path: root/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
blob: b2ff818d5628e25068fbbe364ee4d26d16fc5411 (plain)
<title>
  Tests the redirect interaction with COOP same-origin-allow-popups.
</title>
<meta name=timeout content=long>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=/common/get-host-info.sub.js></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
<script>

// Origin descriptors passed to redirect_test(): `host` is prepended to
// executor_path to build URLs, `name` labels the resulting subtest.
const same_origin = {
  name: "Same origin",
  host: get_host_info().HTTPS_ORIGIN,
};
const cross_origin = {
  name: "Cross origin",
  host: get_host_info().HTTPS_REMOTE_ORIGIN,
};

// Tests the redirect interaction with COOP same-origin-allow-popups and
// reporting:
// 1 - open the opener document on origin same_origin with COOP
// same-origin-allow-popups.
// 2 - opener opens popup with document on origin popup_origin, no COOP and a
// redirect header (HTTP 302, location).
// 3 - redirection to a document with origin same_origin and COOP
// same-origin-allow-popups.
//
// The navigation (2) to the first document of the popup stays in the same
// browsing context group due to the same-origin-allow-popups COOP of the
// opener.
// The redirect (3) to the final document does switch browsing context groups,
// since it compares the popup_origin/unsafe-none document with the
// same-origin/same-origin-allow-popups document.
//
// A opens B, B redirects to C.
//
// Document  Origin        COOP
// --------  ------------  ------------------------
// A         same-origin   same-origin-allow-popups
// B         popup-origin  unsafe-none
// C         same-origin   same-origin-allow-popups
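/**
 * Registers a promise_test for a popup whose first response is an HTTP 302
 * redirect to a document served with COOP same-origin-allow-popups.
 *
 * The subtest passes only if the redirect severs the opener relationship: the
 * openee reports `opener !== null` as false, the opener reports
 * `openee.closed` as true, and a "coop" report with disposition "enforce" and
 * effective policy "same-origin-allow-popups" is received.
 *
 * @param {{host: string, name: string}} popup_origin - Origin that serves the
 *   popup's initial (redirecting) response; `name` prefixes the subtest title.
 */
function redirect_test(popup_origin) {
  promise_test(async t => {
    // The test window.
    const this_window_token = token();

    // The "opener" window. This has COOP same-origin-allow-popups and a
    // reporter.
    const opener_token = token();
    const opener_report_token = reportToken();
    const opener_reporting = reportingEndpointsHeaders(opener_report_token);
    const opener_url = same_origin.host + executor_path +
      opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader +
      `&uuid=${opener_token}`;

    // The "openee" window.
    // The initial document does not have COOP and is on popup_origin, it
    // redirects to a same-origin (with the opener) document with COOP
    // same-origin-allow-popups.
    const openee_token = token();
    const openee_redirect_url = same_origin.host + executor_path +
      opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader +
      `&uuid=${openee_token}`;
    // The redirect target is embedded as an argument of header(Location,...),
    // so commas are backslash-escaped and parentheses percent-encoded before
    // the whole value is URI-encoded. The second replace adds a further
    // backslash where the first produced two backslashes before a comma (i.e.
    // the URL already contained an escaped comma).
    // NOTE(review): presumably this matches the server-side pipe syntax that
    // parses status(...)|header(...) - confirm against the executor resource.
    const redirect_header = 'status(302)' +
      `|header(Location,${encodeURIComponent(
        openee_redirect_url
          .replace(/,/g, "\\,")
          .replace(/\\\\,/g, "\\\\\\,")
          .replace(/\(/g, "%28")
          .replace(/\)/g, "%29"))})`;
    // Both URLs carry openee_token: the redirecting response never runs, so
    // the token ends up addressing the final (redirected-to) document.
    const openee_url = popup_origin.host + executor_path + redirect_header +
      `&uuid=${openee_token}`;
    // 1. Create the opener window. The returned WindowProxy is not needed:
    // all further interaction goes through send()/receive().
    window.open(opener_url);
    t.add_cleanup(() => send(opener_token, "window.close()"));

    // 2. The opener opens its openee. `openee` is assigned without a
    // declaration so that step 4, sent as a separate script, can read it.
    // openee_url is spliced into a double-quoted script string; it is built
    // only from test-generated tokens and harness-provided origins/paths.
    send(opener_token, `
      openee = window.open("${openee_url}");
    `);
    t.add_cleanup(() => send(openee_token, "window.close()"));

    // 3. Check the opener status on the openee. The reply is compared as a
    // string: "false" means the openee's `opener` is null.
    send(openee_token, `
      send("${this_window_token}", opener !== null);
    `);
    assert_equals(await receive(this_window_token), "false", "opener");

    // 4. Check the openee status on the opener. "true" means the opener's
    // handle to the popup now reports it as closed.
    send(opener_token, `
      send("${this_window_token}", openee.closed);
    `);
    assert_equals(await receive(this_window_token), "true", "openee.closed");

    // 5. Check the COOP report. The opener and the redirect target are both
    // served with the headers from opener_reporting, so the report is read
    // back with opener_report_token.
    const report = await receiveReport(
      opener_report_token,
      "navigation-to-response");
    assert_equals(report.type, "coop");
    assert_equals(report.body.disposition, "enforce");
    assert_equals(report.body.effectivePolicy, "same-origin-allow-popups");
  }, `${popup_origin.name} openee redirected to same-origin with same-origin-allow-popups`);
}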

// Register the scenario once per popup origin: first with the popup's initial
// document same-origin with the opener, then cross-origin.
for (const popup_origin of [same_origin, cross_origin]) {
  redirect_test(popup_origin);
}
</script>