diff options
Diffstat (limited to 'testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties')
41 files changed, 1373 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/README.md b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/README.md new file mode 100644 index 0000000000..b3c24c3f82 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/README.md @@ -0,0 +1,9 @@ +Because this test suite is run as a virtual suite and it's quite deep in the +folders, we have to use abbreviations for the test names to not run over 200 +characters, which is problematic on Windows. + +* unspecified -> "u" +* unsafe-none -> "un" +* same-origin -> "so" +* same-origin-allow-popups -> "soap" +* restrict-properties -> omitted diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-closed.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-closed.https.html new file mode 100644 index 0000000000..1c315b35d7 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-closed.https.html @@ -0,0 +1,19 @@ +<!doctype html> +<title> Check openee.closed access is allowed for COOP: restrict-properties</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script> +<script> + +testAccessProperty( + "closed", + w => w.closed, + expectReport = false, + use_restrict_properties = true +); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-openee-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-openee-rp-ro.https.html new file mode 100644 index 0000000000..7a96f4f576 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-openee-rp-ro.https.html @@ -0,0 +1,62 @@ +<!doctype html> +<title> + COOP reports are sent to the openee when the openee used COOP-RO: + restrict-properties and its same-origin opener tries to access it. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +promise_test(async t => { + const report_token = token(); + const openee_token = token(); + const opener_token = token(); // The current test window. + + const opener_url = location.href; + + const reportTo = reportToHeaders(report_token); + const openee_url = same_origin + executor_path + reportTo.header + + reportTo.coopReportOnlyRestrictPropertiesHeader + + `&uuid=${openee_token}`; + + const openee = window.open(openee_url); + t.add_cleanup(() => send(openee_token, "window.close()")) + + // 1. Make sure the new document to be loaded. + send(openee_token, ` + send("${opener_token}", "Ready"); + `); + let reply = await receive(opener_token); + assert_equals(reply, "Ready"); + + // 2. Try to access the openee. A report is sent, because of COOP-RO: + // restrict-properties. + tryAccess(openee); + + // 3. Check a report is sent to the openee. + let report = + await receiveReport(report_token, "access-to-coop-page-from-opener"); + assert_equals(report.type, "coop"); + assert_equals(report.url, openee_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "restrict-properties"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, opener_url); + assert_equals(report.body.openeeURL, undefined); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, opener_url); + assert_equals(report.body.initialPopupURL, undefined); +}, "access-reporting-openee-rp-ro"); + +</script> + diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-opener-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-opener-rp-ro.https.html new file mode 100644 index 0000000000..9e1e85b16a --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-opener-rp-ro.https.html @@ -0,0 +1,71 @@ +<!doctype html> +<title> + COOP reports are sent to the opener when the opener used COOP-RO: + restrict-properties and its same-origin openee tries to access it. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP and a reporter. + const opener_report_token= token(); + const opener_token = token(); + const opener_reportTo = reportToHeaders(opener_report_token); + const opener_url = same_origin + executor_path + opener_reportTo.header + + opener_reportTo.coopReportOnlyRestrictPropertiesHeader + + `&uuid=${opener_token}`; + + // The "openee" window. This is same origin with the "opener". + const openee_report_token= token(); + const openee_token = token(); + const openee_url = same_origin + executor_path + `&uuid=${openee_token}`; + + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. The opener opens its openee. + send(opener_token, ` + openee = window.open("${openee_url}"); + send("${this_window_token}", "ACK 1"); + `); + assert_equals("ACK 1", await receive(this_window_token)); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. The openee tries to access its opener. + send(openee_token, addScriptAndTriggerOnload( + directory + "/reporting/resources/try-access.js", + "tryAccess(opener);") + ); + + // 4. Check a report sent to the opener. + let report = + await receiveReport(opener_report_token, "access-to-coop-page-from-openee"); + assert_equals(report.type, "coop"); + assert_equals(report.url, opener_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "reporting"); + assert_equals(report.body.effectivePolicy, "restrict-properties"); + assert_equals(report.body.property, "blur"); + assert_source_location_missing(report); + assert_equals(report.body.openerURL, undefined); + assert_equals(report.body.openeeURL, openee_url); + assert_equals(report.body.otherDocumentURL, undefined); + assert_equals(report.body.referrer, undefined); + assert_equals(report.body.initialPopupURL, openee_url); +}, "access-reporting-opener-rp-ro"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-post-message.