;
+ document.body.append(frame);
+ addEventListener('load', t.step_func(() => {
+ // This uses a timeout to give some time for incorrect implementations to broadcast. A
+ // theoretical testdriver.js API for browsing contexts could be used to speed this up.
+ t.step_timeout(() => {
+ t.done()
+ }, 1500);
+ }));
+ }, `<iframe sandbox="${sandboxValue}"> ${document.title}`);
+});
+
+// Verify that the popup does not have sandboxing flags set
+async_test(t => {
+ const frame = document.createElement("iframe");
+ const channel = new BroadcastChannel(token());
+ channel.onmessage = t.step_func_done();
+ t.add_cleanup(() => frame.remove());
+ frame.sandbox = "allow-popups allow-scripts allow-popups-to-escape-sandbox";
+ frame.srcdoc = `<script>
+window.open("resources/coop-coep.py?coop=same-origin&coep=require-corp&channel=${channel.name}");
+<\/script>`;
+ document.body.append(frame);
+}, `<iframe sandbox="allow-popups allow-scripts allow-popups-to-escape-sandbox"> ${document.title}`);
+
+async_test(t => {
+ const frame = document.createElement("iframe");
+ const channel = new BroadcastChannel(token());
+ frame.sandbox = "allow-scripts allow-same-origin";
+ frame.name = `iframe-${channel.name}`;
+ frame.src = `resources/coop-coep.py?coop=same-origin&coep=require-corp&channel=${channel.name}`;
+ channel.onmessage = t.step_func( event => {
+ const payload = event.data;
+ assert_equals(payload.name, frame.name, "name");
+ t.done();
+ });
+ t.add_cleanup(() => frame.remove());
+ document.body.append(frame);
+}, `Iframe with sandbox and COOP must load.`);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html.headers
new file mode 100644
index 0000000000..4fff9d9fba
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-coep-sandbox.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp \ No newline at end of file
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox-navigate.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox-navigate.https.html
new file mode 100644
index 0000000000..be2d83214a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox-navigate.https.html
@@ -0,0 +1,40 @@
+<!doctype html>
+<title>CSP sandbox popup navigate to Cross-Origin-Opener-Policy document should work</title>
+<meta name="timeout" content="long">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log>
+<script>
+[
+ "allow-popups allow-scripts allow-same-origin",
+ "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+ async_test(t => {
+ const channel = new BroadcastChannel(token());
+ let popup;
+ channel.onmessage = t.step_func_done(e => {
+ assert_equals(e.data.name, '', 'e.data.name');
+ assert_false(e.data.opener, 'e.data.opener');
+ // `popup` is still the WindowProxy that holds the CSP sandbox document, not the
+ // after-navigation COOP document. The CSP sandbox only applies to the before navigation
+ // document/window.
+ assert_true(popup.closed, 'popup.closed');
+ // Same-origin check (with the CSP sandbox document) should not throw when 'allow-same-origin'
+ if (sandboxValue.includes('allow-same-origin')) {
+ assert_true(!!popup.document, 'same-origin check');
+ } else {
+ assert_throws_dom("SecurityError", () => { popup.document; }, 'same-origin check');
+ }
+ });
+ const navigateTo = `/html/cross-origin-opener-policy/resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}`;
+ popup = window.open(`resources/csp-sandbox.py?coop=&coep=&sandbox=${sandboxValue}&channel=&navigate=${encodeURIComponent(navigateTo)}`, sandboxValue.replace(/ /g, '_'));
+ t.add_cleanup(() => { popup.close(); });
+ addEventListener('load', t.step_func(() => {
+ t.step_timeout(() => {
+ assert_unreached('Navigation from CSP sandbox to COOP document failed')
+ }, 10000);
+ }));
+ }, `CSP: sandbox ${sandboxValue}; ${document.title}`);
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox.https.html
new file mode 100644
index 0000000000..259d484df2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-csp-sandbox.https.html
@@ -0,0 +1,24 @@
+<!doctype html>
+<title>CSP sandboxed Cross-Origin-Opener-Policy popup should result in a network error</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log>
+<script>
+[
+ "allow-popups allow-scripts allow-same-origin",
+ "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+ async_test(t => {
+ const channel = new BroadcastChannel(token());
+ channel.onmessage = t.unreached_func("A COOP popup was created from a CSP-sandboxed popup");
+ const popup = window.open(`resources/csp-sandbox.py?coop=same-origin&coep=&sandbox=${sandboxValue}&channel=${channel.name}`);
+ t.add_cleanup(() => { popup.close(); });
+ addEventListener('load', t.step_func(() => {
+ t.step_timeout(() => {
+ t.done()
+ }, 1500);
+ }));
+ }, `CSP: sandbox ${sandboxValue}; ${document.title}`);
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html
new file mode 100644
index 0000000000..83113de376
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html
@@ -0,0 +1,63 @@
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="./resources/common.js"></script>
+<script>
+
+const executor_path = '/common/dispatcher/executor.html?pipe=';
+
+const https_origin = get_host_info().HTTPS_ORIGIN;
+const coop_same_origin =
+ '|header(Cross-Origin-Opener-Policy,same-origin)';
+const csp_sandbox =
+ '|header(Content-Security-Policy, sandbox allow-scripts)';
+
+promise_test(async test => {
+ const driver_token = token();
+
+ // 1. Start from a COOP:same-origin document.
+ const opener_token = token();
+ const opener_url = https_origin + executor_path + coop_same_origin +
+ `&uuid=${opener_token}`;
+ const w = window.open(opener_url);
+ add_completion_callback(() => w.close());
+
+ // 2. It opens a popups, and then navigates the popup toward a same-origin
+ // COOP:same-origin document with CSP:sandbox
+ const openee_token = token();
+ const openee_url = https_origin + executor_path + coop_same_origin +
+ csp_sandbox + `&uuid=${openee_token}`;
+ send(opener_token, `
+ openee = window.open("${openee_url}");
+ `);
+ add_completion_callback(() => send(openee_token, "close()"));
+
+ // Because of CSP:sandbox, the popup is not considered same-origin with
+ // its openee. Check the openee/opener relationship is now closed.
+ send(openee_token, `
+ if (opener)
+ send("${driver_token}", "Error: have opener");
+ else
+ send("${driver_token}", "Success: no opener");
+ `);
+ assert_equals(await receive(driver_token), "Success: no opener");
+
+ // Technically, the opener's "openee" WindowProxy should appear as closed at
+ // this time. The popup loaded a new document, and at least two fetch requests
+ // were made. This is more than enough. However, in theory, there is nothing
+ // to guarantee we can observe "openee.close". Wait a bit to ensure this will
+ // never flake.
+ await new Promise(r => test.step_timeout(r, 1000));
+
+ send(opener_token, `
+ if (openee.closed)
+ send("${driver_token}", "Success: openee closed");
+ else
+ send("${driver_token}", "Error: can still access openee");
+ `);
+ assert_equals(await receive(driver_token), "Success: openee closed");
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-history-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-history-popup.https.html
new file mode 100644
index 0000000000..a061be992c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-history-popup.https.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy: a navigating popup that then goes back in history</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/common.js"></script>
+<script>
+const title = `Popup navigating to other origin with COOP: same-origin and back in history`;
+const channel = title.replace(/ /g,"-");
+const opener = false;
+const openerDOMAccess = false;
+const navigateURL = `${CROSS_ORIGIN.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=same-origin&coep=&navHistory=-1`;
+
+async_test(t => {
+ url_test(t, `${SAME_ORIGIN.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=&coep=&navigate=${encodeURIComponent(navigateURL)}&avoidBackAndForth=1&channel=${channel}`, channel, opener, openerDOMAccess);
+}, title);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html
new file mode 100644
index 0000000000..ef610a488f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html
@@ -0,0 +1,37 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy: a navigated popup</title>
+<!-- In particular this is different from coep-navigate-popup.https.html as this document initiates
+ the navigation (and uses same-origin-allow-popups and no COEP as without that it cannot be
+ observed). COOP should work identically, but implementations might have used the wrong
+ authority. -->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<script>
+async_test(t => {
+ const noCOOP = "/common/blank.html";
+ const popupName = token();
+ const popup = window.open(noCOOP, popupName);
+ const channel = new BroadcastChannel(token());
+ // Close the popup once the test is complete.
+ // The browsing context is closed after the navigation hence use the broadcast channel
+ // to trigger the closure.
+ t.add_cleanup(() => {
+ channel.postMessage("close");
+ });
+ popup.onload = t.step_func(() => {
+ assert_equals(popup.name, popupName);
+ assert_equals(new URL(popup.document.URL).pathname, noCOOP);
+ channel.onmessage = t.step_func_done(event => {
+ const payload = event.data;
+ // The name should be empty, but we're checking the length rather than a
+ // string comparison to "" to keep the random token out of error messages.
+ assert_equals(payload.name.length, 0);
+ assert_false(payload.opener);
+ assert_true(popup.closed);
+ });
+ const coop = `resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}`;
+ popup.location = coop;
+ });
+}, "Open a popup to a document without COOP, then navigate it to a document with");
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-navigated-popup.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html
new file mode 100644
index 0000000000..a6c63654a9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html
@@ -0,0 +1,84 @@
+<!doctype html>
+<title>
+ Cross-Origin-Opener-Policy: opener is lost because the opener navigates.
+</title>
+<!--
+ COOP tests usually assume that the opener is lost because it navigated to a
+ page that triggered a browsing context group swap. It can also happen when
+ the opener navigates instead. This test verifies the behavior.
+-->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script>
+
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const coop_same_origin_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin)';
+const coop_unsafe_none_header =
+ '|header(Cross-Origin-Opener-Policy,unsafe-none)';
+
+function getExecutorPath(uuid, origin, coop_header) {
+ return origin.origin + executor_path + coop_header + `&uuid=${uuid}`;
+}
+
+// Note: Because we can not navigate the main page to verify the behavior,
+// we instead create another layer of popup, and navigate the intermediate
+// one. We can verify the opener behavior from this page, and the openee
+// behavior from the second popup.
+promise_test(async t => {
+ // Set up dispatcher communications.
+ const first_popup_token = token();
+ const post_navigate_first_popup_token = token();
+ const second_popup_token = token();
+ const reply_token = token();
+
+ const first_popup_url = getExecutorPath(
+ first_popup_token,
+ SAME_ORIGIN,
+ coop_same_origin_header);
+
+ const post_navigate_first_popup_url = getExecutorPath(
+ post_navigate_first_popup_token,
+ SAME_ORIGIN,
+ coop_unsafe_none_header);
+
+ const second_popup_url = getExecutorPath(
+ second_popup_token,
+ SAME_ORIGIN,
+ coop_same_origin_header);
+
+ // We open the first popup and then ping it, it will respond after loading.
+ const first_popup = window.open(first_popup_url);
+ send(first_popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), "Popup loaded");
+
+ // We open the second popup and the ping it, it will respond after loading.
+ send(first_popup_token,
+ `opener.second_popup_url = window.open('${second_popup_url}');`);
+ send(second_popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), "Popup loaded");
+
+ // Both popups are now loaded. We navigate the middle one to a page that
+ // does not have COOP, this should trigger a browsing context group swap.
+ send(first_popup_token, `location.href = '${post_navigate_first_popup_url}'`);
+ send(post_navigate_first_popup_token,
+ `send('${reply_token}', 'Popup navigated');`);
+ assert_equals(await receive(reply_token), "Popup navigated");
+
+ // Give some time for things to settle across processes etc. before
+ // proceeding with verifications.
+ await new Promise((resolve, reject) => { t.step_timeout(resolve, 1500); });
+
+ // The reference held by the main page to the first popup should be closed.
+ assert_equals(first_popup.closed, true);
+
+ // The second popup, opened by the first one should have its opener unset.
+ send(second_popup_token, `send('${reply_token}', opener);`);
+ assert_equals(await receive(reply_token), "");
+
+}, "Verify that having the opener navigate instead of the openee also triggers COOP swaps.");
+ </script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-popup-opener-navigates.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-same-origin-allow-popups-document-write.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-same-origin-allow-popups-document-write.html
new file mode 100644
index 0000000000..82dd4541b6
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-same-origin-allow-popups-document-write.html
@@ -0,0 +1,62 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script>
+
+/*
+ Regression test for: https://crbug.com/1216244
+ From a window using Cross-Origin-Opener-Policy:same-origin-allow-popup, open
+ a new blank window and navigate it cross-origin using document.write and a
+ meta refresh. The openee/opener relationship must hold.
+*/
+
+const executor_path = '/common/dispatcher/executor.html?pipe=';
+const coep_soap =
+ "|header(Cross-Origin-Opener-Policy,same-origin-allow-popups)";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+promise_test(async t => {
+ // This window:
+ const this_window_token = token();
+
+ // The opener, using COEP:same-origin-allow-popups:
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + coep_soap +
+ `&uuid=${opener_token}`;
+ const opener = window.open(opener_url);
+
+ // Open a blank window, then use document.write and a meta refresh to navigate
+ // cross-origin.
+ const openee_token = token();
+ const openee_url = cross_origin + executor_path + `&uuid=${openee_token}`;
+ send(opener_token, `
+ openee = window.open();
+ openee.document.write(\`
+ <meta http-equiv="refresh" content="0; url=${openee_url}">
+ \`);
+ openee.document.close();
+ `);
+
+ // Check the openee is loaded without access to the opener.
+ send(openee_token, `
+ send("${this_window_token}", opener == null)
+ `);
+ assert_equals(await receive(this_window_token), "true", "opener == null");
+
+ // To get the state of the openee reflected into the opener's process, waiting
+ // for the openee' document to load and the various fetch() with the
+ // dispatcher should be largely enough. However these aren't causal guarantee.
+ // So wait a bit to be sure:
+ await new Promise(r => t.step_timeout(r, 1000));
+
+ // Check the opener see the openee as 'closed' after the navigation.
+ send(opener_token, `
+ send("${this_window_token}", openee.closed)
+ `);
+ assert_equals(await receive(this_window_token), "true", "openee.closed");
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html
new file mode 100644
index 0000000000..47e6d0d6fe
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html
@@ -0,0 +1,66 @@
+<!doctype html>
+<title>
+ Sandboxed Cross-Origin-Opener-Policy popup should cut the opener if necessary
+</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<body>
+<script>
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const coop_same_origin_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin)';
+const coop_unsafe_none_header =
+ '|header(Cross-Origin-Opener-Policy,unsafe-none)';
+
+function getExecutorPath(uuid, origin, coop_header) {
+ return origin.origin + executor_path + coop_header + `&uuid=${uuid}`;
+}
+
+[
+ "allow-popups allow-scripts allow-same-origin",
+ "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+ async_test(t => {
+ // Set up dispatcher communications.
+ const iframe_token = token();
+ const popup_token = token();
+ const main_frame_token_for_popup = token();
+ const main_frame_token_for_iframe = token();
+
+ // Create a sandboxed iframe.
+ const iframe = document.createElement("iframe");
+ iframe.sandbox = sandboxValue;
+ iframe.src = getExecutorPath(iframe_token, SAME_ORIGIN,
+ coop_unsafe_none_header);
+ document.body.append(iframe);
+ t.add_cleanup(() => iframe.remove());
+
+ // Open a COOP popup from the sandboxed iframe.
+ const popup_url = getExecutorPath(popup_token,
+ SAME_ORIGIN,
+ coop_same_origin_header);
+ send(iframe_token, `window.popup = window.open('${popup_url}')`);
+
+ // This should fail. We ping the popup, if we get an answer it loaded.
+ send(popup_token, `
+ send('${main_frame_token_for_popup}', 'Popup loaded');
+ `);
+ receive(main_frame_token_for_popup)
+ .then(t.unreached_func("A COOP popup was created from a sandboxed frame"));
+
+ // We delay probing the popup.closed property to give it time to settle.
+ t.step_timeout(() => {
+ send(iframe_token,
+ `send('${main_frame_token_for_iframe}', window.popup.closed);`);
+ }, 1500);
+ receive(main_frame_token_for_iframe)
+ .then(t.step_func_done(data => assert_equals(data, "true")));
+
+ }, `<iframe sandbox="${sandboxValue}"> ${document.title}`);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-redirects-cuts-opener.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-redirects-cuts-opener.https.html
new file mode 100644
index 0000000000..01f60b425d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox-redirects-cuts-opener.https.html
@@ -0,0 +1,68 @@
+<!doctype html>
+<title>
+ Sandboxed Cross-Origin-Opener-Policy popup should cut the opener if necessary
+ including during redirects.
+</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<body>
+<script>
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const coop_same_origin_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin)';
+const coop_unsafe_none_header =
+ '|header(Cross-Origin-Opener-Policy,unsafe-none)';
+
+function getExecutorPath(uuid, origin) {
+ return origin.origin + executor_path + `&uuid=${uuid}`;
+}
+
+[
+ "allow-popups allow-scripts allow-same-origin",
+ "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+ async_test(t => {
+ // Set up dispatcher communications.
+ const iframe_token = token();
+ const popup_token = token();
+ const main_frame_token_for_popup = token();
+ const main_frame_token_for_iframe = token();
+
+ // Create a sandboxed iframe.
+ const iframe = document.createElement("iframe");
+ iframe.sandbox = sandboxValue;
+ iframe.src = getExecutorPath(iframe_token, SAME_ORIGIN);
+ document.body.append(iframe);
+ t.add_cleanup(() => iframe.remove());
+
+ // Open a COOP popup from the sandboxed iframe.
+ // Instead of navigating directly we go through a redirect.
+ const popup_url = getExecutorPath(popup_token, SAME_ORIGIN);
+ const redirect_url = SAME_ORIGIN.origin + "/common/redirect.py?pipe=" +
+ coop_same_origin_header + "&location=" +
+ encodeURIComponent(popup_url);
+ send(iframe_token, `window.popup = window.open('${redirect_url}')`);
+
+ // This should fail. We ping the popup, if we get an answer it loaded.
+ send(popup_token, `
+ send('${main_frame_token_for_popup}', 'Popup loaded');
+ `);
+ receive(main_frame_token_for_popup)
+ .then(t.unreached_func("A COOP popup was created from a sandboxed frame"));
+
+ // We delay probing the popup.closed property to give it time to settle.
+ t.step_timeout(() => {
+ send(iframe_token,
+ `send('${main_frame_token_for_iframe}', window.popup.closed);`);
+ }, 1500);
+ receive(main_frame_token_for_iframe)
+ .then(t.step_func_done(data => assert_equals(data, "true")));
+
+ }, `<iframe sandbox="${sandboxValue}"> ${document.title}`);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html
new file mode 100644
index 0000000000..6f250c1b09
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html
@@ -0,0 +1,59 @@
+<!doctype html>
+<title>Sandboxed Cross-Origin-Opener-Policy popup should result in a network error</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log>
+<script>
+[
+ "allow-popups allow-scripts allow-same-origin",
+ "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+ async_test(t => {
+ const frame = document.createElement("iframe");
+ const channel = new BroadcastChannel(token());
+ channel.onmessage = t.unreached_func("A COOP popup was created from a sandboxed frame");
+ t.add_cleanup(() => frame.remove());
+ frame.sandbox = sandboxValue;
+ frame.srcdoc = `<script>
+ const popup = window.open("resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}");
+ <\/script>`;
+ document.body.append(frame);
+ addEventListener('load', t.step_func(() => {
+ // This uses a timeout to give some time for incorrect implementations to broadcast. A
+ // theoretical testdriver.js API for browsing contexts could be used to speed this up.
+ t.step_timeout(() => {
+ t.done()
+ }, 1500);
+ }));
+ }, `<iframe sandbox="${sandboxValue}"> ${document.title}`);
+});
+
+// Verify that the popup does not have sandboxing flags set
+async_test(t => {
+ const frame = document.createElement("iframe");
+ const channel = new BroadcastChannel(token());
+ channel.onmessage = t.step_func_done();
+ t.add_cleanup(() => frame.remove());
+ frame.sandbox = "allow-popups allow-scripts allow-popups-to-escape-sandbox";
+ frame.srcdoc = `<script>
+window.open("resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}");
+<\/script>`;
+ document.body.append(frame);
+}, `<iframe sandbox="allow-popups allow-scripts allow-popups-to-escape-sandbox"> ${document.title}`);
+
+async_test(t => {
+ const frame = document.createElement("iframe");
+ const channel = new BroadcastChannel(token());
+ frame.sandbox = "allow-scripts allow-same-origin";
+ frame.name = `iframe-${channel.name}`;
+ frame.src = `resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}`;
+ channel.onmessage = t.step_func( event => {
+ const payload = event.data;
+ assert_equals(payload.name, frame.name, "name");
+ t.done();
+ });
+ t.add_cleanup(() => frame.remove());
+ document.body.append(frame);
+}, `Iframe with sandbox and COOP must load.`);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/coop-sandbox.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-failures.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-failures.https.html
new file mode 100644
index 0000000000..55b126ff37
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-failures.https.html
@@ -0,0 +1,90 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-4">
+<meta name="variant" content="?5-8">
+<meta name="variant" content="?9-12">
+<meta name="variant" content="?12-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/subset-tests.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ // None of the following should be recognized as "same-origin" (hence the
+ // preserved opener).
+ {
+ "title": "coop with semi-column",
+ "coop": "same-origin;",
+ },
+ {
+ "title": "coop with vertical tab",
+ "coop": "\u000bsame-origin\u000b",
+ },
+ {
+ "title": "coop with form feed",
+ "coop": "\u000csame-origin\u000c",
+ },
+ {
+ "title": "coop with carriage return",
+ "coop": "\u000dsame-origin\u000d",
+ },
+ {
+ "title": "coop with capital letter",
+ "coop": "Same-origin",
+ },
+ {
+ "title": "coop with bad structured header 1",
+ "coop": "same-origin;\tfoo=bar",
+ },
+ {
+ "title": "coop with bad structured header 2",
+ "coop": "same-origin ;foo=bar",
+ },
+ {
+ "title": "coop with bad structured header 3",
+ "coop": "same-origin; foo=bar;",
+ },
+ {
+ "title": "coop as a structured header 'string' item",
+ "coop": "\"same-origin\"",
+ },
+ {
+ "title": "coop as a structured header 'byte sequence' item",
+ "coop": ":c2FtZS1vcmlnaW4=:",
+ },
+ {
+ "title": "coop as a structured header 'boolean' item",
+ "coop": "?1",
+ },
+ {
+ "title": "coop as a structured header 'integer or decimal' item",
+ "coop": "1",
+ },
+ {
+ "title": "coop as an unrecognized structured header type",
+ "coop": "$same-origin",
+ },
+ {
+ "title": "coop with duplicate value",
+ "coop": "same-origin same-origin",
+ },
+ {
+ // Note: comma must be escaped here to not mess with the WPT pipe function.
+ "title": "coop with duplicate value, separated by a comma",
+ "coop": "same-origin\\,same-origin",
+ },
+ {
+ "title": "coop with preceding asterisk character",
+ "coop": "*same-origin ",
+ }
+].forEach(variant => {
+ subsetTest(popup_test, `Parsing ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, "preserved");
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html
new file mode 100644
index 0000000000..b5f20f88f4
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html
@@ -0,0 +1,17 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+ popup_test(
+ `Simple document with non-ascii COOP header opening a same-origin popup`,
+ SAME_ORIGIN,
+ "unsafe-none",
+ "preserved");
+</script>
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html.headers
new file mode 100644
index 0000000000..54e44a7113
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-non-ascii.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same%FForigin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html
new file mode 100644
index 0000000000..a1430cbf57
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html
@@ -0,0 +1,16 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+ popup_test(
+ `Simple document with duplicated COOP header opening a same-origin popup`,
+ SAME_ORIGIN,
+ "unsafe-none",
+ "preserved");
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html.headers
new file mode 100644
index 0000000000..85c58be8a1
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-repeated.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-successes.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-successes.https.html
new file mode 100644
index 0000000000..8e055669ad
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/header-parsing-successes.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ // All of the following should be recognized as "same-origin" (hence the
+ // severed opener link).
+ {
+ "title": "coop with leading space",
+ "coop": " same-origin",
+ },
+ {
+ "title": "coop with trailing space",
+ "coop": "same-origin ",
+ },
+ {
+ "title": "coop with leading tab",
+ "coop": "\tsame-origin",
+ },
+ {
+ "title": "coop with trailing tab",
+ "coop": "same-origin\t",
+ },
+ {
+ "title": "coop with duplicate value, separated by semi-column",
+ "coop": "same-origin;same-origin",
+ },
+ {
+ "title": "coop with valid structured header",
+ "coop": "same-origin; foo=bar",
+ }
+].forEach(variant => {
+ popup_test(`Parsing ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, "severed");
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/coep-navigate-popup-unsafe-inherit.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/coep-navigate-popup-unsafe-inherit.https.html
new file mode 100644
index 0000000000..8368dc4c81
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/coep-navigate-popup-unsafe-inherit.https.html
@@ -0,0 +1,40 @@
+<!doctype html>
+<title>Historical: Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy: a navigating popup</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="../resources/common.js"></script>
+<script src="/common/subset-tests.js"></script>
+<script>
+[
+ {
+ "title": "coop unsafe-inherit/coep",
+ "coop": "unsafe-inherit", // historical value, equivalent to "unsafe-none"
+ "coep": "require-corp",
+ "opener": false
+ },
+ {
+ "title": "coop unsafe-inherit/no coep",
+ "coop": "unsafe-inherit", // historical value, equivalent to "unsafe-none"
+ "coep": "",
+ "opener": false
+ }
+].forEach((variant) => {
+ ["same-origin", "same-site"].forEach((site) => {
+ const title = `Popup navigating to ${site} with ${variant.title}`;
+ const channel = title.replace(/ /g,"-");
+ const navigateHost = site === "same-origin" ? SAME_ORIGIN : SAME_SITE;
+ const navigateURL = `${navigateHost.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=${variant.coop}&coep=${variant.coep}&channel=${channel}`;
+ const opener = site === "same-origin" ? variant.opener : false;
+
+ async_test(t => {
+ // For each test we open a COOP: same-origin/COEP: require-corp document in a popup and then
+ // navigate that to either a document with same origin (site=="same-origin") or
+ // not-same-origin (site=="same-site") whose COOP and COEP are set as per the top-most array.
