6 files changed, 129 insertions, 4 deletions

diff --git a/testing/web-platform/tests/storage-access-api/helpers.js b/testing/web-platform/tests/storage-access-api/helpers.js
index 0fd5d814db..416c4a401e 100644
--- a/testing/web-platform/tests/storage-access-api/helpers.js
+++ b/testing/web-platform/tests/storage-access-api/helpers.js
@@ -287,6 +287,13 @@ async function MaybeSetStorageAccess(origin, embedding_origin, value) {
   }
 }
 
+
+// Navigate the inner iframe using the given frame.
+function NavigateChild(frame, url) {
+  return PostMessageAndAwaitReply(
+    { command: "navigate_child", url }, frame.contentWindow);
+}
+
 // Starts a dedicated worker in the given frame.
 function StartDedicatedWorker(frame) {
   return PostMessageAndAwaitReply(
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-origin-iframe-navigation-relax.tentative.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-origin-iframe-navigation-relax.tentative.sub.https.window.js
new file mode 100644
index 0000000000..7ccb9824e6
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-origin-iframe-navigation-relax.tentative.sub.https.window.js
@@ -0,0 +1,65 @@
+// META: script=helpers.js
+// META: script=/cookies/resources/cookie-helper.sub.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // This is cross-domain from the current document.
+  const altWww = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+  const altRoot = "https://{{hosts[alt][]}}:{{ports[https][0]}}";
+  const responderPath = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
+  const forwarderPath = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_forwarder.js";
+
+  const altWwwResponder = `${altWww}${responderPath}`;
+  const altRootResponder = `${altRoot}${responderPath}`;
+  const altWwwNestedCrossOriginResponder = `${altRoot}${forwarderPath}&inner_url=${encodeURI(altWwwResponder)}`;
+
+  async function SetUpResponderFrame(t, url) {
+    const frame = await CreateFrame(url);
+
+    await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'granted']);
+    t.add_cleanup(async () => {
+      await test_driver.delete_all_cookies();
+      await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'prompt']);
+      await MaybeSetStorageAccess("*", "*", "allowed");
+    });
+
+    assert_false(await FrameHasStorageAccess(frame), "frame initially does not have storage access.");
+    assert_false(await HasUnpartitionedCookie(frame), "frame initially does not have access to cookies.");
+
+    assert_true(await RequestStorageAccessInFrame(frame), "requestStorageAccess resolves without requiring a gesture.");
+
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after request.");
+    assert_true(await HasUnpartitionedCookie(frame), "frame has access to cookies after request.");
+
+    return frame;
+  }
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+    await SetFirstPartyCookieAndUnsetStorageAccessPermission(altWww);
+
+    const frame = await SetUpResponderFrame(t, altWwwNestedCrossOriginResponder);
+
+    await NavigateChild(frame, altWwwResponder);
+
+    assert_true(await FrameHasStorageAccess(frame), "innermost frame has storage access after refresh.");
+    assert_true(await HasUnpartitionedCookie(frame), "innermost frame has access to cookies after refresh.");
+  }, "Same-site-initiated same-origin navigations preserve storage access");
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+    await SetFirstPartyCookieAndUnsetStorageAccessPermission(altWww);
+
+    const frame = await SetUpResponderFrame(t, altWwwNestedCrossOriginResponder);
+
+    await NavigateChild(frame, altRootResponder);
+
+    assert_false(await FrameHasStorageAccess(frame), "innermost frame has no storage access after refresh.");
+    assert_false(await HasUnpartitionedCookie(frame), "innermost frame has no access to cookies after refresh.");
+    let cookieOnLoad = await GetHTTPCookiesFromFrame(frame);
+    assert_false(cookieStringHasCookie("cookie", "unpartitioned", cookieOnLoad), "innermost frame has cookie in initial load");
+  }, "Same-site-initiated cross-origin navigations do not preserve storage access");
+
+})();
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-dedicated-worker.tentative.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-dedicated-worker.tentative.sub.https.window.js
index 6c3d616e26..5c3089bf34 100644
--- a/testing/web-platform/tests/storage-access-api/requestStorageAccess-dedicated-worker.tentative.sub.https.window.js
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-dedicated-worker.tentative.sub.https.window.js
@@ -40,10 +40,10 @@
     assert_true(cookieStringHasCookie("cookie", "unpartitioned",
           await MessageWorker(frame, {command: "load"})),
         "Worker's load was credentialed.");
-    assert_true(cookieStringHasCookie("cookie", "unpartitioned",
+    assert_false(cookieStringHasCookie("cookie", "unpartitioned",
           await MessageWorker(frame, {command: "fetch", url: altRootEchoCookies})),
-        "Worker's fetch is credentialed.");
-  }, "Workers inherit storage access");
+        "Worker's fetch is uncredentialed.");
+  }, "Workers don't inherit storage access");
 
