Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

32 files changed, 1133 insertions, 0 deletions

diff --git a/testing/web-platform/tests/storage-access-api/META.yml b/testing/web-platform/tests/storage-access-api/META.yml
new file mode 100644
index 0000000000..554bd31684
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/META.yml
@@ -0,0 +1,6 @@
+spec: https://privacycg.github.io/storage-access/
+suggested_reviewers:
+  - Brandr0id
+  - cfredric
+  - ehsan
+  - johnwilander
diff --git a/testing/web-platform/tests/storage-access-api/hasStorageAccess-ABA.tentative.sub.https.window.js b/testing/web-platform/tests/storage-access-api/hasStorageAccess-ABA.tentative.sub.https.window.js
new file mode 100644
index 0000000000..8fa4122fbb
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/hasStorageAccess-ABA.tentative.sub.https.window.js
@@ -0,0 +1,7 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+// Create a test with a nested iframe that is same-site to the top-level frame but has cross-site frame in between.
+RunTestsInIFrame("https://{{hosts[alt][]}}:{{ports[https][0]}}/storage-access-api/resources/hasStorageAccess-ABA-iframe.https.html");
diff --git a/testing/web-platform/tests/storage-access-api/hasStorageAccess-insecure.sub.window.js b/testing/web-platform/tests/storage-access-api/hasStorageAccess-insecure.sub.window.js
new file mode 100644
index 0000000000..866bd97f27
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/hasStorageAccess-insecure.sub.window.js
@@ -0,0 +1,46 @@
+// META: script=helpers.js
+'use strict';
+
+const {testPrefix, topLevelDocument} = processQueryParams();
+
+// Common tests to run in all frames.
+promise_test(async () => {
+  assert_not_equals(document.hasStorageAccess, undefined);
+}, "[" + testPrefix + "] document.hasStorageAccess() should be supported on the document interface");
+
+promise_test(async () => {
+  const hasAccess = await document.hasStorageAccess();
+  assert_false(hasAccess, "Access should be disallowed in insecure contexts");
+}, "[" + testPrefix + "] document.hasStorageAccess() should be disallowed in insecure contexts");
+
+promise_test(async (t) => {
+  const description = "Promise should reject when called on a generated document not part of the DOM.";
+  const createdDocument = document.implementation.createDocument("", null);
+
+  // Can't use `promise_rejects_dom` here, since the error comes from the wrong global.
+  await createdDocument.hasStorageAccess().then(
+    t.unreached_func("Should have rejected: " + description), (e) => {
+      assert_equals(e.name, 'InvalidStateError', description);
+    });
+}, "[" + testPrefix + "] document.hasStorageAccess() should reject in a document that isn't fully active.");
+
+// Logic to load test cases within combinations of iFrames.
+if (topLevelDocument) {
+  // This specific test will run only as a top level test (not as a worker).
+  // Specific hasStorageAccess() scenarios will be tested within the context
+  // of various iFrames
+
+  // Create a test with a single-child same-origin iframe.
+  RunTestsInIFrame("resources/hasStorageAccess-iframe.html?testCase=same-origin-frame");
+
+  // Create a test with a single-child cross-origin iframe.
+  RunTestsInIFrame("http://{{domains[www]}}:{{ports[http][0]}}/storage-access-api/resources/hasStorageAccess-iframe.html?testCase=cross-origin-frame");
+
+  // Validate the nested-iframe scenario where the same-origin frame containing
+  // the tests is not the first child.
+  RunTestsInNestedIFrame("resources/hasStorageAccess-iframe.html?testCase=nested-same-origin-frame");
+
+  // Validate the nested-iframe scenario where the cross-origin frame containing
+  //  the tests is not the first child.