+ // We then verify that this document has the correct opener for its specific setup.
+ url_test(t, `${SAME_ORIGIN.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=same-origin&coep=require-corp&navigate=${encodeURIComponent(navigateURL)}`, channel, opener);
+ }, title);
+ });
+});
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html
new file mode 100644
index 0000000000..21e0875f41
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..a19f4400ce
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin unsafe-allow-outgoing
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html
new file mode 100644
index 0000000000..89b0b4934e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..a19f4400ce
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin unsafe-allow-outgoing
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html
new file mode 100644
index 0000000000..fb3330365f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html.headers
new file mode 100644
index 0000000000..a19f4400ce
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin unsafe-allow-outgoing
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html
new file mode 100644
index 0000000000..21e0875f41
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..ab7b289481
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-site unsafe-allow-outgoing
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html
new file mode 100644
index 0000000000..89b0b4934e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..ab7b289481
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-site unsafe-allow-outgoing
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html
new file mode 100644
index 0000000000..fb3330365f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html.headers
new file mode 100644
index 0000000000..ab7b289481
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-site unsafe-allow-outgoing
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html
new file mode 100644
index 0000000000..21e0875f41
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..34bd099a30
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-site
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html
new file mode 100644
index 0000000000..89b0b4934e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..34bd099a30
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-site
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html
new file mode 100644
index 0000000000..fb3330365f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/common.js"></script>
+<script src="../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html.headers
new file mode 100644
index 0000000000..34bd099a30
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-site
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html
new file mode 100644
index 0000000000..099424790a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html
@@ -0,0 +1,88 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="resources/common.js"></script>
+<script src="resources/iframe-test.js"></script>
+
+<body>
+<script>
+// This document has COOP: same-origin-allow-popups. The popup has COOP:
+// same-origin-allow-popups. Therefore there should only be an opener and name
+// if the frameOrigin and popupOrigin are same-origin with this document.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: same-origin-allow-popups to popup COOP: same-origin-allow-popups via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'same-origin-allow-popups' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html
new file mode 100644
index 0000000000..34699c8d08
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html
@@ -0,0 +1,86 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="resources/common.js"></script>
+<script src="resources/iframe-test.js"></script>
+
+<body>
+<script>
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: same-origin-allow-popups to popup COOP: same-origin via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'same-origin' },
+ variant.opener);
+});
+</script>
+</body>
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html
new file mode 100644
index 0000000000..29fb5cfa2d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html
@@ -0,0 +1,85 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="resources/common.js"></script>
+<script src="resources/iframe-test.js"></script>
+
+<body>
+<script>
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "preserved"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "preserved"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "preserved"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: same-origin-allow-popups to popup COOP: unsafe-none via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'unsafe-none' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-unsafe-none.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html
new file mode 100644
index 0000000000..7d31256584
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html
@@ -0,0 +1,88 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="resources/common.js"></script>
+<script src="resources/iframe-test.js"></script>
+
+<body>
+<script>
+
+// This document has COOP "same-origin". The popup has COOP "same-origin". Therefore there should
+// only be an opener and name if the frameOrigin and popupOrigin are same-origin with this document.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "noopener"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "noopener"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "noopener"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "noopener"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "noopener"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "noopener"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: same-origin to popup COOP: same-origin via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'same-origin' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html
new file mode 100644
index 0000000000..847f75665b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html
@@ -0,0 +1,87 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="resources/common.js"></script>
+<script src="resources/iframe-test.js"></script>
+
+<body>
+<script>
+// This document has COOP: same-origin. The popup has no COOP. Therefore there
+// should be no opener or name.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "noopener"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "noopener"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "noopener"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "noopener"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "noopener"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "noopener"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: same-origin to popup COOP: unsafe-none via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'unsafe-none' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html
new file mode 100644
index 0000000000..8158b9f4d5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html
@@ -0,0 +1,87 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="resources/common.js"></script>
+<script src="resources/iframe-test.js"></script>
+
+<body>
+<script>
+// This document has COOP: unsafe-none. The popup has COOP: same-origin.
+// Therefore there should be no opener or name.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: unsafe-none to popup COOP: same-origin via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'same-origin' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html.headers
new file mode 100644
index 0000000000..073ce7adfb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: unsafe-none
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html
new file mode 100644
index 0000000000..74ceeb290d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html
@@ -0,0 +1,85 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="resources/common.js"></script>
+<script src="resources/iframe-test.js"></script>
+
+<body>
+<script>
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "preserved"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "preserved"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "preserved"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: unsafe-none to popup COOP: unsafe-none via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'unsafe-none' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html.headers
new file mode 100644
index 0000000000..073ce7adfb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-unsafe-none.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: unsafe-none
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/javascript-url.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/javascript-url.https.html
new file mode 100644
index 0000000000..8ebb3ccd4a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/javascript-url.https.html
@@ -0,0 +1,199 @@
+<!DOCTYPE html>
+<title>Cross-Origin-Opener-Policy and a "javascript:" URL popup</title>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-10">
+<meta name="variant" content="?11-12">
+<meta name="variant" content="?13-14">
+<meta name="variant" content="?15-16">
+<meta name="variant" content="?17-last">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/subset-tests.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+
+<p>According to HTML's navigate algorithm, requests to <code>javascript:</code>
+URLs should inherit the cross-origin opener policy of the active document. To
+observe this, each subtest uses the following procedure.</p>
+
+<ol>
+ <li>create popup with a given COOP (the <code>parentCOOP</code>)</li>
+ <li>navigate the popup to a <code>javascript:</code> URL (the new document is
+ expected to inherit the <code>parentCOOP</code>)</li>
+ <li>from the popup, create a second popup window with a given COOP (the
+ <code>childCOOP</code>)</li>
+</ol>
+
+<p>Both popup windows inspect state and report back to the test.</p>
+
+<pre>
+ .---- test ----.
+ | open(https:) |
+ | parentCOOP | .----- subject -------.
+ | '---------> | --------. |
+ | | | v |
+ | | | assign(javascript:) |
+ | | | (COOP under test) |
+ | | | | |
+ | | | open(https:) |
+ | | | childCOOP | .- child -.
+ | | | '--------------> | |
+ | | '---------------------' '---------'
+ | | | |
+ | validate | <--status---+---------------------'
+ '--------------'
+</pre>
+
+<script>
+'use strict';
+
+function getExecutorPath(uuid, origin, coopHeader) {
+ const executorPath = '/common/dispatcher/executor.html?';
+ const coopHeaderPipe =
+ `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(coopHeader)})`;
+ return origin + executorPath + `uuid=${uuid}` + '&pipe=' + coopHeaderPipe;
+}
+
+function assert_isolated(results) {
+ assert_equals(results.childName, '', 'child name');
+ assert_false(results.childOpener, 'child opener');
+ // The test subject's reference to the "child" window must report "closed"
+ // when COOP enforces isolation because the document initially created during
+ // the window open steps must be discarded when a new document object is
+ // created at the end of the navigation.
+ assert_true(results.childClosed, 'child closed');
+}
+
+function assert_not_isolated(results, expectedName) {
+ assert_equals(results.childName, expectedName, 'child name');
+ assert_true(results.childOpener, 'child opener');
+ assert_false(results.childClosed, 'child closed');
+}
+
+async function javascript_url_test(parentCOOP, childCOOP, origin, resultsVerification) {
+ promise_test(async t => {
+ const parentToken = token();
+ const childToken = token();
+ const responseToken = token();
+
+ const parentURL = getExecutorPath(
+ parentToken,
+ SAME_ORIGIN.origin,
+ parentCOOP);
+ const childURL = getExecutorPath(
+ childToken,
+ origin.origin,
+ childCOOP);
+
+ // Open a first popup, referred to as the parent popup, and wait for it to
+ // load.
+ window.open(parentURL);
+ send(parentToken, `send('${responseToken}', 'Done loading');`);
+ assert_equals(await receive(responseToken), 'Done loading');
+
+ // Make sure the parent popup is removed once the test has run, keeping a
+ // clean state.
+ add_completion_callback(() => {
+ send(parentToken, 'close');
+ });
+
+ // Navigate the popup to the javascript URL. It should inherit the current
+ // document's COOP. Because we're navigating to a page that is not an
+ // executor, we lose access to easy messaging, making things a bit more
+ // complicated. We use a predetermined scenario of communication that
+ // enables us to retrieve whether the child popup appears closed from the
+ // parent popup.
+ //
+ // Notes:
+ // - Splitting the script tag prevents HTML parsing to kick in.
+ // - The innermost double quotes need a triple backslash, because it goes
+ // through two rounds of consuming escape characters (\\\" -> \" -> ").
+ // - The javascript URL does not accept \n characters so we need to use
+ // a new template literal for each line.
+ send(parentToken,
+ `location.assign("javascript:'` +
+ // Include dispatcher.js to have access to send() and receive().
+ `<script src=\\\"/common/dispatcher/dispatcher.js\\\"></scr` + `ipt>` +
+ `<script> (async () => {` +
+
+ // Open the child popup and keep a handle to it.
+ `const w = open(\\\"${childURL}\\\", \\\"${childToken}\\\");` +
+
+ // We wait for the main frame to query the w.closed property.
+ `await receive(\\\"${parentToken}\\\");` +
+ `send(\\\"${responseToken}\\\", w.closed);` +
+
+ // Finally we wait for the cleanup indicating that this popup can be
+ // closed.
+ `await receive(\\\"${parentToken}\\\");` +
+ `close();` +
+ `})()</scr` + `ipt>'");`
+ );
+
+ // Make sure the javascript navigation ran, and the child popup was created.
+ send(childToken, `send('${responseToken}', 'Done loading');`);
+ assert_equals(await receive(responseToken), 'Done loading');
+
+ // Make sure the child popup is removed once the test has run, keeping a
+ // clean state.
+ add_completion_callback(() => {
+ send(childToken, `close()`);
+ });
+
+ // Give some time for things to settle across processes etc. before
+ // proceeding with verifications.
+ await new Promise(resolve => { t.step_timeout(resolve, 500); });
+
+ // Gather information about the child popup and verify that they match what
+ // we expect.
+ const results = {};
+ send(parentToken, 'query');
+ results.childClosed = await receive(responseToken) === 'true';
+
+ send(childToken, `send('${responseToken}', opener != null);`);
+ results.childOpener = await receive(responseToken) === 'true';
+
+ send(childToken, `send('${responseToken}', name);`);
+ results.childName = await receive(responseToken);
+
+ resultsVerification(results, childToken);
+ }, `navigation: ${origin.name}; ` + `parentCOOP: ${parentCOOP}; ` +
+ `childCOOP: ${childCOOP}`);
+}
+
+const tests = [
+ ['unsafe-none', 'unsafe-none', SAME_ORIGIN, assert_not_isolated],
+ ['unsafe-none', 'unsafe-none', SAME_SITE, assert_not_isolated],
+ ['unsafe-none', 'same-origin-allow-popups', SAME_ORIGIN, assert_isolated],
+ ['unsafe-none', 'same-origin-allow-popups', SAME_SITE, assert_isolated],
+ ['unsafe-none', 'same-origin', SAME_ORIGIN, assert_isolated],
+ ['unsafe-none', 'same-origin', SAME_SITE, assert_isolated],
+ ['same-origin-allow-popups', 'unsafe-none', SAME_ORIGIN, assert_not_isolated],
+ ['same-origin-allow-popups', 'unsafe-none', SAME_SITE, assert_not_isolated],
+ ['same-origin-allow-popups', 'same-origin-allow-popups', SAME_ORIGIN, assert_not_isolated],
+ ['same-origin-allow-popups', 'same-origin-allow-popups', SAME_SITE, assert_isolated],
+ ['same-origin-allow-popups', 'same-origin', SAME_ORIGIN, assert_isolated],
+ ['same-origin-allow-popups', 'same-origin', SAME_SITE, assert_isolated],
+ ['same-origin', 'unsafe-none', SAME_ORIGIN, assert_isolated],
+ ['same-origin', 'unsafe-none', SAME_SITE, assert_isolated],
+ ['same-origin', 'same-origin-allow-popups', SAME_ORIGIN, assert_isolated],
+ ['same-origin', 'same-origin-allow-popups', SAME_SITE, assert_isolated],
+ ['same-origin', 'same-origin', SAME_ORIGIN, assert_not_isolated],
+ ['same-origin', 'same-origin', SAME_SITE, assert_isolated],
+].forEach(([parentCOOP, childCOOP, origin, expectation]) => {
+ subsetTest(
+ javascript_url_test,
+ parentCOOP,
+ childCOOP,
+ origin,
+ expectation);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/navigate-to-aboutblank.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/navigate-to-aboutblank.https.html
new file mode 100644
index 0000000000..b2145cfa56
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/navigate-to-aboutblank.https.html
@@ -0,0 +1,193 @@
+<title>
+ This tests the inheritance of COOP for navigations to about:blank.
+</title>
+<meta name=timeout content=long>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+
+<p>Non-initial empty documents (about:blank) should inherit their
+ cross-origin-opener-policy from the navigation's initiator top level document,
+ if the initiator and its top level document are same-origin, or default
+ (unsafe-none) otherwise.
+</p>
+
+<ol>
+ <li>Create the opener popup with a given COOP <code>openerCOOP</code>.</li>
+ <li>Add iframe to the opener popup that is either same-origin or
+ cross-origin.
+ </li>
+ <li>Opener's iframe opens a new window, to a network document with <code>openeeCOOP</code>.</li>
+ <li>Opener's iframe navigates the openee popup to about:blank.</li>
+</ol>
+
+<script>
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const coop_same_origin_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin)';
+const coep_require_corp_header =
+ '|header(Cross-Origin-Embedder-Policy,require-corp)';
+const coop_same_origin_plus_coep_header =
+ coop_same_origin_header + coep_require_corp_header;
+const coop_same_origin_allow_popups_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin-allow-popups)';
+const coop_unsafe_none_header =
+ '|header(Cross-Origin-Opener-Policy,unsafe-none)';
+
+function navigateToAboutBlankTest(
+ opener_COOP_header,
+ iframe_origin,
+ openee_COOP_header,
+ openee_origin,
+ iframe_header,
+ expect_openee_closed
+){
+ return promise_test(async t => {
+ const this_window_token = token();
+ const opener_token = token();
+ const openee_token = token();
+ const iframe_token = token();
+
+ const opener_url = same_origin + executor_path + opener_COOP_header +
+ `&uuid=${opener_token}`;
+ const openee_url = openee_origin + executor_path + openee_COOP_header +
+ `&uuid=${openee_token}`;
+ const iframe_url = iframe_origin + executor_path + iframe_header + `&uuid=${iframe_token}`;
+
+ t.add_cleanup(() => {
+ send(openee_token, "window.close()");
+ send(opener_token, "window.close()");
+ });
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url, opener_token);
+
+ // 2. Create the iframe.
+ send(opener_token, `
+ iframe = document.createElement('iframe');
+ iframe.src = "${iframe_url}";
+ document.body.appendChild(iframe);
+ `);
+
+ // 3. The iframe opens its openee window.
+ send(iframe_token, `
+ window.openee = window.open(
+ '${openee_url.replace(/,/g, '\\,')}',
+ "${openee_token}"
+ );
+ `);
+
+ // 4. Ensure the popup is fully loaded.
+ send(openee_token, `send("${this_window_token}", "Ack");`);
+ assert_equals(await receive(this_window_token), "Ack");
+
+ // 5. The iframe navigates openee to about:blank.
+ send(iframe_token, `
+ window.openee_blank = window.open('about:blank', "${openee_token}");
+ (async function() {
+ const timeout = 2000;
+ const retry_delay = 100;
+ for(let i = 0; i * retry_delay < timeout; ++i) {
+ // A try-catch block is used, because of same-origin policy,
+ // preventing access to the document before committing about:blank.
+ try {
+ if (window.openee_blank.closed ||
+ window.openee_blank.document.location.href == "about:blank") {
+ send("${this_window_token}", "about:blank loaded");
+ return;
+ }
+ } catch(e) {}
+ await new Promise(resolve => setTimeout(resolve, retry_delay));
+ }
+ send("${this_window_token}", "about:blank not loaded");
+ })()
+ `);
+ assert_equals(await receive(this_window_token), "about:blank loaded");
+
+ // 6. Retrieve and check the results.
+ send(iframe_token, `
+ send("${this_window_token}", window.openee.closed);
+ `);
+ assert_equals(await receive(this_window_token), `${expect_openee_closed}`);
+ }, `Navigate to about:blank from iframe with opener.top \
+COOP: ${opener_COOP_header}, iframe origin: ${iframe_origin}, \
+openee COOP: ${openee_COOP_header}, openee origin: ${openee_origin}.`);
+};
+
+// iframe same-origin with its top-level embedder:
+// initial empty document and about:blank navigations initiated from the
+// same-origin iframe will inherit the COOP from the iframe's top-level embedder.
+
+// Since all navigations of openee are within same-origin pages with the
+// same COOP value, there are no browsing context group switches.
+navigateToAboutBlankTest(
+ coop_same_origin_header,
+ same_origin,
+ coop_same_origin_header,
+ same_origin,
+ "",
+ false
+);
+
+// Since all navigations of openee are within same-origin pages with the
+// same COOP value, there are no browsing context group switches.
+// Test with both COOP and COEP.
+navigateToAboutBlankTest(
+ coop_same_origin_plus_coep_header,
+ same_origin,
+ coop_same_origin_plus_coep_header,
+ same_origin,
+ coep_require_corp_header,
+ false
+);
+
+// Since all navigations of openee are within same-origin pages with the
+// same COOP value, there are no browsing context group switches.
+navigateToAboutBlankTest(
+ coop_same_origin_allow_popups_header,
+ same_origin,
+ coop_same_origin_allow_popups_header,
+ same_origin,
+ "",
+ false
+);
+
+// The first openee navigation, from initial empty document to
+// cross-origin will not switch the browsing context group, thanks to the
+// same-origin-allow-popups behavior.
+// The second openee navigation, to about:blank, will inherit from the
+// iniatiator's, the iframe, top. Navigating from a COOP: unsafe-none page to
+// a COOP: same-origin-allow-popups page causes a browsing context group
+// switch.
+navigateToAboutBlankTest(
+ coop_same_origin_allow_popups_header,
+ same_origin,
+ coop_unsafe_none_header,
+ cross_origin,
+ "",
+ true
+);
+
+// iframe cross-origin with its top-level embedder:
+// initial empty document and about:blank navigations initiated from the
+// cross-origin iframe will default COOP to unsafe-none.
+
+// The navigation from the initial empty document and the cross_origin url
+// does not cause a browsing context group switch
+// (both have COOP: unsafe-none).
+// The navigation from the cross-origin url to about:blank does not cause a
+// browsing context group swich, about:blank defaulted its COOP value to
+// unsafe-none.
+navigateToAboutBlankTest(
+ coop_same_origin_allow_popups_header,
+ cross_origin,
+ coop_unsafe_none_header,
+ cross_origin,
+ "",
+ false
+);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/navigate-top-to-aboutblank.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/navigate-top-to-aboutblank.https.html
new file mode 100644
index 0000000000..fe605baf45
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/navigate-top-to-aboutblank.https.html
@@ -0,0 +1,171 @@
+<title>
+ This tests the inheritance of COOP for navigations of the top document to about:blank.
+</title>
+<meta name=timeout content=long>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+
+
+<p>Non-initial empty documents (about:blank) should inherit their
+ cross-origin-opener-policy from the navigation's initiator top level document,
+ if the initiator and its top level document are same-origin, or default (to
+ unsafe-none) otherwise.
+</p>
+
+<ol>
+ <li>Create the opener popup with a given COOP <code>openerCOOP</code>.</li>
+ <li>Add iframe to the opener popup that is either same-origin or
+ cross-origin.
+ </li>
+ <li>Opener opens a new window, to a network document with the same origin and
+ COOP value as opener.</li>
+ <li>Opener's iframe navigates its parent frame (opener) to about:blank.</li>
+ <li>Verify the openee still has access to its opener.</li>
+</ol>
+
+<script>
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const coop_same_origin_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin)';
+const coop_same_origin_allow_popups_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin-allow-popups)';
+const coop_unsafe_none_header =
+ '|header(Cross-Origin-Opener-Policy,unsafe-none)';
+
+function navigateToAboutBlankTest(
+ COOP_header,
+ iframe_origin,
+ expect_opener_closed
+){
+ return promise_test(async t => {
+ const this_window_token = token();
+ const opener_token = token();
+ const openee_token = token();
+ const iframe_token = token();
+
+ const opener_url = same_origin + executor_path + COOP_header +
+ `&uuid=${opener_token}`;
+ const openee_url = same_origin + executor_path + COOP_header +
+ `&uuid=${openee_token}`;
+ const iframe_url = iframe_origin + executor_path + `&uuid=${iframe_token}`;
+
+ t.add_cleanup(() => {
+ send(opener_token, "window.close()");
+ send(openee_token, "window.close()");
+ });
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url, opener_token);
+
+ // 2. Create the iframe.
+ send(opener_token, `
+ iframe = document.createElement('iframe');
+ iframe.src = "${iframe_url}";
+ document.body.appendChild(iframe);
+ `);
+
+ // 3. The opener opens openee window.
+ send(opener_token, `
+ window.openee = window.open(
+ '${openee_url.replace(/,/g, '\\,')}'
+ );
+ `);
+
+ // 4. Ensure the popup is fully loaded.
+ send(openee_token, `send("${this_window_token}", "Ack");`);
+ assert_equals(await receive(this_window_token), "Ack");
+
+ // 5. The iframe navigates its top-level document to about:blank. It needs
+ // to receive a user action as it may be cross-origin and it navigates top
+ // to a cross-origin document.
+ // https://github.com/WICG/interventions/issues/16
+ send(iframe_token, addScriptAndTriggerOnload(
+ "/resources/testdriver.js",
+ `${addScriptAndTriggerOnload("/resources/testdriver-vendor.js",
+ `
+ test_driver.bless('navigate top to about:blank', () => {
+ open("about:blank", "_top");
+ });
+ `)}
+ `));
+
+ // 6. Ensure opener is fully loaded and then retrieve the results.
+ send(openee_token, `
+ (async function() {
+ const timeout = 2000;
+ const retry_delay = 100;
+ for(let i = 0; i * retry_delay < timeout; ++i) {
+ // A try-catch block is used, because of same-origin policy,
+ // which may prevent the access to the opener if its origin changed,
+ // after a navigation to about:blank from the cross origin iframe.
+ try {
+ if (
+ window.opener === null ||
+ window.opener.closed ||
+ window.opener.document.location.href == "about:blank") {
+ send("${this_window_token}", "about:blank loaded");
+ return;
+ }
+ } catch(e) {
+ // The exception is thrown when about:blank is loaded and is
+ // cross-origin with openee.
+ send("${this_window_token}", "about:blank loaded");
+ return;
+ }
+ await new Promise(resolve => setTimeout(resolve, retry_delay));
+ }
+ send("${this_window_token}", "about:blank NOT loaded");
+ })()
+ `);
+ assert_equals(await receive(this_window_token), "about:blank loaded");
+
+ // 7. Retrieve and check the results.
+ send(openee_token, `
+ send(
+ "${this_window_token}",
+ window.opener === null || window.opener.closed);
+ `);
+
+ assert_equals(await receive(this_window_token), `${expect_opener_closed}`);
+ }, `Navigate top to about:blank from iframe with \
+opener COOP: ${COOP_header}, iframe origin: ${iframe_origin}`);
+};
+
+// iframe same-origin with its top-level embedder:
+// initial empty document and about:blank navigations initiated from the
+// same-origin iframe will inherit COOP from the iframe's top-level embedder.
+
+// Opener's navigation to about:blank stays in the same browsing context group.
+navigateToAboutBlankTest(
+ coop_same_origin_header,
+ same_origin,
+ false
+);
+
+// iframe cross-origin with its top-level embedder:
+// initial empty document and about:blank navigations initiated from the
+// cross-origin iframe will default COOP to unsafe-none.
+
+// Opener's navigation to about:blank doesn't inherit COOP, leading to a
+// browsing context group switch.
+navigateToAboutBlankTest(
+ coop_same_origin_header,
+ cross_origin,
+ true
+);
+
+// Same origin allow popups allows the navigation of top to the cross-origin
+// about:blank (origin inherited from the iframe) page, which does not have COOP
+// (initiator is a cross origin iframe).
+navigateToAboutBlankTest(
+ coop_same_origin_allow_popups_header,
+ cross_origin,
+ false
+);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html
new file mode 100644
index 0000000000..db15d5c676
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html
@@ -0,0 +1,21 @@
+<!doctype html>
+<meta name=timeout content=long>
+<title>Cross-Origin-Opener-Policy requires secure contexts</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script>
+async_test(t => {
+ const popup = window.open("resources/call-functionCalledByOpenee.html");
+ t.add_cleanup(() => {
+ popup.close();
+ });
+ window.functionCalledByOpenee = t.step_func_done(() => {
+ assert_false(popup.closed);
+ });
+ assert_equals(window, popup.opener);
+}, "Cross-Origin-Opener-Policy only works over secure contexts");
+
+test(() => {
+ assert_false(window.crossOriginIsolated);
+}, "Bonus: window.crossOriginIsolated");
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/no-https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-coop-by-sw.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-coop-by-sw.https.html
new file mode 100644
index 0000000000..69c2db1ad9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-coop-by-sw.https.html
@@ -0,0 +1,136 @@
+<meta name="timeout" content="long">
+<meta name="variant" content="?1-4">
+<meta name="variant" content="?5-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/subset-tests.js"></script>
+<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script>
+
+const executor_path = '/common/dispatcher/executor.html?pipe=';
+const executor_service_worker_path = '/common/dispatcher/executor-service-worker.js?pipe=';
+
+const coop_header = `|header(Cross-Origin-Opener-Policy,same-origin)`;
+const coep_header = `|header(Cross-Origin-Embedder-Policy,require-corp)`;
+
+const https_origin = get_host_info().HTTPS_ORIGIN;
+
+const swap_browsing_context_group = true;
+const keep_browsing_context_group = false;
+
+const opener_basic = "";
+const opener_coi = coop_header + coep_header;
+
+const sw_basic = "";
+const sw_coi = coop_header + coep_header;
+
+const openee_basic = {
+ 'content-type': 'text/html',
+};
+const openee_coi = {
+ 'content-type': 'text/html',
+ 'cross-origin-embedder-policy': 'require-corp',
+ 'cross-origin-opener-policy': 'same-origin',
+};
+
+// A document opens a popup. The popup's document is served from a synthetic
+// response by a ServiceWorker. Check how cross-origin isolation works in this
+// case.
