Merging upstream version 125.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

10 files changed, 173 insertions, 41 deletions

diff --git a/testing/web-platform/tests/storage-access-api/resources/bless_cross_site_permissions.html b/testing/web-platform/tests/storage-access-api/resources/bless_cross_site_permissions.html
new file mode 100644
index 0000000000..c3c5b6c0b0
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/bless_cross_site_permissions.html
@@ -0,0 +1,17 @@
+<!doctype html>
+<meta charset="utf-8">
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<body>
+<script>
+// In order to enable `requestStorageAccess` in a third-party context for some
+// origin we must first act in a window where that same origin is the top-frame
+// due to the following requirements:
+// (1) The origin must be `bless`ed when it's in the top-frame
+// (2) `set_permission` always operates on the top-frame origin
+test_driver.set_test_context(window.opener.top);
+test_driver.bless("fake interaction", () => {}, window);
+test_driver.set_permission({ name: 'storage-access' }, 'granted');
+window.opener.postMessage("blessed", "*");
+</script>
+</body>
diff --git a/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js b/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
index bc13c7e7e8..228a262f16 100644
--- a/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
+++ b/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
@@ -79,7 +79,7 @@ window.addEventListener("message", async (event) => {
       reply(await fetch(event.data.url, {mode: 'no-cors', credentials: 'include'}).then((resp) => resp.text()));
       break;
     case "start_dedicated_worker":
-      worker = new Worker("embedded_worker.js");
+      worker = new Worker("embedded_worker.py");
       reply(undefined);
       break;
     case "message_worker": {
diff --git a/testing/web-platform/tests/storage-access-api/resources/embedded_worker.js b/testing/web-platform/tests/storage-access-api/resources/embedded_worker.js
deleted file mode 100644
index f3a0fb257a..0000000000
--- a/testing/web-platform/tests/storage-access-api/resources/embedded_worker.js
+++ /dev/null
@@ -1,17 +0,0 @@
-"use strict";
-
-self.onmessage = async (message) => {
-  function reply(data) {
-    self.postMessage({data});
-  }
-
-  switch (message.data.command) {
-    case "fetch": {
-      const response = await fetch(message.data.url, {mode: 'cors', credentials: 'include'})
-        .then((resp) => resp.text());
-      reply(response);
-      break;
-    }
-    default:
-  }
-};
diff --git a/testing/web-platform/tests/storage-access-api/resources/embedded_worker.py b/testing/web-platform/tests/storage-access-api/resources/embedded_worker.py
new file mode 100644
index 0000000000..0aa457657f
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/embedded_worker.py
@@ -0,0 +1,31 @@
+from cookies.resources.helpers import setNoCacheAndCORSHeaders
+
+# This worker messages how many connections have been made and checks what cookies are available.
+def main(request, response):
+    headers = setNoCacheAndCORSHeaders(request, response)
+    headers[0] = (b"Content-Type", b"text/javascript")
+    cookie_header = request.headers.get(b"Cookie", b"")
+    document = b"""
+"use strict";
+
+self.onmessage = async (message) => {
+  function reply(data) {
+    self.postMessage({data});
+  }
+
+  switch (message.data.command) {
+    case "fetch": {
+      const response = await fetch(message.data.url, {mode: 'cors', credentials: 'include'})
+        .then((resp) => resp.text());
+      reply(response);
+      break;
+    }
+    case "load": {
+      reply(\"""" + cookie_header + b"""");
+      break;
+    }
+    default:
+  }
+};
+"""
+    return headers, document
diff --git a/testing/web-platform/tests/storage-access-api/resources/get_cookies.py b/testing/web-platform/tests/storage-access-api/resources/get_cookies.py
new file mode 100644
index 0000000000..07e8c2dae3
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/get_cookies.py
@@ -0,0 +1,10 @@
+import json
+from cookies.resources.helpers import makeCookieHeader, readCookies, setNoCacheAndCORSHeaders
+
+from wptserve.utils import isomorphic_decode
+
+def main(request, response):
+    headers = setNoCacheAndCORSHeaders(request, response)
+    cookies = readCookies(request)
+    decoded_cookies = {isomorphic_decode(key): isomorphic_decode(val) for key, val in cookies.items()}
+    return headers, json.dumps(decoded_cookies)
\ No newline at end of file
diff --git a/testing/web-platform/tests/storage-access-api/resources/set_cookies.py b/testing/web-platform/tests/storage-access-api/resources/set_cookies.py
new file mode 100644
index 0000000000..fe182dd00c
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/set_cookies.py
@@ -0,0 +1,10 @@
+from cookies.resources.helpers import makeCookieHeader, setNoCacheAndCORSHeaders
+
+def main(request, response):
+    headers = setNoCacheAndCORSHeaders(request, response)
+    headers[0] = (b"Content-Type", b"text/html; charset=utf-8")
+    headers.append(makeCookieHeader(b"samesite_strict", b"test", {b"SameSite":b"Strict", b"path":b"/", b"Secure":b""}))
+    headers.append(makeCookieHeader(b"samesite_lax", b"test", {b"SameSite":b"Lax", b"path":b"/", b"Secure":b""}))
+    headers.append(makeCookieHeader(b"samesite_none", b"test", {b"SameSite":b"None", b"path":b"/", b"Secure":b""}))
+    document = b"<!DOCTYPE html>"
+    return headers, document
diff --git a/testing/web-platform/tests/storage-access-api/resources/shared-worker-cookies.py b/testing/web-platform/tests/storage-access-api/resources/shared-worker-cookies.py
new file mode 100644
index 0000000000..9307c4112c
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/shared-worker-cookies.py
@@ -0,0 +1,37 @@
+from cookies.resources.helpers import makeCookieHeader, readCookies, setNoCacheAndCORSHeaders
+
+# This worker messages how many connections have been made and checks what cookies are available.