+  RunTestsInNestedIFrame("http://{{domains[www]}}:{{ports[http][0]}}/storage-access-api/resources/hasStorageAccess-iframe.html?testCase=nested-cross-origin-frame");
+}
diff --git a/testing/web-platform/tests/storage-access-api/hasStorageAccess.sub.https.window.js b/testing/web-platform/tests/storage-access-api/hasStorageAccess.sub.https.window.js
new file mode 100644
index 0000000000..d7ed42baa0
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/hasStorageAccess.sub.https.window.js
@@ -0,0 +1,52 @@
+// META: script=helpers.js
+'use strict';
+
+const {testPrefix, topLevelDocument} = processQueryParams();
+
+// Common tests to run in all frames.
+promise_test(async () => {
+  assert_not_equals(document.hasStorageAccess, undefined);
+}, "[" + testPrefix + "] document.hasStorageAccess() should exist on the document interface");
+
+promise_test(async () => {
+  const hasAccess = await document.hasStorageAccess();
+  if (topLevelDocument || testPrefix.includes('same-origin')) {
+    assert_true(hasAccess, "Access should be granted in top-level frame or iframe that is in first-party context by default.");
+  } else if (testPrefix == 'ABA') {
+    assert_false(hasAccess, "Access should not be granted in secure same-origin iframe that is in a third-party context by default.");
+  } else {
+    assert_false(hasAccess, "Access should not be granted in secure cross-origin iframes.");
+  }
+}, "[" + testPrefix + "] document.hasStorageAccess() should not be allowed by default unless in top-level frame or same-origin iframe.");
+
+promise_test(async (t) => {
+  const description = "Promise should reject when called on a generated document not part of the DOM.";
+  const createdDocument = document.implementation.createDocument("", null);
+
+  // Can't use `promise_rejects_dom` here, since the error comes from the wrong global.
+  await createdDocument.hasStorageAccess().then(
+    t.unreached_func("Should have rejected: " + description), (e) => {
+      assert_equals(e.name, 'InvalidStateError', description);
+    });
+}, "[" + testPrefix + "] document.hasStorageAccess() should reject in a document that isn't fully active.");
+
+// Logic to load test cases within combinations of iFrames.
+if (topLevelDocument) {
+  // This specific test will run only as a top level test (not as a worker).
+  // Specific hasStorageAccess() scenarios will be tested within the context
+  // of various iFrames
+
+  // Create a test with a single-child same-origin iframe.
+  RunTestsInIFrame("resources/hasStorageAccess-iframe.https.html?testCase=same-origin-frame");
+
+  // Create a test with a single-child cross-site iframe.
+  RunTestsInIFrame("https://{{hosts[alt][]}}:{{ports[https][0]}}/storage-access-api/resources/hasStorageAccess-iframe.https.html?testCase=cross-site-frame");
+
+  // Validate the nested-iframe scenario where the same-origin frame containing
+  // the tests is not the first child.
+  RunTestsInNestedIFrame("resources/hasStorageAccess-iframe.https.html?testCase=nested-same-origin-frame");
+
+  // Validate the nested-iframe scenario where the cross-site frame containing
+  //  the tests is not the first child.
+  RunTestsInNestedIFrame("https://{{hosts[alt][]}}:{{ports[https][0]}}/storage-access-api/resources/hasStorageAccess-iframe.https.html?testCase=nested-cross-site-frame");
+}
diff --git a/testing/web-platform/tests/storage-access-api/helpers.js b/testing/web-platform/tests/storage-access-api/helpers.js
new file mode 100644
index 0000000000..0a89c6d7f9
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/helpers.js
@@ -0,0 +1,256 @@
+'use strict';
+
+function processQueryParams() {
+  const url = new URL(window.location);
+  const queryParams = url.searchParams;
+  return {
+    topLevelDocument: window === window.top,
+    testPrefix: queryParams.get("testCase") || "top-level-context",
+  };
+}
+
+// Create an iframe element, set it up using `setUpFrame`, and optionally fetch
+// tests in it. Returns the created frame, after it has loaded.