+const popupCoopBySwTest = (
+ description,
+ // Test parameters:
+ opener_headers,
+ openee_headers,
+ sw_headers,
+ // Test expectations:
+ expected_browing_context_group
+) => {
+ subsetTest(promise_test, async test => {
+ const driver_token = token();
+
+ // 1. Create the opener.
+ const opener_token = token();
+ const opener_url = https_origin + executor_path + opener_headers +
+ `&uuid=${opener_token}`;
+ const opener_window = window.open(opener_url);
+ test.add_cleanup(() => opener_window.close());
+
+ // 2. Define the openee's URL as being served by the service worker.
+ const openee_url = https_origin + "/common/dispatcher/proxied?" + token();
+
+ // 3. Register, install and activate a ServiceWorker serving the openee_url.
+ const sw_token = token();
+ const sw_url = https_origin + executor_service_worker_path + sw_headers +
+ `&uuid=${sw_token}`;
+ const sw_scope = openee_url; // One-time scope, because of the token.
+
+ const sw_registration =
+ await service_worker_unregister_and_register(test, sw_url, sw_scope);
+ test.add_cleanup(() => sw_registration.unregister());
+ await wait_for_state(test, sw_registration.installing, 'activated');
+
+ send(sw_token, `
+ fetchHandler = event => {
+ if (!event.request.url.includes("proxied"))
+ return;
+
+ const response = new Response(\`
+ <script src="/common/dispatcher/dispatcher.js"></scr\`+\`ipt>
+ <script>
+ send("${driver_token}", opener ? "opener is set"
+ : "opener is null");
+ </scr\` + \`ipt>
+ \`, {
+ status: 200,
+ headers: ${JSON.stringify(openee_headers)},
+ });
+ event.respondWith(response);
+ }
+
+ await clients.claim();
+
+ send("${driver_token}", serviceWorker.state);
+ `)
+ assert_equals(await receive(driver_token), "activated");
+
+ // 4. The opener opens a popup. Its document is a synthetic response served
+ // from the Service Worker.
+ send(opener_token, `
+ window.open("${openee_url}");
+ `);
+
+ assert_equals(await receive(driver_token),
+ (expected_browing_context_group == swap_browsing_context_group)
+ ? "opener is null"
+ : "opener is set");
+ }, description);
+};
+
+popupCoopBySwTest("opener:basic, openee:basic, sw:basic",
+ opener_basic, openee_basic, sw_basic,
+ keep_browsing_context_group);
+popupCoopBySwTest("opener:basic, openee:basic, sw:coi",
+ opener_basic, openee_basic, sw_coi,
+ keep_browsing_context_group);
+popupCoopBySwTest("opener:basic, openee:coi, sw:basic",
+ opener_basic, openee_coi, sw_basic,
+ swap_browsing_context_group);
+popupCoopBySwTest("opener:basic, openee:coi, sw:coi",
+ opener_basic, openee_coi, sw_coi,
+ swap_browsing_context_group);
+popupCoopBySwTest("opener:coi, openee:basic, sw:basic",
+ opener_coi, openee_basic, sw_basic,
+ swap_browsing_context_group);
+popupCoopBySwTest("opener:coi, openee:basic, sw:coi",
+ opener_coi, openee_basic, sw_coi,
+ swap_browsing_context_group);
+popupCoopBySwTest("opener:coi, openee:coi, sw:basic",
+ opener_coi, openee_coi, sw_basic,
+ keep_browsing_context_group);
+popupCoopBySwTest("opener:coi, openee:coi, sw:coi",
+ opener_coi, openee_coi, sw_coi,
+ keep_browsing_context_group);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-meta-http-equiv.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-meta-http-equiv.https.html
new file mode 100644
index 0000000000..157f7aef46
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-meta-http-equiv.https.html
@@ -0,0 +1,24 @@
+<!doctype html>
+<meta http-equiv="Cross-Origin-Opener-Policy" content="same-origin"><!-- should not be supported -->
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup without coop",
+ "coop": "",
+ "same_origin_opener": "preserved",
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, variant.coop, variant.same_origin_opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html
new file mode 100644
index 0000000000..6568ac3fdb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html
@@ -0,0 +1,90 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name="timeout" content="long">
+<meta name="variant" content="?0-1">
+<meta name="variant" content="?2-3">
+<meta name="variant" content="?4-5">
+<meta name="variant" content="?6-7">
+<meta name="variant" content="?8-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/subset-tests.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+
+<div id=log></div>
+<script>
+
+function url_test_cache(t, url, responseToken, iframeToken, hasOpener) {
+ return new Promise(async (resolve, reject) => {
+ try {
+ await dispatcher_url_test(t, url, responseToken, iframeToken, hasOpener, undefined /* OpenerDomAccess */, resolve);
+ } catch(e) {
+ reject(e);
+ }
+ }).then(() => {
+ return new Promise(async (resolve, reject) => {
+ try {
+ // Test the same url for cache.
+ // Note that at this point the popup from the first
+ // `dispatcher_url_test()` call hasn't been closed yet, but once this
+ // test has finished both will be cleaned up.
+ await dispatcher_url_test(t, url, responseToken, iframeToken, hasOpener, undefined /* OpenerDomAccess */, resolve);
+ } catch(e) {
+ reject(e);
+ }
+ });
+ });
+}
+
+// Redirect from hostA to hostB with same coop and coep.
+// Cache the hostA page if redirectCache is true.
+// Cache the hostB page if destCache is true.
+function coop_redirect_cache_test(t, hostA, hostB, coop, coep, redirectCache, destCache, hasOpener) {
+ let redirectUrl = `${hostA.origin}/html/cross-origin-opener-policy/resources/coop-coep.py`;
+ let redirectCacheString = redirectCache ? "&cache=1" : "";
+ let destCacheString = destCache ? "&cache=1" : "";
+ let responseToken = token();
+ let iframeToken = token();
+ let destUrl = `${hostB.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=${coop}&coep=${coep}${destCacheString}&responseToken=${responseToken}&iframeToken=${iframeToken}`;
+ let url = `${redirectUrl}?coop=${coop}&coep=${coep}${redirectCacheString}&redirect=${encodeURIComponent(destUrl)}`;
+
+ return url_test_cache(t, url, responseToken, iframeToken, hasOpener);
+}
+
+function run_redirect_cache_tests(documentCOOPValueTitle, testArray) {
+ testArray.forEach((test, i) => {
+ // Only run specified variants
+ if (!shouldRunSubTest(i)) {
+ return;
+ }
+
+ promise_test(t => {
+ return coop_redirect_cache_test(t, test[0], test[1], "same-origin", "require-corp", test[2], test[3], test[4]);
+ }, `${documentCOOPValueTitle} document opening popup redirect from ${test[0].origin} to ${test[1].origin} with redirectCache ${test[2]} and destCache ${test[3]}`);
+ });
+}
+
+const tests = [
+ // popup Origin, final Origin, isCacheRedirect, isCacheDestination, hasOpener
+ // Origin A->A->B
+ [SAME_ORIGIN, CROSS_ORIGIN, true, false, false],
+ [SAME_ORIGIN, CROSS_ORIGIN, false, true, false],
+ [SAME_ORIGIN, CROSS_ORIGIN, true, true, false],
+
+ // Origin A->B->B
+ [CROSS_ORIGIN, SAME_ORIGIN, true, false, false],
+ [CROSS_ORIGIN, SAME_ORIGIN, false, true, false],
+ [CROSS_ORIGIN, SAME_ORIGIN, true, true, false],
+
+ // Origin A->B->C
+ [SAME_SITE, CROSS_ORIGIN, true, false, false],
+ [SAME_SITE, CROSS_ORIGIN, false, true, false],
+ [SAME_SITE, CROSS_ORIGIN, true, true, false],
+];
+
+run_redirect_cache_tests("same-origin", tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-cache.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-same-origin-allow-popups.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-same-origin-allow-popups.https.html
new file mode 100644
index 0000000000..73119a76f8
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-redirect-same-origin-allow-popups.https.html
@@ -0,0 +1,96 @@
+<title>
+ Tests the interaction of COOP same-origin-allow-popups with redirects in a
+ newly opened popup.
+</title>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+
+<div id=log></div>
+<script>
+
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const same_origin = {
+ host: get_host_info().HTTPS_ORIGIN,
+ name: "Same origin"
+};
+const cross_origin = {
+ host: get_host_info().HTTPS_REMOTE_ORIGIN,
+ name: "Cross origin"
+};
+const coep_header = '|header(Cross-Origin-Embedder-Policy,unsafe-none)';
+
+// Tests the interaction of COOP same-origin-allow-popups with redirects in a
+// newly created popup.
+// 1- Creates a page with origin SAME_ORIGIN and COOP same-origin-allow-popups.
+// 2- This page opens a popup.
+// 3- The popup navigates and gets a redirect response with COOP unsafe none
+// and origin either SAME_ORIGIN or CROSS_ORIGIN
+// 4- The popup follows the redirect and ends up on a final page with COOP
+// same-origin-allow-popups and origin SAME_ORIGIN
+// 5- The popup and its opener should no longer be in the same browsing context
+// group (ie the popup doesn't have an opener and the window that opened the
+// popup sees it as closed).
+function redirect_test(popup_redirect_origin) {
+ promise_test(async t => {
+ // Identifies the test window.
+ const this_window_token = token();
+
+ // Identifies the first window that will open the popup. It has COOP
+ // same-origin-allow-popups.
+ const opener_token= token();
+ const same_origin_allow_popups_header =
+ `|header(Cross-Origin-Opener-Policy,same-origin-allow-popups)`;
+ const opener_url = same_origin.host + executor_path +
+ same_origin_allow_popups_header + `&uuid=${opener_token}`;
+
+ // Identifies the popup. It will initial try to navigate to
+ // popup_redirect_origin, which has COOP unsafe-none. The navigation is
+ // then redirected to a final response of SAME_ORIGIN and COOP
+ // same-origin-allow-popups.
+ const popup_token = token();
+ const popup_final_url = same_origin.host + executor_path +
+ same_origin_allow_popups_header + `&uuid=${popup_token}`;
+ const redirect_header = 'status(302)' +
+ `|header(Location,${encodeURIComponent(
+ popup_final_url
+ .replace(/,/g, "\\,")
+ .replace(/\\\\,/g, "\\\\\\,")
+ .replace(/\(/g, "%28")
+ .replace(/\)/g, "%29"))})`;
+ const popup_initial_url = popup_redirect_origin.host + executor_path +
+ redirect_header + `&uuid=${popup_token}`;
+
+ // 1. Create the initial window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The initial window opens a popup.
+ send(opener_token, `
+ popup = window.open("${popup_initial_url}");
+ `);
+ t.add_cleanup(() => send(popup_token, "window.close()"));
+
+ // 3. Check the opener status on the popup.
+ send(popup_token, `
+ send("${this_window_token}", window.opener !== null);
+ `);
+ assert_equals(await receive(this_window_token), "false", "opener");
+
+ // 4. Check the status of the popup from the initial window.
+ send(opener_token, `
+ send("${this_window_token}", popup.closed);
+ `);
+ assert_equals(await receive(this_window_token), "true", "popup.closed");
+
+ }, `${popup_redirect_origin.name} popup redirects to same-origin with same-origin-allow-popups`);
+}
+
+redirect_test(same_origin);
+redirect_test(cross_origin);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html
new file mode 100644
index 0000000000..d025faeb67
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop : variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html
new file mode 100644
index 0000000000..438e424284
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "preserved"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop : variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html
new file mode 100644
index 0000000000..d1b6b60d7c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html
new file mode 100644
index 0000000000..2e58ea4553
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html
@@ -0,0 +1,17 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy: about:blank</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script>
+async_test(t => {
+ const popup = window.open("resources/coop-coep.py?coop=same-origin&coep=&navigate=about:blank");
+ t.add_cleanup(() => popup.close());
+ assert_equals(window, popup.opener);
+
+ popup.onload = t.step_func(() => {
+ assert_true(popup.location.href.endsWith("&navigate=about:blank"));
+ // Use wait_for_callback as about:blank cannot message back.
+ t.step_wait_func_done(() => popup.location.href === "about:blank");
+ });
+}, "Navigating a popup to about:blank");
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html
new file mode 100644
index 0000000000..bd1e6848c4
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html
new file mode 100644
index 0000000000..caf4b173c2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html
new file mode 100644
index 0000000000..93ba9c9888
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html
new file mode 100644
index 0000000000..31ac569491
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..073ce7adfb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: unsafe-none
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html
new file mode 100644
index 0000000000..18f87048c3
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..073ce7adfb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: unsafe-none
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html
new file mode 100644
index 0000000000..d1b6b60d7c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html.headers
new file mode 100644
index 0000000000..073ce7adfb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: unsafe-none
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-cross-origin.https.html
new file mode 100644
index 0000000000..31ac569491
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-cross-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-origin.https.html
new file mode 100644
index 0000000000..18f87048c3
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-origin.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-site.https.html
new file mode 100644
index 0000000000..d1b6b60d7c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-unspecified-with-same-site.https.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with jibberish coop",
+ "coop": "jibberish",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop",
+ "coop": "same-site",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 2",
+ "coop": "same-site unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with obsolete coop 3",
+ "coop": "same-origin unsafe-allow-outgoing",
+ "opener": "preserved"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html
new file mode 100644
index 0000000000..e337e69cc0
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html
@@ -0,0 +1,33 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with structured coop unsafe-none",
+ "coop": "unsafe-none; report-to=endpoint",
+ "opener": "severed",
+ },
+ {
+ "title": "popup with structured coop same-origin",
+ "coop": "same-origin; report-to=endpoint",
+ "opener": "preserved",
+ },
+ {
+ "title": "popup with structured coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups; report-to=endpoint",
+ "opener": "severed",
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/popup-with-structured-header.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/META.yml b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/META.yml
new file mode 100644
index 0000000000..0db28208a6
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/META.yml
@@ -0,0 +1,6 @@
+suggested_reviewers:
+ - ArthurSonzogni
+ - ParisMeuleman
+ - camillelamy
+ - hemeryar
+ - mikewest
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro.https.html
new file mode 100644
index 0000000000..a7e83cc0d9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro.https.html
@@ -0,0 +1,82 @@
+<title>
+ COOP reports are to the opener when the opener used COOP-RO+COEP and then it
+ tries to access a same-origin openee.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP and a reporter.
+ const opener_report_token= token();
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(opener_report_token);
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. This is same origin with the "opener".
+ const openee_report_token = token();
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens it openee.
+ send(opener_token, `
+ openee = window.open("${openee_requested_url}");
+ send("${this_window_token}", "ACK 1");
+ `);
+ assert_equals("ACK 1", await receive(this_window_token));
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. Ensure the openee's document to be loaded.
+ send(openee_token, `
+ send("${this_window_token}", "ACK 2");
+ `);
+ assert_equals("ACK 2", await receive(this_window_token));
+
+ // 4. The opener tries to access its openee.
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(openee);")
+ );
+ // 5. Check a report sent to the opener.
+ let report =
+ await receiveReport(opener_report_token, "access-from-coop-page-to-openee")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_found(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, openee_url);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, openee_requested_url);
+}, name);
+
+runTest(false, "access-from-coop-page-to-openee, same-origin");
+runTest(true , "access-from-coop-page-to-openee, same-origin + redirect");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html
new file mode 100644
index 0000000000..fe72a2299f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html
@@ -0,0 +1,85 @@
+<title>
+ COOP reports are to the opener when the opener used COOP-RO+COEP and then it
+ tries to access a cross-origin openee.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP and a reporter.
+ const opener_report_token= token();
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(opener_report_token);
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. This is cross origin with the "opener".
+ const openee_report_token= token();
+ const openee_token = token();
+ const openee_url = cross_origin + executor_path + `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens it openee.
+ send(opener_token, `
+ openee = window.open("${openee_requested_url}");
+ send("${this_window_token}", "ACK 1");
+ `);
+ assert_equals("ACK 1", await receive(this_window_token));
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. Ensure the openee's document to be loaded.
+ send(openee_token, `
+ send("${this_window_token}", "ACK 2");
+ `);
+ assert_equals("ACK 2", await receive(this_window_token));
+
+ // 4. The opener tries to access its openee.
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(openee);")
+ );
+
+
+ // 5. Check a report sent to the opener.
+ let report =
+ await receiveReport(opener_report_token, "access-from-coop-page-to-openee")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_found(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, "");
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, openee_requested_url);
+}, name);
+
+runTest(false, "access-from-coop-page-to-openee, cross-origin");
+runTest(true , "access-from-coop-page-to-openee, cross-origin + redirect");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro.https.html
new file mode 100644
index 0000000000..005339a06e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro.https.html
@@ -0,0 +1,63 @@
+<title>
+ COOP reports are sent when the openee used COOP-RO+COEP and then tries to
+ access its same-origin opener.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ const report_token = token();
+ const openee_token = token();
+
+ const opener_url = location.href;
+
+ const reportTo = reportToHeaders(report_token);
+ const openee_url = same_origin + executor_path +
+ reportTo.header + reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+ const openee = window.open(openee_requested_url);
+ t.add_cleanup(() => send(openee_token, "window.close()"))
+
+ // 1. Try to access the opener. A report is sent, because of COOP-RO+COEP.
+
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener);")
+ );
+
+ // 2. Check a report is sent to the openee.
+ let report =
+ await receiveReport(report_token, "access-from-coop-page-to-opener")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, openee_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_found(report);
+ assert_equals(report.body.openerURL, opener_url);
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, opener_url);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, name);
+
+runTest(false, "access-from-coop-page-to-opener, same-origin");
+runTest(true , "access-from-coop-page-to-opener, same-origin + redirect");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html
new file mode 100644
index 0000000000..eedfaa557f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html
@@ -0,0 +1,63 @@
+<title>
+ COOP reports are sent when the openee used COOP-RO+COEP and then tries to
+ access its cross-origin opener.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ const report_token = token();
+ const openee_token = token();
+
+ const opener_origin = location.origin + '/';
+
+ const reportTo = reportToHeaders(report_token);
+ const openee_url = cross_origin + executor_path +
+ reportTo.header + reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+ const openee = window.open(openee_requested_url);
+ t.add_cleanup(() => send(openee_token, "window.close()"))
+
+ // 1. Try to access the opener. A report is sent, because of COOP-RO+COEP.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener);")
+ );
+
+ // 2. Check a report is sent to the openee.
+ let report =
+ await receiveReport(report_token, "access-from-coop-page-to-opener")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, openee_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_found(report);
+ assert_equals(report.body.openerURL, "");
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, opener_origin);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, name);
+
+runTest(false, "access-from-coop-page-to-opener, cross-origin");
+runTest(true , "access-from-coop-page-to-opener, cross-origin + redirect");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro.https.html
new file mode 100644
index 0000000000..90df0e4e99
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro.https.html
@@ -0,0 +1,92 @@
+<title>
+ One window accesses a second one. They are aren't related by an opener/openee
+ relationship. The first window has set
+ Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a
+ "access-from-coop-page-to-other" report.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+let escapeComma = url => url.replace(/,/g, '\\,');
+
+promise_test(async t => {
+ const report_token= token();
+ const report_to = reportToHeaders(report_token);
+
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. With COOP:same-origin + reporter.
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + report_to.header +
+ report_to.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. With COOP:same-origin + reporter.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + report_to.header +
+ report_to.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // The "other" window.
+ const other_token = token();
+ const other_url = same_origin + executor_path + report_to.header +
+ `&uuid=${other_token}`;
+
+ t.add_cleanup(() => {
+ send(opener_token, "window.close()")
+ send(openee_token, "window.close()")
+ send(other_token, "window.close()")
+ })
+
+ // 1. Create the "opener" window.
+ let opener_window_proxy = window.open(opener_url);
+
+ // 2. Create the "openee" window.
+ send(opener_token, `
+ window.openee = window.open('${escapeComma(openee_url)}');
+ `);
+
+ // 3. Create the "other" window.
+ send(openee_token, `
+ window.other = window.open('${escapeComma(other_url)}');
+ `);
+
+ // 4. Wait for "other" to load its document.
+ send(other_token, `send('${this_window_token}', "Loaded");`);
+ assert_equals(await receive(this_window_token), "Loaded");
+
+ // 5. "opener" accesses "other" window, through "openee".
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(openee.other);")
+ );
+
+ // 6. Check a report is sent to the openee.
+ let report =
+ await receiveReport(report_token, "access-from-coop-page-to-other")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_found(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, other_url.replace(/"/g, '%22'));
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, "access-from-coop-page-to-other (COOP-RO)");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html
new file mode 100644
index 0000000000..f0d60c2531
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html
@@ -0,0 +1,93 @@
+<title>
+ One window accesses a second one. They are aren't related by an opener/openee
+ relationship. The first window has set
+ Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a
+ "access-from-coop-page-to-other" report.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin= get_host_info().HTTPS_ORIGIN;
+const cross_origin= get_host_info().HTTPS_REMOTE_ORIGIN;
+
+let escapeComma = url => url.replace(/,/g, '\\,');
+
+promise_test(async t => {
+ const report_token= token();
+ const report_to = reportToHeaders(report_token);
+
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. With COOP:same-origin + reporter.
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + report_to.header +
+ report_to.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. With COOP:same-origin + reporter.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + report_to.header +
+ report_to.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // The "other" window.
+ const other_token = token();
+ const other_url = cross_origin + executor_path + report_to.header +
+ `&uuid=${other_token}`;
+
+ t.add_cleanup(() => {
+ send(opener_token, "window.close()")
+ send(openee_token, "window.close()")
+ send(other_token, "window.close()")
+ })
+
+ // 1. Create the "opener" window.
+ let opener_window_proxy = window.open(opener_url);
+
+ // 2. Create the "openee" window.
+ send(opener_token, `
+ window.openee = window.open('${escapeComma(openee_url)}');
+ `);
+
+ // 3. Create the "other" window.
+ send(openee_token, `
+ window.other = window.open('${escapeComma(other_url)}');
+ `);
+
+ // 4. Wait for "other" to load its document.
+ send(other_token, `send('${this_window_token}', "Loaded");`);
+ assert_equals(await receive(this_window_token), "Loaded");
+
+ // 5. "opener" accesses "other" window, through "openee".
+
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(openee.other);")
+ );
+
+ // 6. Check a report is sent to the openee.
+ let report =
+ await receiveReport(report_token, "access-from-coop-page-to-other")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_found(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, "");
+ assert_equals(report.body.referrer, undefined);
+}, "access-from-coop-page-to-other (COOP-RO)");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro.https.html
new file mode 100644
index 0000000000..9f0a8821a4
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro.https.html
@@ -0,0 +1,77 @@
+<title>
+ COOP reports are to the opener when the opener used COOP-RO+COEP and then its
+ same-origin openee tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP and a reporter.
+ const opener_report_token= token();
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(opener_report_token);
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. This is same origin with the "opener".
+ const openee_report_token= token();
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `
+ openee = window.open("${openee_requested_url}");
+ send("${this_window_token}", "ACK 1");
+ `);
+ assert_equals("ACK 1", await receive(this_window_token));
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. The openee tries to access its opener.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener);")
+ );
+
+ // 4. Check a report sent to the opener.
+ let report =
+ await receiveReport(opener_report_token, "access-to-coop-page-from-openee")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, openee_url);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, openee_requested_url);
+}, name);
+
+runTest(false, "access-to-coop-page-from-openee, same-origin");
+runTest(true , "access-to-coop-page-from-openee, same-origin + redirect");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html
new file mode 100644
index 0000000000..d9577836d9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html
@@ -0,0 +1,79 @@
+<title>
+ COOP reports are to the opener when the opener used COOP-RO+COEP and then its
+ cross-origin openee tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const cross_origin= get_host_info().HTTPS_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP and a reporter.
+ const opener_report_token= token();
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(opener_report_token);
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. This is cross origin with the "opener".
+ const openee_report_token= token();
+ const openee_token = token();
+ const openee_url = cross_origin + executor_path + `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `
+ openee = window.open("${openee_requested_url}");
+ send("${this_window_token}", "ACK 1");
+ `);
+ assert_equals("ACK 1", await receive(this_window_token));
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. The openee tries to access its opener.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener);")
+ );
+
+ // 4. Check a report sent to the opener.
+ let report =
+ await receiveReport(opener_report_token, "access-to-coop-page-from-openee")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, "");
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, openee_requested_url);
+}, name);
+
+runTest(false, "access-to-coop-page-from-openee, cross-origin");
+runTest(true , "access-to-coop-page-from-openee, cross-origin + redirect)");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro.https.html
new file mode 100644
index 0000000000..8a643d762c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro.https.html
@@ -0,0 +1,67 @@
+<title>
+ COOP reports are sent when the openee used COOP-RO+COEP and then its
+ same-origin opener tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ const report_token = token();
+ const openee_token = token();
+ const opener_token = token(); // The current test window.