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-post-message.https.html new file mode 100644 index 0000000000..5bc718e2a8 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/access-reporting-post-message.https.html @@ -0,0 +1,19 @@ +<!doctype html> +<title> Check openee.postMessage() access is allowed for COOP: restrict-properties</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/test-access-property.js"></script> +<script> + +testAccessProperty( + "postMessage", + w => w.postMessage("message", "*"), + expectReport = false, + use_restrict_properties = true +); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html new file mode 100644 index 0000000000..e5c8775174 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html @@ -0,0 +1,65 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +promise_test(async t => { + const popup_token = token(); + const second_popup_token = token(); + const reply_token = token(); + + const unsafe_none_url = getExecutorPath( + popup_token, + SAME_ORIGIN.origin, + { coop: "unsafe-none"}); + + const restrict_properties_url = getExecutorPath( + second_popup_token, + SAME_ORIGIN.origin, + { coop: "restrict-properties"}); + + // We open popup and then ping it, it will respond after loading. + const popup = window.open(unsafe_none_url); + send(popup_token, `send('${reply_token}', 'Popup loaded');`); + assert_equals(await receive(reply_token), 'Popup loaded'); + + // Make sure the popup will be closed once the test has run, keeping a clean + // state. + t.add_cleanup(() => { + send(popup_token, `close()`); + }); + + // Now navigate this popup to a restrict-properties page. + send(popup_token, `document.location = '${restrict_properties_url}'`); + send(second_popup_token, `send('${reply_token}', 'Popup loaded');`); + assert_equals(await receive(reply_token), 'Popup loaded'); + + // Navigate again to the original page. + send(second_popup_token, `document.location = '${unsafe_none_url}'`); + send(popup_token, `send('${reply_token}', 'Popup loaded');`); + assert_equals(await receive(reply_token), 'Popup loaded'); + + // Give some time for things to settle across processes etc. before + // proceeding with verifications. + await new Promise(resolve => { t.step_timeout(resolve, 500); }); + + // Verify that we have full access to the popup. + assert_false(popup.closed, 'Popup is closed from opener?'); + assert_true(await getPopupHasOpener(popup_token) === "true", + 'Popup has nulled opener?'); + assert_true(canAccessProperty(popup, "document"), + 'Main page has dom access to the popup?'); + assert_true(canAccessProperty(popup, "frames"), + 'Main page has cross origin access to the popup?'); + +}, "COOP: restrict-properties has no impact in a navigation chain between " + + "multiple unsafe-none pages."); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html.headers new file mode 100644 index 0000000000..073ce7adfb --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/coop-rp-in-navigation-chain.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: unsafe-none diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js new file mode 100644 index 0000000000..1247400a4e --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js @@ -0,0 +1,144 @@ +// META: script=/common/get-host-info.sub.js +// META: script=/common/utils.js +// META: script=/common/dispatcher/dispatcher.js + +const executor_path = '/common/dispatcher/executor.html?pipe='; +const cross_origin = get_host_info().OTHER_ORIGIN; +const same_origin = get_host_info().ORIGIN; +const coep_require_corp_header = + '|header(Cross-Origin-Embedder-Policy,require-corp)'; +const corp_cross_origin_header = + '|header(Cross-Origin-Resource-Policy,cross-origin)'; +const coop_restrict_properties_header = + '|header(Cross-Origin-Opener-Policy,restrict-properties)'; + +function iframePopupAboutBlankTest( + origin, {expectedCrossOriginIsolated}, description) { + promise_test(async t => { + assert_true(crossOriginIsolated, 'Is main frame crossOriginIsolated?'); + assert_true( + 'SharedArrayBuffer' in globalThis, + 'Is SharedArrayBuffer defined in main frame?'); + + const reply_token = token(); + const iframe_token = token(); + + const iframe = document.createElement('iframe'); + iframe.src = origin + executor_path + coep_require_corp_header + + corp_cross_origin_header + `&uuid=${iframe_token}`; + document.body.appendChild(iframe); + + send(iframe_token, `send('${reply_token}', 'Iframe loaded');`); + assert_equals(await receive(reply_token), 'Iframe loaded'); + + send(iframe_token, ` + window.popup = window.open(); + send('${reply_token}', popup === null); + `); + assert_equals(await receive(reply_token), 'false', 'Is popup handle null?'); + + send( + iframe_token, + `send('${reply_token}', popup.window.crossOriginIsolated);`); + assert_equals( + await receive(reply_token), `${expectedCrossOriginIsolated}`, + 'Is popup crossOriginIsolated?'); + + send(iframe_token, ` + send('${reply_token}', 'SharedArrayBuffer' in popup.window.globalThis); + `); + assert_equals( + await receive(reply_token), `${expectedCrossOriginIsolated}`, + 'Is SharedArrayBuffer defined in popup?'); + + // Test whether the popup's subframe is crossOriginIsolated + const popup_iframe_token = token(); + const popup_iframe_src = origin + executor_path + coep_require_corp_header + + corp_cross_origin_header + `&uuid=${popup_iframe_token}`; + send(iframe_token, ` + const iframe = window.popup.document.createElement('iframe'); + iframe.src = '${popup_iframe_src}'; + popup.document.body.appendChild(iframe); + `); + + send(popup_iframe_token, ` + send('${reply_token}', 'Iframe in popup loaded'); + `); + assert_equals(await receive(reply_token), 'Iframe in popup loaded'); + + send(popup_iframe_token, ` + send('${reply_token}', crossOriginIsolated); + `); + assert_equals( + await receive(reply_token), `${expectedCrossOriginIsolated}`, + 'Is iframe in popup crossOriginIsolated?'); + + send(popup_iframe_token, ` + send('${reply_token}', 'SharedArrayBuffer' in globalThis); + `); + assert_equals( + await receive(reply_token), `${expectedCrossOriginIsolated}`, + 'Is SharedArrayBuffer defined in iframe in popup?'); + + // Test whether a nested iframe is crossOriginIsolated + const popup_nested_iframe_token = token(); + const popup_nested_iframe_src = origin + executor_path + + coep_require_corp_header + corp_cross_origin_header + + `&uuid=${popup_nested_iframe_token}`; + send(iframe_token, ` + blank_iframe = popup.document.createElement('iframe'); + blank_iframe.src = ''; + popup.document.body.appendChild(blank_iframe); + nested_iframe = + blank_iframe.contentDocument.createElement('iframe'); + nested_iframe.src = '${popup_nested_iframe_src}'; + blank_iframe.contentDocument.body.appendChild(nested_iframe); + `); + + send(popup_nested_iframe_token, ` + send('${reply_token}', 'Nested iframe in popup loaded'); + `); + assert_equals(await receive(reply_token), 'Nested iframe in popup loaded'); + + send(popup_nested_iframe_token, ` + send('${reply_token}', crossOriginIsolated); + `); + assert_equals( + await receive(reply_token), `${expectedCrossOriginIsolated}`, + 'Is nested iframe in popup crossOriginIsolated?'); + + send(popup_nested_iframe_token, ` + send('${reply_token}', 'SharedArrayBuffer' in globalThis); + `); + assert_equals( + await receive(reply_token), `${expectedCrossOriginIsolated}`, + 'Is SharedArrayBuffer defined in nested iframe in popup?'); + + // Navigate the popup out of the initial empty document, with COOP:RP and + // COEP: require-corp. Expect to be crossOriginIsolated. + const popup_token = token(); + const popup_src = origin + executor_path + coop_restrict_properties_header + + coep_require_corp_header + `&uuid=${popup_token}`; + send(iframe_token, `popup.window.location = '${popup_src}';`); + + send(popup_token, `send('${reply_token}', 'Popup loaded');`); + assert_equals(await receive(reply_token), 'Popup loaded'); + + send(popup_token, `send('${reply_token}', crossOriginIsolated);`); + assert_equals( + await receive(reply_token), 'true', + 'Is popup crossOriginIsolated after navigation?'); + + send(popup_token, ` + send('${reply_token}', 'SharedArrayBuffer' in globalThis); + `); + assert_equals( + await receive(reply_token), 'true', + 'Is SharedArrayBuffer defined in popup after navigation?'); + }, description); +} + +iframePopupAboutBlankTest( + cross_origin, {expectedCrossOriginIsolated: false}, 'Cross-origin iframe'); +iframePopupAboutBlankTest( + same_origin, {expectedCrossOriginIsolated: true}, 'Same-origin iframe'); diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js.headers new file mode 100644 index 0000000000..19d0dbe4e1 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-about-blank.https.window.js.headers @@ -0,0 +1,2 @@ +Cross-Origin-Opener-Policy: restrict-properties +Cross-Origin-Embedder-Policy: require-corp diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html new file mode 100644 index 0000000000..8cf2679e19 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html @@ -0,0 +1,94 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<meta name="variant" content="?1-1"> +<meta name="variant" content="?2-2"> +<meta name="variant" content="?3-3"> +<meta name="variant" content="?4-4"> +<meta name="variant" content="?5-5"> +<meta name="variant" content="?6-6"> +<meta name="variant" content="?7-7"> +<meta name="variant" content="?8-8"> +<meta name="variant" content="?9-last"> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/dispatcher/dispatcher.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src=/common/subset-tests.js></script> +<script src=/common/utils.js></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/iframe-test.js"></script> + +<body> +<script> + +// This document has COOP: restrict-properties. The popup has COOP: same-origin. +// Opening from an iframe should not be different from opening from the main +// frame and the opener should be severed. +[ + { + "title": "same origin iframe, same origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "severed" + }, + { + "title": "same site iframe, same origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_ORIGIN, + "opener": "severed" + }, + { + "title": "cross origin iframe, same origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "severed" + }, + { + "title": "same origin iframe, same site popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "severed" + }, + { + "title": "same site iframe, same site popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_SITE, + "opener": "severed" + }, + { + "title": "cross origin iframe, same site popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "severed" + }, + { + "title": "same origin iframe, cross origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "severed" + }, + { + "title": "same site iframe, cross origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": CROSS_ORIGIN, + "opener": "severed" + }, + { + "title": "cross origin iframe, cross origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "severed" + } +].forEach(variant => { + subsetTest( + iframe_test, + `COOP: restrict-properties to popup COOP: same-origin via an iframe, ` + + `with ${variant.title}`, + variant.iframeOrigin, + variant.popupOrigin, + { coop: 'same-origin' }, + variant.opener); +}); +</script> +</body> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html.headers new file mode 100644 index 0000000000..d5c99062d2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-so.