   promise_test(async (t) => {
     await MaybeSetStorageAccess("*", "*", "blocked");
diff --git a/testing/web-platform/tests/storage-access-api/resources/embedded_forwarder.js b/testing/web-platform/tests/storage-access-api/resources/embedded_forwarder.js
new file mode 100644
index 0000000000..c1e5e54443
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/embedded_forwarder.js
@@ -0,0 +1,50 @@
+"use strict";
+
+test_driver.set_test_context(window.top);
+
+function waitForMessage(timestamp) {
+  return new Promise(resolve => {
+    const listener = (event) => {
+      if (!timestamp || event.data.timestamp == timestamp) {
+        window.removeEventListener("message", listener);
+        resolve(event.data);
+      }
+    };
+    window.addEventListener("message", listener);
+  });
+}
+
+var iframe = document.createElement('iframe');
+const queryString = window.location.search;
+const urlParams = new URLSearchParams(queryString);
+iframe.src = urlParams.get("inner_url");
+document.body.appendChild(iframe);
+
+window.addEventListener("message", async (event) => {
+  function replyToParent(data) {
+    parent.postMessage(
+        {timestamp: event.data.timestamp, data}, "*");
+  }
+
+  if (!event.data["command"]) {
+    return;
+  }
+
+  switch (event.data["command"]) {
+    case "navigate_child":
+      iframe.onload = () => replyToParent(event.data.url);
+      iframe.src = event.data.url;
+      break;
+    case "reload":
+    case "navigate":
+      iframe.contentWindow.postMessage({timestamp, ...event.data}, "*");
+      break;
+    default:{
+      const timestamp = event.data.timestamp;
+      const p = waitForMessage(timestamp);
+      iframe.contentWindow.postMessage({timestamp, ...event.data}, "*");
+      replyToParent(await p.then(resp => resp.data));
+      break;
+    }
+  }
+});
diff --git a/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js b/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
index 228a262f16..3cca86154a 100644
--- a/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
+++ b/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
@@ -31,7 +31,7 @@ function connectAndGetRequestCookiesFrom(origin) {
 window.addEventListener("message", async (event) => {
   function reply(data) {
     event.source.postMessage(
-        {timestamp: event.data.timestamp, data}, event.origin);
+        {timestamp: event.data.timestamp, data}, "*");
   }
 
   switch (event.data["command"]) {
diff --git a/testing/web-platform/tests/storage-access-api/resources/script-with-cookie-header.py b/testing/web-platform/tests/storage-access-api/resources/script-with-cookie-header.py
index 83129a5559..ae95b7593f 100644
--- a/testing/web-platform/tests/storage-access-api/resources/script-with-cookie-header.py
+++ b/testing/web-platform/tests/storage-access-api/resources/script-with-cookie-header.py
@@ -13,7 +13,10 @@ def main(request, response):
     var httpCookies = "%s";
   </script>
 
+  <body>
   <script src="%s"></script>
+  </body>
+
   """ % (cookie_header, script)
 
   return (200, [], body)