+
+ const opener_url = location.href;
+
+ const reportTo = reportToHeaders(report_token);
+ const openee_url = same_origin + executor_path + reportTo.header +
+ reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+
+ const openee = window.open(openee_requested_url);
+ t.add_cleanup(() => send(openee_token, "window.close()"))
+
+ // 1. Make sure the new document to be loaded.
+ send(openee_token, `
+ send("${opener_token}", "Ready");
+ `);
+ let reply = await receive(opener_token);
+ assert_equals(reply, "Ready");
+
+ // 2. Try to access the openee. A report is sent, because of COOP-RO+COEP.
+ tryAccess(openee);
+
+ // 3. Check a report is sent to the openee.
+ let report =
+ await receiveReport(report_token, "access-to-coop-page-from-opener")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, openee_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, opener_url);
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, opener_url);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, name);
+
+runTest(false, "access-to-coop-page-from-opener, same-origin");
+runTest(true , "access-to-coop-page-from-opener, same-origin + redirect");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html
new file mode 100644
index 0000000000..7e1ae870a7
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html
@@ -0,0 +1,68 @@
+<title>
+ COOP reports are sent when the openee used COOP-RO+COEP and then its
+ cross-origin opener tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const redirect_path = directory + "/resources/redirect.py?";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+let runTest = (openee_redirect, name) => promise_test(async t => {
+ const report_token = token();
+ const openee_token = token();
+ const opener_token = token(); // The current test window.
+
+ const opener_origin = location.origin + '/';
+
+ const reportTo = reportToHeaders(report_token);
+ const openee_url = cross_origin + executor_path +
+ reportTo.header + reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+ const openee_redirect_url = same_origin + redirect_path + openee_url
+ const openee_requested_url = openee_redirect ? openee_redirect_url
+ : openee_url;
+
+
+ const openee = window.open(openee_requested_url);
+ t.add_cleanup(() => send(openee_token, "window.close()"))
+
+ // 1. Make sure the new document to be loaded.
+ send(openee_token, `
+ send("${opener_token}", "Ready");
+ `);
+ let reply = await receive(opener_token);
+ assert_equals(reply, "Ready");
+
+ // 2. Try to access the openee. A report is sent, because of COOP-RO+COEP.
+ tryAccess(openee);
+
+ // 3. Check a report is sent to the openee.
+ let report =
+ await receiveReport(report_token, "access-to-coop-page-from-opener")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, openee_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, "");
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, opener_origin);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, name);
+
+runTest(false, "access-to-coop-page-from-opener, cross-origin");
+runTest(true , "access-to-coop-page-from-opener, cross-origin + redirect");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro.https.html
new file mode 100644
index 0000000000..b73bab8610
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro.https.html
@@ -0,0 +1,82 @@
+<title>
+ One window accesses a second one. They are aren't related by an opener/openee
+ relationship. The second window has set
+ Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a
+ "access-to-coop-page-from-other" report.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window.
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + `&uuid=${opener_token}`;
+
+ // The "openee" window. With COOP:same-origin + reporter.
+ const openee_report_token= token();
+ const openee_token = token();
+ const openee_reportTo = reportToHeaders(openee_report_token);
+ const openee_url = same_origin + executor_path + openee_reportTo.header +
+ openee_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // The "other" window.
+ const other_token = token();
+ const other_url = same_origin + executor_path + `&uuid=${other_token}`;
+
+ t.add_cleanup(() => {
+ send(opener_token, "window.close()")
+ send(openee_token, "window.close()")
+ send(other_token, "window.close()")
+ })
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+
+ // 2. The opener opens its openee and the other window.
+ send(opener_token, `
+ window.openee = window.open('${openee_url.replace(/,/g, '\\,')}');
+ window.other = window.open('${other_url}');
+ `);
+
+ // 3. Make sure the openee is loaded.
+ send(openee_token, `send("${this_window_token}", "Loaded");`);
+ assert_equals(await receive(this_window_token), "Loaded");
+
+ // 4. The "other" window attempts to access the openee though the opener.
+ send(other_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener.openee);")
+ );
+
+ // 4. Check a report sent to the openee.
+ let report =
+ await receiveReport(openee_report_token, "access-to-coop-page-from-other")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, openee_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, other_url);
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, "access-to-coop-page-from-other (COOP-RO)");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro_cross-origin.https.html
new file mode 100644
index 0000000000..c86daa3dca
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro_cross-origin.https.html
@@ -0,0 +1,83 @@
+<title>
+ One window accesses a second one. They are aren't related by an opener/openee
+ relationship. The second window has set
+ Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a
+ "access-to-coop-page-from-other" report.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window.
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + `&uuid=${opener_token}`;
+
+ // The "openee" window. With COOP:same-origin + reporter.
+ const openee_report_token= token();
+ const openee_token = token();
+ const openee_reportTo = reportToHeaders(openee_report_token);
+ const openee_url = cross_origin + executor_path + openee_reportTo.header +
+ openee_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // The "other" window.
+ const other_token = token();
+ const other_url = same_origin + executor_path + `&uuid=${other_token}`;
+
+ t.add_cleanup(() => {
+ send(opener_token, "window.close()")
+ send(openee_token, "window.close()")
+ send(other_token, "window.close()")
+ })
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+
+ // 2. The opener opens its openee and the other window.
+ send(opener_token, `
+ window.openee = window.open('${openee_url.replace(/,/g, '\\,')}');
+ window.other = window.open('${other_url}');
+ `);
+
+ // 3. Make sure the openee is loaded.
+ send(openee_token, `send("${this_window_token}", "Loaded");`);
+ assert_equals(await receive(this_window_token), "Loaded");
+
+ // 4. The "other" window attempts to access the openee though the opener.
+ send(other_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener.openee);")
+ );
+
+ // 4. Check a report sent to the openee.
+ let report =
+ await receiveReport(openee_report_token, "access-to-coop-page-from-other")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, openee_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, "");
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, "access-to-coop-page-from-other (COOP-RO)");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-blur.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-blur.https.html
new file mode 100644
index 0000000000..849bf6579a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-blur.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.blur() access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("blur", w => w.blur());
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-close.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-close.https.html
new file mode 100644
index 0000000000..7696600488
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-close.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.close() access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("close", w => w.close());
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-closed.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-closed.https.html
new file mode 100644
index 0000000000..c678d18a80
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-closed.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.closed access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("closed", w => w.closed);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-focus.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-focus.https.html
new file mode 100644
index 0000000000..363c0d294f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-focus.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.focus() access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("focus", w => w.focus());
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-frames.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-frames.https.html
new file mode 100644
index 0000000000..fc1925045f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-frames.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.frames access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("frames", w => w.frames);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html
new file mode 100644
index 0000000000..b6c5f5acb1
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html
@@ -0,0 +1,66 @@
+<title> Check reports are sent for the indexed getter</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)';
+
+let origin = [
+ ["cross-origin" , get_host_info().HTTPS_REMOTE_ORIGIN ] ,
+ ["same-site" , get_host_info().HTTPS_ORIGIN ] ,
+];
+
+let testCase = [
+//[operation , expectReport ] ,
+ [w => w[0] , true ], // Existing iframe.
+ [w => w[1] , false ], // Out of bounds (positive).
+ [w => w[-1] , false ], // Out of bounds (negative).
+];
+
+origin.forEach(([origin_name, origin]) => {
+ testCase.forEach(([op, expectReport]) => {
+ promise_test(async t => {
+ const opener_token = token();
+ const openee_token = token();
+
+ const openee_url = origin+ executor_path + `&uuid=${openee_token}`;
+ const openee = window.open(openee_url);
+ t.add_cleanup(() => send(openee_token, "window.close()"))
+
+ // 1. Create an iframe in the openee.
+ send(openee_token, `
+ let iframe = document.createElement("iframe");
+ document.body.appendChild(iframe);
+
+ send("${opener_token}", "openee loaded");
+ `);
+ let reply = await receive(opener_token);
+ assert_equals(reply, "openee loaded");
+
+ // 2. Try to access the openee.
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ try {op(openee)} catch(e) {}
+ let reports = observer.takeRecords();
+ observer.disconnect();
+
+ // 3. Check the received reports.
+ if (expectReport) {
+ assert_equals(reports.length, 1);
+ assert_equals(reports[0].type, "coop-access-violation");
+ assert_equals(reports[0].body.property, "indexed");
+ } else {
+ assert_equals(reports.length, 0);
+ }
+
+ }, `${origin_name} > ${op}`);
+});
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html.headers
new file mode 100644
index 0000000000..64f4d5fedf
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="none"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-length.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-length.https.html
new file mode 100644
index 0000000000..a9f3614cb5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-length.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.length access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("length", w => w.length);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-get.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-get.https.html
new file mode 100644
index 0000000000..442817748d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-get.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.location access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("location", w => w.location);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-set.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-set.https.html
new file mode 100644
index 0000000000..e42f084821
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-set.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.location access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("location", w => w.location = "#");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html
new file mode 100644
index 0000000000..27be9a48d1
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html
@@ -0,0 +1,71 @@
+<title> Check reports are sent for the indexed getter</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script>
+
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+let crossOrigin = ["cross-origin" , get_host_info().HTTPS_REMOTE_ORIGIN ];
+let sameOrigin = ["same-site" , get_host_info().HTTPS_ORIGIN ];
+
+let testCase = [
+//[ operation , origin , expectReport ],
+ [ w => w["iframeName"] , sameOrigin , true ],
+ [ w => w["iframeName"] , crossOrigin , true ],
+ [ w => w["divID"] , sameOrigin , true ],
+ [ w => w["divID"] , crossOrigin , false ],
+ [ w => w["existingGlobal"] , sameOrigin , false ],
+ [ w => w["existingGlobal"] , crossOrigin , false ],
+ [ w => w["missingGlobal"] , sameOrigin , false ],
+ [ w => w["missingGlobal"] , crossOrigin , false ],
+];
+
+testCase.forEach(([op, [origin_name, origin], expectReport]) => {
+ promise_test(async t => {
+ const opener_token = token();
+ const openee_token = token();
+
+ const openee_url = origin + executor_path + `&uuid=${openee_token}`;
+ const openee = window.open(openee_url);
+ t.add_cleanup(() => send(openee_token, "window.close()"))
+
+ // 1. Make sure the new document to be loaded. Populate the document.
+ send(openee_token, `
+ let iframe = document.createElement("iframe");
+ iframe.name = "iframeName";
+ document.body.appendChild(iframe);
+
+ let div = document.createElement("div");
+ div.id = "divID";
+ document.body.appendChild(div);
+
+ window.existingGlobal = "test";
+
+ send("${opener_token}", "Ready");
+ `);
+ let reply = await receive(opener_token);
+ assert_equals(reply, "Ready");
+
+ // 2. Try to access the openee.
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ try {op(openee)} catch(e) {}
+ let reports = observer.takeRecords();
+ observer.disconnect();
+
+ // 3. Check the received reports.
+ if (expectReport) {
+ assert_equals(reports.length, 1);
+ assert_equals(reports[0].type, "coop-access-violation");
+ assert_equals(reports[0].body.property, "named");
+ } else {
+ assert_equals(reports.length, 0);
+ }
+
+ }, `${origin_name} > ${op}`);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html.headers
new file mode 100644
index 0000000000..64f4d5fedf
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="none"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-get.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-get.https.html
new file mode 100644
index 0000000000..b99dfdc562
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-get.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.opener access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("opener", w => w.opener);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-set.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-set.https.html
new file mode 100644
index 0000000000..10c251140b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-set.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.opener access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("opener", w => w.opener = "", /* expectReport = */false);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-1.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-1.https.html
new file mode 100644
index 0000000000..a9168fdaa5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-1.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.postMessage(arg1, arg2) access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("postMessage", w => w.postMessage("", ""));
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-2.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-2.https.html
new file mode 100644
index 0000000000..4341f245d5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-2.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.postMessage(arg1) access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("postMessage", w => w.postMessage(""));
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-self.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-self.https.html
new file mode 100644
index 0000000000..7a7d5a3fec
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-self.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.self access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("self", w => w.self);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-top.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-top.https.html
new file mode 100644
index 0000000000..1b75ecc105
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-top.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.top access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("top", w => w.top);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-window.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-window.https.html
new file mode 100644
index 0000000000..07278b4a11
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-window.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.window access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("window", w => w.window);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/report-to-both_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/report-to-both_coop-ro.https.html
new file mode 100644
index 0000000000..46cdc6eb27
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/report-to-both_coop-ro.https.html
@@ -0,0 +1,124 @@
+<title>
+ Both the openee and the opener have a COOP reporter. The report are sent to
+ both side.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const origin_opener = get_host_info().HTTPS_ORIGIN;
+const origin_openee = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+let escapeComma = url => url.replace(/,/g, '\\,');
+
+let genericSetup = async function(test) {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP and a reporter.
+ const opener_report_token= token();
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(opener_report_token);
+ const opener_url = origin_opener+ executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. This has COOP and a reporter.
+ const openee_report_token= token();
+ const openee_token = token();
+ const openee_reportTo = reportToHeaders(openee_report_token);
+ const openee_url = origin_openee + executor_path + openee_reportTo.header +
+ openee_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // Cleanup at the end of the test.
+ test.add_cleanup(() => {
+ send(openee_token, 'window.close()');
+ send(opener_token, 'window.close()');
+ });
+
+ // 1. Spawn the opener and the openee windows.
+ window.open(opener_url);
+ send(opener_token, `
+ openee = window.open('${escapeComma(openee_url)}');
+ `);
+
+ // 2. Wait for both to be loaded.
+ send(openee_token, `send('${this_window_token}', 'ACK');`);
+ assert_equals(await receive(this_window_token), 'ACK');
+
+ return [
+ this_window_token,
+ opener_token, opener_report_token, opener_url,
+ openee_token, openee_report_token, openee_url,
+ ];
+}
+
+let assert_generic_coop_report = function(report) {
+ assert_equals(report.type, "coop");
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+}
+
+promise_test(async test => {
+ let [
+ this_window_token,
+ opener_token, opener_report_token, opener_url,
+ openee_token, openee_report_token, openee_url,
+ ] = await genericSetup(test);
+
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(openee);")
+ );
+
+ let report_opener =
+ await receiveReport(opener_report_token, "access-from-coop-page-to-openee")
+ let report_openee =
+ await receiveReport(openee_report_token, "access-to-coop-page-from-opener")
+
+ assert_generic_coop_report(report_openee);
+ assert_generic_coop_report(report_opener);
+
+ assert_equals(report_opener.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report_openee.url, openee_url.replace(/"/g, '%22'));
+ assert_source_location_found(report_opener);
+ assert_source_location_missing(report_openee);
+}, "Access from opener")
+
+promise_test(async test => {
+ let [
+ this_window_token,
+ opener_token, opener_report_token, opener_url,
+ openee_token, openee_report_token, openee_url,
+ ] = await genericSetup(test);
+
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener);")
+ );
+
+ let report_opener =
+ await receiveReport(opener_report_token, "access-to-coop-page-from-openee")
+ let report_openee =
+ await receiveReport(openee_report_token, "access-from-coop-page-to-opener")
+
+ assert_generic_coop_report(report_openee);
+ assert_generic_coop_report(report_opener);
+
+ assert_equals(report_opener.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report_openee.url, openee_url.replace(/"/g, '%22'));
+ assert_source_location_missing(report_opener);
+ assert_source_location_found(report_openee);
+}, "Access from openee")
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html
new file mode 100644
index 0000000000..375c627d27
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html
@@ -0,0 +1,275 @@
+<!doctype html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<title>
+ Check the ReportingObserver(s) are notified about the coop-access-violation
+ events.
+</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_site = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const corp_header = '|header(Cross-Origin-Resource-Policy,cross-origin)';
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, using COOP-Report-Only and a reporter.
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(token());
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window, NOT using COOP.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `openee = window.open('${openee_url}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 3. Wait for the openee to load its document.
+ send(openee_token, `send("${this_window_token}", "Ready");`);
+ assert_equals(await receive(this_window_token), "Ready");
+
+ // 4. The opener tries to access its openee. All reports for blocked access
+ // from the COOP page should notify the ReportingObservers.
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(openee);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+
+ let report_access_from = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_from.length, 1, "No report received.");
+ assert_equals(report_access_from[0].type, "coop-access-violation");
+ assert_equals(report_access_from[0].url, opener_url.replace(/"/g, '%22'));
+ assert_source_location_found(report_access_from[0])
+ assert_equals(report_access_from[0].body.type,
+ "access-from-coop-page-to-openee");
+ assert_equals(report_access_from[0].body.openeeURL, openee_url);
+ assert_equals(report_access_from[0].body.openerURL, undefined);
+ assert_equals(report_access_from[0].body.otherDocumentURL, undefined);
+
+ // 5. The openee tries to access its opener. No reports for blocked access
+ // to the COOP page should be dispatched.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(opener);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+ let report_access_to = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_to.length, 0, "Unexpected report received.");
+}, "Opener COOP");
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, NOT using COOP.
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + `&uuid=${opener_token}`;
+
+ // The "openee" window, using COOP-Report-Only and a reporter.
+ const openee_token = token();
+ const openee_reportTo = reportToHeaders(token());
+ const openee_url = same_origin + executor_path + openee_reportTo.header +
+ openee_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens its openee.
+ send(opener_token,
+ `openee = window.open('${openee_url.replace(/,/g, '\\,')}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 3. The openee tries to access its opener. All reports for blocked access
+ // from the COOP page should notify the ReportingObservers.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(opener);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+ let report_access_from = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_from.length, 1, "No report received.");
+ assert_equals(report_access_from[0].type, "coop-access-violation");
+ assert_equals(report_access_from[0].url, openee_url.replace(/"/g, '%22'));
+ assert_true(report_access_from[0].body.sourceFile.includes("try-access.js"));
+ assert_source_location_found(report_access_from[0])
+ assert_equals(report_access_from[0].body.type,
+ "access-from-coop-page-to-opener");
+ assert_equals(report_access_from[0].body.openeeURL, undefined);
+ assert_equals(report_access_from[0].body.openerURL, opener_url);
+ assert_equals(report_access_from[0].body.otherDocumentURL, undefined);
+
+ // 4. The opener tries to access its openee. No reports for blocked access
+ // to the COOP page should be dispatched.
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `
+ let observer = new ReportingObserver(()=>{});
+ observer.observe();
+ tryAccess(openee);
+ let reports = observer.takeRecords();
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ `));
+ let report_access_to = JSON.parse(await receive(this_window_token));
+ assert_equals(report_access_to.length, 0, "Unexpected report received.");
+}, "Openee COOP");
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, using COOP-Report-Only and a reporter.
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(token());
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "opener's iframe", same-origin with its parent.
+ const opener_iframe_token = token();
+ const opener_iframe_url = same_origin + executor_path + coep_header +
+ `&uuid=${opener_iframe_token}`;
+
+ // The "openee" window, NOT using COOP.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + coep_header +
+ `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens an iframe, and install a ReportingObserver to catch
+ // future accesses.
+ send(opener_token, `
+ iframe = document.createElement("iframe");
+ iframe.src = "${opener_iframe_url}";
+ document.body.appendChild(iframe);
+
+ let observer = new ReportingObserver(reports => {
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ });
+ observer.observe();
+ `);
+
+ // 3. The iframe opens the openee.
+ send(opener_iframe_token, `openee = window.open('${openee_url}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 4. Wait for the openee to load its document.
+ send(openee_token, `send("${this_window_token}", "Ready");`);
+ assert_equals(await receive(this_window_token), "Ready");
+
+ // 4. The opener's iframe tries to access the openee. This is an
+ // "access-from-coop-page" from a same-origin iframe, so the
+ // ReportingObserver(s) are notified.
+ send(opener_iframe_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `tryAccess(openee);`));
+
+ let reports = await receive(this_window_token);
+ reports = JSON.parse(reports);
+ assert_equals(reports.length, 1, "No report received.");
+ assert_equals(reports[0].type, "coop-access-violation");
+ assert_equals(reports[0].url, opener_url.replace(/"/g, '%22'));
+ assert_true(reports[0].body.sourceFile.includes("try-access.js"));
+ assert_source_location_found(reports[0]);
+ assert_equals(reports[0].body.type,
+ "access-from-coop-page-to-openee");
+ assert_equals(reports[0].body.openeeURL, openee_url);
+ assert_equals(reports[0].body.openerURL, undefined);
+ assert_equals(reports[0].body.otherDocumentURL, undefined);
+}, "Access from same-origin iframe")
+
+promise_test(async t => {
+ // This test window.
+ const this_window_token = token();
+
+ // The "opener" window, using COOP-Report-Only and a reporter.
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(token());
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "opener's iframe", same-origin with its parent.
+ const opener_iframe_token = token();
+ const opener_iframe_url = cross_site + executor_path + coep_header +
+ corp_header +
+ `&uuid=${opener_iframe_token}`;
+
+ // The "openee" window, NOT using COOP.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + coep_header +
+ `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close();"));
+
+ // 2. The opener opens an iframe, and install a ReportingObserver to catch
+ // future accesses.
+ send(opener_token, `
+ iframe = document.createElement("iframe");
+ iframe.src = "${opener_iframe_url}";
+ document.body.appendChild(iframe);
+
+ let observer = new ReportingObserver(reports => {
+ send("${this_window_token}", JSON.stringify(reports));
+ observer.disconnect();
+ });
+ observer.observe();
+ `);
+
+ // 3. The iframe opens the openee.
+ send(opener_iframe_token, `openee = window.open('${openee_url}');`);
+ t.add_cleanup(() => send(openee_token, `window.close();`));
+
+ // 4. Wait for the openee to load its document.
+ send(openee_token, `send("${this_window_token}", "Ready");`);
+ assert_equals(await receive(this_window_token), "Ready");
+
+ // 5. The opener's iframe tries to access the openee. This is an
+ // "access-from-coop-page" from a cross-site iframe. The ReportingObservers
+ // from the main document aren't notified.
+ send(opener_iframe_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js", `tryAccess(openee);`));
+
+ let reports = await receive(this_window_token, 2000);
+ assert_equals(reports, "timeout", "Unexpected report received.");
+}, "Access from cross-site iframe")
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html
new file mode 100644
index 0000000000..7bfdab1330
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html
@@ -0,0 +1,86 @@
+
+<meta name=timeout content=long>
+<title>A test with both COOP and COOP report only setup using Reporting-Endpoints header</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=2aee31d2-cd11-43bd-b34d-5f081ca3b2b4&report_only_id=d18f1779-e2ab-4a7a-8b1c-44e3a6f440f5"></script>
+
+<script>
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with both normal and report-only COOP. Four
+ // reports are sent.
+ [
+ CROSS_ORIGIN,
+ `same-origin-allow-popups; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": reportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ]
+];
+
+runNavigationDocumentReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers
new file mode 100644
index 0000000000..de48445f38
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers
@@ -0,0 +1,6 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-report-only-endpoint"
+Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Embedder-Policy-Report-Only: require-corp
+Referrer-Policy: origin
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=2aee31d2-cd11-43bd-b34d-5f081ca3b2b4", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=d18f1779-e2ab-4a7a-8b1c-44e3a6f440f5"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html
new file mode 100644
index 0000000000..409628c15c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html
@@ -0,0 +1,124 @@
+<title>
+ Both the openee and the opener have a COOP reporter. The report are sent to
+ both side.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const origin_opener = get_host_info().HTTPS_ORIGIN;
+const origin_openee = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+let escapeComma = url => url.replace(/,/g, '\\,');
+
+let genericSetup = async function(test) {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP and a reporter.
+ const opener_token = token();
+ const opener_report_token = reportToken();
+ const opener_reporting = reportingEndpointsHeaders(opener_report_token);
+ const opener_url = origin_opener+ executor_path + opener_reporting.header +
+ opener_reporting.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. This has COOP and a reporter.
+ const openee_token = token();
+ const openee_report_token = reportToken();
+ const openee_reporting = reportingEndpointsHeaders(openee_report_token);
+ const openee_url = origin_openee + executor_path + openee_reporting.header +
+ openee_reporting.coopReportOnlySameOriginHeader + coep_header +
+ `&uuid=${openee_token}`;
+
+ // Cleanup at the end of the test.
+ test.add_cleanup(() => {
+ send(openee_token, 'window.close()');
+ send(opener_token, 'window.close()');
+ });
+
+ // 1. Spawn the opener and the openee windows.
+ window.open(opener_url);
+ send(opener_token, `
+ openee = window.open('${escapeComma(openee_url)}');
+ `);
+
+ // 2. Wait for both to be loaded.
+ send(openee_token, `send('${this_window_token}', 'ACK');`);
+ assert_equals(await receive(this_window_token), 'ACK');
+
+ return [
+ this_window_token,
+ opener_token, opener_report_token, opener_url,
+ openee_token, openee_report_token, openee_url,
+ ];
+}
+
+let assert_generic_coop_report = function(report) {
+ assert_equals(report.type, "coop");
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+ assert_equals(report.body.property, "blur");
+}
+
+promise_test(async test => {
+ let [
+ this_window_token,
+ opener_token, opener_report_token, opener_url,
+ openee_token, openee_report_token, openee_url,
+ ] = await genericSetup(test);
+
+ send(opener_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(openee);")
+ );
+
+ let report_opener =
+ await receiveReport(opener_report_token, "access-from-coop-page-to-openee")
+ let report_openee =
+ await receiveReport(openee_report_token, "access-to-coop-page-from-opener")
+
+ assert_generic_coop_report(report_openee);
+ assert_generic_coop_report(report_opener);
+
+ assert_equals(report_opener.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report_openee.url, openee_url.replace(/"/g, '%22'));
+ assert_source_location_found(report_opener);
+ assert_source_location_missing(report_openee);
+}, "Access from opener")
+
+promise_test(async test => {
+ let [
+ this_window_token,
+ opener_token, opener_report_token, opener_url,
+ openee_token, openee_report_token, openee_url,
+ ] = await genericSetup(test);
+
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener);")
+ );
+
+ let report_opener =
+ await receiveReport(opener_report_token, "access-to-coop-page-from-openee")
+ let report_openee =
+ await receiveReport(openee_report_token, "access-from-coop-page-to-opener")
+
+ assert_generic_coop_report(report_openee);
+ assert_generic_coop_report(report_opener);
+
+ assert_equals(report_opener.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report_openee.url, openee_url.replace(/"/g, '%22'));
+ assert_source_location_missing(report_opener);
+ assert_source_location_found(report_openee);
+}, "Access from openee")
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
new file mode 100644
index 0000000000..b2ff818d56
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
@@ -0,0 +1,111 @@
+<title>
+ Tests the redirect interaction with COOP same-origin-allow-popups.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script>
+
+const same_origin = {
+ host: get_host_info().HTTPS_ORIGIN,
+ name: "Same origin"
+};
+const cross_origin = {
+ host: get_host_info().HTTPS_REMOTE_ORIGIN,
+ name: "Cross origin"
+};
+
+// Tests the redirect interaction with COOP same-origin-allow-popups and
+// reporting:
+// 1 - open the opener document on origin same_origin wit COOP
+// same-origin-allow-popups.