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: restrict-properties diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html new file mode 100644 index 0000000000..f3af3ca7db --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html @@ -0,0 +1,91 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<meta name="variant" content="?1-2"> +<meta name="variant" content="?3-4"> +<meta name="variant" content="?5-6"> +<meta name="variant" content="?7-8"> +<meta name="variant" content="?9-last"> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/dispatcher/dispatcher.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src=/common/subset-tests.js></script> +<script src=/common/utils.js></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/iframe-test.js"></script> + +<body> +<script> + + +// This document has COOP: restrict-properties. The popup has COOP: +// same-origin-allow-popups. Opening from an iframe should not be different from +// opening from the main frame and the opener should be severed. +[ + { + "title": "same origin iframe, same origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "severed" + }, + { + "title": "same site iframe, same origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_ORIGIN, + "opener": "severed" + }, + { + "title": "cross origin iframe, same origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "severed" + }, + { + "title": "same origin iframe, same site popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "severed" + }, + { + "title": "same site iframe, same site popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_SITE, + "opener": "severed" + }, + { + "title": "cross origin iframe, same site popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "severed" + }, + { + "title": "same origin iframe, cross origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "severed" + }, + { + "title": "same site iframe, cross origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": CROSS_ORIGIN, + "opener": "severed" + }, + { + "title": "cross origin iframe, cross origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "severed" + } +].forEach(variant => { + subsetTest( + iframe_test, + `COOP: restrict-properties to popup COOP: same-origin-allow-popups ` + + `via an iframe, with ${variant.title}`, + variant.iframeOrigin, + variant.popupOrigin, + { coop: 'same-origin-allow-popups' }, + variant.opener); +}); +</script> +</body> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html.headers new file mode 100644 index 0000000000..d5c99062d2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-soap.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: restrict-properties diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html new file mode 100644 index 0000000000..560dfd9051 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html @@ -0,0 +1,90 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<meta name="variant" content="?1-2"> +<meta name="variant" content="?3-4"> +<meta name="variant" content="?5-6"> +<meta name="variant" content="?7-8"> +<meta name="variant" content="?9-last"> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/dispatcher/dispatcher.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src=/common/subset-tests.js></script> +<script src=/common/utils.js></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/iframe-test.js"></script> + +<body> +<script> + +// This document has COOP: restrict-properties. The popup has COOP: unsafe-none. +// Opening from an iframe should not be different from opening from the main +// frame and the opener should be severed. +[ + { + "title": "same origin iframe, same origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "restricted" + }, + { + "title": "same site iframe, same origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_ORIGIN, + "opener": "restricted" + }, + { + "title": "cross origin iframe, same origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "restricted" + }, + { + "title": "same origin iframe, same site popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "restricted" + }, + { + "title": "same site iframe, same site popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_SITE, + "opener": "restricted" + }, + { + "title": "cross origin iframe, same site popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "restricted" + }, + { + "title": "same origin iframe, cross origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "restricted" + }, + { + "title": "same site iframe, cross origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": CROSS_ORIGIN, + "opener": "restricted" + }, + { + "title": "cross origin iframe, cross origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "restricted" + } +].forEach(variant => { + subsetTest( + iframe_test, + `COOP: restrict-properties to popup COOP: unsafe-none via an iframe, ` + + `with ${variant.title}`, + variant.iframeOrigin, + variant.popupOrigin, + { coop: 'unsafe-none' }, + variant.opener); +}); +</script> +</body> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html.headers new file mode 100644 index 0000000000..d5c99062d2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup-to-un.