From a90a5cba08fdf6c0ceb95101c275108a152a3aed Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Wed, 12 Jun 2024 07:35:37 +0200
Subject: Merging upstream version 127.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 ...et-credentials-include.tentative.https.sub.html |  1 +
 ...rklet-credentials-omit.tentative.https.sub.html |  1 +
 ...redentials-same-origin.tentative.https.sub.html |  1 +
 ...trol-allow-credentials.tentative.https.sub.html | 29 --------------
 ...s-control-allow-origin.tentative.https.sub.html | 28 -------------
 ...origin-worklet-allowed.tentative.https.sub.html | 32 +++++++++++++++
 ...trol-allow-credentials.tentative.https.sub.html | 31 +++++++++++++++
 ...s-control-allow-origin.tentative.https.sub.html | 30 ++++++++++++++
 ...origin-worklet-allowed.tentative.https.sub.html | 31 +++++++++++++++
 ...and-verify-data-origin.tentative.https.sub.html | 46 ++++++++++++++++++++++
 .../resources/credentials-test-helper.py           |  3 ++
 .../shared-storage/resources/simple-module.js      |  4 ++
 .../resources/simple-module.js.headers             |  2 +
 13 files changed, 182 insertions(+), 57 deletions(-)
 delete mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
 delete mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-credentials.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-origin.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/resources/simple-module.js.headers

(limited to 'testing/web-platform/tests/shared-storage')

diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
index 9c44d2a29f..4c0e91c156 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
@@ -19,6 +19,7 @@ promise_test(async () => {
                      `/shared-storage/resources/credentials-test-helper.py` +
                      `?access_control_allow_origin_header=${window.origin}` +
                      `&access_control_allow_credentials_header=true` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
                      `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
index ddda1809f2..86b56ce80d 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
@@ -18,6 +18,7 @@ promise_test(async () => {
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
                      `?access_control_allow_origin_header=${window.origin}` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
                      `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
index 99701d2b7d..0b8faad783 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
@@ -18,6 +18,7 @@ promise_test(async () => {
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
                      `?access_control_allow_origin_header=${window.origin}` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
                      `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
deleted file mode 100644
index 598fd8f405..0000000000
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<!doctype html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/common/utils.js"></script>
-<script src="/shared-storage/resources/util.js"></script>
-<script src="/fenced-frame/resources/utils.js"></script>
-
-<body>
-<script>
-'use strict';
-
-promise_test(async t => {
-  const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
-  const helper_url = crossOrigin +
-                     `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&token=${ancestor_key}`;
-
-  return promise_rejects_dom(t, "OperationError",
-    sharedStorage.createWorklet(
-      helper_url + `&action=store-cookie`,
-      { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and without the Access-Control-Allow-Credentials response ' +
-   'header');
-
-</script>
-</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html
deleted file mode 100644
index 4195d09fc0..0000000000
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html
+++ /dev/null
@@ -1,28 +0,0 @@
-<!doctype html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/common/utils.js"></script>
-<script src="/shared-storage/resources/util.js"></script>
-<script src="/fenced-frame/resources/utils.js"></script>
-
-<body>
-<script>
-'use strict';
-
-promise_test(async t => {
-  const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
-  const helper_url = crossOrigin +
-                     `/shared-storage/resources/credentials-test-helper.py` +
-                     `&access_control_allow_credentials_header=true` +
-                     `&token=${ancestor_key}`;
-
-  return promise_rejects_dom(t, "OperationError",
-    sharedStorage.createWorklet(
-      helper_url + `&action=store-cookie`,
-      { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and without the Access-Control-Allow-Origin response header');
-
-</script>
-</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
new file mode 100644
index 0000000000..f1f37b0aff
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
@@ -0,0 +1,32 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?0` +
+                     `&token=${ancestor_key}`;
+
+  // The network error for `createWorklet()` won't be revealed to the
+  // cross-origin caller.
+  await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" });
+}, 'createWorklet() with cross-origin module script and credentials ' +
+   '"include", and with the Shared-Storage-Cross-Origin-Worklet-Allowed ' +
+   'response header value set to false (?0)');
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-credentials.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-credentials.tentative.https.sub.html
new file mode 100644
index 0000000000..dd6347e463
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-credentials.tentative.https.sub.html
@@ -0,0 +1,31 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
+                     `&token=${ancestor_key}`;
+
+  // The network error for `createWorklet()` won't be revealed to the
+  // cross-origin caller.
+  await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" });
+}, 'createWorklet() with cross-origin module script and credentials ' +
+   '"include", and without the Access-Control-Allow-Credentials response ' +
+   'header');
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-origin.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-origin.tentative.https.sub.html
new file mode 100644
index 0000000000..1f3223a564
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-access-control-allow-origin.tentative.https.sub.html
@@ -0,0 +1,30 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
+                     `&token=${ancestor_key}`;
+
+  // The network error for `createWorklet()` won't be revealed to the
+  // cross-origin caller.
+  await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" });
+}, 'createWorklet() with cross-origin module script and credentials ' +
+   '"include", and without the Access-Control-Allow-Origin response header');
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
new file mode 100644
index 0000000000..f96e4d596e
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-unrevealed-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
@@ -0,0 +1,31 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&token=${ancestor_key}`;
+
+  // The network error for `createWorklet()`` won't be revealed to the
+  // cross-origin caller.
+  await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" });
+}, 'createWorklet() with cross-origin module script and credentials ' +
+   '"include", and without the Shared-Storage-Cross-Origin-Worklet-Allowed ' +
+   'response header');
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html
new file mode 100644
index 0000000000..5b6b9d5f8f
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html
@@ -0,0 +1,46 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async () => {
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const script_url = crossOrigin +
+                     `/shared-storage/resources/simple-module.js`;
+
+  const worklet = await sharedStorage.createWorklet(
+    script_url,
+    { credentials: "omit" });
+
+  const ancestor_key = token();
+  let url0 = generateURL("/shared-storage/resources/frame0.html",
+                         [ancestor_key]);
+
+  let select_url_result = await worklet.selectURL(
+    "test-url-selection-operation",
+    [{ url: url0 }], {
+      data: {
+        'mockResult': 0,
+        'setKey': 'key0',
+        'setValue': 'value0'
+      },
+      resolveToConfig: true,
+      keepAlive: true
+    });
+
+  assert_true(validateSelectURLResult(select_url_result, true));
+  attachFencedFrame(select_url_result, 'opaque-ads');
+  const result0 = await nextValueFromServer(ancestor_key);
+  assert_equals(result0, "frame0_loaded");
+
+  await verifyKeyValueForOrigin('key0', 'value0', crossOrigin);
+}, 'For a cross-origin worklet, test selectURL() and verify its data origin');
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/shared-storage/resources/credentials-test-helper.py b/testing/web-platform/tests/shared-storage/resources/credentials-test-helper.py
index 46fc0ea6fb..575e504e64 100644
--- a/testing/web-platform/tests/shared-storage/resources/credentials-test-helper.py
+++ b/testing/web-platform/tests/shared-storage/resources/credentials-test-helper.py
@@ -19,6 +19,9 @@ def main(request, response):
     if b"access_control_allow_origin_header" in request.GET:
       response.headers.append(b"Access-Control-Allow-Origin", request.GET[b"access_control_allow_origin_header"])
 