+async function CreateFrameHelper(setUpFrame, fetchTests) {
+  const frame = document.createElement('iframe');
+  const promise = new Promise((resolve, reject) => {
+    frame.onload = () => resolve(frame);
+    frame.onerror = reject;
+  });
+
+  setUpFrame(frame);
+
+  if (fetchTests) {
+    await fetch_tests_from_window(frame.contentWindow);
+  }
+  return promise;
+}
+
+// Create an iframe element with content loaded from `sourceURL`, append it to
+// the document, and optionally fetch tests. Returns the loaded frame, once
+// ready.
+function CreateFrame(sourceURL, fetchTests = false) {
+  return CreateFrameHelper((frame) => {
+    frame.src = sourceURL;
+    document.body.appendChild(frame);
+  }, fetchTests);
+}
+
+// Create a new iframe with content loaded from `sourceURL`, and fetches tests.
+// Returns the loaded frame, once ready.
+function RunTestsInIFrame(sourceURL) {
+  return CreateFrame(sourceURL, true);
+}
+
+function RunTestsInNestedIFrame(sourceURL) {
+  return CreateFrameHelper((frame) => {
+    document.body.appendChild(frame);
+    frame.contentDocument.write(`
+      <script src="/resources/testharness.js"></script>
+      <script src="helpers.js"></script>
+      <body>
+      <script>
+        RunTestsInIFrame("${sourceURL}");
+      </script>
+    `);
+    frame.contentDocument.close();
+  }, true);
+}
+
+function CreateDetachedFrame() {
+  const frame = document.createElement('iframe');
+  document.body.append(frame);
+  const inner_doc = frame.contentDocument;
+  frame.remove();
+  return inner_doc;
+}
+
+function CreateDocumentViaDOMParser() {
+  const parser = new DOMParser();
+  const doc = parser.parseFromString('<html></html>', 'text/html');
+  return doc;
+}
+
+function RunCallbackWithGesture(callback) {
+  return test_driver.bless('run callback with user gesture', callback);
+}
+
+// Sends a message to the given target window and returns a promise that
+// resolves when a reply was sent.
+function PostMessageAndAwaitReply(message, targetWindow) {
+  const timestamp = window.performance.now();
+  const reply = ReplyPromise(timestamp);
+  targetWindow.postMessage({timestamp, ...message}, "*");
+  return reply;
+}
+
+// Returns a promise that resolves when the next "reply" is received via
+// postMessage. Takes a "timestamp" argument to validate that the received
+// message belongs to its original counterpart.
+function ReplyPromise(timestamp) {
+  return new Promise((resolve) => {
+    const listener = (event) => {
+      if (event.data.timestamp == timestamp) {
+        window.removeEventListener("message", listener);
+        resolve(event.data.data);
+      }
+    };
+    window.addEventListener("message", listener);
+  });
+}
+
+// Returns a promise that resolves when the given frame fires its load event.
+function LoadPromise(frame) {
+  return new Promise((resolve) => {
+    frame.addEventListener("load", (event) => {
+      resolve();
+    }, { once: true });
+  });
+}
+
+// Writes cookies via document.cookie in the given frame.
+function SetDocumentCookieFromFrame(frame, cookie) {
+  return PostMessageAndAwaitReply(
+    { command: "write document.cookie", cookie }, frame.contentWindow);
+}
+
+// Reads cookies via document.cookie in the given frame.
+function GetJSCookiesFromFrame(frame) {
+  return PostMessageAndAwaitReply(
+      { command: "document.cookie" }, frame.contentWindow);
+}
+
+async function DeleteCookieInFrame(frame, name, params) {
+  await SetDocumentCookieFromFrame(frame, `${name}=0; expires=${new Date(0).toUTCString()}; ${params};`);
+  assert_false(cookieStringHasCookie(name, '0', await GetJSCookiesFromFrame(frame)), `Verify that cookie '${name}' has been deleted.`);
+}
+
+// Tests whether the frame can write cookies via document.cookie. Note that this
+// overwrites, then optionally deletes, cookies named "cookie" and "foo".