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: restrict-properties diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html new file mode 100644 index 0000000000..17840724d9 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html @@ -0,0 +1,91 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<meta name="variant" content="?1-2"> +<meta name="variant" content="?3-4"> +<meta name="variant" content="?5-6"> +<meta name="variant" content="?7-8"> +<meta name="variant" content="?9-last"> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/dispatcher/dispatcher.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src=/common/subset-tests.js></script> +<script src=/common/utils.js></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/iframe-test.js"></script> + +<body> +<script> + +// This document has COOP: restrict-properties. The popup has COOP: +// restrict-properties. Opening from an iframe should not be different from +// opening from the main frame and the opener should be restricted if +// cross-origin. +[ + { + "title": "same origin iframe, same origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "preserved" + }, + { + "title": "same site iframe, same origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_ORIGIN, + "opener": "preserved" + }, + { + "title": "cross origin iframe, same origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_ORIGIN, + "opener": "preserved" + }, + { + "title": "same origin iframe, same site popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "restricted" + }, + { + "title": "same site iframe, same site popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": SAME_SITE, + "opener": "restricted" + }, + { + "title": "cross origin iframe, same site popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": SAME_SITE, + "opener": "restricted" + }, + { + "title": "same origin iframe, cross origin popup", + "iframeOrigin": SAME_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "restricted" + }, + { + "title": "same site iframe, cross origin popup", + "iframeOrigin": SAME_SITE, + "popupOrigin": CROSS_ORIGIN, + "opener": "restricted" + }, + { + "title": "cross origin iframe, cross origin popup", + "iframeOrigin": CROSS_ORIGIN, + "popupOrigin": CROSS_ORIGIN, + "opener": "restricted" + } +].forEach(variant => { + subsetTest( + iframe_test, + `COOP: restrict-properties to popup COOP: restrict-properties via an ` + + `iframe, with ${variant.title}`, + variant.iframeOrigin, + variant.popupOrigin, + { coop: 'restrict-properties' }, + variant.opener); +}); +</script> +</body> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html.headers new file mode 100644 index 0000000000..d5c99062d2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/iframe-popup.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: restrict-properties diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/named_targeting.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/named_targeting.https.html new file mode 100644 index 0000000000..10929847ee --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/named_targeting.https.html @@ -0,0 +1,57 @@ +<!doctype html> +<meta charset=utf-8> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> + +<script> + +async function createCoopRestrictPropertiesPopup(popupToken, name) { + const url = SAME_ORIGIN.origin + '/common/dispatcher/executor.html' + + `?uuid=${popupToken}` + + '&pipe=|header(Cross-Origin-Opener-Policy, restrict-properties)'; + const popup = window.open(url, name); + add_completion_callback(() => popup.close()); + + // Wait for the popup to be loaded. + const replyToken = token(); + send(popupToken, `send('${replyToken}', 'Done loading')`); + assert_equals(await receive(replyToken), 'Done loading'); + + return popup; +} + +promise_test(async t => { + // Start by opening a first COOP: restrict-properties popup. No name is set to + // begin with. + const popupToken1 = token(); + const popup1 = await createCoopRestrictPropertiesPopup(popupToken1, ''); + + // Once the popup is live, explicitly set a name. + const name = token(); + send(popupToken1, `window.name = '${name}'`); + + // To make sure this name has been propagated to other processes, send a dummy + // message from the popup to the main page, and wait for it to be received. + // It should be delivered after the name change is replicated. + const message_waiter = new Promise(resolve => { + onmessage = (event) => { + if (event.data == 'Waited enough') { resolve(); } + } + }); + send(popupToken1, `opener.postMessage('Waited enough', '*')`); + await message_waiter; + + // Finally, call window.open with the same name. This should not resolve + // across browsing context groups, and create a brand new popup. + const popupToken2 = token(); + const popup2 = await