+// 2 - opener opens popup with document on origin popup_origin, no COOP and a
+// redirect header (HTTP 302, location).
+// 3 - redirection to a document with origin same_origin and COOP
+// same-origin-allow-popups.
+//
+// The navigation (2) to the first document of the popup stays in the same
+// browsing context group due to the same-origin-allow-popups COOP of the
+// opener.
+// The redirect (3) to the final document does since it compares the
+// popup_origin/unsafe-none document with the
+// same-origin/same-origin-allow-popups document.
+//
+// A opens B, B redirects to C.
+//
+// Document Origin COOP
+// -------- ------------ ------------------------
+// A same-origin same-origin-allow-popups
+// B popup-origin unsafe-none
+// C same-origin same-origin-allow-popups
+function redirect_test(popup_origin) {
+ promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP same-origin-allow-popups and a
+ // reporter.
+ const opener_token = token();
+ const opener_report_token = reportToken();
+ const opener_reporting = reportingEndpointsHeaders(opener_report_token);
+ const opener_url = same_origin.host + executor_path +
+ opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window.
+ // The initial document does not have COOP and is on popup_origin, it
+ // redirects to a same-origin (with the opener) document with COOP
+ // same-origin-allow-popups.
+ const openee_token = token();
+ const openee_redirect_url = same_origin.host + executor_path +
+ opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader +
+ `&uuid=${openee_token}`;
+ const redirect_header = 'status(302)' +
+ `|header(Location,${encodeURIComponent(
+ openee_redirect_url
+ .replace(/,/g, "\\,")
+ .replace(/\\\\,/g, "\\\\\\,")
+ .replace(/\(/g, "%28")
+ .replace(/\)/g, "%29"))})`;
+ const openee_url = popup_origin.host + executor_path + redirect_header +
+ `&uuid=${openee_token}`;
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `
+ openee = window.open("${openee_url}");
+ `);
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. Check the opener status on the openee.
+ send(openee_token, `
+ send("${this_window_token}", opener !== null);
+ `);
+ assert_equals(await receive(this_window_token), "false", "opener");
+
+ // 4. Check the openee status on the opener.
+ send(opener_token, `
+ send("${this_window_token}", openee.closed);
+ `);
+ assert_equals(await receive(this_window_token), "true", "openee.closed");
+
+ // 5. Check a report sent to the openee.
+ let report = await receiveReport(
+ opener_report_token,
+ "navigation-to-response");
+ assert_equals(report.type, "coop");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.effectivePolicy, "same-origin-allow-popups");
+ }, `${popup_origin.name} openee redirected to same-origin with same-origin-allow-popups`);
+}
+
+redirect_test(same_origin);
+redirect_test(cross_origin);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html
new file mode 100644
index 0000000000..bd89856305
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html
@@ -0,0 +1,130 @@
+<title>
+ Tests the redirect interaction with COOP unsafe-none.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script>
+
+const same_origin = {
+ host: get_host_info().HTTPS_ORIGIN,
+ name: "Same origin"
+};
+const cross_origin = {
+ host: get_host_info().HTTPS_REMOTE_ORIGIN,
+ name: "Cross origin"
+};
+
+// Repeated call receive() to fetch all reports received within 1 second.
+async function fetchReportsByID(uuid){
+ let timeStart = new Date().getTime();
+ const reports = [];
+ while(new Date().getTime() - timeStart < 1000) {
+ // Promise.race is used to timeout since receive() has no timeout mechanism.
+ reports.push(...await Promise.race([
+ receive(uuid).then(JSON.parse),
+ new Promise(resolve => step_timeout(resolve, 1000, []))
+ ]));
+ }
+ return reports;
+}
+
+function fetchReportByType(reports, type){
+ return reports.filter((report)=> (report.body.type === type));
+}
+
+ // Tests the redirect interaction with COOP unsafe-none and reporting:
+ // 1 - open the opener document on origin same_origin with COOP
+ // unsafe-none.
+ // 2 - opener opens popup with document on origin popup_origin, with COOP
+ // same-origin, Reporting-Endpoints header and a redirect header
+ // (HTTP 302, location).
+ // 3 - redirection to a document with origin same-origin and COOP
+ // unsafe-none.
+ //
+ // Navigation 2) should generate a report sent to B's reporter(navigation-to).
+ // Navigation 3) should generate a report sent to B's reporter(navigation-from).
+ //
+ // A opens B, B redirects to C.
+ //
+ // Document Origin COOP
+ // -------- ------------ ------------------------
+ // A same-origin unsafe-none
+ // B popup-origin same-origin
+ // C same-origin unsafe-none
+function redirect_test(popup_origin) {
+ promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP unsafe-none and no reporter.
+ const opener_token = token();
+ const opener_url = same_origin.host + executor_path +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window.
+ // The initial document have COOP, reporter and is on popup_origin, it
+ // redirects to a same-origin (with the opener) document with no COOP.
+ const openee_token = token();
+ const openee_report_token = reportToken();
+ const openee_reporting = reportingEndpointsHeaders(openee_report_token);
+ const openee_redirect_url = same_origin.host + executor_path +
+ `&uuid=${openee_token}`;
+ const redirect_header = '|status(302)' +
+ `|header(Location,${encodeURIComponent(
+ openee_redirect_url)})`;
+ const openee_url = (popup_origin.host + executor_path
+ + openee_reporting.header + openee_reporting.coopSameOriginHeader
+ + redirect_header + `&uuid=${openee_token}`)
+ .replace(/,/g, "\\,")
+ .replace(/\\\\,/g, "\\\\\\,")
+ .replace(/\(/g, "%28")
+ .replace(/\)/g, "%29");
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `
+ openee = window.open(\`${openee_url}\`);
+ `);
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. Check the opener status on the openee.
+ send(openee_token, `
+ send("${this_window_token}", opener !== null);
+ `);
+ assert_equals(await receive(this_window_token), "false", "opener");
+
+ // 4. Check the openee status on the opener.
+ send(opener_token, `
+ send("${this_window_token}", openee.closed);
+ `);
+ assert_equals(await receive(this_window_token), "true", "openee.closed");
+
+ // 5. Check a report sent to B's reporting endpoint when A opens B.
+ const reports = await fetchReportsByID(openee_report_token);
+ const navigationToReport = fetchReportByType(
+ reports, "navigation-to-response");
+ assert_equals(navigationToReport.length, 1);
+ assert_equals(navigationToReport[0].type, "coop");
+ assert_equals(navigationToReport[0].body.disposition, "enforce");
+ assert_equals(navigationToReport[0].body.effectivePolicy, "same-origin");
+ // 6. Check a report sent to B's reporting endpoint when B redirects to C.
+ const navigationFromReport = fetchReportByType(
+ reports, "navigation-from-response");
+ assert_equals(navigationFromReport.length, 1);
+ assert_equals(navigationFromReport[0].type, "coop");
+ assert_equals(navigationFromReport[0].body.disposition, "enforce");
+ assert_equals(navigationFromReport[0].body.effectivePolicy, "same-origin");
+ }, `${popup_origin.name} openee redirected to same-origin with unsafe-none`);
+}
+
+redirect_test(same_origin);
+redirect_test(cross_origin);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html
new file mode 100644
index 0000000000..ca1471ccc0
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html
@@ -0,0 +1,86 @@
+<meta name=timeout content=long>
+<title>A test with both COOP and COOP report only setup</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=47b45e17-51c5-4691-bdd5-8f343bbfcf42&report_only_id=3eb3ad1d-872e-4ea8-8b40-0e98783a0683"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with both normal and report-only COOP. Four
+ // reports are sent.
+ [
+ CROSS_ORIGIN,
+ `same-origin-allow-popups; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": reportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ]
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html.sub.headers
new file mode 100644
index 0000000000..50c3045bb6
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html.sub.headers
@@ -0,0 +1,6 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-report-only-endpoint"
+Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Embedder-Policy-Report-Only: require-corp
+Referrer-Policy: origin
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=47b45e17-51c5-4691-bdd5-8f343bbfcf42", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=3eb3ad1d-872e-4ea8-8b40-0e98783a0683" \ No newline at end of file
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html
new file mode 100644
index 0000000000..cca2e7e1ae
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html
@@ -0,0 +1,71 @@
+
+<meta name=timeout content=long>
+<title>Report only tests for an opener without any COOP/COOP report only set</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a same-origin popup with a same-origin COOP report-only value, which
+ // would cause a browsing context group swap, hence a report is sent.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": `${location.href}`, // previous documnent url
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP report-only value, which
+ // would cause a browsing context group swap, hence a report is sent.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html.headers
new file mode 100644
index 0000000000..5b29739bbd
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html.headers
@@ -0,0 +1 @@
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html
new file mode 100644
index 0000000000..52b1f2a09f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html
@@ -0,0 +1,96 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=380ca360-d1ae-4329-b1dd-69cea49cd705&report_only_id=cf9ac91d-6c5d-4489-a420-10be9402ef84"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup without any COOP setup, the current document
+ // (opener) report-only would cause a browsing context group swap, hence a
+ // report is sent to the corresponding endpoint.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP report-only value, which
+ // would cause a browsing context group swap, hence a report is sent to both
+ // endpoints.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": reportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP report-only value, the two
+ // COOP-report-only values match, hence no virtual browsing context group swap
+ // happens and no report is sent.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..04bc49906b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html.sub.headers
@@ -0,0 +1,3 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-report-only-endpoint"
+Referrer-Policy: origin
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=380ca360-d1ae-4329-b1dd-69cea49cd705", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=cf9ac91d-6c5d-4489-a420-10be9402ef84"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html
new file mode 100644
index 0000000000..148c700ee5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html
@@ -0,0 +1,32 @@
+
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with COOP report-only with coep, which mismatches
+ // with the current document (opener) COOP (unsafe-none) and COOP report-only
+ // (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html.headers
new file mode 100644
index 0000000000..58ab03394a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html.headers
@@ -0,0 +1,3 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin
+Cross-Origin-Embedder-Policy-Report-Only: require-corp
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html
new file mode 100644
index 0000000000..148c700ee5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html
@@ -0,0 +1,32 @@
+
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with COOP report-only with coep, which mismatches
+ // with the current document (opener) COOP (unsafe-none) and COOP report-only
+ // (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html.headers
new file mode 100644
index 0000000000..2ba7ffb592
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html.headers
@@ -0,0 +1,3 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin
+Cross-Origin-Embedder-Policy: require-corp
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html
new file mode 100644
index 0000000000..8a63682c69
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html
@@ -0,0 +1,73 @@
+
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with COOP report-only with coep, which mismatches
+ // with the current document (opener) COOP (unsafe-none) and COOP report-only
+ // (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": `${location.href}`,
+ "referrer": `${location.origin}/`,
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with COOP report-only with coep report-only,
+ // which mismatches with the current document (opener) COOP (unsafe-none) and
+ // COOP report-only (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": `${location.href}`,
+ "referrer": `${location.origin}/`,
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html.headers
new file mode 100644
index 0000000000..9a8445a43e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-opener.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-opener.https.html
new file mode 100644
index 0000000000..893dfa20b8
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-opener.https.html
@@ -0,0 +1,67 @@
+<title>
+ Reports a browsing context group switch when an opener with COOP navigates.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+let escapeComma = url => url.replace(/,/g, '\\,');
+
+promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window.
+ const opener_token = token();
+ const opener_url = same_origin + executor_path + `&uuid=${opener_token}`;
+
+ // The "openee" window.
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + `&uuid=${openee_token}`;
+
+ // The "final" url the opener will navigate to. It has COOP and a reporter.
+ const final_report_token = reportToken();
+ const final_token = token();
+ const final_reportTo = reportingEndpointsHeaders(final_report_token);
+ const final_url = same_origin + executor_path + final_reportTo.header +
+ final_reportTo.coopSameOriginHeader +`&uuid=${final_token}`;
+
+ // 1. Create the opener window and ensure it doesn't have an opener.
+ let opener_window_proxy = window.open(opener_url, '_blank', 'noopener');
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens a window.
+ send(opener_token, `
+ openee = window.open('${escapeComma(openee_url)}');
+ `);
+
+ // 3. Ensure the openee loads.
+ send(openee_token, `
+ send("${this_window_token}", "ACK");
+ `);
+ assert_equals("ACK", await receive(this_window_token));
+
+ // 4. The opener navigates.
+ send(opener_token, `
+ location.replace('${escapeComma(final_url)}');
+ `);
+
+ // 5. Check a report was sent to the opener.
+ let report =
+ await receiveReport(final_report_token, "navigation-to-response")
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, final_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.effectivePolicy, "same-origin");
+ assert_equals(report.body.previousResponseURL, opener_url.replace(/"/g, '%22'));
+}, "navigation-report-from-opener-navigation");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html
new file mode 100644
index 0000000000..b625b285cf
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html
@@ -0,0 +1,85 @@
+<title>Cross-Origin-Opener-Policy: a navigated popup with reporting</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=df3cde15-b00b-4a59-b6e2-498b67a6146e&report_only_id=ebf3a415-7a74-42e1-92d1-e600b1bbe22e"></script>
+
+<script>
+
+// This test does the following:
+// 1 - This document has COOP: same-origin-allow-popups; report-to="coop-report-endpoint"
+// 2 - Open a popup on a same-origin page without COOP, with the coop-popup-report-endpoint
+// 3 - Navigate the popup to a same-origin page with COOP, with the coop-redirect-report-endpoint
+// it verifies that the reports are properly send for the browsing context switch
+// during the navigation in the popup (step 3). The current document (the opener)
+// endpoint should not receive any report as no switch ocurred on 2.
+promise_test( async t => {
+ const callbackToken = token();
+ const noCoopToken = token();
+ const coopToken= token();
+ await reportingTest(async resolve => {
+ const noCOOPUrl = executor_path +
+ convertToWPTHeaderPipe(getReportingEndpointsHeader(location.origin)) +
+ `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(`unsafe-none; report-to="${popupReportEndpoint.name}"`)})` +
+ `&uuid=${noCoopToken}`;
+ const coopUrl = executor_path +
+ convertToWPTHeaderPipe(getReportingEndpointsHeader(location.origin)) +
+ `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(`same-origin; report-to="${redirectReportEndpoint.name}"`)})` +
+ `&uuid=${coopToken}`;
+
+ // 1. Open a popup without COOP and with reporting. COOP does not trigger
+ // a browsing context group switch because the current document is
+ // same-origin-allow-popups
+ const popup = window.open(noCOOPUrl);
+ t.add_cleanup(() => send(noCoopToken, "window.close()"));
+
+ // 2. Navigate the popup to a COOP document, which switches the browsing
+ // context group.
+ send(noCoopToken, `window.location = "${coopUrl}";`);
+ t.add_cleanup(() => send(coopToken, "window.close()"));
+
+ // 3. Make sure the new document is loaded.
+ send(coopToken, `
+ send("${callbackToken}", "Ready");
+ `);
+ let reply = await receive(callbackToken);
+ resolve();
+ },
+ "", // executor token for the report replacements, unused in this test
+ [
+ // Reports expected for the navigation from "noCOOP" to "coop"
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "nextResponseURL": RegExp(`uuid=${coopToken}$`),
+ "type": "navigation-from-response"
+ },
+ "url": RegExp(`uuid=${noCoopToken}$`),
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": redirectReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": RegExp(`uuid=${noCoopToken}$`),
+ "referrer": RegExp(`uuid=${noCoopToken}$`),
+ "type": "navigation-to-response"
+ },
+ "url": RegExp(`uuid=${coopToken}$`),
+ "type": "coop"
+ }
+ },
+ ]);
+}, "Open a popup to a document without COOP, then navigate it to a document with");
+
+verifyRemainingReports();
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html.sub.headers
new file mode 100644
index 0000000000..a6a27c2d3e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html.sub.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=df3cde15-b00b-4a59-b6e2-498b67a6146e", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=ebf3a415-7a74-42e1-92d1-e600b1bbe22e"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html
new file mode 100644
index 0000000000..d674e2e449
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html
@@ -0,0 +1,126 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=6a739c25-0ec5-4832-b4a3-847281006857&report_only_id=f91209ee-b3a3-474b-b337-d663533745fb"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open a same-origin popup with a same-origin COOP and no COEP. Produces two
+ // reports (one from and one to). Both pages being same origin, the
+ // next/pervious document urls are available.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": `${location.href}`, // previous documnent url
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin-allow-popup COOP and noCOEP.
+ // Produces two reports (one from and one to). Both pages being cross origin,
+ // the next/pervious document urls are not available and the initial document
+ // url/referrer are used instead.
+ [
+ CROSS_ORIGIN,
+ `same-origin-allow-popups; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "previousResponseURL": ``,
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP and COEP, and no reporting.
+ // Produces one navigation-from-report for this document (the opener). The
+ // pages being cross origin, the next/pervious document urls are not available
+ // and the initial document url/referrer are used instead.
+ [
+ CROSS_ORIGIN,
+ `same-origin`,
+ "require-corp",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..3e213a95a3
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html.sub.headers
@@ -0,0 +1,3 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=6a739c25-0ec5-4832-b4a3-847281006857", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=f91209ee-b3a3-474b-b337-d663533745fb"
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html
new file mode 100644
index 0000000000..88b180702f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html
@@ -0,0 +1,173 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=edbbace3-40ca-4640-8d50-dc6e52acc1da&report_only_id=f65cf51a-ca6f-4028-a2c3-0c06183faa13"></script>
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open and navigate a popup to a same-origin page with the same COOP-COEP
+ // settings: no browsing context group switch hence no report expected.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ "",
+ "",
+ []
+ ],
+ // Open a same-origin popup with a same-origin COOP but no COEP. Produces two
+ // reports (one from and one to). The from report has an effectivePolicy of
+ // same-origin-plus-coep, both pages being same origin, the entire
+ // next/pervious document urls are available.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next destination url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": `${location.href}`, // previous document url
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP and COEP. Produces two
+ // reports (one from and one to). The from report has an effectivePolicy of
+ // same-origin-plus-coep, both pages being cross origin, the next/pervious
+ // document urls are not available and the initial document url/referrer are
+ // used instead.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": ``,
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP report only. One report
+ // is sent to this page's endpoint, but none to the report-only endpoint.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP report only. A report is
+ // sent to both this page's endpoint and the popup's.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": ``,
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..0f78bdb2d0
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html.sub.headers
@@ -0,0 +1,4 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=edbbace3-40ca-4640-8d50-dc6e52acc1da", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=f65cf51a-ca6f-4028-a2c3-0c06183faa13"
+Cross-Origin-Opener-Policy: same-origin; report-to="coop-report-endpoint"
+Cross-Origin-Embedder-Policy: require-corp
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html
new file mode 100644
index 0000000000..47bb67cc4b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html
@@ -0,0 +1,216 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=6aad9729-8642-4894-91d9-a4d44707cd4a&report_only_id=69eb1838-6a03-4cda-97b0-c126ffcb9e8a"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open a popup on a same-origin page, with a compatible COOP.
+ // This is a sanity check that no report are produced.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ []
+ ],
+ // Open a cross-origin popup with a same-origin COOP. Produces two
+ // reports (one from and one to). The from report has an effectivePolicy of
+ // same-origin (corresponding to the current document), both pages being
+ // cross origin, the next/pervious document urls are not available and the
+ // initial document url/referrer are used instead.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a unsafe-none COOP and no COEP. COOP switches
+ // the browsing context group and hence produces two reports (one from and one
+ // to). This test verifies that unsafe-none properly sends report.
+ [
+ SAME_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "previousResponseURL": `${location.href}`,
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP and COEP. The difference
+ // of COEP values leads to the browsing context group switch and produces two
+ // reports. This verifies that the navigation-to-document report has an
+ // effectivePolicy of same-origin-plus-coep.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": `${location.href}`,
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with no COOP (but reporting) and no COEP.
+ // Produces two reports. The pages being cross origin, the next/pervious
+ // document urls are not available and the initial document url/referrer are
+ // used instead.
+ [
+ CROSS_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "previousResponseURL": "",
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with no COOP (without reporting) and no COEP.
+ // Produces one report to this page (opener) endpoint.
+ // This verifies that the navigated-to-document's COOP report values do not
+ // impact the navigated-from-document's COOP.
+ [
+ SAME_ORIGIN,
+ "unsafe-none",
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ }
+ ]
+ ]
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..79c851a86c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html.sub.headers
@@ -0,0 +1,3 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=6aad9729-8642-4894-91d9-a4d44707cd4a", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=69eb1838-6a03-4cda-97b0-c126ffcb9e8a"
+Cross-Origin-Opener-Policy: same-origin; report-to="coop-report-endpoint"
+Referrer-Policy: no-referrer
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html
new file mode 100644
index 0000000000..3a8f343f37
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html
@@ -0,0 +1,110 @@
+<meta name=timeout content=long>
+<title>reporting same origin</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open a cross-origin popup with a same-origin COOP and no COEP. COOP
+ // switches the browsing context group and hence produces one report.
+ // This test verifies that the navigated to document properly sends a
+ // navigation-to report. The navigationURI is the referrer.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a unsafe-none COOP and no COEP. COOP switches
+ // the browsing context group and hence produces one report.
+ // This test verifies that having different policies on same origin documents
+ // still properly produces report to the navigated-to-document.
+ [
+ SAME_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "previousResponseURL": `${location.href}`,
+ "referrer": `${location.href}`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a unsafe-none COOP (with reporting) and no
+ // COEP. COOP switches the browsing context group and hence produces one
+ // reports to the unsafe-none document. This test verifies that unsafe-none
+ // properly sends report in that configuration.
+ [
+ CROSS_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP Report only value, the
+ // report only matches the previous document COOP value, no report is sent.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html
new file mode 100644
index 0000000000..2563dbb01f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html
@@ -0,0 +1,126 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=1f79b0d5-c2a2-4e0b-8e8c-651af2321964&report_only_id=c50700c8-db1e-4224-b06f-4c6a95a5f4be"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open a same-origin popup with a same-origin COOP with reporting and no COEP.
+ // COOP switches the browsing context group and hence produces two reports
+ // (one from and one to). This test verifies that unsafe-none (from the opener)
+ // properly sends a report.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": `${location.href}`, // previous document url
+ "referrer": `${location.href}`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP (no reporting)and no COEP.
+ // COOP switches the browsing context group and hence produces one report for
+ // the navigated from document (this page, the opener). This test differs with
+ // the previous one as it assert that the navigated to document's COOP reporting
+ // values do not interfere.
+ [
+ SAME_ORIGIN,
+ `same-origin`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP and no COEP. COOP switches
+ // the browsing context group and hence produces two reports.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": ``,
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ]
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..f1f18d6708
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html.sub.headers
@@ -0,0 +1,2 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=1f79b0d5-c2a2-4e0b-8e8c-651af2321964", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=c50700c8-db1e-4224-b06f-4c6a95a5f4be"
+Cross-Origin-Opener-Policy: unsafe-none; report-to="coop-report-endpoint"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
new file mode 100644
index 0000000000..cd2f6b67b3
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
@@ -0,0 +1,111 @@
+<title>
+ Tests the redirect interaction with COOP same-origin-allow-popups.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = {
+ host: get_host_info().HTTPS_ORIGIN,
+ name: "Same origin"
+};
+const cross_origin = {
+ host: get_host_info().HTTPS_REMOTE_ORIGIN,
+ name: "Cross origin"
+};
+
+// Tests the redirect interaction with COOP same-origin-allow-popups and
+// reporting:
+// 1 - open the opener document on origin same_origin with COOP
+// same-origin-allow-popups.
+// 2 - opener opens popup with document on origin popup_origin, no COOP and a
+// redirect header (HTTP 302, location).
+// 3 - redirection to a document with origin same_origin and COOP
+// same-origin-allow-popups.
+//
+// The navigation (2) to the first document of the popup stays in the same
+// browsing context group due to the same-origin-allow-popups COOP of the
+// opener.
+// The redirect (3) to the final document does since it compares the
+// popup_origin/unsafe-none document with the
+// same-origin/same-origin-allow-popups document.
+//
+// A opens B, B redirects to C.
+//
+// Document Origin COOP
+// -------- ------------ ------------------------
+// A same-origin same-origin-allow-popups
+// B popup-origin unsafe-none
+// C same-origin same-origin-allow-popups
+function redirect_test( popup_origin ) {
+ promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP same-origin-allow-popups and a
+ // reporter.
+ const opener_report_token = reportToken();
+ const opener_token = token();
+ const opener_reportTo = reportingEndpointsHeaders(opener_report_token);
+ const opener_url = same_origin.host + executor_path +
+ opener_reportTo.header + opener_reportTo.coopSameOriginAllowPopupsHeader +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window.
+ // The initial document does not have COOP and is on popup_origin, it
+ // redirects to a same-origin (with the opener) document with COOP
+ // same-origin-allow-popups.