+def main(request, response):
+    headers = setNoCacheAndCORSHeaders(request, response)
+    headers[0] = (b"Content-Type", b"text/javascript")
+    cookies = readCookies(request)
+    message = b"ReadOnLoad:"
+    if b"samesite_strict" in cookies:
+        message += b"Strict"
+    if b"samesite_lax" in cookies:
+        message += b"Lax"
+    if b"samesite_none" in cookies:
+        message += b"None"
+    document = b"""
+let connection_count = 0;
+self.onconnect = (e) => {
+    connection_count++;
+    fetch("/storage-access-api/resources/get_cookies.py", {credentials: 'include'}).then((resp) => {
+        resp.json().then((cookies) => {
+            let message = \"""" + message + b""",ReadOnFetch:";
+            if (cookies.hasOwnProperty("samesite_strict")) {
+                message += "Strict";
+            }
+            if (cookies.hasOwnProperty("samesite_lax")) {
+                message += "Lax";
+            }
+            if (cookies.hasOwnProperty("samesite_none")) {
+                message += "None";
+            }
+            message += ",ConnectionsMade:" + connection_count;
+            e.ports[0].postMessage(message);
+        });
+    });
+}
+"""
+    return headers, document
\ No newline at end of file
diff --git a/testing/web-platform/tests/storage-access-api/resources/shared-worker-relay.js b/testing/web-platform/tests/storage-access-api/resources/shared-worker-relay.js
new file mode 100644
index 0000000000..c94acefec9
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/shared-worker-relay.js
@@ -0,0 +1,10 @@
+// This worker relays any messages received to the first connection.
+let port;
+self.onconnect = (e) => {
+    if (port == undefined) {
+        port = e.ports[0];
+    }
+    e.ports[0].onmessage = (e) => {
+        port.postMessage(e.data);
+    }
+}
diff --git a/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe-iframe.html b/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe-iframe.html
index ffb419f799..2d5e22fa71 100644
--- a/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe-iframe.html
+++ b/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe-iframe.html
@@ -17,7 +17,7 @@
       case "none": {
         let couldRequestStorageAccessForNone = true;
         try {
-          await document.requestStorageAccess({});
+          await test_driver.bless("fake user interaction", () => document.requestStorageAccess({}));
         } catch (_) {
           couldRequestStorageAccessForNone = false;
         }
@@ -26,7 +26,7 @@
         }
         let couldRequestStorageAccessForAllFalse = true;
         try {
-          await document.requestStorageAccess({all:false});
+          await test_driver.bless("fake user interaction", () => document.requestStorageAccess({all:false}));
         } catch (_) {
           couldRequestStorageAccessForAllFalse = false;
         }
@@ -44,7 +44,7 @@
         if (hasUnpartitionedCookieAccess || document.cookie.includes("test="+id)) {
           message = "First-party cookies should not be readable before handle is loaded.";
         }
-        await document.requestStorageAccess({cookies: true});
+        await test_driver.bless("fake user interaction", () => document.requestStorageAccess({cookies: true}));
         hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (!hasUnpartitionedCookieAccess || !document.cookie.includes("test="+id)) {
           message = "First-party cookies should be readable if cookies were requested.";
@@ -52,7 +52,7 @@
         break;
       }
       case "sessionStorage": {
-        const handle = await document.requestStorageAccess({sessionStorage: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({sessionStorage: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -77,7 +77,7 @@
         break;
       }
       case "localStorage": {
-        const handle = await document.requestStorageAccess({localStorage: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({localStorage: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -102,7 +102,7 @@
         break;
       }
       case "indexedDB": {
-        const handle = await document.requestStorageAccess({indexedDB: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({indexedDB: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -119,7 +119,7 @@
         break;
       }
       case "locks": {
-        const handle = await document.requestStorageAccess({locks: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({locks: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -136,7 +136,7 @@
         break;
       }
       case "caches": {
-        const handle = await document.requestStorageAccess({caches: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({caches: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -153,7 +153,7 @@
         break;
       }
       case "getDirectory": {
-        const handle = await document.requestStorageAccess({getDirectory: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({getDirectory: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -172,7 +172,7 @@
         break;
       }
       case "estimate": {
-        const handle = await document.requestStorageAccess({estimate: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({estimate: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -188,7 +188,7 @@
         break;
       }
       case "blobStorage": {
-        const handle = await document.requestStorageAccess({createObjectURL: true, revokeObjectURL: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({createObjectURL: true, revokeObjectURL: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -230,7 +230,7 @@