createCoopRestrictPropertiesPopup(popupToken2, name); + assert_not_equals(popup1, popup2, + 'Named targeting resolved across isolation boundaries'); + +}, 'Verify that named targeting does not work across isolation boundaries.'); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html new file mode 100644 index 0000000000..e5313a6e22 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html @@ -0,0 +1,37 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +[ + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "severed", + "origin": SAME_ORIGIN + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "severed", + "origin": SAME_SITE + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "severed", + "origin": CROSS_ORIGIN + } +].forEach(variant => { + popup_test(`${variant.origin.name} ${variant.title}`, variant.origin, + { coop: variant.coop }, variant.opener); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html.headers new file mode 100644 index 0000000000..46ad58d83b --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-so.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: same-origin diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html new file mode 100644 index 0000000000..595a10a84b --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html @@ -0,0 +1,37 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +[ + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": SAME_ORIGIN + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": SAME_SITE + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": CROSS_ORIGIN + } +].forEach(variant => { + popup_test(`${variant.origin.name} ${variant.title}`, variant.origin, + { coop: variant.coop }, variant.opener); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html.headers new file mode 100644 index 0000000000..d83ed86fb9 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-soap.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: same-origin-allow-popups diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-u.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-u.https.html new file mode 100644 index 0000000000..595a10a84b --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-u.https.html @@ -0,0 +1,37 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +[ + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": SAME_ORIGIN + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": SAME_SITE + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": CROSS_ORIGIN + } +].forEach(variant => { + popup_test(`${variant.origin.name} ${variant.title}`, variant.origin, + { coop: variant.coop }, variant.opener); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html new file mode 100644 index 0000000000..595a10a84b --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html @@ -0,0 +1,37 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +[ + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": SAME_ORIGIN + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": SAME_SITE + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted", + "origin": CROSS_ORIGIN + } +].forEach(variant => { + popup_test(`${variant.origin.name} ${variant.title}`, variant.origin, + { coop: variant.coop }, variant.opener); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html.headers new file mode 100644 index 0000000000..073ce7adfb --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-un.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: unsafe-none diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html new file mode 100644 index 0000000000..a84d52584e --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html @@ -0,0 +1,44 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +[ + { + "title": "popup with empty coop", + "coop": "", + "opener": "restricted" + }, + { + "title": "popup with coop unsafe-none", + "coop": "unsafe-none", + "opener": "restricted" + }, + { + "title": "popup with coop same-origin", + "coop": "same-origin", + "opener": "severed" + }, + { + "title": "popup with coop same-origin-allow-popups", + "coop": "same-origin-allow-popups", + "opener": "severed" + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted" + } +].forEach(variant => { + popup_test(`Cross-origin ${variant.title}`, CROSS_ORIGIN, + { coop: variant.coop }, variant.opener); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html.headers new file mode 100644 index 0000000000..d5c99062d2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-cross-origin.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: restrict-properties diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html new file mode 100644 index 0000000000..c0020fa23a --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html @@ -0,0 +1,44 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +[ + { + "title": "popup with empty coop", + "coop": "", + "opener": "restricted" + }, + { + "title": "popup with coop unsafe-none", + "coop": "unsafe-none", + "opener": "restricted" + }, + { + "title": "popup with coop same-origin", + "coop": "same-origin", + "opener": "severed" + }, + { + "title": "popup with coop same-origin-allow-popups", + "coop": "same-origin-allow-popups", + "opener": "severed" + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "preserved" + } +].forEach(variant => { + popup_test(`Same-origin ${variant.title}`, SAME_ORIGIN, + { coop: variant.coop }, variant.opener); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html.headers new file mode 100644 index 0000000000..d5c99062d2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-origin.