+ const openee_token = token();
+ const openee_redirect_url = same_origin.host + executor_path +
+ opener_reportTo.header + opener_reportTo.coopSameOriginAllowPopupsHeader +
+ `&uuid=${openee_token}`;
+ const redirect_header = 'status(302)' +
+ `|header(Location,${encodeURIComponent(
+ openee_redirect_url
+ .replace(/,/g, "\\,")
+ .replace(/\\\\,/g, "\\\\\\,")
+ .replace(/\(/g, "%28")
+ .replace(/\)/g, "%29"))})`;
+ const openee_url = popup_origin.host + executor_path + redirect_header +
+ `&uuid=${openee_token}`;
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `
+ openee = window.open("${openee_url}");
+ `);
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. Check the opener status on the openee.
+ send(openee_token, `
+ send("${this_window_token}", opener !== null);
+ `);
+ assert_equals(await receive(this_window_token), "false", "opener");
+
+ // 4. Check the openee status on the opener.
+ send(opener_token, `
+ send("${this_window_token}", openee.closed);
+ `);
+ assert_equals(await receive(this_window_token), "true", "openee.closed");
+
+ // 5. Check a report sent to the openee.
+ let report = await receiveReport(
+ opener_report_token,
+ "navigation-to-response");
+ assert_equals(report.type, "coop");
+ assert_equals(report.body.disposition, "enforce");
+ assert_equals(report.body.effectivePolicy, "same-origin-allow-popups");
+ }, `${popup_origin.name} openee redirected to same-origin with same-origin-allow-popups`);
+}
+
+redirect_test(same_origin);
+redirect_test(cross_origin);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js
new file mode 100644
index 0000000000..70bb4897f5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js
@@ -0,0 +1,422 @@
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)';
+
+// Report endpoint keys must start with a lower case alphabet character.
+// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-header-structure-15#section-4.2.3.3
+const reportToken = () => {
+ return token().replace(/./, 'a');
+}
+
+const isWPTSubEnabled = "{{GET[pipe]}}".includes("sub");
+
+const getReportEndpointURL = (reportID) =>
+ `/reporting/resources/report.py?reportID=${reportID}`;
+
+const reportEndpoint = {
+ name: "coop-report-endpoint",
+ reportID: isWPTSubEnabled ? "{{GET[report_id]}}" : token(),
+ reports: []
+};
+const reportOnlyEndpoint = {
+ name: "coop-report-only-endpoint",
+ reportID: isWPTSubEnabled ? "{{GET[report_only_id]}}" : token(),
+ reports: []
+};
+const popupReportEndpoint = {
+ name: "coop-popup-report-endpoint",
+ reportID: token(),
+ reports: []
+};
+const popupReportOnlyEndpoint = {
+ name: "coop-popup-report-only-endpoint",
+ reportID: token(),
+ reports: []
+};
+const redirectReportEndpoint = {
+ name: "coop-redirect-report-endpoint",
+ reportID: token(),
+ reports: []
+};
+const redirectReportOnlyEndpoint = {
+ name: "coop-redirect-report-only-endpoint",
+ reportID: token(),
+ reports: []
+};
+
+const reportEndpoints = [
+ reportEndpoint,
+ reportOnlyEndpoint,
+ popupReportEndpoint,
+ popupReportOnlyEndpoint,
+ redirectReportEndpoint,
+ redirectReportOnlyEndpoint
+];
+
+// Allows RegExps to be pretty printed when printing unmatched expected reports.
+Object.defineProperty(RegExp.prototype, "toJSON", {
+ value: RegExp.prototype.toString
+});
+
+function wait(ms) {
+ return new Promise(resolve => step_timeout(resolve, ms));
+}
+
+// Check whether a |report| is a "opener breakage" COOP report.
+function isCoopOpenerBreakageReport(report) {
+ if (report.type != "coop")
+ return false;
+
+ if (report.body.type != "navigation-from-response" &&
+ report.body.type != "navigation-to-response") {
+ return false;
+ }
+
+ return true;
+}
+
+async function clearReportsOnServer(host) {
+ const res = await fetch(
+ '/reporting/resources/report.py', {
+ method: "POST",
+ body: JSON.stringify({
+ op: "DELETE",
+ reportIDs: reportEndpoints.map(endpoint => endpoint.reportID)
+ })
+ });
+ assert_equals(res.status, 200, "reports cleared");
+}
+
+async function pollReports(endpoint) {
+ const res = await fetch(getReportEndpointURL(endpoint.reportID),
+ { cache: 'no-store' });
+ if (res.status !== 200) {
+ return;
+ }
+ for (const report of await res.json()) {
+ if (isCoopOpenerBreakageReport(report))
+ endpoint.reports.push(report);
+ }
+}
+
+// Recursively check that all members of expectedReport are present or matched
+// in report.
+// Report may have members not explicitly expected by expectedReport.
+function isObjectAsExpected(report, expectedReport) {
+ if (( report === undefined || report === null
+ || expectedReport === undefined || expectedReport === null )
+ && report !== expectedReport ) {
+ return false;
+ }
+ if (expectedReport instanceof RegExp && typeof report === "string") {
+ return expectedReport.test(report);
+ }
+ // Perform this check now, as RegExp and strings above have different typeof.
+ if (typeof report !== typeof expectedReport)
+ return false;
+ if (typeof expectedReport === 'object') {
+ return Object.keys(expectedReport).every(key => {
+ return isObjectAsExpected(report[key], expectedReport[key]);
+ });
+ }
+ return report == expectedReport;
+}
+
+async function checkForExpectedReport(expectedReport) {
+ return new Promise( async (resolve, reject) => {
+ const polls = 20;
+ const waitTime = 200;
+ for (var i=0; i < polls; ++i) {
+ pollReports(expectedReport.endpoint);
+ for (var j=0; j<expectedReport.endpoint.reports.length; ++j){
+ if (isObjectAsExpected(expectedReport.endpoint.reports[j],
+ expectedReport.report)){
+ expectedReport.endpoint.reports.splice(j,1);
+ resolve();
+ return;
+ }
+ };
+ await wait(waitTime);
+ }
+ reject(
+ replaceTokensInReceivedReport(
+ "No report matched the expected report for endpoint: "
+ + expectedReport.endpoint.name
+ + ", expected report: " + JSON.stringify(expectedReport.report)
+ + ", within available reports: "
+ + JSON.stringify(expectedReport.endpoint.reports)
+ ));
+ });
+}
+
+function replaceFromRegexOrString(str, match, value) {
+ if (str instanceof RegExp) {
+ return RegExp(str.source.replace(match, value));
+ }
+ return str.replace(match, value);
+}
+
+// Replace generated values in regexes and strings of an expected report:
+// EXECUTOR_UUID: the uuid generated with token().
+function replaceValuesInExpectedReport(expectedReport, executorUuid) {
+ if (expectedReport.report.body !== undefined) {
+ if (expectedReport.report.body.nextResponseURL !== undefined) {
+ expectedReport.report.body.nextResponseURL = replaceFromRegexOrString(
+ expectedReport.report.body.nextResponseURL, "EXECUTOR_UUID",
+ executorUuid);
+ }
+ if (expectedReport.report.body.previousResponseURL !== undefined) {
+ expectedReport.report.body.previousResponseURL = replaceFromRegexOrString(
+ expectedReport.report.body.previousResponseURL, "EXECUTOR_UUID",
+ executorUuid);
+ }
+ if (expectedReport.report.body.referrer !== undefined) {
+ expectedReport.report.body.referrer = replaceFromRegexOrString(
+ expectedReport.report.body.referrer, "EXECUTOR_UUID",
+ executorUuid);
+ }
+ }
+ if (expectedReport.report.url !== undefined) {
+ expectedReport.report.url = replaceFromRegexOrString(
+ expectedReport.report.url, "EXECUTOR_UUID", executorUuid);
+ }
+ return expectedReport;
+}
+
+function replaceTokensInReceivedReport(str) {
+ return str.replace(/.{8}-.{4}-.{4}-.{4}-.{12}/g, `(uuid)`);
+}
+
+// Run a test then check that all expected reports are present.
+async function reportingTest(testFunction, executorToken, expectedReports) {
+ await new Promise(testFunction);
+ expectedReports = Array.from(
+ expectedReports,
+ report => replaceValuesInExpectedReport(report, executorToken) );
+ await Promise.all(Array.from(expectedReports, checkForExpectedReport));
+}
+
+function convertToWPTHeaderPipe([name, value]) {
+ return `header(${name}, ${encodeURIComponent(value)})`;
+}
+
+function getReportToHeader(host) {
+ return [
+ "Report-To",
+ reportEndpoints.map(
+ reportEndpoint => {
+ const reportToJSON = {
+ 'group': `${reportEndpoint.name}`,
+ 'max_age': 3600,
+ 'endpoints': [{
+ 'url': `${host}${getReportEndpointURL(reportEndpoint.reportID)}`
+ }]
+ };
+ // Escape comma as required by wpt pipes.
+ return JSON.stringify(reportToJSON)
+ .replace(/,/g, '\\,')
+ .replace(/\(/g, '\\\(')
+ .replace(/\)/g, '\\\)=');
+ }
+ ).join("\\, ")];
+}
+
+function getReportingEndpointsHeader(host) {
+ return [
+ "Reporting-Endpoints",
+ reportEndpoints.map(reportEndpoint => {
+ return `${reportEndpoint.name}="${host}${getReportEndpointURL(reportEndpoint.reportID)}"`;
+ }).join("\\, ")];
+}
+
+// Return Report and Report-Only policy headers.
+function getPolicyHeaders(coop, coep, coopRo, coepRo) {
+ return [
+ [`Cross-Origin-Opener-Policy`, coop],
+ [`Cross-Origin-Embedder-Policy`, coep],
+ [`Cross-Origin-Opener-Policy-Report-Only`, coopRo],
+ [`Cross-Origin-Embedder-Policy-Report-Only`, coepRo]];
+}
+
+function navigationReportingTest(testName, host, coop, coep, coopRo, coepRo,
+ expectedReports) {
+ const executorToken = token();
+ const callbackToken = token();
+ promise_test(async t => {
+ await reportingTest(async resolve => {
+ const openee_headers = [
+ getReportingEndpointsHeader(host.origin),
+ ...getPolicyHeaders(coop, coep, coopRo, coepRo)
+ ].map(convertToWPTHeaderPipe);
+ const openee_url = host.origin + executor_path +
+ openee_headers.join('|') + `&uuid=${executorToken}`;
+ const openee = window.open(openee_url);
+ const uuid = token();
+ t.add_cleanup(() => send(uuid, "window.close()"));
+
+ // 1. Make sure the new document is loaded.
+ send(executorToken, `
+ send("${callbackToken}", "Ready");
+ `);
+ let reply = await receive(callbackToken);
+ assert_equals(reply, "Ready");
+ resolve();
+ }, executorToken, expectedReports);
+ }, `coop reporting test ${testName} to ${host.name} with ${coop}, ${coep}, ${coopRo}, ${coepRo}`);
+}
+
+function navigationDocumentReportingTest(testName, host, coop, coep, coopRo,
+ coepRo, expectedReports) {
+ const executorToken = token();
+ const callbackToken = token();
+ promise_test(async t => {
+ const openee_headers = [
+ getReportingEndpointsHeader(host.origin),
+ ...getPolicyHeaders(coop, coep, coopRo, coepRo)
+ ].map(convertToWPTHeaderPipe);
+ const openee_url = host.origin + executor_path +
+ openee_headers.join('|') + `&uuid=${executorToken}`;
+ window.open(openee_url);
+ t.add_cleanup(() => send(executorToken, "window.close()"));
+ // Have openee window send a message through dispatcher, once we receive
+ // the Ready message from dispatcher it means the openee is fully loaded.
+ send(executorToken, `
+ send("${callbackToken}", "Ready");
+ `);
+ let reply = await receive(callbackToken);
+ assert_equals(reply, "Ready");
+
+ await wait(1000);
+
+ expectedReports = expectedReports.map(
+ (report) => replaceValuesInExpectedReport(report, executorToken));
+ return Promise.all(expectedReports.map(
+ async ({ endpoint, report: expectedReport }) => {
+ await pollReports(endpoint);
+ for (let report of endpoint.reports) {
+ assert_true(isObjectAsExpected(report, expectedReport),
+ `report received for endpoint: ${endpoint.name} ${JSON.stringify(report)} should match ${JSON.stringify(expectedReport)}`);
+ }
+ assert_equals(endpoint.reports.length, 1, `has exactly one report for ${endpoint.name}`)
+ }));
+ }, `coop document reporting test ${testName} to ${host.name} with ${coop}, ${coep}, ${coopRo}, ${coepRo}`);
+}
+
+// Run an array of reporting tests then verify there's no reports that were not
+// expected.
+// Tests' elements contain: host, coop, coep, coop-report-only,
+// coep-report-only, expectedReports.
+// See isObjectAsExpected for explanations regarding the matching behavior.
+async function runNavigationReportingTests(testName, tests) {
+ await clearReportsOnServer();
+ tests.forEach(test => {
+ navigationReportingTest(testName, ...test);
+ });
+ verifyRemainingReports();
+}
+
+// Run an array of reporting tests using Reporting-Endpoints header then
+// verify there's no reports that were not expected.
+// Tests' elements contain: host, coop, coep, coop-report-only,
+// coep-report-only, expectedReports.
+// See isObjectAsExpected for explanations regarding the matching behavior.
+function runNavigationDocumentReportingTests(testName, tests) {
+ clearReportsOnServer();
+ tests.forEach(test => {
+ navigationDocumentReportingTest(testName, ...test);
+ });
+}
+
+function verifyRemainingReports() {
+ promise_test(t => {
+ return Promise.all(reportEndpoints.map(async (endpoint) => {
+ await pollReports(endpoint);
+ assert_equals(endpoint.reports.length, 0, `${endpoint.name} should be empty`);
+ }));
+ }, "verify remaining reports");
+}
+
+const receiveReport = async function(uuid, type) {
+ while(true) {
+ let reports = await Promise.race([
+ receive(uuid),
+ new Promise(resolve => {
+ step_timeout(resolve, 1000, "timeout");
+ })
+ ]);
+ if (reports == "timeout")
+ return "timeout";
+ reports = JSON.parse(reports);
+ for(report of reports) {
+ if (report?.body?.type == type)
+ return report;
+ }
+ }
+}
+
+const coopHeaders = function (uuid) {
+ // Use a custom function instead of convertToWPTHeaderPipe(), to avoid
+ // encoding double quotes as %22, which messes with the reporting endpoint
+ // registration.
+ let getHeader = (uuid, coop_value, is_report_only) => {
+ const header_name =
+ is_report_only ?
+ "Cross-Origin-Opener-Policy-Report-Only":
+ "Cross-Origin-Opener-Policy";
+ return `|header(${header_name},${coop_value}%3Breport-to="${uuid}")`;
+ }
+
+ return {
+ coopSameOriginHeader:
+ getHeader(uuid, "same-origin", is_report_only = false),
+ coopSameOriginAllowPopupsHeader:
+ getHeader(uuid, "same-origin-allow-popups", is_report_only = false),
+ coopRestrictPropertiesHeader:
+ getHeader(uuid, "restrict-properties", is_report_only = false),
+ coopReportOnlySameOriginHeader:
+ getHeader(uuid, "same-origin", is_report_only = true),
+ coopReportOnlySameOriginAllowPopupsHeader:
+ getHeader(uuid, "same-origin-allow-popups", is_report_only = true),
+ coopReportOnlyRestrictPropertiesHeader:
+ getHeader(uuid, "restrict-properties", is_report_only = true),
+ };
+}
+
+// Build a set of headers to tests the reporting API. This defines a set of
+// matching 'Report-To', 'Cross-Origin-Opener-Policy' and
+// 'Cross-Origin-Opener-Policy-Report-Only' headers.
+const reportToHeaders = function(uuid) {
+ const report_endpoint_url = dispatcher_path + `?uuid=${uuid}`;
+ let reportToJSON = {
+ 'group': `${uuid}`,
+ 'max_age': 3600,
+ 'endpoints': [
+ {'url': report_endpoint_url.toString()},
+ ]
+ };
+ reportToJSON = JSON.stringify(reportToJSON)
+ .replace(/,/g, '\\,')
+ .replace(/\(/g, '\\\(')
+ .replace(/\)/g, '\\\)=');
+
+ return {
+ header: `|header(report-to,${reportToJSON})`,
+ ...coopHeaders(uuid)
+ };
+};
+
+// Build a set of headers to tests the reporting API. This defines a set of
+// matching 'Reporting-Endpoints', 'Cross-Origin-Opener-Policy' and
+// 'Cross-Origin-Opener-Policy-Report-Only' headers.
+const reportingEndpointsHeaders = function (uuid) {
+ // Report endpoint keys must start with a lower case alphabet:
+ // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-header-structure-15#section-4.2.3.3
+ assert_true(uuid.match(/^[a-z].*/) != null, 'Use reportToken() instead.');
+
+ const report_endpoint_url = dispatcher_path + `?uuid=${uuid}`;
+ const reporting_endpoints_header = `${uuid}="${report_endpoint_url}"`;
+
+ return {
+ header: `|header(Reporting-Endpoints,${reporting_endpoints_header})`,
+ ...coopHeaders(uuid)
+ };
+};
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/test-access-property.js b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/test-access-property.js
new file mode 100644
index 0000000000..a405202431
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/test-access-property.js
@@ -0,0 +1,65 @@
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+const origin = [
+ ["same-origin" , same_origin ],
+ ["cross-origin", cross_origin],
+];
+let escapeComma = url => url.replace(/,/g, '\\,');
+
+let testAccessProperty = (
+ property,
+ op,
+ expectReport = true,
+ use_restrict_properties = false,
+) => {
+ origin.forEach(([origin_name, origin]) => {
+ promise_test(async t => {
+ const this_window_token = token();
+
+ // The opener window:
+ const opener_token = token();
+ const opener_url = get_host_info().HTTP_ORIGIN + executor_path +
+ `&uuid=${opener_token}`;
+
+ // The openee window:
+ const openee_token = token();
+ const openee_report_token = token();
+ const openee_report_to = reportToHeaders(openee_report_token);
+ const coop_ro_header =
+ use_restrict_properties
+ ? openee_report_to.coopReportOnlyRestrictPropertiesHeader
+ : openee_report_to.coopReportOnlySameOriginHeader;
+ const openee_url = origin + executor_path + openee_report_to.header +
+ coop_ro_header + coep_header + `&uuid=${openee_token}`;
+
+ t.add_cleanup(() => {
+ send(opener_token, "window.close()")
+ send(openee_token, "window.close()")
+ });
+
+ // Open the two windows. Wait for them to be loaded.
+ window.open(opener_url);
+ send(opener_token, `
+ window.openee = window.open('${escapeComma(openee_url)}');
+ `);
+ send(openee_token, `send("${this_window_token}", "Ready");`);
+ assert_equals(await receive(this_window_token), "Ready");
+
+ // 2. Try to access the openee.
+ send(opener_token, `(${op})(openee);`);
+
+ // 3. Fetch reports sent to the openee.
+ let report = await receiveReport(openee_report_token,
+ "access-to-coop-page-from-opener");
+ if (expectReport) {
+ assert_equals(report.body.property, property);
+ } else {
+ // "timeout" should be returned if no such reports are received.
+ assert_equals(report, "timeout");
+ }
+
+
+ }, `${origin_name} > ${op}`);
+ })
+};
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/try-access.js b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/try-access.js
new file mode 100644
index 0000000000..a06cb07904
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/resources/try-access.js
@@ -0,0 +1,20 @@
+// A function trying to access to |w| through a "CrossOrigin" attribute (blur).
+// This function is kept in its own file to ensure the source location of the
+// call stays constant.
+function tryAccess(w) {
+ try {
+ w.blur();
+ } catch(e) {}
+}
+
+function assert_source_location_found(report) {
+ assert_true(report.body.sourceFile.includes("try-access.js"));
+ assert_equals(report.body.lineNumber, 6);
+ assert_equals(report.body.columnNumber, 7);
+}
+
+function assert_source_location_missing(report) {
+ assert_equals(report.body.sourceFile, undefined);
+ assert_equals(report.body.lineNumber, undefined);
+ assert_equals(report.body.columnNumber, undefined);
+}
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resource-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/resource-popup.https.html
new file mode 100644
index 0000000000..481cceb72f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resource-popup.https.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html>
+<html lang="en">
+<meta charset="utf-8">
+<title>Cross-Origin-Opener-Policy forces browsing context switch in various popup document types</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+
+<p>These tests create a "parent" popup window which is an HTML document with a
+specific Cross-Origin-Opener-Policy. The parent creates a "child" popup window
+which is a non-HTML document with a Cross-Origin-Opener-Policy of its own. The
+parent waits for the child's location to change from "<code>about:blank</code>"
+and then inspects its <code>name</code> and <code>closed</code> properties
+which it reports back to the test context.</p>
+
+<p>The HTTP `Refresh` header is used to ensure the child eventually closes
+itself (since proper observance of COOP will prevent the parent from closing
+the child in some cases).</p>
+
+<script>
+'use strict';
+
+const coop_resource_test = ({parentCoop, resourceCoop, resource, resourceName, validate}) => {
+ async_test((t) => {
+ const bc = new BroadcastChannel(token());
+ bc.onmessage = t.step_func_done(({data}) => validate(data));
+ const childLocation = resource +
+ `?pipe=header(Refresh,2;url=/html/cross-origin-opener-policy/resources/resource-cleanup.html?channel=${bc.name})` +
+ (resourceCoop ? `|header(Cross-Origin-Opener-Policy,${resourceCoop})` : '');
+ const parentLocation = 'resources/resource-popup.html' +
+ `?channel_name=${bc.name}` +
+ `&resource=${encodeURIComponent(childLocation)}` +
+ `&resource_name=${resourceName}` +
+ (parentCoop ? `&pipe=header(Cross-Origin-Opener-Policy,${parentCoop})` : '');
+
+ open(parentLocation);
+
+ t.add_cleanup(() => {
+ // Close the "parent" popup and the "child" popup if it has already
+ // redirected to the HTML document.
+ bc.postMessage(null);
+ // Prepare to close the "child" popup in the case that it has not yet
+ // redirected to the the HTML document.
+ bc.onmessage = () => bc.postMessage(null);
+ });
+ }, `${resource} - parent COOP: "${parentCoop}"; child COOP: "${resourceCoop}"`);
+};
+
+const resources = [
+ '/common/dummy.xml',
+ '/images/red.png',
+ '/common/text-plain.txt',
+ '/media/2x2-green.mp4',
+];
+
+for (const resource of resources) {
+ coop_resource_test({
+ parentCoop: '',
+ resourceCoop: 'same-origin',
+ resource,
+ resourceName: 'foobar',
+ validate(data) {
+ assert_equals(data.name, null);
+ assert_equals(data.closed, true);
+ }
+ });
+
+ coop_resource_test({
+ parentCoop: 'same-origin',
+ resourceCoop: '',
+ resource,
+ resourceName: 'foobar',
+ validate(data) {
+ assert_equals(data.name, null);
+ assert_equals(data.closed, true);
+ }
+ });
+
+ coop_resource_test({
+ parentCoop: 'same-origin',
+ resourceCoop: 'same-origin',
+ resource,
+ resourceName: 'foobar',
+ validate(data) {
+ assert_equals(data.name, 'foobar');
+ assert_equals(data.closed, false);
+ }
+ });
+}
+</script>
+</html>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/call-functionCalledByOpenee.html b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/call-functionCalledByOpenee.html
new file mode 100644
index 0000000000..d0ff0b723e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/call-functionCalledByOpenee.html
@@ -0,0 +1,5 @@
+<!doctype html>
+<meta charset=utf-8>
+<script>
+window.opener.functionCalledByOpenee();
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/common.js b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/common.js
new file mode 100644
index 0000000000..a005cb8a20
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/common.js
@@ -0,0 +1,86 @@
+// To use the functions below, be sure to include the following files in your
+// test:
+// - "/common/get-host-info.sub.js" to get the different origin values.
+
+const SAME_ORIGIN = {origin: get_host_info().HTTPS_ORIGIN, name: "SAME_ORIGIN"};
+const SAME_SITE = {origin: get_host_info().HTTPS_REMOTE_ORIGIN, name: "SAME_SITE"};
+const CROSS_ORIGIN = {origin: get_host_info().HTTPS_NOTSAMESITE_ORIGIN, name: "CROSS_ORIGIN"}
+
+function addScriptAndTriggerOnload(src, onload){
+ return `script = document.createElement("script");
+ script.src= "${src}" ;
+ script.onload = () => {
+ ${onload}
+ };
+ document.head.append(script);`
+}
+
+function verify_window(callback, w, hasOpener) {
+ // If there's no opener, the w must be closed:
+ assert_equals(w.closed, !hasOpener, 'w.closed');
+ // Opener's access on w.length is possible only if hasOpener:
+ assert_equals(w.length, hasOpener? 1: 0, 'w.length');
+ callback();
+}
+
+function validate_results(callback, test, w, channelName, hasOpener, openerDOMAccess, payload) {
+ assert_equals(payload.name, hasOpener ? channelName : "", 'name');
+ assert_equals(payload.opener, hasOpener, 'opener');
+ // TODO(zcorpan): add openerDOMAccess expectations to all tests
+ if (openerDOMAccess !== undefined) {
+ assert_equals(payload.openerDOMAccess, openerDOMAccess, 'openerDOMAccess');
+ }
+
+ // The window proxy in Chromium might still reflect the previous frame,
+ // until its unloaded. This delays the verification of w here.
+ if( !w.closed && w.length == 0) {
+ test.step_timeout( () => {
+ verify_window(callback, w, hasOpener);
+ }, 500);
+ } else {
+ verify_window(callback, w, hasOpener);
+ }
+}
+
+// Note: This function is deprecated and should not be used by new tests.