         break;
       }
       case "BroadcastChannel": {
-        const handle = await document.requestStorageAccess({BroadcastChannel: true});
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({BroadcastChannel: true}));
         let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
         if (hasUnpartitionedCookieAccess) {
           message = "First-party cookies should not be readable if not requested.";
@@ -243,6 +243,26 @@
         local_channel.close();
         break;
       }
+      case "SharedWorker": {
+        const local_shared_worker = new SharedWorker("/storage-access-api/resources/shared-worker-relay.js", id);
+        local_shared_worker.port.start();
+        local_shared_worker.port.postMessage("Same-origin local access");
+        const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({SharedWorker: true}));
+        let couldRequestAllCookies = true;
+        try {
+          handle.SharedWorker("/storage-access-api/resources/shared-worker-relay.js", {name: id, sameSiteCookies: 'all'});
+        } catch (_) {
+          couldRequestAllCookies = false;
+        }
+        if (couldRequestAllCookies) {
+          message = "Shared Workers in a third-party context should not be able to request SameSite cookies.";
+        }
+        handle.SharedWorker("/storage-access-api/resources/shared-worker-cookies.py", id).port.start();
+        const handle_shared_worker = handle.SharedWorker("/storage-access-api/resources/shared-worker-relay.js", {name: id, sameSiteCookies: 'none'});
+        handle_shared_worker.port.start();
+        handle_shared_worker.port.postMessage("Same-origin handle access");
+        break;
+      }
       default: {
         message = "Unexpected type " + type;
         break;
@@ -254,6 +274,6 @@
   // Step 7 (storage-access-api/storage-access-beyond-cookies.{}.tentative.sub.https.html)
   await MaybeSetStorageAccess("*", "*", "allowed");
   await test_driver.set_permission({ name: 'storage-access' }, 'prompt');
-  window.top.postMessage(message, "*");
+  window.top.postMessage({type: "result", message: message}, "*");
 })();
 </script>
diff --git a/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe.sub.html b/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe.sub.html
index 8c30973416..a9247a0002 100644
--- a/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe.sub.html
+++ b/testing/web-platform/tests/storage-access-api/resources/storage-access-beyond-cookies-iframe.sub.html
@@ -5,7 +5,10 @@
 <script src="/storage-access-api/helpers.js"></script>
 <body>
 <script>
-(async function() {
+window.addEventListener("message", async (e) => {
+  if (e.data != "blessed") {
+    return;
+  }
   test_driver.set_test_context(window.top);
   const type = (new URLSearchParams(window.location.search)).get("type");
   const id = (new URLSearchParams(window.location.search)).get("id");
@@ -14,14 +17,18 @@
   try {
     await MaybeSetStorageAccess("*", "*", "blocked");
     await test_driver.set_permission({ name: 'storage-access' }, 'granted');
-    let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
-    if (hasUnpartitionedCookieAccess) {
-      message = "First-party cookies should not be readable before handle is loaded.";
+    if (type == "cookies") {
+      let hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
+      if (hasUnpartitionedCookieAccess) {
+        message = "First-party cookies should not be readable before handle is loaded.";
+      }
     }
-    const handle = await document.requestStorageAccess({all: true});
-    hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
-    if (!hasUnpartitionedCookieAccess) {
-      message = "First-party cookies should be readable after handle is loaded.";
+    const handle = await test_driver.bless("fake user interaction", () => document.requestStorageAccess({all: true}));
+    if (type == "cookies") {
+      hasUnpartitionedCookieAccess = await document.hasUnpartitionedCookieAccess();
+      if (!hasUnpartitionedCookieAccess) {
+        message = "First-party cookies should be readable after handle is loaded.";
+      }
     }
     switch (type) {
       case "none": {
@@ -108,6 +115,12 @@
         channel.close();
         break;
       }
+      case "SharedWorker": {
+        const shared_worker = handle.SharedWorker("/storage-access-api/resources/shared-worker-relay.js", id);
+        shared_worker.port.start();
+        shared_worker.port.postMessage("Cross-origin handle access");
+        break;
+      }
       default: {
         message = "Unexpected type " + type;
         break;
@@ -119,13 +132,14 @@
   await MaybeSetStorageAccess("*", "*", "allowed");
   await test_driver.set_permission({ name: 'storage-access' }, 'prompt');
   if (message) {
-    window.top.postMessage(message, "*");
+    window.top.postMessage({type: "result", message: message}, "*");
     return;
   }
   // Step 5 (storage-access-api/storage-access-beyond-cookies.{}.tentative.sub.https.html)
   let iframe = document.createElement("iframe");
   iframe.src = "https://{{hosts[][]}}:{{ports[https][0]}}/storage-access-api/resources/storage-access-beyond-cookies-iframe-iframe.html?type=" + type + "&id=" + id;
   document.body.appendChild(iframe);
-})();
+});
+window.open("https://{{hosts[alt][]}}:{{ports[https][0]}}/storage-access-api/resources/bless_cross_site_permissions.html");
 </script>
 </body>