+//
+// This function requires the caller to have included
+// /cookies/resources/cookie-helper.sub.js.
+async function CanFrameWriteCookies(frame, keep_after_writing = false) {
+  const cookie_suffix = "Secure;SameSite=None;Path=/";
+  await DeleteCookieInFrame(frame, "cookie", cookie_suffix);
+  await DeleteCookieInFrame(frame, "foo", cookie_suffix);
+
+  await SetDocumentCookieFromFrame(frame, `cookie=monster;${cookie_suffix}`);
+  await SetDocumentCookieFromFrame(frame, `foo=bar;${cookie_suffix}`);
+
+  const cookies = await GetJSCookiesFromFrame(frame);
+  const can_write = cookieStringHasCookie("cookie", "monster", cookies) &&
+      cookieStringHasCookie("foo", "bar", cookies);
+
+  if (!keep_after_writing) {
+    await DeleteCookieInFrame(frame, "cookie", cookie_suffix);
+    await DeleteCookieInFrame(frame, "foo", cookie_suffix);
+  }
+
+  return can_write;
+}
+
+// Tests whether the current frame can read and write cookies via HTTP headers.
+// This deletes, writes, reads, then deletes a cookie named "cookie".
+async function CanAccessCookiesViaHTTP() {
+  await create_cookie(window.location.origin, "cookie", "1", "samesite=None;Secure");
+  const http_cookies = await fetch(`${window.location.origin}/storage-access-api/resources/echo-cookie-header.py`)
+      .then((resp) => resp.text());
+  const can_access = cookieStringHasCookie("cookie", "1", http_cookies);
+
+  erase_cookie_from_js("cookie", "SameSite=None;Secure;Path=/");
+
+  return can_access;
+}
+
+// Tests whether the current frame can read and write cookies via
+// document.cookie. This deletes, writes, reads, then deletes a cookie named
+// "cookie".
+function CanAccessCookiesViaJS() {
+  erase_cookie_from_js("cookie", "SameSite=None;Secure;Path=/");
+  assert_false(cookieStringHasCookie("cookie", "1", document.cookie));
+
+  document.cookie = "cookie=1;SameSite=None;Secure;Path=/";
+  const can_access = cookieStringHasCookie("cookie", "1", document.cookie);
+
+  erase_cookie_from_js("cookie", "SameSite=None;Secure;Path=/");
+  assert_false(cookieStringHasCookie("cookie", "1", document.cookie));
+
+  return can_access;
+}
+
+// Reads cookies via the `httpCookies` variable in the given frame.
+function GetHTTPCookiesFromFrame(frame) {
+  return PostMessageAndAwaitReply(
+      { command: "httpCookies" }, frame.contentWindow);
+}
+
+// Executes document.hasStorageAccess in the given frame.
+function FrameHasStorageAccess(frame) {
+  return PostMessageAndAwaitReply(
+      { command: "hasStorageAccess" }, frame.contentWindow);
+}
+
+// Executes document.requestStorageAccess in the given frame.
+function RequestStorageAccessInFrame(frame) {
+  return PostMessageAndAwaitReply(
+      { command: "requestStorageAccess" }, frame.contentWindow);
+}
+
+// Executes test_driver.set_permission in the given frame, with the provided
+// arguments.
+function SetPermissionInFrame(frame, args = []) {
+  return PostMessageAndAwaitReply(
+      { command: "set_permission", args }, frame.contentWindow);
+}
+
+// Waits for a storage-access permission change and resolves with the current
+// state.
+function ObservePermissionChange(frame, args = []) {
+  return PostMessageAndAwaitReply(
+      { command: "observe_permission_change", args }, frame.contentWindow);
+}
+
+// Executes `location.reload()` in the given frame. The returned promise
+// resolves when the frame has finished reloading.
+function FrameInitiatedReload(frame) {
+  const reload = LoadPromise(frame);
+  frame.contentWindow.postMessage({ command: "reload" }, "*");
+  return reload;
+}
+
+// Executes `location.href = url` in the given frame. The returned promise
+// resolves when the frame has finished navigating.