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: restrict-properties diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html new file mode 100644 index 0000000000..7d115ac7e6 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html @@ -0,0 +1,44 @@ +<!doctype html> +<meta charset=utf-8> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="../../resources/common.js"></script> +<script src="../../resources/popup-test.js"></script> +<script> + +[ + { + "title": "popup with empty coop", + "coop": "", + "opener": "restricted" + }, + { + "title": "popup with coop unsafe-none", + "coop": "unsafe-none", + "opener": "restricted" + }, + { + "title": "popup with coop same-origin", + "coop": "same-origin", + "opener": "severed" + }, + { + "title": "popup with coop same-origin-allow-popups", + "coop": "same-origin-allow-popups", + "opener": "severed" + }, + { + "title": "popup with coop restrict-properties", + "coop": "restrict-properties", + "opener": "restricted" + } +].forEach(variant => { + popup_test(`Same-site ${variant.title}`, SAME_SITE, + { coop: variant.coop }, variant.opener); +}); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html.headers new file mode 100644 index 0000000000..d5c99062d2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/popup-with-same-site.https.html.headers @@ -0,0 +1 @@ +Cross-Origin-Opener-Policy: restrict-properties diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html new file mode 100644 index 0000000000..9bc171a269 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html @@ -0,0 +1,62 @@ +<!doctype html> +<title> + Verify that we consider browsing context group reuse for COOP reporting. +</title> +<meta name="timeout" content="long"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script + src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=f1e361ab5854f2dcfe0224b19bc53199&report_only_id=b6fe666b74547291d52d72790adde05c"></script> +<script> + +const same_origin = get_host_info().HTTPS_ORIGIN; +const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; + +promise_test(async test => { + // To receive reports use the same hard-coded value as the one passed in the + // headers and to "reporting-common.js". + const report_token = "b6fe666b74547291d52d72790adde05c"; + const reportTo = reportToHeaders(report_token); + + // 1. Open a popup without any COOP. It should be in a + // different virtual browsing context group. + const opener_token = token(); // For this window. + const initial_openee_token = token(); + const initial_openee_url = cross_origin + executor_path + + `&uuid=${initial_openee_token}`; + let openee = window.open(initial_openee_url); + + // 2. Navigate the openee to a COOP-RO: restrict-properties page. If the + // policy was enforced, it would live in the same browsing context group as + // this page. The virtual browsing context group should similarly be equal. + // Note: We omit the reporting endpoint header, because it is not possible to + // easily escape it. Since it is not necessary in this test, we skip it. + const final_openee_token = token(); + const final_openee_url = same_origin + executor_path + + reportTo.coopReportOnlyRestrictPropertiesHeader + + `&uuid=${final_openee_token}`; + + send(initial_openee_token, `location.href = '${final_openee_url}';`); + test.add_cleanup(() => send(final_openee_token, "window.close()")); + + // Wait for the final openee to load. + send(final_openee_token, + `send("${opener_token}", "Ready"); + `); + assert_equals(await receive(opener_token), "Ready"); + + // 3. Try to access the openee from the opener. No report should be sent. + tryAccess(openee); + + let report = + await receiveReport(report_token, "access-from-coop-page-to-openee") + assert_equals(report, "timeout"); + +}, "access-reporting-browsing-context-group-reuse"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html.sub.headers new file mode 100644 index 0000000000..33abadd83d --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-bcg-reuse.https.html.sub.headers @@ -0,0 +1,2 @@ +Cross-Origin-Opener-Policy-Report-Only: restrict-properties; report-to="coop-report-only-endpoint" +Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=f1e361ab5854f2dcfe0224b19bc53199", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=b6fe666b74547291d52d72790adde05c" diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html new file mode 100644 index 0000000000..b89030f218 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html @@ -0,0 +1,55 @@ +<!doctype html> +<meta name=timeout content=long> +<title>Opening a restrict-properties</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script + src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=fb054dadb3a9ec17b5cd5c0152d2a7dd&report_only_id=c265b07fbb3bffa2cd2a5179d686ced2"></script> + +<script> + +let tests = [ + // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports + + // Open a same-origin popup with COOP unsafe-none, which mismatches with the + // current document (opener) COOP report-only (restrict-properties) values. + [ + SAME_ORIGIN, + "unsafe-none", + "", + "", + "", + [] + ], + + // Open a cross-origin popup with COOP unsafe-none, which mismatches with the + // current document (opener) COOP report-only (restrict-properties) values. + [ + CROSS_ORIGIN, + "unsafe-none", + "", + "", + "", + [] + ], + + // Open a same-origin popup with COOP restrict-properties, which matches with + // the current document (opener) COOP report-only (restrict-properties) value. + [ + SAME_ORIGIN, + "restrict-properties", + "", + "", + "", + [] + ], +]; + +runNavigationReportingTests(document.title, tests); + +</script> + diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html.sub.headers new file mode 100644 index 0000000000..07ecad96f2 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp-ro.https.html.sub.headers @@ -0,0 +1,2 @@ +Cross-Origin-Opener-Policy-Report-Only: restrict-properties; report-to="coop-report-only-endpoint" +Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=fb054dadb3a9ec17b5cd5c0152d2a7dd", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=c265b07fbb3bffa2cd2a5179d686ced2" diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html new file mode 100644 index 0000000000..6b31f7e009 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html @@ -0,0 +1,55 @@ +<!doctype html> +<meta name=timeout content=long> +<title>Opening a restrict-properties</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script + src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=ed5a8be35e4e21c2ba960e6574e0a32c&report_only_id=fa22ddc676642edae42c75defb82ba2e"></script> + +<script> + +let tests = [ + // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports + + // Open a same-origin popup with COOP unsafe-none, which mismatches + // with the current document (opener) COOP (restrict-properties) values. + [ + SAME_ORIGIN, + "unsafe-none", + "", + "", + "", + [] + ], + + // Open a cross-origin popup with COOP unsafe-none, which mismatches + // with the current document (opener) COOP (restrict-properties) values. + [ + CROSS_ORIGIN, + "unsafe-none", + "", + "", + "", + [] + ], + + // Open a same-origin popup with COOP restrict-properties, which matches with + // the current document (opener) COOP (restrict-properties) value. + [ + SAME_ORIGIN, + "restrict-properties", + "", + "", + "", + [] + ], +]; + +runNavigationReportingTests(document.title, tests); + +</script> + diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html.sub.headers new file mode 100644 index 0000000000..a61e2919c8 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-from-rp.https.html.sub.headers @@ -0,0 +1,2 @@ +Cross-Origin-Opener-Policy: restrict-properties; report-to="coop-report-endpoint" +Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=ed5a8be35e4e21c2ba960e6574e0a32c", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=fa22ddc676642edae42c75defb82ba2e" diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html new file mode 100644 index 0000000000..c47e59cd8f --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html @@ -0,0 +1,43 @@ +<!doctype html> +<meta name=timeout content=long> +<title>reporting same origin with report-to</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> + +<script> + +let tests = [ + // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports + + // Open a same-origin popup with COOP report-only restrict-properties, which + // mismatches with the current document (opener) COOP (unsafe-none). + [ + SAME_ORIGIN, + "", + "", + `restrict-properties; report-to="${popupReportOnlyEndpoint.name}"`, + "", + [] + ], + + // Open a cross-origin popup with COOP report-only restrict-properties, which + // mismatches with the current document (opener) COOP (unsafe-none). + [ + CROSS_ORIGIN, + "", + "", + `restrict-properties; report-to="${popupReportOnlyEndpoint.name}"`, + "", + [] + ], +]; + +runNavigationReportingTests(document.title, tests); + +</script> + diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html.headers new file mode 100644 index 0000000000..16903320bb --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp-ro.https.html.headers @@ -0,0 +1,2 @@ +Cross-Origin-Opener-Policy: unsafe-none +Referrer-Policy: origin diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html new file mode 100644 index 0000000000..ff60e8c5af --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html @@ -0,0 +1,43 @@ +<!doctype html> +<meta name=timeout content=long> +<title>reporting same origin with report-to</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> + +<script> + +let tests = [ + // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports + + // Open a same-origin popup with COOP report-only restrict-properties, which + // mismatches with the current document (opener) COOP (unsafe-none). + [ + SAME_ORIGIN, + `restrict-properties; report-to="${popupReportEndpoint.name}"`, + "", + "", + "", + [] + ], + + // Open a cross-origin popup with COOP report-only restrict-properties, which + // mismatches with the current document (opener) COOP (unsafe-none). + [ + CROSS_ORIGIN, + `restrict-properties; report-to="${popupReportEndpoint.name}"`, + "", + "", + "", + [] + ], +]; + +runNavigationReportingTests(document.title, tests); + +</script> + diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html.headers new file mode 100644 index 0000000000..16903320bb --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/tentative/restrict-properties/reporting-to-rp.https.html.headers @@ -0,0 +1,2 @@ +Cross-Origin-Opener-Policy: unsafe-none +Referrer-Policy: origin |