author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting | |
parent | Initial commit. (diff) | |
download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting')
26 files changed, 1437 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html
new file mode 100644
index 0000000000..ca1471ccc0
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html
@@ -0,0 +1,86 @@
+<meta name=timeout content=long>
+<title>A test with both COOP and COOP report only setup</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=47b45e17-51c5-4691-bdd5-8f343bbfcf42&report_only_id=3eb3ad1d-872e-4ea8-8b40-0e98783a0683"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with both normal and report-only COOP. Four
+ // reports are sent.
+ [
+ CROSS_ORIGIN,
+ `same-origin-allow-popups; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": reportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-allow-popups",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ]
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html.sub.headers
new file mode 100644
index 0000000000..50c3045bb6
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-four-reports.https.html.sub.headers
@@ -0,0 +1,6 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-report-only-endpoint"
+Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Embedder-Policy-Report-Only: require-corp
+Referrer-Policy: origin
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=47b45e17-51c5-4691-bdd5-8f343bbfcf42", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=3eb3ad1d-872e-4ea8-8b40-0e98783a0683"
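Review bot: The inline comment `// next document URL` on both `nextResponseURL` expectations is misleading for this row, because the popup is `CROSS_ORIGIN`. The comments in reporting-popup-same-origin-allow-popups-report-to.https.html in this same commit state that for cross-origin pages the next/previous document URLs are not available and the initial navigation URL is reported instead, which is the property that keeps a cross-origin document's URL out of the opener's report. I would reword both to `// initial navigation URL (popup is cross-origin)`. The same wording appears on the cross-origin rows of report-only-same-origin-report-to.https.html and on the second row of reporting-popup-same-origin-allow-popups-report-to.https.html.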
\ No newline at end of file
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html
new file mode 100644
index 0000000000..cca2e7e1ae
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html
@@ -0,0 +1,71 @@
+
+<meta name=timeout content=long>
+<title>Report only tests for an opener without any COOP/COOP report only set</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a same-origin popup with a same-origin COOP report-only value, which
+ // would cause a browsing context group swap, hence a report is sent.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": `${location.href}`, // previous documnent url
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP report-only value, which
+ // would cause a browsing context group swap, hence a report is sent.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html.headers
new file mode 100644
index 0000000000..5b29739bbd
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-from-unsafe-none.https.html.headers
@@ -0,0 +1 @@
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html
new file mode 100644
index 0000000000..52b1f2a09f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html
@@ -0,0 +1,96 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=380ca360-d1ae-4329-b1dd-69cea49cd705&report_only_id=cf9ac91d-6c5d-4489-a420-10be9402ef84"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup without any COOP setup, the current document
+ // (opener) report-only would cause a browsing context group swap, hence a
+ // report is sent to the corresponding endpoint.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP report-only value, which
+ // would cause a browsing context group swap, hence a report is sent to both
+ // endpoints.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": reportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP report-only value, the two
+ // COOP-report-only values match, hence no virtual browsing context group swap
+ // happens and no report is sent.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..04bc49906b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-report-to.https.html.sub.headers
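Review bot: `<title>reporting same origin with report-to</title>` does not describe this file, whose opener only sets `Cross-Origin-Opener-Policy-Report-Only`, and the same title is reused verbatim in the hunks for report-only-same-origin-with-coep-report-only, report-only-same-origin-with-coep, report-only-same-origin, reporting-popup-same-origin-allow-popups-report-to and reporting-popup-same-origin-coep-report-to. Because `document.title` is passed to `runNavigationReportingTests`, the title presumably ends up in the reported subtest names, so a failure log from these files would be hard to attribute. A title that names the scenario, for example `<title>COOP report-only same-origin opener with report-to: navigation reports</title>`, would fix that here; the other files need their own wording.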
@@ -0,0 +1,3 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-report-only-endpoint"
+Referrer-Policy: origin
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=380ca360-d1ae-4329-b1dd-69cea49cd705", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=cf9ac91d-6c5d-4489-a420-10be9402ef84"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html
new file mode 100644
index 0000000000..148c700ee5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html
@@ -0,0 +1,32 @@
+
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with COOP report-only with coep, which mismatches
+ // with the current document (opener) COOP (unsafe-none) and COOP report-only
+ // (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html.headers
new file mode 100644
index 0000000000..58ab03394a
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep-report-only.https.html.headers
@@ -0,0 +1,3 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin
+Cross-Origin-Embedder-Policy-Report-Only: require-corp
+Referrer-Policy: origin
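Review bot: The comment above the only row contradicts the row itself: it says "Open a cross-origin popup ... which mismatches with the current document (opener)", but the row passes `SAME_ORIGIN` and expects `[]`, i.e. no report at all. Going by the accompanying .headers file the opener carries `Cross-Origin-Opener-Policy-Report-Only: same-origin` together with a report-only COEP of `require-corp`, so the popup's report-only policy appears to match the opener's rather than mismatch it. I would replace the comment with `// Open a same-origin popup whose COOP report-only and COEP match the opener's, so no virtual browsing context group swap happens and no report is sent.` The byte-identical hunk for report-only-same-origin-with-coep.https.html carries the same stale comment, and both rows of report-only-same-origin.https.html also say "cross-origin" while passing `SAME_ORIGIN`.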
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html
new file mode 100644
index 0000000000..148c700ee5
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html
@@ -0,0 +1,32 @@
+
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with COOP report-only with coep, which mismatches
+ // with the current document (opener) COOP (unsafe-none) and COOP report-only
+ // (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html.headers
new file mode 100644
index 0000000000..2ba7ffb592
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin-with-coep.https.html.headers
@@ -0,0 +1,3 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin
+Cross-Origin-Embedder-Policy: require-corp
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html
new file mode 100644
index 0000000000..8a63682c69
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html
@@ -0,0 +1,73 @@
+
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+ // Open a cross-origin popup with COOP report-only with coep, which mismatches
+ // with the current document (opener) COOP (unsafe-none) and COOP report-only
+ // (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "require-corp",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": `${location.href}`,
+ "referrer": `${location.origin}/`,
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with COOP report-only with coep report-only,
+ // which mismatches with the current document (opener) COOP (unsafe-none) and
+ // COOP report-only (same-origin) values.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": `${location.href}`,
+ "referrer": `${location.origin}/`,
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html.headers
new file mode 100644
index 0000000000..9a8445a43e
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/report-only-same-origin.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy-Report-Only: same-origin
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-opener.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-opener.https.html
new file mode 100644
index 0000000000..893dfa20b8
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-opener.https.html
@@ -0,0 +1,67 @@ +<title> + Reports a browsing context group switch when an opener with COOP navigates. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = get_host_info().HTTPS_ORIGIN; + +let escapeComma = url => url.replace(/,/g, '\\,'); + +promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. + const opener_token = token(); + const opener_url = same_origin + executor_path + `&uuid=${opener_token}`; + + // The "openee" window. + const openee_token = token(); + const openee_url = same_origin + executor_path + `&uuid=${openee_token}`; + + // The "final" url the opener will navigate to. It has COOP and a reporter. + const final_report_token = reportToken(); + const final_token = token(); + const final_reportTo = reportingEndpointsHeaders(final_report_token); + const final_url = same_origin + executor_path + final_reportTo.header + + final_reportTo.coopSameOriginHeader +`&uuid=${final_token}`; + + // 1. Create the opener window and ensure it doesn't have an opener. + let opener_window_proxy = window.open(opener_url, '_blank', 'noopener'); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. The opener opens a window. + send(opener_token, ` + openee = window.open('${escapeComma(openee_url)}'); + `); + + // 3. Ensure the openee loads. + send(openee_token, ` + send("${this_window_token}", "ACK"); + `); + assert_equals("ACK", await receive(this_window_token)); + + // 4. The opener navigates. 
+ send(opener_token, ` + location.replace('${escapeComma(final_url)}'); + `); + + // 5. Check a report was sent to the opener. + let report = + await receiveReport(final_report_token, "navigation-to-response") + assert_equals(report.type, "coop"); + assert_equals(report.url, final_url.replace(/"/g, '%22')); + assert_equals(report.body.disposition, "enforce"); + assert_equals(report.body.effectivePolicy, "same-origin"); + assert_equals(report.body.previousResponseURL, opener_url.replace(/"/g, '%22')); +}, "navigation-report-from-opener-navigation"); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html new file mode 100644 index 0000000000..b625b285cf --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html 
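Review bot: `const directory` and `let opener_window_proxy` are assigned but never read in this test, and the `await receiveReport(final_report_token, "navigation-to-response")` statement is missing its terminating semicolon. I would drop `directory`, call `window.open(opener_url, '_blank', 'noopener');` without the binding, and end the await with `;`. `escapeComma` also deserves a one-line comment saying why commas must be backslash-escaped before the URL is embedded in the script string passed to `send()`; the reason is not visible in this hunk, and it is the only escaping applied to a URL that is spliced into single-quoted script text.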
@@ -0,0 +1,85 @@ +<title>Cross-Origin-Opener-Policy: a navigated popup with reporting</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel --> +<script src="/common/dispatcher/dispatcher.js"></script> +<script + src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=df3cde15-b00b-4a59-b6e2-498b67a6146e&report_only_id=ebf3a415-7a74-42e1-92d1-e600b1bbe22e"></script> + +<script> + +// This test does the following: +// 1 - This document has COOP: same-origin-allow-popups; report-to="coop-report-endpoint" +// 2 - Open a popup on a same-origin page without COOP, with the coop-popup-report-endpoint +// 3 - Navigate the popup to a same-origin page with COOP, with the coop-redirect-report-endpoint +// it verifies that the reports are properly send for the browsing context switch +// during the navigation in the popup (step 3). The current document (the opener) +// endpoint should not receive any report as no switch ocurred on 2. +promise_test( async t => { + const callbackToken = token(); + const noCoopToken = token(); + const coopToken= token(); + await reportingTest(async resolve => { + const noCOOPUrl = executor_path + + convertToWPTHeaderPipe(getReportingEndpointsHeader(location.origin)) + + `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(`unsafe-none; report-to="${popupReportEndpoint.name}"`)})` + + `&uuid=${noCoopToken}`; + const coopUrl = executor_path + + convertToWPTHeaderPipe(getReportingEndpointsHeader(location.origin)) + + `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(`same-origin; report-to="${redirectReportEndpoint.name}"`)})` + + `&uuid=${coopToken}`; + + // 1. Open a popup without COOP and with reporting. 
COOP does not trigger + // a browsing context group switch because the current document is + // same-origin-allow-popups + const popup = window.open(noCOOPUrl); + t.add_cleanup(() => send(noCoopToken, "window.close()")); + + // 2. Navigate the popup to a COOP document, which switches the browsing + // context group. + send(noCoopToken, `window.location = "${coopUrl}";`); + t.add_cleanup(() => send(coopToken, "window.close()")); + + // 3. Make sure the new document is loaded. + send(coopToken, ` + send("${callbackToken}", "Ready"); + `); + let reply = await receive(callbackToken); + resolve(); + }, + "", // executor token for the report replacements, unused in this test + [ + // Reports expected for the navigation from "noCOOP" to "coop" + { + "endpoint": popupReportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "unsafe-none", + "nextResponseURL": RegExp(`uuid=${coopToken}$`), + "type": "navigation-from-response" + }, + "url": RegExp(`uuid=${noCoopToken}$`), + "type": "coop" + } + }, + { + "endpoint": redirectReportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin", + "previousResponseURL": RegExp(`uuid=${noCoopToken}$`), + "referrer": RegExp(`uuid=${noCoopToken}$`), + "type": "navigation-to-response" + }, + "url": RegExp(`uuid=${coopToken}$`), + "type": "coop" + } + }, + ]); +}, "Open a popup to a document without COOP, then navigate it to a document with"); + +verifyRemainingReports(); + +</script> diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html.sub.headers new file mode 100644 index 0000000000..a6a27c2d3e --- /dev/null 
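Review bot: The subtest name `"Open a popup to a document without COOP, then navigate it to a document with"` stops mid-sentence; it presumably should end `... to a document with COOP`. In the same hunk `const popup` and `let reply` are assigned and never read, so `window.open(noCOOPUrl);` and `await receive(callbackToken);` would do. The header comment refers to `coop-popup-report-endpoint` and `coop-redirect-report-endpoint`, while the code uses `popupReportEndpoint.name` and `redirectReportEndpoint.name`; whether those names agree is decided in reporting-common.js, outside this hunk, so the comment should either quote the constants or be checked against that file.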
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html.sub.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=df3cde15-b00b-4a59-b6e2-498b67a6146e", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=ebf3a415-7a74-42e1-92d1-e600b1bbe22e"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html
new file mode 100644
index 0000000000..d674e2e449
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html
@@ -0,0 +1,126 @@ +<meta name=timeout content=long> +<title>reporting same origin with report-to</title> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/resources/common.js"></script> +<script +src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=6a739c25-0ec5-4832-b4a3-847281006857&report_only_id=f91209ee-b3a3-474b-b337-d663533745fb"></script> + +<script> + +let tests = [ + // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports + + // Open a same-origin popup with a same-origin COOP and no COEP. Produces two + // reports (one from and one to). Both pages being same origin, the + // next/pervious document urls are available. + [ + SAME_ORIGIN, + `same-origin; report-to="${popupReportEndpoint.name}"`, + "", + "", + "", + [ + { + "endpoint": reportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin-allow-popups", + "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL + "type": "navigation-from-response" + }, + "url": `${location.href}`, + "type": "coop" + } + }, + { + "endpoint": popupReportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin", + "previousResponseURL": `${location.href}`, // previous documnent url + "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy) + "type": "navigation-to-response" + }, + "url": /uuid=EXECUTOR_UUID$/, + "type": "coop" + } + } + ] + ], + // Open a cross-origin popup with a same-origin-allow-popup COOP and noCOEP. + // Produces two reports (one from and one to). 
Both pages being cross origin, + // the next/pervious document urls are not available and the initial document + // url/referrer are used instead. + [ + CROSS_ORIGIN, + `same-origin-allow-popups; report-to="${popupReportEndpoint.name}"`, + "require-corp", + "", + "", + [ + { + "endpoint": reportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin-allow-popups", + "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL + "type": "navigation-from-response" + }, + "url": `${location.href}`, + "type": "coop" + } + }, + { + "endpoint": popupReportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin-allow-popups", + "previousResponseURL": ``, + "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy) + "type": "navigation-to-response" + }, + "url": /uuid=EXECUTOR_UUID$/, + "type": "coop" + } + } + ] + ], + // Open a cross-origin popup with a same-origin COOP and COEP, and no reporting. + // Produces one navigation-from-report for this document (the opener). The + // pages being cross origin, the next/pervious document urls are not available + // and the initial document url/referrer are used instead. + [ + CROSS_ORIGIN, + `same-origin`, + "require-corp", + "", + "", + [ + { + "endpoint": reportEndpoint, + "report": { + "body": { + "disposition": "enforce", + "effectivePolicy": "same-origin-allow-popups", + "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation URL + "type": "navigation-from-response" + }, + "url": `${location.href}`, + "type": "coop" + } + } + ] + ], +]; + +runNavigationReportingTests(document.title, tests); + +</script> 
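Review bot: The comment on the second row says "Open a cross-origin popup with a same-origin-allow-popup COOP and noCOEP", but the row passes `"require-corp"` as the popup COEP. Either the comment or the row is wrong; if the row is what is intended, the comment should read `// Open a cross-origin popup with a same-origin-allow-popups COOP and COEP require-corp.` The distinction matters for the expectation, since the sibling coep-report-to test shows `effectivePolicy` changing to a `-plus-coep` value when COEP is involved, so a reader needs to know which combination this row is meant to pin.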
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..3e213a95a3
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-allow-popups-report-to.https.html.sub.headers
@@ -0,0 +1,3 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=6a739c25-0ec5-4832-b4a3-847281006857", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=f91209ee-b3a3-474b-b337-d663533745fb"
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html
new file mode 100644
index 0000000000..88b180702f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html
@@ -0,0 +1,173 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=edbbace3-40ca-4640-8d50-dc6e52acc1da&report_only_id=f65cf51a-ca6f-4028-a2c3-0c06183faa13"></script>
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open and navigate a popup to a same-origin page with the same COOP-COEP
+ // settings: no browsing context group switch hence no report expected.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ "",
+ "",
+ []
+ ],
+ // Open a same-origin popup with a same-origin COOP but no COEP. Produces two
+ // reports (one from and one to). The from report has an effectivePolicy of
+ // same-origin-plus-coep, both pages being same origin, the entire
+ // next/pervious document urls are available.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next destination url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": `${location.href}`, // previous document url
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP and COEP. Produces two
+ // reports (one from and one to). The from report has an effectivePolicy of
+ // same-origin-plus-coep, both pages being cross origin, the next/pervious
+ // document urls are not available and the initial document url/referrer are
+ // used instead.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": ``,
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP report only.
One report
+ // is sent to this page's endpoint, but none to the report-only endpoint.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP report only. A report is
+ // sent to both this page's endpoint and the popup's.
+ [
+ CROSS_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "require-corp",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // initial navigation url
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportOnlyEndpoint,
+ "report": {
+ "body": {
+ "disposition": "reporting",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": ``,
+ "referrer": `${location.origin}/`, // referrer (origin, as dictated by the referrer policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..0f78bdb2d0
--- /dev/null
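Review bot: The `<title>` of this new file, `reporting same origin with report-to`, is used verbatim by reporting-popup-same-origin-report-to.https.html and reporting-popup-unsafe-none-report-to.https.html in this commit as well, and each file passes `document.title` to `runNavigationReportingTests`. If that helper uses the title as the test name (its body is not part of this diff section), results for three different opener policies carry the same label, and the unsafe-none file is labelled as a same-origin opener. A title that names the opener's headers would make a failing COOP report case traceable to the right policy, for example `<title>reporting same origin plus COEP with report-to</title>` here and `<title>reporting unsafe-none with report-to</title>` in the unsafe-none file.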
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-coep-report-to.https.html.sub.headers
@@ -0,0 +1,4 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=edbbace3-40ca-4640-8d50-dc6e52acc1da", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=f65cf51a-ca6f-4028-a2c3-0c06183faa13"
+Cross-Origin-Opener-Policy: same-origin; report-to="coop-report-endpoint"
+Cross-Origin-Embedder-Policy: require-corp
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html
new file mode 100644
index 0000000000..47bb67cc4b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html
@@ -0,0 +1,216 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=6aad9729-8642-4894-91d9-a4d44707cd4a&report_only_id=69eb1838-6a03-4cda-97b0-c126ffcb9e8a"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open a popup on a same-origin page, with a compatible COOP.
+ // This is a sanity check that no report are produced.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ []
+ ],
+ // Open a cross-origin popup with a same-origin COOP. Produces two
+ // reports (one from and one to). The from report has an effectivePolicy of
+ // same-origin (corresponding to the current document), both pages being
+ // cross origin, the next/pervious document urls are not available and the
+ // initial document url/referrer are used instead.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a unsafe-none COOP and no COEP. COOP switches
+ // the browsing context group and hence produces two reports (one from and one
+ // to). This test verifies that unsafe-none properly sends report.
+ [
+ SAME_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "previousResponseURL": `${location.href}`,
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP and COEP. The difference
+ // of COEP values leads to the browsing context group switch and produces two
+ // reports. This verifies that the navigation-to-document report has an
+ // effectivePolicy of same-origin-plus-coep.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "require-corp",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin-plus-coep",
+ "previousResponseURL": `${location.href}`,
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with no COOP (but reporting) and no COEP.
+ // Produces two reports. The pages being cross origin, the next/pervious
+ // document urls are not available and the initial document url/referrer are
+ // used instead.
+ [
+ CROSS_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "previousResponseURL": "",
+ "referrer": '', // referrer (empty due to the Referrer Policy)
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with no COOP (without reporting) and no COEP.
+ // Produces one report to this page (opener) endpoint.
+ // This verifies that the navigated-to-document's COOP report values do not
+ // impact the navigated-from-document's COOP.
+ [
+ SAME_ORIGIN,
+ "unsafe-none",
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/,
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ }
+ ]
+ ]
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..79c851a86c
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin-report-to.https.html.sub.headers
@@ -0,0 +1,3 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=6aad9729-8642-4894-91d9-a4d44707cd4a", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=69eb1838-6a03-4cda-97b0-c126ffcb9e8a"
+Cross-Origin-Opener-Policy: same-origin; report-to="coop-report-endpoint"
+Referrer-Policy: no-referrer
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html
new file mode 100644
index 0000000000..3a8f343f37
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html
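Review bot: The comments above the two cross-origin cases in reporting-popup-same-origin-report-to.https.html say that "the initial document url/referrer are used instead", but both cases expect `"referrer": ''`, which matches the `Referrer-Policy: no-referrer` header added for this file in its .sub.headers. The wording looks carried over from the sibling files that send `Referrer-Policy: origin`, and it hides the property these cases pin, namely that a cross-origin popup's report carries neither the opener's URL nor a referrer. I would reword both comments along the lines of `// Cross origin: previousResponseURL is empty, and the referrer is empty too because this page sends Referrer-Policy: no-referrer.`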
@@ -0,0 +1,110 @@
+<meta name=timeout content=long>
+<title>reporting same origin</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open a cross-origin popup with a same-origin COOP and no COEP. COOP
+ // switches the browsing context group and hence produces one report.
+ // This test verifies that the navigated to document properly sends a
+ // navigation-to report. The navigationURI is the referrer.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a unsafe-none COOP and no COEP. COOP switches
+ // the browsing context group and hence produces one report.
+ // This test verifies that having different policies on same origin documents
+ // still properly produces report to the navigated-to-document.
+ [
+ SAME_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "previousResponseURL": `${location.href}`,
+ "referrer": `${location.href}`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a unsafe-none COOP (with reporting) and no
+ // COEP. COOP switches the browsing context group and hence produces one
+ // reports to the unsafe-none document. This test verifies that unsafe-none
+ // properly sends report in that configuration.
+ [
+ CROSS_ORIGIN,
+ `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "previousResponseURL": "",
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP Report only value, the
+ // report only matches the previous document COOP value, no report is sent.
+ [
+ SAME_ORIGIN,
+ "",
+ "",
+ `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+ "",
+ []
+ ],
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html.headers
new file mode 100644
index 0000000000..46ad58d83b
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
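Review bot: The third case in reporting-popup-same-origin.https.html (cross-origin popup with `unsafe-none; report-to=...`) leaves `effectivePolicy` out of the expected report body, while the two cases before it pin that field. If the matcher in reporting-common.js only compares the keys listed in the expectation (it is not visible in this hunk), this case would accept a report carrying any policy value. Adding `"effectivePolicy": "unsafe-none",` after the `disposition` entry would bring it in line with the same-origin unsafe-none case directly above it.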
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html
new file mode 100644
index 0000000000..2563dbb01f
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html
@@ -0,0 +1,126 @@
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+ src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=1f79b0d5-c2a2-4e0b-8e8c-651af2321964&report_only_id=c50700c8-db1e-4224-b06f-4c6a95a5f4be"></script>
+
+<script>
+
+let tests = [
+ // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
+
+ // Open a same-origin popup with a same-origin COOP with reporting and no COEP.
+ // COOP switches the browsing context group and hence produces two reports
+ // (one from and one to). This test verifies that unsafe-none (from the opener)
+ // properly sends a report.
+ [
+ SAME_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": `${location.href}`, // previous document url
+ "referrer": `${location.href}`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a same-origin popup with a same-origin COOP (no reporting)and no COEP.
+ // COOP switches the browsing context group and hence produces one report for
+ // the navigated from document (this page, the opener). This test differs with
+ // the previous one as it assert that the navigated to document's COOP reporting
+ // values do not interfere.
+ [
+ SAME_ORIGIN,
+ `same-origin`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ }
+ ]
+ ],
+ // Open a cross-origin popup with a same-origin COOP and no COEP. COOP switches
+ // the browsing context group and hence produces two reports.
+ [
+ CROSS_ORIGIN,
+ `same-origin; report-to="${popupReportEndpoint.name}"`,
+ "",
+ "",
+ "",
+ [
+ {
+ "endpoint": reportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "unsafe-none",
+ "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+ "type": "navigation-from-response"
+ },
+ "url": `${location.href}`,
+ "type": "coop"
+ }
+ },
+ {
+ "endpoint": popupReportEndpoint,
+ "report": {
+ "body": {
+ "disposition": "enforce",
+ "effectivePolicy": "same-origin",
+ "previousResponseURL": ``,
+ "referrer": `${location.origin}/`, // referrer
+ "type": "navigation-to-response"
+ },
+ "url": /uuid=EXECUTOR_UUID$/,
+ "type": "coop"
+ }
+ }
+ ]
+ ]
+];
+
+runNavigationReportingTests(document.title, tests);
+
+</script>
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html.sub.headers b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html.sub.headers
new file mode 100644
index 0000000000..f1f18d6708
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-popup-unsafe-none-report-to.https.html.sub.headers
@@ -0,0 +1,2 @@
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=1f79b0d5-c2a2-4e0b-8e8c-651af2321964", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=c50700c8-db1e-4224-b06f-4c6a95a5f4be"
+Cross-Origin-Opener-Policy: unsafe-none; report-to="coop-report-endpoint"
diff --git a/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
new file mode 100644
index 0000000000..cd2f6b67b3
--- /dev/null
+++ b/testing/web-platform/tests/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
@@ -0,0 +1,111 @@ +<title> + Tests the redirect interaction with COOP same-origin-allow-popups. +</title> +<meta name=timeout content=long> +<script src=/resources/testharness.js></script> +<script src=/resources/testharnessreport.js></script> +<script src=/common/get-host-info.sub.js></script> +<script src="/common/utils.js"></script> +<script src="/common/dispatcher/dispatcher.js"></script> +<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script> +<script> + +const directory = "/html/cross-origin-opener-policy"; +const same_origin = { + host: get_host_info().HTTPS_ORIGIN, + name: "Same origin" +}; +const cross_origin = { + host: get_host_info().HTTPS_REMOTE_ORIGIN, + name: "Cross origin" +}; + +// Tests the redirect interaction with COOP same-origin-allow-popups and +// reporting: +// 1 - open the opener document on origin same_origin with COOP +// same-origin-allow-popups. +// 2 - opener opens popup with document on origin popup_origin, no COOP and a +// redirect header (HTTP 302, location). +// 3 - redirection to a document with origin same_origin and COOP +// same-origin-allow-popups. +// +// The navigation (2) to the first document of the popup stays in the same +// browsing context group due to the same-origin-allow-popups COOP of the +// opener. +// The redirect (3) to the final document does since it compares the +// popup_origin/unsafe-none document with the +// same-origin/same-origin-allow-popups document. +// +// A opens B, B redirects to C. +// +// Document Origin COOP +// -------- ------------ ------------------------ +// A same-origin same-origin-allow-popups +// B popup-origin unsafe-none +// C same-origin same-origin-allow-popups +function redirect_test( popup_origin ) { + promise_test(async t => { + // The test window. + const this_window_token = token(); + + // The "opener" window. This has COOP same-origin-allow-popups and a + // reporter. 
+ const opener_report_token = reportToken(); + const opener_token = token(); + const opener_reportTo = reportingEndpointsHeaders(opener_report_token); + const opener_url = same_origin.host + executor_path + + opener_reportTo.header + opener_reportTo.coopSameOriginAllowPopupsHeader + + `&uuid=${opener_token}`; + + // The "openee" window. + // The initial document does not have COOP and is on popup_origin, it + // redirects to a same-origin (with the opener) document with COOP + // same-origin-allow-popups. + const openee_token = token(); + const openee_redirect_url = same_origin.host + executor_path + + opener_reportTo.header + opener_reportTo.coopSameOriginAllowPopupsHeader + + `&uuid=${openee_token}`; + const redirect_header = 'status(302)' + + `|header(Location,${encodeURIComponent( + openee_redirect_url + .replace(/,/g, "\\,") + .replace(/\\\\,/g, "\\\\\\,") + .replace(/\(/g, "%28") + .replace(/\)/g, "%29"))})`; + const openee_url = popup_origin.host + executor_path + redirect_header + + `&uuid=${openee_token}`; + // 1. Create the opener window. + let opener_window_proxy = window.open(opener_url); + t.add_cleanup(() => send(opener_token, "window.close()")); + + // 2. The opener opens its openee. + send(opener_token, ` + openee = window.open("${openee_url}"); + `); + t.add_cleanup(() => send(openee_token, "window.close()")); + + // 3. Check the opener status on the openee. + send(openee_token, ` + send("${this_window_token}", opener !== null); + `); + assert_equals(await receive(this_window_token), "false", "opener"); + + // 4. Check the openee status on the opener. + send(opener_token, ` + send("${this_window_token}", openee.closed); + `); + assert_equals(await receive(this_window_token), "true", "openee.closed"); + + // 5. Check a report sent to the openee. 
+ let report = await receiveReport( + opener_report_token, + "navigation-to-response"); + assert_equals(report.type, "coop"); + assert_equals(report.body.disposition, "enforce"); + assert_equals(report.body.effectivePolicy, "same-origin-allow-popups"); + }, `${popup_origin.name} openee redirected to same-origin with same-origin-allow-popups`); +} + +redirect_test(same_origin); +redirect_test(cross_origin); +</script> |
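Review bot: Step 5 of `redirect_test` reads from `opener_report_token`, although its comment says the report was sent to the openee, because `openee_redirect_url` is built from `opener_reportTo.header` and so the opener (A) and the redirect target (C) share one reporting endpoint. If opening A from this test window also produces a `navigation-to-response` report (the test page's own headers and the body of `receiveReport` are not in this hunk), that report has the same type, disposition and `same-origin-allow-popups` policy, so the three assertions cannot tell whether C's report was ever sent. Giving the redirect target its own report token and reading step 5 from it would tie the check to the document the test is about.

```javascript
// … unchanged: this_window_token, opener tokens and opener_url …
const openee_token = token();
const openee_report_token = reportToken();
const openee_reportTo = reportingEndpointsHeaders(openee_report_token);
const openee_redirect_url = same_origin.host + executor_path +
  openee_reportTo.header + openee_reportTo.coopSameOriginAllowPopupsHeader +
  `&uuid=${openee_token}`;
// … unchanged: redirect_header, openee_url, steps 1 to 4 …
let report = await receiveReport(
  openee_report_token,
  "navigation-to-response");
```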