+// Instead, use `dispatcher_url_test()`.
+function url_test(t, url, channelName, hasOpener, openerDOMAccess, callback) {
+ if (callback === undefined) {
+ callback = () => { t.done(); };
+ }
+ const bc = new BroadcastChannel(channelName);
+ bc.onmessage = t.step_func(event => {
+ const payload = event.data;
+ validate_results(callback, t, w, channelName, hasOpener, openerDOMAccess, payload);
+ });
+
+ const w = window.open(url, channelName);
+
+ // Close the popup once the test is complete.
+ // The browsing context might be closed hence use the broadcast channel
+ // to trigger the closure.
+ t.add_cleanup(() => {
+ bc.postMessage("close");
+ });
+}
+
+// Similar to `url_test()` above except that this uses a dispatcher instead of
+// BroadcastChannel (useful in cases where the context we are testing in is a
+// third-party iframe that doesn't share a partition with the top-level
+// site).
+async function dispatcher_url_test(t, url, responseToken, iframeToken, hasOpener, openerDOMAccess, callback) {
+
+ const w = window.open(url, responseToken);
+
+ // Close the popup once the test is complete.
+ // The browsing context might be closed hence we'll have the iframe trigger
+ // the closure by sending it a 'close' message.
+ t.add_cleanup(async () => {
+ await send(iframeToken, "close");
+ });
+
+ var payload = await receive(responseToken);
+ payload = JSON.parse(payload);
+ validate_results(callback, t, w, responseToken, hasOpener, openerDOMAccess, payload);
+}
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-coep.py b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-coep.py
new file mode 100644
index 0000000000..d8e3bf0d42
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-coep.py
@@ -0,0 +1,84 @@
+import json
+
+def main(request, response):
+ requestData = request.GET
+ if request.method == u"POST":
+ requestData = request.POST
+
+ coop = requestData.first(b"coop")
+ coopReportOnly = requestData.first(b"coop-report-only", None)
+ coep = requestData.first(b"coep")
+ coepReportOnly = requestData.first(b"coep-report-only", None)
+ redirect = requestData.first(b"redirect", None)
+ if coop != b"":
+ response.headers.set(b"Cross-Origin-Opener-Policy", coop)
+ if coopReportOnly is not None:
+ response.headers.set(b"Cross-Origin-Opener-Policy-Report-Only", coopReportOnly)
+ if coep != b"":
+ response.headers.set(b"Cross-Origin-Embedder-Policy", coep)
+ if coepReportOnly is not None:
+ response.headers.set(b"Cross-Origin-Embedder-Policy-Report-Only", coepReportOnly)
+ if b'cache' in requestData:
+ response.headers.set(b'Cache-Control', b'max-age=3600')
+ host = request.url_parts[1]
+
+ if redirect != None:
+ response.status = 302
+ response.headers.set(b"Location", redirect)
+ return
+
+ # Collect relevant params to be visible to response JS
+ params = {}
+ for key in (b"navHistory", b"avoidBackAndForth", b"navigate", b"channel", b"responseToken", b"iframeToken"):
+ value = requestData.first(key, None)
+ params[key.decode()] = value and value.decode()
+
+ response.content = b"""
+<!doctype html>
+<meta charset=utf-8>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/fully-loaded.js"></script>
+<body>
+<script>
+ const params = %s;
+ const navHistory = params.navHistory;
+ const avoidBackAndForth = params.avoidBackAndForth;
+ const navigate = params.navigate;
+ if (navHistory !== null) {
+ fullyLoaded().then(() => {
+ history.go(Number(navHistory));
+ });
+ } else if (navigate !== null && (history.length === 1 || !avoidBackAndForth)) {
+ fullyLoaded().then(() => {
+ self.location = navigate;
+ });
+ } else {
+ let openerDOMAccessAllowed = false;
+ try {
+ openerDOMAccessAllowed = !!self.opener.document.URL;
+ } catch(ex) {
+ }
+ // Handle the response from the frame, closing the popup once the
+ // test completes.
+ addEventListener("message", event => {
+ if (event.data == "close") {
+ close();
+ }
+ });
+ iframe = document.createElement("iframe");
+ iframe.onload = () => {
+ const payload = { name: self.name, opener: !!self.opener, openerDOMAccess: openerDOMAccessAllowed };
+ iframe.contentWindow.postMessage(payload, "*");
+ };
+ const channelName = params.channel;
+ const responseToken = params.responseToken;
+ const iframeToken = params.iframeToken;
+ iframe.src = `${get_host_info().HTTPS_ORIGIN}/html/cross-origin-opener-policy/resources/postback.html` +
+ `?channel=${encodeURIComponent(channelName)}` +
+ `&responseToken=${responseToken}` +
+ `&iframeToken=${iframeToken}`;
+ document.body.appendChild(iframe);
+ }
+</script>
+</body>
+""" % json.dumps(params).encode("utf-8")
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-same-origin-repeated.asis b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-same-origin-repeated.asis
new file mode 100644
index 0000000000..082478e159
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/coop-same-origin-repeated.asis
@@ -0,0 +1,24 @@
+HTTP/1.1 200 OK
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Opener-Policy: same-origin
+Server: BaseHTTP/0.3 Python/2.7.15+
+Date: Wed, 18 Dec 2019 00:47:08 GMT
+
+<!doctype html>
+<meta charset=utf-8>
+<script src="/common/get-host-info.sub.js"></script>
+<iframe></iframe>
+<script>
+ const navigate = new URL(location).searchParams.get("navigate");
+ if (navigate !== null) {
+ self.location = navigate;
+ } else {
+ const iframe = document.querySelector("iframe");
+ iframe.onload = () => {
+ const payload = { name: self.name, opener: !!self.opener };
+ iframe.contentWindow.postMessage(payload, "*");
+ };
+ const channelName = new URL(location).searchParams.get("channel");
+ iframe.src = `${get_host_info().HTTPS_ORIGIN}/html/cross-origin-opener-policy/resources/postback.html?channel=${channelName}`;
+ }
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/csp-sandbox.py b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/csp-sandbox.py
new file mode 100644
index 0000000000..6cf21aeccf
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/csp-sandbox.py
@@ -0,0 +1,29 @@
+def main(request, response):
+ coop = request.GET.first(b"coop")
+ coep = request.GET.first(b"coep")
+ sandbox = request.GET.first(b"sandbox")
+ if coop != "":
+ response.headers.set(b"Cross-Origin-Opener-Policy", coop)
+ if coep != "":
+ response.headers.set(b"Cross-Origin-Embedder-Policy", coep)
+ response.headers.set(b"Content-Security-Policy", b"sandbox " + sandbox + b";")
+
+ # Open a popup to coop-coep.py with the same parameters (except sandbox)
+ response.content = b"""
+<!doctype html>
+<meta charset=utf-8>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/fully-loaded.js"></script>
+<script>
+ const params = new URL(location).searchParams;
+ params.delete("sandbox");
+ const navigate = params.get("navigate");
+ if (navigate) {
+ fullyLoaded().then(() => {
+ self.location = navigate;
+ });
+ } else {
+ window.open(`/html/cross-origin-opener-policy/resources/coop-coep.py?${params}`);
+ }
+</script>
+"""
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/fully-loaded.js b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/fully-loaded.js
new file mode 100644
index 0000000000..d40e00af43
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/fully-loaded.js
@@ -0,0 +1,10 @@
+// Return a promise, which resolves when new navigations aren't considered
+// client-side redirects anymore.
+//
+// Note: A long `setTimeout` is used, because client-side redirect is an
+// heuristic and isn't clearly specified.
+function fullyLoaded() {
+ return new Promise((resolve, reject) => {
+ addEventListener('load', () => setTimeout(resolve, 2000))
+ });
+}
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/iframe-test.js b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/iframe-test.js
new file mode 100644
index 0000000000..f13e768690
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/iframe-test.js
@@ -0,0 +1,241 @@
+// To use the functions below, be sure to include the following files in your
+// test:
+// - "/common/get-host-info.sub.js" to get the different origin values.
+// - "common.js" to have the origins easily available.
+// - "/common/dispatcher/dispatcher.js" for cross-origin messaging.
+// - "/common/utils.js" for token().
+
+function getBaseExecutorPath(origin) {
+ return origin + '/common/dispatcher/executor.html';
+}
+
+function getHeadersPipe(headers) {
+ const coop_header = headers.coop ?
+ `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(headers.coop)})` : '';
+ const coep_header = headers.coep ?
+ `|header(Cross-Origin-Embedder-Policy,${encodeURIComponent(headers.coep)})` : '';
+ return coop_header + coep_header;
+}
+
+function getExecutorPath(uuid, origin, headers) {
+ return getBaseExecutorPath(origin) +
+ `?uuid=${uuid}` +
+ `&pipe=${getHeadersPipe(headers)}`;
+}
+
+function evaluate(target_token, script) {
+ const reply_token = token();
+ send(target_token, `send('${reply_token}', ${script});`);
+ return receive(reply_token);
+}
+
+// Return true if an opened iframe can access |property| on a stored
+// window.popup object without throwing an error.
+function iframeCanAccessProperty(iframe_token, property) {
+ const reply_token = token();
+ send(iframe_token,
+ `try {
+ const unused = window.popup['${property}'];
+ send('${reply_token}', 'true')
+ } catch (errors) {
+ send('${reply_token}', 'false')
+ }`);
+ return receive(reply_token);
+}
+
+// Returns the script necessary to open a popup, given the method in
+// `popup_via`. Supported methods are 'window_open' that leverages
+// window.open(), 'anchor' that creates an <a> HTML element and clicks on it,
+// and 'form' that creates a form and submits it.
+function popupOpeningScript(popup_via, popup_url, popup_origin, headers,
+ popup_token) {
+ if (popup_via === 'window_open')
+ return `window.popup = window.open('${popup_url}', '${popup_token}');`;
+
+ if (popup_via === 'anchor') {
+ return `
+ const anchor = document.createElement('a');
+ anchor.href = '${popup_url}';
+ anchor.rel = "opener";
+ anchor.target = '${popup_token}';
+ anchor.innerText = "anchor";
+ document.body.appendChild(anchor);
+ anchor.click();
+ `;
+ }
+
+ if (popup_via === "form") {
+ return `
+ const form = document.createElement("form");
+ form.action = '${getBaseExecutorPath(popup_origin.origin)}';
+ form.target = '${popup_token}';
+ form.method = 'GET';
+ const add_param = (name, value) => {
+ const input = document.createElement("input");
+ input.name = name;
+ input.value = value;
+ form.appendChild(input);
+ };
+ add_param("uuid", "${popup_token}");
+ add_param("pipe", "${getHeadersPipe(headers)}");
+ document.body.appendChild(form);
+ form.submit();
+ `;
+ }
+
+ assert_not_reached('Unrecognized popup opening method.');
+}
+
+function promise_test_parallel(promise, description) {
+ async_test(test => {
+ promise(test)
+ .then(() => test.done())
+ .catch(test.step_func(error => { throw error; }));
+ }, description);
+};
+
+// Verifies that a popup with origin `popup_origin` and headers `headers` has
+// the expected `opener_state` after being opened from an iframe with origin
+// `iframe_origin`.
+function iframe_test(description, iframe_origin, popup_origin, headers,
+ expected_opener_state) {
+ for (const popup_via of ['window_open', 'anchor','form']) {
+ promise_test_parallel(async t => {
+ const iframe_token = token();
+ const popup_token = token();
+ const reply_token = token();
+
+ const frame = document.createElement("iframe");
+ const iframe_url = getExecutorPath(
+ iframe_token,
+ iframe_origin.origin,
+ {});
+
+ frame.src = iframe_url;
+ document.body.append(frame);
+
+ send(iframe_token, `send('${reply_token}', 'Iframe loaded');`);
+ assert_equals(await receive(reply_token), 'Iframe loaded');
+
+ const popup_url = getExecutorPath(
+ popup_token,
+ popup_origin.origin,
+ headers);
+
+ // We open popup and then ping it, it will respond after loading.
+ send(iframe_token, popupOpeningScript(popup_via, popup_url, popup_origin,
+ headers, popup_token));
+ send(popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), 'Popup loaded');
+
+ // Make sure the popup and the iframe are removed once the test has run,
+ // keeping a clean state.
+ add_completion_callback(() => {
+ frame.remove();
+ send(popup_token, `close()`);
+ });
+
+ // Give some time for things to settle across processes etc. before
+ // proceeding with verifications.
+ await new Promise(resolve => { t.step_timeout(resolve, 500); });
+
+ // Verify that the opener is in the state we expect it to be in.
+ switch (expected_opener_state) {
+ case 'preserved': {
+ assert_equals(
+ await evaluate(popup_token, 'opener != null'), "true",
+ 'Popup has an opener?');
+ assert_equals(
+ await evaluate(popup_token, `name === '${popup_token}'`), "true",
+ 'Popup has a name?');
+
+ // When the popup was created using window.open, we've kept a handle
+ // and we can do extra verifications.
+ if (popup_via === 'window_open') {
+ assert_equals(
+ await evaluate(iframe_token, 'popup != null'), "true",
+ 'Popup handle is non-null in iframe?');
+ assert_equals(
+ await evaluate(iframe_token, 'popup.closed'), "false",
+ 'Popup appears closed from iframe?');
+ assert_equals(
+ await iframeCanAccessProperty(iframe_token, "document"),
+ popup_origin === iframe_origin ? "true" : "false",
+ 'Iframe has dom access to the popup?');
+ assert_equals(
+ await iframeCanAccessProperty(iframe_token, "frames"), "true",
+ 'Iframe has cross origin access to the popup?');
+ }
+ break;
+ }
+ case 'restricted': {
+ assert_equals(
+ await evaluate(popup_token, 'opener != null'), "true",
+ 'Popup has an opener?');
+ assert_equals(
+ await evaluate(popup_token, `name === ''`), "true",
+ 'Popup name is cleared?');
+
+ // When the popup was created using window.open, we've kept a handle
+ // and we can do extra verifications.
+ if (popup_via === 'window_open') {
+ assert_equals(
+ await evaluate(iframe_token, 'popup != null'), "true",
+ 'Popup handle is non-null in iframe?');
+ assert_equals(
+ await evaluate(iframe_token, 'popup.closed'), "false",
+ 'Popup appears closed from iframe?');
+ assert_equals(
+ await iframeCanAccessProperty(iframe_token, "document"), "false",
+ 'Iframe has dom access to the popup?');
+ assert_equals(
+ await iframeCanAccessProperty(iframe_token, "frames"), "false",
+ 'Iframe has cross origin access to the popup?');
+ assert_equals(
+ await iframeCanAccessProperty(iframe_token, "closed"), "true",
+ 'Iframe has limited cross origin access to the popup?');
+ }
+ break;
+ }
+ case 'severed': {
+ assert_equals(await evaluate(popup_token, 'opener != null'), "false",
+ 'Popup has an opener?');
+ assert_equals(
+ await evaluate(popup_token, `name === ''`), "true",
+ 'Popup name is cleared?');
+
+ // When the popup was created using window.open, we've kept a handle
+ // and we can do extra verifications.
+ if (popup_via === 'window_open') {
+ assert_equals(
+ await evaluate(iframe_token, 'popup != null'), "true",
+ 'Popup handle is non-null in iframe?');
+ assert_equals(
+ await evaluate(iframe_token, 'popup.closed'), "true",
+ 'Popup appears closed from iframe?');
+ }
+ break;
+ }
+ case 'noopener': {
+ assert_equals(await evaluate(popup_token, 'opener != null'), "false",
+ 'Popup has an opener?');
+ assert_equals(
+ await evaluate(popup_token, `name === ''`), "true",
+ 'Popup name is cleared?');
+
+ // When the popup was created using window.open, we've kept a handle
+ // and we can do extra verifications.
+ if (popup_via === 'window_open') {
+ assert_equals(
+ await evaluate(iframe_token, 'popup == null'), "true",
+ 'Popup handle is null in iframe?');
+ }
+ break;
+ }
+ default:
+ assert_not_reached('Unrecognized opener state: ' +
+ expected_opener_state);
+ }
+ }, `${description} with ${popup_via}`);
+ }
+}
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/popup-test.js b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/popup-test.js
new file mode 100644
index 0000000000..c2717bb135
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/popup-test.js
@@ -0,0 +1,99 @@
+// To use the functions below, be sure to include the following files in your
+// test:
+// - "/common/get-host-info.sub.js" to get the different origin values.
+// - "common.js" to have the origins easily available.
+// - "/common/dispatcher/dispatcher.js" for cross-origin messaging.
+// - "/common/utils.js" for token().
+
+function getExecutorPath(uuid, origin, headers) {
+ const executor_path = '/common/dispatcher/executor.html?';
+ const coop_header = headers.coop ?
+ `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(headers.coop)})` : '';
+ const coep_header = headers.coep ?
+ `|header(Cross-Origin-Embedder-Policy,${encodeURIComponent(headers.coep)})` : '';
+ return origin +
+ executor_path +
+ `uuid=${uuid}` +
+ '&pipe=' + coop_header + coep_header;
+}
+
+function getPopupHasOpener(popup_token) {
+ const reply_token = token();
+ send(popup_token, `send('${reply_token}', window.opener != null);`);
+ return receive(reply_token);
+}
+
+// Return true if |object|.|property| can be called without throwing an error.
+function canAccessProperty(object, property) {
+ try {
+ const unused = object[property];
+ return true;
+ } catch (errors) {
+ return false;
+ }
+}
+
+// Verifies that a popup with origin `origin` and headers `headers` has
+// the expected `opener_state` after being opened.
+async function popup_test(description, origin, headers, expected_opener_state) {
+ promise_test(async t => {
+ const popup_token = token();
+ const reply_token = token();
+
+ const popup_url = getExecutorPath(
+ popup_token,
+ origin.origin,
+ headers);
+
+ // We open popup and then ping it, it will respond after loading.
+ const popup = window.open(popup_url);
+ send(popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), 'Popup loaded');
+
+ // Make sure the popup will be closed once the test has run, keeping a clean
+ // state.
+ t.add_cleanup(() => {
+ send(popup_token, `close()`);
+ });
+
+ // Give some time for things to settle across processes etc. before
+ // proceeding with verifications.
+ await new Promise(resolve => { t.step_timeout(resolve, 500); });
+
+ // Verify that the opener is in the state we expect it to be in.
+ switch (expected_opener_state) {
+ case 'preserved': {
+ assert_false(popup.closed, 'Popup is closed from opener?');
+ assert_true(await getPopupHasOpener(popup_token) === "true",
+ 'Popup has nulled opener?');
+ assert_equals(canAccessProperty(popup, "document"),
+ origin === SAME_ORIGIN,
+ 'Main page has dom access to the popup?');
+ assert_true(canAccessProperty(popup, "frames"),
+ 'Main page has cross origin access to the popup?');
+ break;
+ }
+ case 'restricted': {
+ assert_false(popup.closed, 'Popup is closed from opener?');
+ assert_true(await getPopupHasOpener(popup_token) === "true",
+ 'Popup has nulled opener?');
+ assert_false(canAccessProperty(popup, "document"),
+ 'Main page has dom access to the popup?');
+ assert_false(canAccessProperty(popup, "frames"),
+ 'Main page has cross origin access to the popup?');
+ assert_true(canAccessProperty(popup, "closed"),
+ 'Main page has limited cross origin access to the popup?');
+ break;
+ }
+ case 'severed': {
+ assert_true(popup.closed, 'Popup is closed from opener?');
+ assert_false(await getPopupHasOpener(popup_token) === "true",
+ 'Popup has nulled opener?');
+ break;
+ }
+ default:
+ assert_unreached(true, "Unrecognized opener relationship: " + expected_opener_state);
+ }
+ }, description);
+}
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html
new file mode 100644
index 0000000000..35b3be5c93
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script>
+const params = new URL(location).searchParams;
+const channelName = params.get("channel");
+const responseToken = params.get("responseToken");
+const iframeToken = params.get("iframeToken");
+
+// If the channel parameter is set, use the BroadcastChannel-based communication
+// method. Otherwise, use the dispatcher (useful in cases where this is embedded
+// in a third-party iframe that doesn't share a partition with the top-level
+// site).
+if (channelName != "null") {
+ const bc = new BroadcastChannel(channelName);
+ // Handle the close message from the test-cleanup, forwarding it to the
+ // top level document, as this iframe and the opening document might not
+ // be able to close the popup.
+ bc.onmessage = event => {
+ if (event.data == "close") {
+ top.postMessage("close", "*");
+ }
+ };
+
+ window.addEventListener("message", event => {
+ bc.postMessage(event.data);
+ });
+
+} else {
+ window.addEventListener("message", event => {
+ send(responseToken, JSON.stringify(event.data));
+ });
+
+ async function waitToClose() {
+ response = await receive(iframeToken);
+ // Handle the close message from the test-cleanup, forwarding it to the
+ // top level document, as this iframe and the opening document might not
+ // be able to close the popup.
+ if (response == "close") {
+ top.postMessage("close", "*");
+ }
+ }
+ waitToClose();
+}
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html.headers
new file mode 100644
index 0000000000..4e798cd9f5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/postback.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Resource-Policy: cross-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/redirect.py b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/redirect.py
new file mode 100644
index 0000000000..88dbd60fae
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/redirect.py
@@ -0,0 +1,5 @@
+from wptserve.utils import isomorphic_encode
+
+def main(request, response):
+ response.status = 302
+ response.headers.set(b"Location", isomorphic_encode(request.url[request.url.find(u'?')+1:]))
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-cleanup.html b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-cleanup.html
new file mode 100644
index 0000000000..3ae5587c7d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-cleanup.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<meta charset="utf-8">
+<title>Redirect destination for non-HTML documents to close themselves</title>
+<script>
+'use strict';
+const channel = new URL(location).searchParams.get('channel');
+const bc = new BroadcastChannel(channel);
+bc.onmessage = () => close();
+bc.postMessage({name: 'FAIL', closed: 'FAIL' });
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-popup.html b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-popup.html
new file mode 100644
index 0000000000..ee08bcb496
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/resource-popup.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html lang="en">
+<meta charset="utf-8">
+<title></title>
+<script>
+'use strict';
+const params = new URL(location).searchParams;
+const bc = new BroadcastChannel(params.get('channel_name'));
+const win = open(params.get('resource'), params.get('resource_name'));
+
+bc.onmessage = () => {
+ win.close();
+ close();
+};
+const id = setInterval(() => {
+ if (win.closed || win.location.href !== 'about:blank') {
+ clearInterval(id);
+ const winName = (() => {
+ try {
+ return win.name;
+ } catch (e) {
+ return null;
+ }
+ })();
+ bc.postMessage({name: winName || null, closed: win.closed});
+ }
+}, 100);
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/resources/universal-worker.js b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/universal-worker.js
new file mode 100644
index 0000000000..2441679372
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/resources/universal-worker.js
@@ -0,0 +1,2 @@
+onmessage = message => eval(message.data);
+onfetch = event => fetchHandler(event);
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/README.md b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/README.md
new file mode 100644
index 0000000000..b3c24c3f82
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/README.md
@@ -0,0 +1,9 @@
+Because this test suite is run as a virtual suite and it's quite deep in the
+folders, we have to use abbreviations for the test names to not run over 200
+characters, which is problematic on Windows.
+
+* unspecified -> "u"
+* unsafe-none -> "un"
+* same-origin -> "so"
+* same-origin-allow-popups -> "soap"
+* restrict-properties -> omitted
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-closed.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-closed.https.html
new file mode 100644
index 0000000000..1c315b35d7
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-closed.https.html
@@ -0,0 +1,19 @@
+<!doctype html>
+<title> Check openee.closed access is allowed for COOP: restrict-properties</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty(
+ "closed",
+ w => w.closed,
+ expectReport = false,
+ use_restrict_properties = true
+);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-openee-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-openee-rp-ro.https.html
new file mode 100644
index 0000000000..7a96f4f576
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-openee-rp-ro.https.html
@@ -0,0 +1,62 @@
+<!doctype html>
+<title>
+ COOP reports are sent to the openee when the openee used COOP-RO:
+ restrict-properties and its same-origin opener tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+promise_test(async t => {
+ const report_token = token();
+ const openee_token = token();
+ const opener_token = token(); // The current test window.
+
+ const opener_url = location.href;
+
+ const reportTo = reportToHeaders(report_token);
+ const openee_url = same_origin + executor_path + reportTo.header +
+ reportTo.coopReportOnlyRestrictPropertiesHeader +
+ `&uuid=${openee_token}`;
+
+ const openee = window.open(openee_url);
+ t.add_cleanup(() => send(openee_token, "window.close()"))
+
+ // 1. Make sure the new document to be loaded.
+ send(openee_token, `
+ send("${opener_token}", "Ready");
+ `);
+ let reply = await receive(opener_token);
+ assert_equals(reply, "Ready");
+
+ // 2. Try to access the openee. A report is sent, because of COOP-RO:
+ // restrict-properties.
+ tryAccess(openee);
+
+ // 3. Check a report is sent to the openee.
+ let report =
+ await receiveReport(report_token, "access-to-coop-page-from-opener");
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, openee_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "restrict-properties");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, opener_url);
+ assert_equals(report.body.openeeURL, undefined);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, opener_url);
+ assert_equals(report.body.initialPopupURL, undefined);
+}, "access-reporting-openee-rp-ro");
+
+</script>
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-opener-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-opener-rp-ro.https.html
new file mode 100644
index 0000000000..9e1e85b16a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-opener-rp-ro.https.html
@@ -0,0 +1,71 @@
+<!doctype html>
+<title>
+ COOP reports are sent to the opener when the opener used COOP-RO:
+ restrict-properties and its same-origin openee tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+
+promise_test(async t => {
+ // The test window.
+ const this_window_token = token();
+
+ // The "opener" window. This has COOP and a reporter.