+function FrameInitiatedNavigation(frame, url) {
+  const load = LoadPromise(frame);
+  frame.contentWindow.postMessage({ command: "navigate", url }, "*");
+  return load;
+}
+
+// Makes a subresource request to the provided host in the given frame, and
+// returns the cookies that were included in the request.
+function FetchSubresourceCookiesFromFrame(frame, host) {
+  return FetchFromFrame(frame, `${host}/storage-access-api/resources/echo-cookie-header.py`);
+}
+
+// Makes a subresource request to the provided host in the given frame, and
+// returns the response.
+function FetchFromFrame(frame, url) {
+  return PostMessageAndAwaitReply(
+    { command: "cors fetch", url }, frame.contentWindow);
+}
+
+// Tries to set storage access policy, ignoring any errors.
+//
+// Note: to discourage the writing of tests that assume unpartitioned cookie
+// access by default, any test that calls this with `value` == "blocked" should
+// do so as the first step in the test.
+async function MaybeSetStorageAccess(origin, embedding_origin, value) {
+  try {
+    await test_driver.set_storage_access(origin, embedding_origin, value);
+  } catch (e) {
+    // Ignore, can be unimplemented if the platform blocks cross-site cookies
+    // by default. If this failed without default blocking we'll notice it later
+    // in the test.
+  }
+}
diff --git a/testing/web-platform/tests/storage-access-api/idlharness.window.js b/testing/web-platform/tests/storage-access-api/idlharness.window.js
new file mode 100644
index 0000000000..41c6b84d68
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/idlharness.window.js
@@ -0,0 +1,14 @@
+// META: global=window,worker
+// META: script=/resources/WebIDLParser.js
+// META: script=/resources/idlharness.js
+'use strict';
+
+idl_test(
+  ['storage-access'],
+  ['dom'],
+  idl_array => {
+    idl_array.add_objects({
+      Document: ['document'],
+    });
+  }
+);
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-ABA.tentative.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-ABA.tentative.sub.https.window.js
new file mode 100644
index 0000000000..428053f3e5
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-ABA.tentative.sub.https.window.js
@@ -0,0 +1,9 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+// Create a test with a nested iframe that is same-site to the top-level frame
+// but has cross-site frame in between.
+RunTestsInIFrame(
+    'https://{{hosts[alt][]}}:{{ports[https][0]}}/storage-access-api/resources/requestStorageAccess-ABA-iframe.https.html');
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-origin-iframe-navigation.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-origin-iframe-navigation.sub.https.window.js
new file mode 100644
index 0000000000..24595ed340
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-origin-iframe-navigation.sub.https.window.js
@@ -0,0 +1,86 @@
+// META: script=helpers.js
+// META: script=/cookies/resources/cookie-helper.sub.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // This is cross-domain from the current document.