+    if b"shared_storage_cross_origin_worklet_allowed_header" in request.GET:
+      response.headers.append(b"Shared-Storage-Cross-Origin-Worklet-Allowed", request.GET[b"shared_storage_cross_origin_worklet_allowed_header"])
+
     if action == b"store-cookie":
       cookie = request.headers.get(b"Cookie", b"NO_COOKIE_HEADER")
       request.server.stash.put(token, cookie)
diff --git a/testing/web-platform/tests/shared-storage/resources/simple-module.js b/testing/web-platform/tests/shared-storage/resources/simple-module.js
index 620a3592f2..11b650811d 100644
--- a/testing/web-platform/tests/shared-storage/resources/simple-module.js
+++ b/testing/web-platform/tests/shared-storage/resources/simple-module.js
@@ -6,6 +6,10 @@ var globalVar = 0;
 
 class TestURLSelectionOperation {
   async run(urls, data) {
+    if (data && data.hasOwnProperty('setKey') && data.hasOwnProperty('setValue')) {
+      await sharedStorage.set(data['setKey'], data['setValue']);
+    }
+
     if (data && data.hasOwnProperty('mockResult')) {
       return data['mockResult'];
     }
diff --git a/testing/web-platform/tests/shared-storage/resources/simple-module.js.headers b/testing/web-platform/tests/shared-storage/resources/simple-module.js.headers
new file mode 100644
index 0000000000..cf3e03e24c
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/resources/simple-module.js.headers
@@ -0,0 +1,2 @@
+Access-Control-Allow-Origin: *
+Shared-Storage-Cross-Origin-Worklet-Allowed: ?1
-- 
cgit v1.2.3