+ const opener_report_token= token();
+ const opener_token = token();
+ const opener_reportTo = reportToHeaders(opener_report_token);
+ const opener_url = same_origin + executor_path + opener_reportTo.header +
+ opener_reportTo.coopReportOnlyRestrictPropertiesHeader +
+ `&uuid=${opener_token}`;
+
+ // The "openee" window. This is same origin with the "opener".
+ const openee_report_token= token();
+ const openee_token = token();
+ const openee_url = same_origin + executor_path + `&uuid=${openee_token}`;
+
+ // 1. Create the opener window.
+ let opener_window_proxy = window.open(opener_url);
+ t.add_cleanup(() => send(opener_token, "window.close()"));
+
+ // 2. The opener opens its openee.
+ send(opener_token, `
+ openee = window.open("${openee_url}");
+ send("${this_window_token}", "ACK 1");
+ `);
+ assert_equals("ACK 1", await receive(this_window_token));
+ t.add_cleanup(() => send(openee_token, "window.close()"));
+
+ // 3. The openee tries to access its opener.
+ send(openee_token, addScriptAndTriggerOnload(
+ directory + "/reporting/resources/try-access.js",
+ "tryAccess(opener);")
+ );
+
+ // 4. Check a report sent to the opener.
+ let report =
+ await receiveReport(opener_report_token, "access-to-coop-page-from-openee");
+ assert_equals(report.type, "coop");
+ assert_equals(report.url, opener_url.replace(/"/g, '%22'));
+ assert_equals(report.body.disposition, "reporting");
+ assert_equals(report.body.effectivePolicy, "restrict-properties");
+ assert_equals(report.body.property, "blur");
+ assert_source_location_missing(report);
+ assert_equals(report.body.openerURL, undefined);
+ assert_equals(report.body.openeeURL, openee_url);
+ assert_equals(report.body.otherDocumentURL, undefined);
+ assert_equals(report.body.referrer, undefined);
+ assert_equals(report.body.initialPopupURL, openee_url);
+}, "access-reporting-opener-rp-ro");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-post-message.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-post-message.https.html
new file mode 100644
index 0000000000..5bc718e2a8
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-post-message.https.html
@@ -0,0 +1,19 @@
+<!doctype html>
+<title> Check openee.postMessage() access is allowed for COOP: restrict-properties</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty(
+ "postMessage",
+ w => w.postMessage("message", "*"),
+ expectReport = false,
+ use_restrict_properties = true
+);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html
new file mode 100644
index 0000000000..e5c8775174
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html
@@ -0,0 +1,65 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+promise_test(async t => {
+ const popup_token = token();
+ const second_popup_token = token();
+ const reply_token = token();
+
+ const unsafe_none_url = getExecutorPath(
+ popup_token,
+ SAME_ORIGIN.origin,
+ { coop: "unsafe-none"});
+
+ const restrict_properties_url = getExecutorPath(
+ second_popup_token,
+ SAME_ORIGIN.origin,
+ { coop: "restrict-properties"});
+
+ // We open popup and then ping it, it will respond after loading.
+ const popup = window.open(unsafe_none_url);
+ send(popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), 'Popup loaded');
+
+ // Make sure the popup will be closed once the test has run, keeping a clean
+ // state.
+ t.add_cleanup(() => {
+ send(popup_token, `close()`);
+ });
+
+ // Now navigate this popup to a restrict-properties page.
+ send(popup_token, `document.location = '${restrict_properties_url}'`);
+ send(second_popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), 'Popup loaded');
+
+ // Navigate again to the original page.
+ send(second_popup_token, `document.location = '${unsafe_none_url}'`);
+ send(popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), 'Popup loaded');
+
+ // Give some time for things to settle across processes etc. before
+ // proceeding with verifications.
+ await new Promise(resolve => { t.step_timeout(resolve, 500); });
+
+ // Verify that we have full access to the popup.
+ assert_false(popup.closed, 'Popup is closed from opener?');
+ assert_true(await getPopupHasOpener(popup_token) === "true",
+ 'Popup has nulled opener?');
+ assert_true(canAccessProperty(popup, "document"),
+ 'Main page has dom access to the popup?');
+ assert_true(canAccessProperty(popup, "frames"),
+ 'Main page has cross origin access to the popup?');
+
+}, "COOP: restrict-properties has no impact in a navigation chain between " +
+ "multiple unsafe-none pages.");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html.headers
new file mode 100644
index 0000000000..073ce7adfb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: unsafe-none
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js
new file mode 100644
index 0000000000..1247400a4e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js
@@ -0,0 +1,144 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=/common/dispatcher/dispatcher.js
+
+const executor_path = '/common/dispatcher/executor.html?pipe=';
+const cross_origin = get_host_info().OTHER_ORIGIN;
+const same_origin = get_host_info().ORIGIN;
+const coep_require_corp_header =
+ '|header(Cross-Origin-Embedder-Policy,require-corp)';
+const corp_cross_origin_header =
+ '|header(Cross-Origin-Resource-Policy,cross-origin)';
+const coop_restrict_properties_header =
+ '|header(Cross-Origin-Opener-Policy,restrict-properties)';
+
+function iframePopupAboutBlankTest(
+ origin, {expectedCrossOriginIsolated}, description) {
+ promise_test(async t => {
+ assert_true(crossOriginIsolated, 'Is main frame crossOriginIsolated?');
+ assert_true(
+ 'SharedArrayBuffer' in globalThis,
+ 'Is SharedArrayBuffer defined in main frame?');
+
+ const reply_token = token();
+ const iframe_token = token();
+
+ const iframe = document.createElement('iframe');
+ iframe.src = origin + executor_path + coep_require_corp_header +
+ corp_cross_origin_header + `&uuid=${iframe_token}`;
+ document.body.appendChild(iframe);
+
+ send(iframe_token, `send('${reply_token}', 'Iframe loaded');`);
+ assert_equals(await receive(reply_token), 'Iframe loaded');
+
+ send(iframe_token, `
+ window.popup = window.open();
+ send('${reply_token}', popup === null);
+ `);
+ assert_equals(await receive(reply_token), 'false', 'Is popup handle null?');
+
+ send(
+ iframe_token,
+ `send('${reply_token}', popup.window.crossOriginIsolated);`);
+ assert_equals(
+ await receive(reply_token), `${expectedCrossOriginIsolated}`,
+ 'Is popup crossOriginIsolated?');
+
+ send(iframe_token, `
+ send('${reply_token}', 'SharedArrayBuffer' in popup.window.globalThis);
+ `);
+ assert_equals(
+ await receive(reply_token), `${expectedCrossOriginIsolated}`,
+ 'Is SharedArrayBuffer defined in popup?');
+
+ // Test whether the popup's subframe is crossOriginIsolated
+ const popup_iframe_token = token();
+ const popup_iframe_src = origin + executor_path + coep_require_corp_header +
+ corp_cross_origin_header + `&uuid=${popup_iframe_token}`;
+ send(iframe_token, `
+ const iframe = window.popup.document.createElement('iframe');
+ iframe.src = '${popup_iframe_src}';
+ popup.document.body.appendChild(iframe);
+ `);
+
+ send(popup_iframe_token, `
+ send('${reply_token}', 'Iframe in popup loaded');
+ `);
+ assert_equals(await receive(reply_token), 'Iframe in popup loaded');
+
+ send(popup_iframe_token, `
+ send('${reply_token}', crossOriginIsolated);
+ `);
+ assert_equals(
+ await receive(reply_token), `${expectedCrossOriginIsolated}`,
+ 'Is iframe in popup crossOriginIsolated?');
+
+ send(popup_iframe_token, `
+ send('${reply_token}', 'SharedArrayBuffer' in globalThis);
+ `);
+ assert_equals(
+ await receive(reply_token), `${expectedCrossOriginIsolated}`,
+ 'Is SharedArrayBuffer defined in iframe in popup?');
+
+ // Test whether a nested iframe is crossOriginIsolated
+ const popup_nested_iframe_token = token();
+ const popup_nested_iframe_src = origin + executor_path +
+ coep_require_corp_header + corp_cross_origin_header +
+ `&uuid=${popup_nested_iframe_token}`;
+ send(iframe_token, `
+ blank_iframe = popup.document.createElement('iframe');
+ blank_iframe.src = '';
+ popup.document.body.appendChild(blank_iframe);
+ nested_iframe =
+ blank_iframe.contentDocument.createElement('iframe');
+ nested_iframe.src = '${popup_nested_iframe_src}';
+ blank_iframe.contentDocument.body.appendChild(nested_iframe);
+ `);
+
+ send(popup_nested_iframe_token, `
+ send('${reply_token}', 'Nested iframe in popup loaded');
+ `);
+ assert_equals(await receive(reply_token), 'Nested iframe in popup loaded');
+
+ send(popup_nested_iframe_token, `
+ send('${reply_token}', crossOriginIsolated);
+ `);
+ assert_equals(
+ await receive(reply_token), `${expectedCrossOriginIsolated}`,
+ 'Is nested iframe in popup crossOriginIsolated?');
+
+ send(popup_nested_iframe_token, `
+ send('${reply_token}', 'SharedArrayBuffer' in globalThis);
+ `);
+ assert_equals(
+ await receive(reply_token), `${expectedCrossOriginIsolated}`,
+ 'Is SharedArrayBuffer defined in nested iframe in popup?');
+
+ // Navigate the popup out of the initial empty document, with COOP:RP and
+ // COEP: require-corp. Expect to be crossOriginIsolated.
+ const popup_token = token();
+ const popup_src = origin + executor_path + coop_restrict_properties_header +
+ coep_require_corp_header + `&uuid=${popup_token}`;
+ send(iframe_token, `popup.window.location = '${popup_src}';`);
+
+ send(popup_token, `send('${reply_token}', 'Popup loaded');`);
+ assert_equals(await receive(reply_token), 'Popup loaded');
+
+ send(popup_token, `send('${reply_token}', crossOriginIsolated);`);
+ assert_equals(
+ await receive(reply_token), 'true',
+ 'Is popup crossOriginIsolated after navigation?');
+
+ send(popup_token, `
+ send('${reply_token}', 'SharedArrayBuffer' in globalThis);
+ `);
+ assert_equals(
+ await receive(reply_token), 'true',
+ 'Is SharedArrayBuffer defined in popup after navigation?');
+ }, description);
+}
+
+iframePopupAboutBlankTest(
+ cross_origin, {expectedCrossOriginIsolated: false}, 'Cross-origin iframe');
+iframePopupAboutBlankTest(
+ same_origin, {expectedCrossOriginIsolated: true}, 'Same-origin iframe');
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js.headers
new file mode 100644
index 0000000000..19d0dbe4e1
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: restrict-properties
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html
new file mode 100644
index 0000000000..8cf2679e19
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html
@@ -0,0 +1,94 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-1">
+<meta name="variant" content="?2-2">
+<meta name="variant" content="?3-3">
+<meta name="variant" content="?4-4">
+<meta name="variant" content="?5-5">
+<meta name="variant" content="?6-6">
+<meta name="variant" content="?7-7">
+<meta name="variant" content="?8-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/iframe-test.js"></script>
+
+<body>
+<script>
+
+// This document has COOP: restrict-properties. The popup has COOP: same-origin.
+// Opening from an iframe should not be different from opening from the main
+// frame and the opener should be severed.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: restrict-properties to popup COOP: same-origin via an iframe, ` +
+ `with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'same-origin' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html.headers
new file mode 100644
index 0000000000..d5c99062d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: restrict-properties
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html
new file mode 100644
index 0000000000..f3af3ca7db
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html
@@ -0,0 +1,91 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/iframe-test.js"></script>
+
+<body>
+<script>
+
+
+// This document has COOP: restrict-properties. The popup has COOP:
+// same-origin-allow-popups. Opening from an iframe should not be different from
+// opening from the main frame and the opener should be severed.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "severed"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "severed"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: restrict-properties to popup COOP: same-origin-allow-popups ` +
+ `via an iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'same-origin-allow-popups' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html.headers
new file mode 100644
index 0000000000..d5c99062d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: restrict-properties
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html
new file mode 100644
index 0000000000..560dfd9051
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html
@@ -0,0 +1,90 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/iframe-test.js"></script>
+
+<body>
+<script>
+
+// This document has COOP: restrict-properties. The popup has COOP: unsafe-none.
+// Opening from an iframe should not be different from opening from the main
+// frame and the opener should be severed.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "restricted"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "restricted"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "restricted"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "restricted"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "restricted"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "restricted"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "restricted"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "restricted"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "restricted"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: restrict-properties to popup COOP: unsafe-none via an iframe, ` +
+ `with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'unsafe-none' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html.headers
new file mode 100644
index 0000000000..d5c99062d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: restrict-properties
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html
new file mode 100644
index 0000000000..17840724d9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html
@@ -0,0 +1,91 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name="variant" content="?1-2">
+<meta name="variant" content="?3-4">
+<meta name="variant" content="?5-6">
+<meta name="variant" content="?7-8">
+<meta name="variant" content="?9-last">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/dispatcher/dispatcher.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src=/common/subset-tests.js></script>
+<script src=/common/utils.js></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/iframe-test.js"></script>
+
+<body>
+<script>
+
+// This document has COOP: restrict-properties. The popup has COOP:
+// restrict-properties. Opening from an iframe should not be different from
+// opening from the main frame and the opener should be restricted if
+// cross-origin.
+[
+ {
+ "title": "same origin iframe, same origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same site iframe, same origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "cross origin iframe, same origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_ORIGIN,
+ "opener": "preserved"
+ },
+ {
+ "title": "same origin iframe, same site popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "restricted"
+ },
+ {
+ "title": "same site iframe, same site popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": SAME_SITE,
+ "opener": "restricted"
+ },
+ {
+ "title": "cross origin iframe, same site popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": SAME_SITE,
+ "opener": "restricted"
+ },
+ {
+ "title": "same origin iframe, cross origin popup",
+ "iframeOrigin": SAME_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "restricted"
+ },
+ {
+ "title": "same site iframe, cross origin popup",
+ "iframeOrigin": SAME_SITE,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "restricted"
+ },
+ {
+ "title": "cross origin iframe, cross origin popup",
+ "iframeOrigin": CROSS_ORIGIN,
+ "popupOrigin": CROSS_ORIGIN,
+ "opener": "restricted"
+ }
+].forEach(variant => {
+ subsetTest(
+ iframe_test,
+ `COOP: restrict-properties to popup COOP: restrict-properties via an ` +
+ `iframe, with ${variant.title}`,
+ variant.iframeOrigin,
+ variant.popupOrigin,
+ { coop: 'restrict-properties' },
+ variant.opener);
+});
+</script>
+</body>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html.headers
new file mode 100644
index 0000000000..d5c99062d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: restrict-properties
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/named_targeting.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/named_targeting.https.html
new file mode 100644
index 0000000000..10929847ee
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/named_targeting.https.html
@@ -0,0 +1,57 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+
+<script>
+
+async function createCoopRestrictPropertiesPopup(popupToken, name) {
+ const url = SAME_ORIGIN.origin + '/common/dispatcher/executor.html' +
+ `?uuid=${popupToken}` +
+ '&pipe=|header(Cross-Origin-Opener-Policy, restrict-properties)';
+ const popup = window.open(url, name);
+ add_completion_callback(() => popup.close());
+
+ // Wait for the popup to be loaded.
+ const replyToken = token();
+ send(popupToken, `send('${replyToken}', 'Done loading')`);
+ assert_equals(await receive(replyToken), 'Done loading');
+
+ return popup;
+}
+
+promise_test(async t => {
+ // Start by opening a first COOP: restrict-properties popup. No name is set to
+ // begin with.
+ const popupToken1 = token();
+ const popup1 = await createCoopRestrictPropertiesPopup(popupToken1, '');
+
+ // Once the popup is live, explicitly set a name.
+ const name = token();
+ send(popupToken1, `window.name = '${name}'`);
+
+ // To make sure this name has been propagated to other processes, send a dummy
+ // message from the popup to the main page, and wait for it to be received.
+ // It should be delivered after the name change is replicated.
+ const message_waiter = new Promise(resolve => {
+ onmessage = (event) => {
+ if (event.data == 'Waited enough') { resolve(); }
+ }
+ });
+ send(popupToken1, `opener.postMessage('Waited enough', '*')`);
+ await message_waiter;
+
+ // Finally, call window.open with the same name. This should not resolve
+ // across browsing context groups, and create a brand new popup.
+ const popupToken2 = token();
+ const popup2 = await createCoopRestrictPropertiesPopup(popupToken2, name);
+ assert_not_equals(popup1, popup2,
+ 'Named targeting resolved across isolation boundaries');
+
+}, 'Verify that named targeting does not work across isolation boundaries.');
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html
new file mode 100644
index 0000000000..e5313a6e22
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html
@@ -0,0 +1,37 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "severed",
+ "origin": SAME_ORIGIN
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "severed",
+ "origin": SAME_SITE
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "severed",
+ "origin": CROSS_ORIGIN
+ }
+].forEach(variant => {
+ popup_test(`${variant.origin.name} ${variant.title}`, variant.origin,
+ { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html
new file mode 100644
index 0000000000..595a10a84b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html
@@ -0,0 +1,37 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": SAME_ORIGIN
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": SAME_SITE
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": CROSS_ORIGIN
+ }
+].forEach(variant => {
+ popup_test(`${variant.origin.name} ${variant.title}`, variant.origin,
+ { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html.headers
new file mode 100644
index 0000000000..d83ed86fb9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-u.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-u.https.html
new file mode 100644
index 0000000000..595a10a84b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-u.https.html
@@ -0,0 +1,37 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": SAME_ORIGIN
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": SAME_SITE
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": CROSS_ORIGIN
+ }
+].forEach(variant => {
+ popup_test(`${variant.origin.name} ${variant.title}`, variant.origin,
+ { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html
new file mode 100644
index 0000000000..595a10a84b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html
@@ -0,0 +1,37 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": SAME_ORIGIN
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": SAME_SITE
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted",
+ "origin": CROSS_ORIGIN
+ }
+].forEach(variant => {
+ popup_test(`${variant.origin.name} ${variant.title}`, variant.origin,
+ { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html.headers
new file mode 100644
index 0000000000..073ce7adfb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: unsafe-none
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html
new file mode 100644
index 0000000000..a84d52584e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "restricted"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "restricted"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted"
+ }
+].forEach(variant => {
+ popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN,
+ { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html.headers
new file mode 100644
index 0000000000..d5c99062d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: restrict-properties
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html
new file mode 100644
index 0000000000..c0020fa23a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "restricted"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "restricted"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "preserved"
+ }
+].forEach(variant => {
+ popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN,
+ { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html.headers
new file mode 100644
index 0000000000..d5c99062d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: restrict-properties
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html
new file mode 100644
index 0000000000..7d115ac7e6
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="../../resources/common.js"></script>
+<script src="../../resources/popup-test.js"></script>
+<script>
+
+[
+ {
+ "title": "popup with empty coop",
+ "coop": "",
+ "opener": "restricted"
+ },
+ {
+ "title": "popup with coop unsafe-none",
+ "coop": "unsafe-none",
+ "opener": "restricted"
+ },
+ {
+ "title": "popup with coop same-origin",
+ "coop": "same-origin",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop same-origin-allow-popups",
+ "coop": "same-origin-allow-popups",
+ "opener": "severed"
+ },
+ {
+ "title": "popup with coop restrict-properties",
+ "coop": "restrict-properties",
+ "opener": "restricted"
+ }
+].forEach(variant => {
+ popup_test(`Same-site ${variant.title}`, SAME_SITE,
+ { coop: variant.coop }, variant.opener);
+});
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html.headers
new file mode 100644
index 0000000000..d5c99062d2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: restrict-properties
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html
new file mode 100644
index 0000000000..9bc171a269
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html
@@ -0,0 +1,62 @@
+<!doctype html>
+<title>
+ Verify that we consider browsing context group reuse for COOP reporting.
+</title>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=f1e361ab5854f2dcfe0224b19bc53199&report_only_id=b6fe666b74547291d52d72790adde05c"></script>
+<script>
+
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+promise_test(async test => {
+ // To receive reports use the same hard-coded value as the one passed in the
+ // headers and to "reporting-common.js".
+ const report_token = "b6fe666b74547291d52d72790adde05c";
+ const reportTo = reportToHeaders(report_token);
+
+ // 1. Open a popup without any COOP. It should be in a
+ // different virtual browsing context group.
+ const opener_token = token(); // For this window.
+ const initial_openee_token = token();
+ const initial_openee_url = cross_origin + executor_path +
+ `&uuid=${initial_openee_token}`;
+ let openee = window.open(initial_openee_url);
+
+ // 2. Navigate the openee to a COOP-RO: restrict-properties page. If the
+ // policy was enforced, it would live in the same browsing context group as
+ // this page. The virtual browsing context group should similarly be equal.
+ // Note: We omit the reporting endpoint header, because it is not possible to
+ // easily escape it. Since it is not necessary in this test, we skip it.
+ const final_openee_token = token();
+ const final_openee_url = same_origin + executor_path +
+ reportTo.coopReportOnlyRestrictPropertiesHeader +
+ `&uuid=${final_openee_token}`;
+
+ send(initial_openee_token, `location.href = '${final_openee_url}';`);
+ test.add_cleanup(() => send(final_openee_token, "window.close()"));
+
+ // Wait for the final openee to load.
+ send(final_openee_token,
+ `send("${opener_token}", "Ready");
+ `);
+ assert_equals(await receive(opener_token), "Ready");
+
+ // 3. Try to access the openee from the opener. No report should be sent.
+ tryAccess(openee);
+
+ let report =
+ await receiveReport(report_token, "access-from-coop-page-to-openee")
+ assert_equals(report, "timeout");
+
+}, "access-reporting-browsing-context-group-reuse");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html.sub.headers
new file mode 100644
index 0000000000..33abadd83d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html.sub.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy-Report-Only: restrict-properties; report-to="coop-report-only-endpoint"
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=f1e361ab5854f2dcfe0224b19bc53199", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=b6fe666b74547291d52d72790adde05c"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html
new file mode 100644
index 0000000000..b89030f218
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html
@@ -0,0 +1,55 @@
+<!doctype html>
+<meta name=timeout content=long>
+<title>Opening a restrict-properties</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=fb054dadb3a9ec17b5cd5c0152d2a7dd&report_only_id=c265b07fbb3bffa2cd2a5179d686ced2"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a same-origin popup with COOP unsafe-none, which mismatches with the
+ // current document (opener) COOP report-only (restrict-properties) values.
+ [
+ SAME_ORIGIN,
+ "unsafe-none",
+ "",
+ "",
+ "",
+ []
+ ],
+
+ // Open a cross-origin popup with COOP unsafe-none, which mismatches with the
+ // current document (opener) COOP report-only (restrict-properties) values.
+ [
+ CROSS_ORIGIN,
+ "unsafe-none",
+ "",
+ "",
+ "",
+ []
+ ],
+
+ // Open a same-origin popup with COOP restrict-properties, which matches with
+ // the current document (opener) COOP report-only (restrict-properties) value.
+ [
+ SAME_ORIGIN,
+ "restrict-properties",
+ "",
+ "",
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html.sub.headers
new file mode 100644
index 0000000000..07ecad96f2
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html.sub.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy-Report-Only: restrict-properties; report-to="coop-report-only-endpoint"
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=fb054dadb3a9ec17b5cd5c0152d2a7dd", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=c265b07fbb3bffa2cd2a5179d686ced2"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html
new file mode 100644
index 0000000000..6b31f7e009
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html
@@ -0,0 +1,55 @@
+<!doctype html>
+<meta name=timeout content=long>
+<title>Opening a restrict-properties</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=ed5a8be35e4e21c2ba960e6574e0a32c&report_only_id=fa22ddc676642edae42c75defb82ba2e"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a same-origin popup with COOP unsafe-none, which mismatches
+ // with the current document (opener) COOP (restrict-properties) values.
+ [
+ SAME_ORIGIN,
+ "unsafe-none",
+ "",
+ "",
+ "",
+ []
+ ],
+
+ // Open a cross-origin popup with COOP unsafe-none, which mismatches
+ // with the current document (opener) COOP (restrict-properties) values.
+ [
+ CROSS_ORIGIN,
+ "unsafe-none",
+ "",
+ "",
+ "",
+ []
+ ],
+
+ // Open a same-origin popup with COOP restrict-properties, which matches with
+ // the current document (opener) COOP (restrict-properties) value.
+ [
+ SAME_ORIGIN,
+ "restrict-properties",
+ "",
+ "",
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html.sub.headers
new file mode 100644
index 0000000000..a61e2919c8
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html.sub.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: restrict-properties; report-to="coop-report-endpoint"
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=ed5a8be35e4e21c2ba960e6574e0a32c", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=fa22ddc676642edae42c75defb82ba2e"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html
new file mode 100644
index 0000000000..c47e59cd8f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html
@@ -0,0 +1,43 @@
+<!doctype html>
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a same-origin popup with COOP report-only restrict-properties, which
+ // mismatches with the current document (opener) COOP (unsafe-none).
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `restrict-properties; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+
+ // Open a cross-origin popup with COOP report-only restrict-properties, which
+ // mismatches with the current document (opener) COOP (unsafe-none).
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ `restrict-properties; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html.headers
new file mode 100644
index 0000000000..16903320bb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: unsafe-none
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html
new file mode 100644
index 0000000000..ff60e8c5af
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html
@@ -0,0 +1,43 @@
+<!doctype html>
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a same-origin popup with COOP report-only restrict-properties, which
+ // mismatches with the current document (opener) COOP (unsafe-none).
+ [
+ SAME_ORIGIN,
+ `restrict-properties; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ []
+ ],
+
+ // Open a cross-origin popup with COOP report-only restrict-properties, which
+ // mismatches with the current document (opener) COOP (unsafe-none).
+ [
+ CROSS_ORIGIN,
+ `restrict-properties; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
+
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html.headers
new file mode 100644
index 0000000000..16903320bb
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: unsafe-none
+Referrer-Policy: origin