+  const altWww = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+  const altRoot = "https://{{hosts[alt][]}}:{{ports[https][0]}}";
+  const responderPath = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
+
+  const altWwwResponder = `${altWww}${responderPath}`;
+  const altRootResponder = `${altRoot}${responderPath}`;
+
+  async function SetUpResponderFrame(t, url) {
+    const frame = await CreateFrame(url);
+
+    await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'granted']);
+    t.add_cleanup(async () => {
+      await test_driver.delete_all_cookies();
+      await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'prompt']);
+      await MaybeSetStorageAccess("*", "*", "allowed");
+    });
+
+    assert_false(await FrameHasStorageAccess(frame), "frame initially does not have storage access.");
+    assert_false(await CanFrameWriteCookies(frame), "frame initially cannot write cookies via document.cookie.");
+    assert_false(cookieStringHasCookie("cookie", "monster", await GetHTTPCookiesFromFrame(frame)), "frame's fetch was done without credentials.");
+
+    assert_true(await RequestStorageAccessInFrame(frame), "requestStorageAccess resolves without requiring a gesture.");
+
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after request.");
+    assert_true(await CanFrameWriteCookies(frame, /* keep_after_writing=*/true), "frame can write cookies via JS after request.");
+
+    return frame;
+  }
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+
+    const frame = await SetUpResponderFrame(t, altWwwResponder);
+
+    await FrameInitiatedReload(frame);
+
+    assert_true(cookieStringHasCookie('cookie', 'monster', await GetHTTPCookiesFromFrame(frame)), "The frame's navigation request included cookies.");
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after refresh.");
+    assert_true(await CanFrameWriteCookies(frame), "frame can write cookies via JS after refresh.");
+  }, "Self-initiated reloads preserve storage access");
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+
+    const frame = await SetUpResponderFrame(t, altWwwResponder);
+
+    await FrameInitiatedNavigation(frame, altWwwResponder);
+
+    assert_true(cookieStringHasCookie('cookie', 'monster', await GetHTTPCookiesFromFrame(frame)), "The frame's navigation request included cookies.");
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after refresh.");
+    assert_true(await CanFrameWriteCookies(frame), "frame can write cookies via JS after refresh.");
+  }, "Self-initiated same-origin navigations preserve storage access");
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+
+    const frame = await SetUpResponderFrame(t, altWwwResponder);
+
+    await new Promise((resolve) => {
+      frame.addEventListener("load", () => resolve());
+      frame.src = altWwwResponder;
+    });
+
+    assert_false(await FrameHasStorageAccess(frame), "frame does not have storage access after refresh.");
+    assert_false(await CanFrameWriteCookies(frame), "frame cannot write cookies via JS after refresh.");
+  }, "Non-self-initiated same-origin navigations do not preserve storage access");
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+
+    const frame = await SetUpResponderFrame(t, altWwwResponder);
+
+    await FrameInitiatedNavigation(frame, altRootResponder);
+
+    assert_false(await FrameHasStorageAccess(frame), "frame does not have storage access after refresh.");
+    assert_false(await CanFrameWriteCookies(frame), "frame cannot write cookies via JS after refresh.");
+  }, "Self-initiated cross-origin navigations do not preserve storage access");
+})();
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-site-iframe.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-site-iframe.sub.https.window.js
new file mode 100644
index 0000000000..53f90de75d
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-site-iframe.sub.https.window.js
@@ -0,0 +1,9 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // Create a test with a single-child cross-site iframe.
+  RunTestsInIFrame('https://{{hosts[alt][www]}}:{{ports[https][0]}}/storage-access-api/resources/requestStorageAccess-iframe.https.html?testCase=cross-site-frame');
+})();
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-site-sibling-iframes.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-site-sibling-iframes.sub.https.window.js
new file mode 100644
index 0000000000..c93673887c
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-cross-site-sibling-iframes.sub.https.window.js
@@ -0,0 +1,81 @@
+// META: script=helpers.js
+// META: script=/cookies/resources/cookie-helper.sub.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // This is on the www subdomain, so it's cross-origin from the current document.
+  const www = "https://{{domains[www]}}:{{ports[https][0]}}";
+  // This is on the alt host, so it's cross-site from the current document.
