Diffstat (limited to 'testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting')
33 files changed, 1667 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro.https.html
new file mode 100644
index 0000000000..a7e83cc0d9
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro.https.html
@@ -0,0 +1,82 @@ +<title> + COOP reports are to the opener when the opener used COOP-RO+COEP and then it + tries to access a same-origin openee. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP and a reporter. + const opener_report_token= token(); + const opener_token = token(); + const opener_reportTo = reportToHeaders(opener_report_token); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. This is same origin with the "opener". + const openee_report_token = token(); + const openee_token = token(); + const openee_url = same_origin + executor_path + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. The opener opens it openee. 
+ send(opener_token, ` + openee = window.open("${openee_requested_url}"); + send("${this_window_token}", "ACK 1"); + `); + assert_equals("ACK 1", await receive(this_window_token)); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. Ensure the openee's document to be loaded. + send(openee_token, ` + send("${this_window_token}", "ACK 2"); + `); + assert_equals("ACK 2", await receive(this_window_token)); + + // 4. The opener tries to access its openee. + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(openee);") + ); + // 5. Check a report sent to the opener. + let report = + await receiveReport(opener_report_token, "access-from-coop-page-to-openee") + assert_equals(report.type, "coop"); + assert_equals(report.url, opener_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_found(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, openee_url); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, openee_requested_url); +}, name); + +runTest(false, "access-from-coop-page-to-openee, same-origin"); +runTest(true , "access-from-coop-page-to-openee, same-origin + redirect"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html new file mode 100644 index 0000000000..fe72a2299f --- /dev/null 
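Review bot: The two handshake checks in steps 2 and 3 pass the expected value first, `assert_equals("ACK 1", await receive(this_window_token))`, while testharness's `assert_equals` takes the actual value first, so a failure message would label the two values the wrong way round; write `assert_equals(await receive(this_window_token), "ACK 1");` and likewise for "ACK 2". The same ordering appears in the cross-origin variant of this test and in both access-to-coop-page-from-openee files. `openee_report_token` and `opener_window_proxy` are assigned but never read in this hunk and could be dropped.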
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html 
@@ -0,0 +1,85 @@ +<title> + COOP reports are to the opener when the opener used COOP-RO+COEP and then it + tries to access a cross-origin openee. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_ORIGIN; +const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP and a reporter. + const opener_report_token= token(); + const opener_token = token(); + const opener_reportTo = reportToHeaders(opener_report_token); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. This is cross origin with the "opener". + const openee_report_token= token(); + const openee_token = token(); + const openee_url = cross_origin + executor_path + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. 
The opener opens it openee. + send(opener_token, ` + openee = window.open("${openee_requested_url}"); + send("${this_window_token}", "ACK 1"); + `); + assert_equals("ACK 1", await receive(this_window_token)); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. Ensure the openee's document to be loaded. + send(openee_token, ` + send("${this_window_token}", "ACK 2"); + `); + assert_equals("ACK 2", await receive(this_window_token)); + + // 4. The opener tries to access its openee. + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(openee);") + ); + + + // 5. Check a report sent to the opener. + let report = + await receiveReport(opener_report_token, "access-from-coop-page-to-openee") + assert_equals(report.type, "coop"); + assert_equals(report.url, opener_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_found(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, ""); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, openee_requested_url); +}, name); + +runTest(false, "access-from-coop-page-to-openee, cross-origin"); +runTest(true , "access-from-coop-page-to-openee, cross-origin + redirect"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro.https.html new file mode 100644 index 0000000000..005339a06e --- /dev/null 
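Review bot: The report assertions in step 5 need a comment explaining why `openeeURL` is expected to be `""` while `initialPopupURL` still carries the full `openee_requested_url`. As written, the reader has to infer that the openee's current URL is withheld because the openee is cross-origin with the opener, whereas the initial popup URL is the string the opener itself passed to `window.open`; that is presumably the intent, but it should be confirmed against the reporting spec. Suggested comment above the `openeeURL` line: `// Cross-origin openee: its URL must not be disclosed in the opener's report.`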
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro.https.html 
@@ -0,0 +1,63 @@ +<title> + COOP reports are sent when the openee used COOP-RO+COEP and then tries to + access its same-origin opener. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + const report_token = token(); + const openee_token = token(); + + const opener_url = location.href; + + const reportTo = reportToHeaders(report_token); + const openee_url = same_origin + executor_path + + reportTo.header + reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + const openee = window.open(openee_requested_url); + t.add_cleanup(() => send(openee_token, "window.close()")) + + // 1. Try to access the opener. A report is sent, because of COOP-RO+COEP. + + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener);") + ); + + // 2. Check a report is sent to the openee. 
+ let report = + await receiveReport(report_token, "access-from-coop-page-to-opener") + assert_equals(report.type, "coop"); + assert_equals(report.url, openee_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_found(report); + assert_equals(report.body.openerURL, opener_url); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, opener_url); + assert_equals(report.body.initialPopupURL, undefined); +}, name); + +runTest(false, "access-from-coop-page-to-opener, same-origin"); +runTest(true , "access-from-coop-page-to-opener, same-origin + redirect"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html new file mode 100644 index 0000000000..eedfaa557f --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html 
@@ -0,0 +1,63 @@ +<title> + COOP reports are sent when the openee used COOP-RO+COEP and then tries to + access its cross-origin opener. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_ORIGIN; +const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + const report_token = token(); + const openee_token = token(); + + const opener_origin = location.origin + '/'; + + const reportTo = reportToHeaders(report_token); + const openee_url = cross_origin + executor_path + + reportTo.header + reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + const openee = window.open(openee_requested_url); + t.add_cleanup(() => send(openee_token, "window.close()")) + + // 1. Try to access the opener. A report is sent, because of COOP-RO+COEP. + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener);") + ); + + // 2. Check a report is sent to the openee. 
+ let report = + await receiveReport(report_token, "access-from-coop-page-to-opener") + assert_equals(report.type, "coop"); + assert_equals(report.url, openee_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_found(report); + assert_equals(report.body.openerURL, ""); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, opener_origin); + assert_equals(report.body.initialPopupURL, undefined); +}, name); + +runTest(false, "access-from-coop-page-to-opener, cross-origin"); +runTest(true , "access-from-coop-page-to-opener, cross-origin + redirect"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro.https.html new file mode 100644 index 0000000000..90df0e4e99 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro.https.html 
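Review bot: The expectation `assert_equals(report.body.referrer, opener_origin)` depends on the referrer being trimmed to `location.origin + '/'` for the cross-origin navigation, which nothing in this file sets explicitly; it appears to rely on the browser's default referrer policy. A short comment at the `opener_origin` declaration, for example `// Cross-origin popup: the default referrer policy is expected to reduce the referrer to the origin.`, would make that dependency visible. It would also help to say next to the `openerURL` assertion that the empty string is the redacted form for a cross-origin opener, since the same-origin variant expects the full `opener_url` there.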
@@ -0,0 +1,92 @@ +<title> + One window accesses a second one. They are aren't related by an opener/openee + relationship. The first window has set + Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a + "access-from-coop-page-to-other" report. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +let escapeComma = url => url.replace(/,/g, '\\,'); + +promise_test(async t => { + const report_token= token(); + const report_to = reportToHeaders(report_token); + + // The test window. + const this_window_token = token(); + + // The "opener" window. With COOP:same-origin + reporter. + const opener_token = token(); + const opener_url = same_origin + executor_path + report_to.header + + report_to.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. With COOP:same-origin + reporter. + const openee_token = token(); + const openee_url = same_origin + executor_path + report_to.header + + report_to.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + + // The "other" window. + const other_token = token(); + const other_url = same_origin + executor_path + report_to.header + + `&uuid=${other_token}`; + + t.add_cleanup(() => { + send(opener_token, "window.close()") + send(openee_token, "window.close()") + send(other_token, "window.close()") + }) + + // 1. 
Create the "opener" window. + let opener_window_proxy = window.open(opener_url); + + // 2. Create the "openee" window. + send(opener_token, ` + window.openee = window.open('${escapeComma(openee_url)}'); + `); + + // 3. Create the "other" window. + send(openee_token, ` + window.other = window.open('${escapeComma(other_url)}'); + `); + + // 4. Wait for "other" to load its document. + send(other_token, `send('${this_window_token}', "Loaded");`); + assert_equals(await receive(this_window_token), "Loaded"); + + // 5. "opener" accesses "other" window, through "openee". + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(openee.other);") + ); + + // 6. Check a report is sent to the openee. + let report = + await receiveReport(report_token, "access-from-coop-page-to-other") + assert_equals(report.type, "coop"); + assert_equals(report.url, opener_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_found(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, other_url.replace(/"/g, '%22')); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, undefined); +}, "access-from-coop-page-to-other (COOP-RO)"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html new file mode 100644 index 0000000000..f0d60c2531 --- /dev/null 
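Review bot: The step 6 comment says `// 6. Check a report is sent to the openee.`, but the assertions that follow compare `report.url` with `opener_url`, and it is the opener that runs `tryAccess(openee.other)`; the comment should read `// 6. Check a report is sent for the opener.`. The same comment appears in the cross-origin variant of this test. Because opener and openee share one `report_token`, the `report.url` assertion is the only thing that ties the report to the opener, which is worth stating in that comment. The window comments also say `COOP:same-origin` although the header actually used is `coopReportOnlySameOriginHeader`.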
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html 
@@ -0,0 +1,93 @@ +<title> + One window accesses a second one. They are aren't related by an opener/openee + relationship. The first window has set + Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a + "access-from-coop-page-to-other" report. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin= get_host_info().HTTPS_ORIGIN; +const cross_origin= get_host_info().HTTPS_REMOTE_ORIGIN; + +let escapeComma = url => url.replace(/,/g, '\\,'); + +promise_test(async t => { + const report_token= token(); + const report_to = reportToHeaders(report_token); + + // The test window. + const this_window_token = token(); + + // The "opener" window. With COOP:same-origin + reporter. + const opener_token = token(); + const opener_url = same_origin + executor_path + report_to.header + + report_to.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. With COOP:same-origin + reporter. + const openee_token = token(); + const openee_url = same_origin + executor_path + report_to.header + + report_to.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + + // The "other" window. 
+ const other_token = token(); + const other_url = cross_origin + executor_path + report_to.header + + `&uuid=${other_token}`; + + t.add_cleanup(() => { + send(opener_token, "window.close()") + send(openee_token, "window.close()") + send(other_token, "window.close()") + }) + + // 1. Create the "opener" window. + let opener_window_proxy = window.open(opener_url); + + // 2. Create the "openee" window. + send(opener_token, ` + window.openee = window.open('${escapeComma(openee_url)}'); + `); + + // 3. Create the "other" window. + send(openee_token, ` + window.other = window.open('${escapeComma(other_url)}'); + `); + + // 4. Wait for "other" to load its document. + send(other_token, `send('${this_window_token}', "Loaded");`); + assert_equals(await receive(this_window_token), "Loaded"); + + // 5. "opener" accesses "other" window, through "openee". + + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(openee.other);") + ); + + // 6. Check a report is sent to the openee. + let report = + await receiveReport(report_token, "access-from-coop-page-to-other") + assert_equals(report.type, "coop"); + assert_equals(report.url, opener_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_found(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, ""); + assert_equals(report.body.referrer, undefined); +}, "access-from-coop-page-to-other (COOP-RO)"); + +</script> 
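Review bot: The report checks in step 6 stop at `referrer` and omit the `initialPopupURL` assertion that the same-origin variant of this test has; adding `assert_equals(report.body.initialPopupURL, undefined);` after the `referrer` line keeps the two files parallel. This is the variant where the other document is cross-origin and `otherDocumentURL` is expected to be `""`, so it is the case where an unexpectedly populated URL field in the report would matter most.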
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro.https.html
new file mode 100644
index 0000000000..9f0a8821a4
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro.https.html
@@ -0,0 +1,77 @@ +<title> + COOP reports are to the opener when the opener used COOP-RO+COEP and then its + same-origin openee tries to access it. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP and a reporter. + const opener_report_token= token(); + const opener_token = token(); + const opener_reportTo = reportToHeaders(opener_report_token); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. This is same origin with the "opener". + const openee_report_token= token(); + const openee_token = token(); + const openee_url = same_origin + executor_path + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. The opener opens its openee. 
+ send(opener_token, ` + openee = window.open("${openee_requested_url}"); + send("${this_window_token}", "ACK 1"); + `); + assert_equals("ACK 1", await receive(this_window_token)); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. The openee tries to access its opener. + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener);") + ); + + // 4. Check a report sent to the opener. + let report = + await receiveReport(opener_report_token, "access-to-coop-page-from-openee") + assert_equals(report.type, "coop"); + assert_equals(report.url, opener_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, openee_url); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, openee_requested_url); +}, name); + +runTest(false, "access-to-coop-page-from-openee, same-origin"); +runTest(true , "access-to-coop-page-from-openee, same-origin + redirect"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html new file mode 100644 index 0000000000..d9577836d9 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html 
@@ -0,0 +1,79 @@ +<title> + COOP reports are to the opener when the opener used COOP-RO+COEP and then its + cross-origin openee tries to access it. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_REMOTE_ORIGIN; +const cross_origin= get_host_info().HTTPS_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP and a reporter. + const opener_report_token= token(); + const opener_token = token(); + const opener_reportTo = reportToHeaders(opener_report_token); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. This is cross origin with the "opener". + const openee_report_token= token(); + const openee_token = token(); + const openee_url = cross_origin + executor_path + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. 
The opener opens its openee. + send(opener_token, ` + openee = window.open("${openee_requested_url}"); + send("${this_window_token}", "ACK 1"); + `); + assert_equals("ACK 1", await receive(this_window_token)); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. The openee tries to access its opener. + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener);") + ); + + // 4. Check a report sent to the opener. + let report = + await receiveReport(opener_report_token, "access-to-coop-page-from-openee") + assert_equals(report.type, "coop"); + assert_equals(report.url, opener_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, ""); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, openee_requested_url); +}, name); + +runTest(false, "access-to-coop-page-from-openee, cross-origin"); +runTest(true , "access-to-coop-page-from-openee, cross-origin + redirect)"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro.https.html new file mode 100644 index 0000000000..8a643d762c --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro.https.html 
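Review bot: `assert_equals(report.body.referrer, undefined);` appears twice in a row in step 4, and the second test name ends with a stray parenthesis, `"access-to-coop-page-from-openee, cross-origin + redirect)"`; drop the duplicate line and rename the test to `"access-to-coop-page-from-openee, cross-origin + redirect"`. This file also binds `same_origin` to `HTTPS_REMOTE_ORIGIN` and `cross_origin` to `HTTPS_ORIGIN`, the reverse of the other files in this directory, so the names here are relative to the opener rather than to the test window. A one-line comment at the two declarations saying so would prevent misreading which origin each window is on.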
@@ -0,0 +1,67 @@ +<title> + COOP reports are sent when the openee used COOP-RO+COEP and then its + same-origin opener tries to access it. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + const report_token = token(); + const openee_token = token(); + const opener_token = token(); // The current test window. + + const opener_url = location.href; + + const reportTo = reportToHeaders(report_token); + const openee_url = same_origin + executor_path + reportTo.header + + reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + + const openee = window.open(openee_requested_url); + t.add_cleanup(() => send(openee_token, "window.close()")) + + // 1. Make sure the new document to be loaded. + send(openee_token, ` + send("${opener_token}", "Ready"); + `); + let reply = await receive(opener_token); + assert_equals(reply, "Ready"); + + // 2. Try to access the openee. A report is sent, because of COOP-RO+COEP. + tryAccess(openee); + + // 3. Check a report is sent to the openee. 
+ let report = + await receiveReport(report_token, "access-to-coop-page-from-opener") + assert_equals(report.type, "coop"); + assert_equals(report.url, openee_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, opener_url); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, opener_url); + assert_equals(report.body.initialPopupURL, undefined); +}, name); + +runTest(false, "access-to-coop-page-from-opener, same-origin"); +runTest(true , "access-to-coop-page-from-opener, same-origin + redirect"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html new file mode 100644 index 0000000000..7e1ae870a7 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html 
@@ -0,0 +1,68 @@ +<title> + COOP reports are sent when the openee used COOP-RO+COEP and then its + cross-origin opener tries to access it. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const redirect_path = directory + "/resources/redirect.py?"; +const same_origin = get_host_info().HTTPS_ORIGIN; +const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; + +let runTest = (openee_redirect, name) => promise_test(async t => { + const report_token = token(); + const openee_token = token(); + const opener_token = token(); // The current test window. + + const opener_origin = location.origin + '/'; + + const reportTo = reportToHeaders(report_token); + const openee_url = cross_origin + executor_path + + reportTo.header + reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + const openee_redirect_url = same_origin + redirect_path + openee_url + const openee_requested_url = openee_redirect ? openee_redirect_url + : openee_url; + + + const openee = window.open(openee_requested_url); + t.add_cleanup(() => send(openee_token, "window.close()")) + + // 1. Make sure the new document to be loaded. + send(openee_token, ` + send("${opener_token}", "Ready"); + `); + let reply = await receive(opener_token); + assert_equals(reply, "Ready"); + + // 2. Try to access the openee. A report is sent, because of COOP-RO+COEP. + tryAccess(openee); + + // 3. Check a report is sent to the openee. 
+ let report = + await receiveReport(report_token, "access-to-coop-page-from-opener") + assert_equals(report.type, "coop"); + assert_equals(report.url, openee_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, ""); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, opener_origin); + assert_equals(report.body.initialPopupURL, undefined); +}, name); + +runTest(false, "access-to-coop-page-from-opener, cross-origin"); +runTest(true , "access-to-coop-page-from-opener, cross-origin + redirect"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro.https.html new file mode 100644 index 0000000000..b73bab8610 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro.https.html 
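Review bot: The expected values near the end of `runTest` encode the cross-origin redaction, but nothing in the file says so: `openerURL` is expected to be `""` and `referrer` only `location.origin + '/'`, whereas the same-origin variant of this test expects the full `opener_url` for both. A comment above those two assertions, e.g. `// Cross-origin opener: the report carries no opener URL and the referrer is reduced to its origin.`, would keep a later edit from "fixing" them to match the same-origin file. Whether the origin-only referrer comes from the default referrer policy or from COOP reporting itself is not visible in this diff, so the comment should state only what is asserted.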
@@ -0,0 +1,82 @@ +<title> + One window accesses a second one. They are aren't related by an opener/openee + relationship. The second window has set + Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a + "access-to-coop-page-from-other" report. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. + const opener_token = token(); + const opener_url = same_origin + executor_path + `&uuid=${opener_token}`; + + // The "openee" window. With COOP:same-origin + reporter. + const openee_report_token= token(); + const openee_token = token(); + const openee_reportTo = reportToHeaders(openee_report_token); + const openee_url = same_origin + executor_path + openee_reportTo.header + + openee_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + + // The "other" window. + const other_token = token(); + const other_url = same_origin + executor_path + `&uuid=${other_token}`; + + t.add_cleanup(() => { + send(opener_token, "window.close()") + send(openee_token, "window.close()") + send(other_token, "window.close()") + }) + + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + + // 2. The opener opens its openee and the other window. 
+ send(opener_token, ` + window.openee = window.open('${openee_url.replace(/,/g, '\\,')}'); + window.other = window.open('${other_url}'); + `); + + // 3. Make sure the openee is loaded. + send(openee_token, `send("${this_window_token}", "Loaded");`); + assert_equals(await receive(this_window_token), "Loaded"); + + // 4. The "other" window attempts to access the openee though the opener. + send(other_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener.openee);") + ); + + // 4. Check a report sent to the openee. + let report = + await receiveReport(openee_report_token, "access-to-coop-page-from-other") + assert_equals(report.type, "coop"); + assert_equals(report.url, openee_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, other_url); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, undefined); +}, "access-to-coop-page-from-other (COOP-RO)"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro_cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro_cross-origin.https.html new file mode 100644 index 0000000000..c86daa3dca --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/access-to-coop-page-from-other_coop-ro_cross-origin.https.html 
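Review bot: `window.openee = window.open('${openee_url.replace(/,/g, '\\,')}');` in step 2 builds script text by hand-quoting a URL and needs a comment explaining the comma handling, because the sibling tests pass the same kind of URL to `window.open` unmodified. Presumably the header pipe in `openee_url` carries backslash-escaped commas that would lose their backslash once the text is parsed as a single-quoted JavaScript literal; that depends on `reportToHeaders`, which is outside this diff, so confirm before writing it down. The literal is also only correct while `openee_url` contains no single quote and no other backslash; `window.openee = window.open(${JSON.stringify(openee_url)});` would carry the string through without those assumptions. The step comments number both the access and the report check as `// 4.`, and `though the opener` should read `through the opener`; the same lines recur in the `_cross-origin` copy of this file.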
@@ -0,0 +1,83 @@ +<title> + One window accesses a second one. They are aren't related by an opener/openee + relationship. The second window has set + Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a + "access-to-coop-page-from-other" report. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = get_host_info().HTTPS_ORIGIN; +const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; + +promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. + const opener_token = token(); + const opener_url = same_origin + executor_path + `&uuid=${opener_token}`; + + // The "openee" window. With COOP:same-origin + reporter. + const openee_report_token= token(); + const openee_token = token(); + const openee_reportTo = reportToHeaders(openee_report_token); + const openee_url = cross_origin + executor_path + openee_reportTo.header + + openee_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + + // The "other" window. + const other_token = token(); + const other_url = same_origin + executor_path + `&uuid=${other_token}`; + + t.add_cleanup(() => { + send(opener_token, "window.close()") + send(openee_token, "window.close()") + send(other_token, "window.close()") + }) + + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + + // 2. 
The opener opens its openee and the other window. + send(opener_token, ` + window.openee = window.open('${openee_url.replace(/,/g, '\\,')}'); + window.other = window.open('${other_url}'); + `); + + // 3. Make sure the openee is loaded. + send(openee_token, `send("${this_window_token}", "Loaded");`); + assert_equals(await receive(this_window_token), "Loaded"); + + // 4. The "other" window attempts to access the openee though the opener. + send(other_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener.openee);") + ); + + // 4. Check a report sent to the openee. + let report = + await receiveReport(openee_report_token, "access-to-coop-page-from-other") + assert_equals(report.type, "coop"); + assert_equals(report.url, openee_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, ""); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, undefined); +}, "access-to-coop-page-from-other (COOP-RO)"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-blur.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-blur.https.html new file mode 100644 index 0000000000..849bf6579a --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-blur.https.html 
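Review bot: The test name `"access-to-coop-page-from-other (COOP-RO)"` and the `<title>` text are identical to those of the same-origin file, so neither says that the COOP page here is cross-origin to the window that accesses it. Naming it `"access-to-coop-page-from-other (COOP-RO), cross-origin"` follows the pattern used by the opener and openee tests in this directory. The only expectation that differs from the same-origin file is `assert_equals(report.body.otherDocumentURL, "");`, and it deserves a comment such as `// Cross-origin accessor: its URL is expected to be withheld from the report.` so the empty string is not mistaken for a placeholder.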
@@ -0,0 +1,13 @@
+<title> Check openee.blur() access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("blur", w => w.blur());
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-close.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-close.https.html
new file mode 100644
index 0000000000..7696600488
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-close.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.close() access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("close", w => w.close());
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-closed.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-closed.https.html
new file mode 100644
index 0000000000..c678d18a80
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-closed.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.closed access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("closed", w => w.closed);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-focus.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-focus.https.html
new file mode 100644
index 0000000000..363c0d294f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-focus.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.focus() access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("focus", w => w.focus());
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-frames.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-frames.https.html
new file mode 100644
index 0000000000..fc1925045f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-frames.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.frames access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("frames", w => w.frames);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html
new file mode 100644
index 0000000000..b6c5f5acb1
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html
@@ -0,0 +1,66 @@ +<title> Check reports are sent for the indexed getter</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const executor_path = "/common/dispatcher/executor.html?pipe="; +const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)'; + +let origin = [ + ["cross-origin" , get_host_info().HTTPS_REMOTE_ORIGIN ] , + ["same-site" , get_host_info().HTTPS_ORIGIN ] , +]; + +let testCase = [ +//[operation , expectReport ] , + [w => w[0] , true ], // Existing iframe. + [w => w[1] , false ], // Out of bounds (positive). + [w => w[-1] , false ], // Out of bounds (negative). +]; + +origin.forEach(([origin_name, origin]) => { + testCase.forEach(([op, expectReport]) => { + promise_test(async t => { + const opener_token = token(); + const openee_token = token(); + + const openee_url = origin+ executor_path + `&uuid=${openee_token}`; + const openee = window.open(openee_url); + t.add_cleanup(() => send(openee_token, "window.close()")) + + // 1. Create an iframe in the openee. + send(openee_token, ` + let iframe = document.createElement("iframe"); + document.body.appendChild(iframe); + + send("${opener_token}", "openee loaded"); + `); + let reply = await receive(opener_token); + assert_equals(reply, "openee loaded"); + + // 2. Try to access the openee. + let observer = new ReportingObserver(()=>{}); + observer.observe(); + try {op(openee)} catch(e) {} + let reports = observer.takeRecords(); + observer.disconnect(); + + // 3. Check the received reports. 
+ if (expectReport) { + assert_equals(reports.length, 1); + assert_equals(reports[0].type, "coop-access-violation"); + assert_equals(reports[0].body.property, "indexed"); + } else { + assert_equals(reports.length, 0); + } + + }, `${origin_name} > ${op}`); +}); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html.headers new file mode 100644 index 0000000000..64f4d5fedf --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-indexed-getter.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="none" diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-length.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-length.https.html new file mode 100644 index 0000000000..a9f3614cb5 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-length.https.html @@ -0,0 +1,13 @@ +<title> Check openee.length access is checked</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script> +<script> + +testAccessProperty("length", w => w.length); + +</script> 
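Review bot: Step 2 creates `new ReportingObserver(()=>{})` without a `types` filter, so `reports.length` counts every report the page queues, and an unrelated deprecation or intervention report would fail either branch of step 3. Constructing it as `new ReportingObserver(()=>{}, {types: ["coop-access-violation"]})` keeps the count tied to the report type under test; property-named-getter.https.html uses the same construct. The `try {op(openee)} catch(e) {}` around the access also hides any exception, so a case that throws and a case that returns are indistinguishable in the results. The label `"same-site"` is attached to `HTTPS_ORIGIN`, which the other files in this directory name `same_origin`, and `const directory` is never used.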
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-get.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-get.https.html
new file mode 100644
index 0000000000..442817748d
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-get.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.location access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("location", w => w.location);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-set.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-set.https.html
new file mode 100644
index 0000000000..e42f084821
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-location-set.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.location access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("location", w => w.location = "#");
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html
new file mode 100644
index 0000000000..27be9a48d1
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html
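Review bot: The `<title>` `Check openee.location access is checked` is the same string as in property-location-get.https.html, so nothing in this file says that it exercises the setter (`w.location = "#"`); a title such as `Check setting openee.location is checked` would separate the two. property-opener-set.https.html repeats the title of property-opener-get.https.html in the same way, and there it is also misleading, because the call passes `/* expectReport = */false`: that file asserts that setting `opener` produces no report. That expectation deserves a one-line comment giving the reason, which is not visible in this diff.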
@@ -0,0 +1,71 @@ +<title> Check reports are sent for the indexed getter</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script> + +const executor_path = "/common/dispatcher/executor.html?pipe="; +let crossOrigin = ["cross-origin" , get_host_info().HTTPS_REMOTE_ORIGIN ]; +let sameOrigin = ["same-site" , get_host_info().HTTPS_ORIGIN ]; + +let testCase = [ +//[ operation , origin , expectReport ], + [ w => w["iframeName"] , sameOrigin , true ], + [ w => w["iframeName"] , crossOrigin , true ], + [ w => w["divID"] , sameOrigin , true ], + [ w => w["divID"] , crossOrigin , false ], + [ w => w["existingGlobal"] , sameOrigin , false ], + [ w => w["existingGlobal"] , crossOrigin , false ], + [ w => w["missingGlobal"] , sameOrigin , false ], + [ w => w["missingGlobal"] , crossOrigin , false ], +]; + +testCase.forEach(([op, [origin_name, origin], expectReport]) => { + promise_test(async t => { + const opener_token = token(); + const openee_token = token(); + + const openee_url = origin + executor_path + `&uuid=${openee_token}`; + const openee = window.open(openee_url); + t.add_cleanup(() => send(openee_token, "window.close()")) + + // 1. Make sure the new document to be loaded. Populate the document. + send(openee_token, ` + let iframe = document.createElement("iframe"); + iframe.name = "iframeName"; + document.body.appendChild(iframe); + + let div = document.createElement("div"); + div.id = "divID"; + document.body.appendChild(div); + + window.existingGlobal = "test"; + + send("${opener_token}", "Ready"); + `); + let reply = await receive(opener_token); + assert_equals(reply, "Ready"); + + // 2. Try to access the openee. 
+ let observer = new ReportingObserver(()=>{}); + observer.observe(); + try {op(openee)} catch(e) {} + let reports = observer.takeRecords(); + observer.disconnect(); + + // 3. Check the received reports. + if (expectReport) { + assert_equals(reports.length, 1); + assert_equals(reports[0].type, "coop-access-violation"); + assert_equals(reports[0].body.property, "named"); + } else { + assert_equals(reports.length, 0); + } + + }, `${origin_name} > ${op}`); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html.headers new file mode 100644 index 0000000000..64f4d5fedf --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-named-getter.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="none" diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-get.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-get.https.html new file mode 100644 index 0000000000..b99dfdc562 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-get.https.html 
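Review bot: The `<title>` reads `Check reports are sent for the indexed getter`, copied from property-indexed-getter.https.html, although every case here goes through a named property and step 3 asserts that `body.property` is `"named"`; it should read `Check reports are sent for the named getter`. The `testCase` table would also benefit from a short comment on its one asymmetric pair of rows: `w["divID"]` expects a report for the same-origin openee but none for the cross-origin one, presumably because an element id is not exposed as a named property on a cross-origin window while a child frame name is. As in the other files, `sameOrigin` is labelled `"same-site"` while holding `HTTPS_ORIGIN`.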
@@ -0,0 +1,13 @@
+<title> Check openee.opener access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("opener", w => w.opener);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-set.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-set.https.html
new file mode 100644
index 0000000000..10c251140b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-opener-set.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.opener access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("opener", w => w.opener = "", /* expectReport = */false);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-1.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-1.https.html
new file mode 100644
index 0000000000..a9168fdaa5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-1.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.postMessage(arg1, arg2) access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("postMessage", w => w.postMessage("", ""));
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-2.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-2.https.html
new file mode 100644
index 0000000000..4341f245d5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-postmessage-2.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.postMessage(arg1) access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("postMessage", w => w.postMessage(""));
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-self.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-self.https.html
new file mode 100644
index 0000000000..7a7d5a3fec
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-self.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.self access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("self", w => w.self);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-top.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-top.https.html
new file mode 100644
index 0000000000..1b75ecc105
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-top.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.top access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("top", w => w.top);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-window.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-window.https.html
new file mode 100644
index 0000000000..07278b4a11
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/property-window.https.html
@@ -0,0 +1,13 @@
+<title> Check openee.window access is checked</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script>
+<script>
+
+testAccessProperty("window", w => w.window);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/report-to-both_coop-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/report-to-both_coop-ro.https.html
new file mode 100644
index 0000000000..46cdc6eb27
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/report-to-both_coop-ro.https.html 
@@ -0,0 +1,124 @@ +<title> + Both the openee and the opener have a COOP reporter. The report are sent to + both side. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const origin_opener = get_host_info().HTTPS_ORIGIN; +const origin_openee = get_host_info().HTTPS_REMOTE_ORIGIN; + +let escapeComma = url => url.replace(/,/g, '\\,'); + +let genericSetup = async function(test) { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP and a reporter. + const opener_report_token= token(); + const opener_token = token(); + const opener_reportTo = reportToHeaders(opener_report_token); + const opener_url = origin_opener+ executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window. This has COOP and a reporter. + const openee_report_token= token(); + const openee_token = token(); + const openee_reportTo = reportToHeaders(openee_report_token); + const openee_url = origin_openee + executor_path + openee_reportTo.header + + openee_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + + // Cleanup at the end of the test. + test.add_cleanup(() => { + send(openee_token, 'window.close()'); + send(opener_token, 'window.close()'); + }); + + // 1. Spawn the opener and the openee windows. 
+ window.open(opener_url); + send(opener_token, ` + openee = window.open('${escapeComma(openee_url)}'); + `); + + // 2. Wait for both to be loaded. + send(openee_token, `send('${this_window_token}', 'ACK');`); + assert_equals(await receive(this_window_token), 'ACK'); + + return [ + this_window_token, + opener_token, opener_report_token, opener_url, + openee_token, openee_report_token, openee_url, + ]; +} + +let assert_generic_coop_report = function(report) { + assert_equals(report.type, "coop"); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); + assert_equals(report.body.property, "blur"); +} + +promise_test(async test => { + let [ + this_window_token, + opener_token, opener_report_token, opener_url, + openee_token, openee_report_token, openee_url, + ] = await genericSetup(test); + + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(openee);") + ); + + let report_opener = + await receiveReport(opener_report_token, "access-from-coop-page-to-openee") + let report_openee = + await receiveReport(openee_report_token, "access-to-coop-page-from-opener") + + assert_generic_coop_report(report_openee); + assert_generic_coop_report(report_opener); + + assert_equals(report_opener.url, opener_url.replace(/"/g, '%22')); + assert_equals(report_openee.url, openee_url.replace(/"/g, '%22')); + assert_source_location_found(report_opener); + assert_source_location_missing(report_openee); +}, "Access from opener") + +promise_test(async test => { + let [ + this_window_token, + opener_token, opener_report_token, opener_url, + openee_token, openee_report_token, openee_url, + ] = await genericSetup(test); + + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener);") + ); + + let report_opener = + await receiveReport(opener_report_token, "access-to-coop-page-from-openee") + let report_openee 
= + await receiveReport(openee_report_token, "access-from-coop-page-to-opener") + + assert_generic_coop_report(report_openee); + assert_generic_coop_report(report_opener); + + assert_equals(report_opener.url, opener_url.replace(/"/g, '%22')); + assert_equals(report_openee.url, openee_url.replace(/"/g, '%22')); + assert_source_location_missing(report_opener); + assert_source_location_found(report_openee); +}, "Access from openee") + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html new file mode 100644 index 0000000000..375c627d27 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/access-reporting/reporting-observer.html 
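Review bot: In report-to-both_coop-ro.https.html, `assert_generic_coop_report` hard-codes `assert_equals(report.body.property, "blur");`, which presumably mirrors the property that `tryAccess()` touches in try-access.js, a helper that is not part of this hunk. A short comment on that line, e.g. `// Must match the property accessed by tryAccess() in try-access.js.`, would make the coupling explicit, so that a change to the helper does not surface as an unexplained report mismatch. The title text also reads "The report are sent to both side."; `The reports are sent to both sides.` is what is meant.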
@@ -0,0 +1,275 @@ +<!doctype html> +<meta charset="utf-8"> +<meta name="timeout" content="long"> +<title> + Check the ReportingObserver(s) are notified about the coop-access-violation + events. +</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = get_host_info().HTTPS_ORIGIN; +const cross_site = get_host_info().HTTPS_NOTSAMESITE_ORIGIN; +const corp_header = '|header(Cross-Origin-Resource-Policy,cross-origin)'; + +promise_test(async t => { + // This test window. + const this_window_token = token(); + + // The "opener" window, using COOP-Report-Only and a reporter. + const opener_token = token(); + const opener_reportTo = reportToHeaders(token()); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "openee" window, NOT using COOP. + const openee_token = token(); + const openee_url = same_origin + executor_path + `&uuid=${openee_token}`; + + // 1. Create the opener window. + window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close();")); + + // 2. The opener opens its openee. + send(opener_token, `openee = window.open('${openee_url}');`); + t.add_cleanup(() => send(openee_token, `window.close();`)); + + // 3. Wait for the openee to load its document. 
+ send(openee_token, `send("${this_window_token}", "Ready");`); + assert_equals(await receive(this_window_token), "Ready"); + + // 4. The opener tries to access its openee. All reports for blocked access + // from the COOP page should notify the ReportingObservers. + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", ` + let observer = new ReportingObserver(()=>{}); + observer.observe(); + tryAccess(openee); + let reports = observer.takeRecords(); + send("${this_window_token}", JSON.stringify(reports)); + observer.disconnect(); + `)); + + let report_access_from = JSON.parse(await receive(this_window_token)); + assert_equals(report_access_from.length, 1, "No report received."); + assert_equals(report_access_from[0].type, "coop-access-violation"); + assert_equals(report_access_from[0].url, opener_url.replace(/"/g, '%22')); + assert_source_location_found(report_access_from[0]) + assert_equals(report_access_from[0].body.type, + "access-from-coop-page-to-openee"); + assert_equals(report_access_from[0].body.openeeURL, openee_url); + assert_equals(report_access_from[0].body.openerURL, undefined); + assert_equals(report_access_from[0].body.otherDocumentURL, undefined); + + // 5. The openee tries to access its opener. No reports for blocked access + // to the COOP page should be dispatched. + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", ` + let observer = new ReportingObserver(()=>{}); + observer.observe(); + tryAccess(opener); + let reports = observer.takeRecords(); + send("${this_window_token}", JSON.stringify(reports)); + observer.disconnect(); + `)); + let report_access_to = JSON.parse(await receive(this_window_token)); + assert_equals(report_access_to.length, 0, "Unexpected report received."); +}, "Opener COOP"); + +promise_test(async t => { + // This test window. + const this_window_token = token(); + + // The "opener" window, NOT using COOP. 
+ const opener_token = token(); + const opener_url = same_origin + executor_path + `&uuid=${opener_token}`; + + // The "openee" window, using COOP-Report-Only and a reporter. + const openee_token = token(); + const openee_reportTo = reportToHeaders(token()); + const openee_url = same_origin + executor_path + openee_reportTo.header + + openee_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${openee_token}`; + + // 1. Create the opener window. + window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close();")); + + // 2. The opener opens its openee. + send(opener_token, + `openee = window.open('${openee_url.replace(/,/g, '\\,')}');`); + t.add_cleanup(() => send(openee_token, `window.close();`)); + + // 3. The openee tries to access its opener. All reports for blocked access + // from the COOP page should notify the ReportingObservers. + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", ` + let observer = new ReportingObserver(()=>{}); + observer.observe(); + tryAccess(opener); + let reports = observer.takeRecords(); + send("${this_window_token}", JSON.stringify(reports)); + observer.disconnect(); + `)); + let report_access_from = JSON.parse(await receive(this_window_token)); + assert_equals(report_access_from.length, 1, "No report received."); + assert_equals(report_access_from[0].type, "coop-access-violation"); + assert_equals(report_access_from[0].url, openee_url.replace(/"/g, '%22')); + assert_true(report_access_from[0].body.sourceFile.includes("try-access.js")); + assert_source_location_found(report_access_from[0]) + assert_equals(report_access_from[0].body.type, + "access-from-coop-page-to-opener"); + assert_equals(report_access_from[0].body.openeeURL, undefined); + assert_equals(report_access_from[0].body.openerURL, opener_url); + assert_equals(report_access_from[0].body.otherDocumentURL, undefined); + + // 4. The opener tries to access its openee. 
No reports for blocked access + // to the COOP page should be dispatched. + send(opener_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", ` + let observer = new ReportingObserver(()=>{}); + observer.observe(); + tryAccess(openee); + let reports = observer.takeRecords(); + send("${this_window_token}", JSON.stringify(reports)); + observer.disconnect(); + `)); + let report_access_to = JSON.parse(await receive(this_window_token)); + assert_equals(report_access_to.length, 0, "Unexpected report received."); +}, "Openee COOP"); + +promise_test(async t => { + // This test window. + const this_window_token = token(); + + // The "opener" window, using COOP-Report-Only and a reporter. + const opener_token = token(); + const opener_reportTo = reportToHeaders(token()); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "opener's iframe", same-origin with its parent. + const opener_iframe_token = token(); + const opener_iframe_url = same_origin + executor_path + coep_header + + `&uuid=${opener_iframe_token}`; + + // The "openee" window, NOT using COOP. + const openee_token = token(); + const openee_url = same_origin + executor_path + coep_header + + `&uuid=${openee_token}`; + + // 1. Create the opener window. + window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close();")); + + // 2. The opener opens an iframe, and install a ReportingObserver to catch + // future accesses. + send(opener_token, ` + iframe = document.createElement("iframe"); + iframe.src = "${opener_iframe_url}"; + document.body.appendChild(iframe); + + let observer = new ReportingObserver(reports => { + send("${this_window_token}", JSON.stringify(reports)); + observer.disconnect(); + }); + observer.observe(); + `); + + // 3. The iframe opens the openee. 
+ send(opener_iframe_token, `openee = window.open('${openee_url}');`); + t.add_cleanup(() => send(openee_token, `window.close();`)); + + // 4. Wait for the openee to load its document. + send(openee_token, `send("${this_window_token}", "Ready");`); + assert_equals(await receive(this_window_token), "Ready"); + + // 4. The opener's iframe tries to access the openee. This is an + // "access-from-coop-page" from a same-origin iframe, so the + // ReportingObserver(s) are notified. + send(opener_iframe_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", `tryAccess(openee);`)); + + let reports = await receive(this_window_token); + reports = JSON.parse(reports); + assert_equals(reports.length, 1, "No report received."); + assert_equals(reports[0].type, "coop-access-violation"); + assert_equals(reports[0].url, opener_url.replace(/"/g, '%22')); + assert_true(reports[0].body.sourceFile.includes("try-access.js")); + assert_source_location_found(reports[0]); + assert_equals(reports[0].body.type, + "access-from-coop-page-to-openee"); + assert_equals(reports[0].body.openeeURL, openee_url); + assert_equals(reports[0].body.openerURL, undefined); + assert_equals(reports[0].body.otherDocumentURL, undefined); +}, "Access from same-origin iframe") + +promise_test(async t => { + // This test window. + const this_window_token = token(); + + // The "opener" window, using COOP-Report-Only and a reporter. + const opener_token = token(); + const opener_reportTo = reportToHeaders(token()); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlySameOriginHeader + coep_header + + `&uuid=${opener_token}`; + + // The "opener's iframe", same-origin with its parent. + const opener_iframe_token = token(); + const opener_iframe_url = cross_site + executor_path + coep_header + + corp_header + + `&uuid=${opener_iframe_token}`; + + // The "openee" window, NOT using COOP. 
+ const openee_token = token(); + const openee_url = same_origin + executor_path + coep_header + + `&uuid=${openee_token}`; + + // 1. Create the opener window. + window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close();")); + + // 2. The opener opens an iframe, and install a ReportingObserver to catch + // future accesses. + send(opener_token, ` + iframe = document.createElement("iframe"); + iframe.src = "${opener_iframe_url}"; + document.body.appendChild(iframe); + + let observer = new ReportingObserver(reports => { + send("${this_window_token}", JSON.stringify(reports)); + observer.disconnect(); + }); + observer.observe(); + `); + + // 3. The iframe opens the openee. + send(opener_iframe_token, `openee = window.open('${openee_url}');`); + t.add_cleanup(() => send(openee_token, `window.close();`)); + + // 4. Wait for the openee to load its document. + send(openee_token, `send("${this_window_token}", "Ready");`); + assert_equals(await receive(this_window_token), "Ready"); + + // 5. The opener's iframe tries to access the openee. This is an + // "access-from-coop-page" from a cross-site iframe. The ReportingObservers + // from the main document aren't notified. + send(opener_iframe_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", `tryAccess(openee);`)); + + let reports = await receive(this_window_token, 2000); + assert_equals(reports, "timeout", "Unexpected report received."); +}, "Access from cross-site iframe") + +</script> |
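Review bot: In the last test of reporting-observer.html ("Access from cross-site iframe") the comment above `opener_iframe_url` still reads `The "opener's iframe", same-origin with its parent.`, although the URL is built from `cross_site`; it should read `// The "opener's iframe", cross-site with its parent.` so the case under test is not misread. The same test establishes that the main document's observer is not notified only by `receive(this_window_token, 2000)` returning "timeout", so a report delivered after two seconds would still let it pass. A comment stating that bound would help, e.g. `// Negative check: only holds within the 2000 ms receive timeout.` The third test ("Access from same-origin iframe") also numbers two consecutive steps "4."; the second should be "5.".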