+  const wwwAlt = "https://{{hosts[alt][]}}:{{ports[https][0]}}";
+  const url_suffix = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+    const responder_html = `${wwwAlt}${url_suffix}`;
+    const [frame1, frame2] = await Promise.all([
+      CreateFrame(responder_html),
+      CreateFrame(responder_html),
+    ]);
+
+    t.add_cleanup(async () => {
+      await test_driver.delete_all_cookies();
+      await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'prompt']);
+      await MaybeSetStorageAccess("*", "*", "allowed");
+    });
+
+    await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'granted']);
+
+    assert_false(await FrameHasStorageAccess(frame1), "frame1 should not have storage access initially.");
+    assert_false(await FrameHasStorageAccess(frame2), "frame2 should not have storage access initially.");
+
+    assert_false(await CanFrameWriteCookies(frame1), "frame1 should not have access via document.cookie.");
+    assert_false(await CanFrameWriteCookies(frame2), "frame2 should not have access via document.cookie.");
+
+    assert_true(await RequestStorageAccessInFrame(frame1), "requestStorageAccess doesn't require a gesture since the permission has already been granted.");
+
+    assert_true(await FrameHasStorageAccess(frame1), "frame1 should have storage access now.");
+    assert_true(await CanFrameWriteCookies(frame1), "frame1 should now be able to write cookies via document.cookie.");
+
+    assert_false(await FrameHasStorageAccess(frame2), "frame2 should still not have storage access.");
+    assert_false(await CanFrameWriteCookies(frame2), "frame2 should still be unable to write cookies via document.cookie");
+
+    assert_true(await RequestStorageAccessInFrame(frame2), "frame2 should be able to get storage access without a gesture.");
+
+    assert_true(await FrameHasStorageAccess(frame2), "frame2 should have storage access after it requested it.");
+    assert_true(await CanFrameWriteCookies(frame2), "frame2 should be able to write cookies via document.cookie after getting storage access.");
+  }, "Grants have per-frame scope");
+
+  promise_test(async (t) => {
+    await MaybeSetStorageAccess("*", "*", "blocked");
+    const [crossOriginFrame, crossSiteFrame] = await Promise.all([
+      CreateFrame(`${www}${url_suffix}`),
+      CreateFrame(`${wwwAlt}${url_suffix}`),
+    ]);
+
+    t.add_cleanup(async () => {
+      await test_driver.delete_all_cookies();
+      await SetPermissionInFrame(crossOriginFrame, [{ name: 'storage-access' }, 'prompt']);
+      await SetPermissionInFrame(crossSiteFrame, [{ name: 'storage-access' }, 'prompt']);
+      await MaybeSetStorageAccess("*", "*", "allowed");
+    });
+
+    await SetPermissionInFrame(crossOriginFrame, [{ name: 'storage-access' }, 'granted']);
+    await SetPermissionInFrame(crossSiteFrame, [{ name: 'storage-access' }, 'granted']);
+
+    assert_true(await RequestStorageAccessInFrame(crossOriginFrame), "crossOriginFrame should be able to get storage access without a gesture.");
+    assert_true(await RequestStorageAccessInFrame(crossSiteFrame), "crossSiteFrame should be able to get storage access without a gesture.");
+
+    await SetDocumentCookieFromFrame(crossOriginFrame, `cookie=monster;Secure;SameSite=None;Path=/`);
+    await SetDocumentCookieFromFrame(crossSiteFrame, `foo=bar;Secure;SameSite=None;Path=/`);
+
+    assert_true(cookieStringHasCookie("cookie", "monster", await FetchSubresourceCookiesFromFrame(crossOriginFrame, www)),"crossOriginFrame making same-origin subresource request can access cookies.");
+    assert_true(cookieStringHasCookie("foo", "bar", await FetchSubresourceCookiesFromFrame(crossSiteFrame, wwwAlt)),"crossSiteFrame making same-origin subresource request can access cookies.");
+
+    assert_false(cookieStringHasCookie("foo", "bar",  await FetchSubresourceCookiesFromFrame(crossOriginFrame, wwwAlt)), "crossOriginFrame making cross-site subresource request to sibling iframe's host should not include cookies.");
+    assert_false(cookieStringHasCookie("cookie", "monster", await FetchSubresourceCookiesFromFrame(crossSiteFrame, www)),"crossSiteFrame making cross-site subresource request to sibling iframe's host should not include cookies.");
+
+  }, "Cross-site sibling iframes should not be able to take advantage of the existing permission grant requested by others.");
+
+})();
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-insecure.sub.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-insecure.sub.window.js
new file mode 100644
index 0000000000..1b00aee00a
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-insecure.sub.window.js
@@ -0,0 +1,83 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+// Document-level test config flags:
+//
+// testPrefix: Prefix each test case with an indicator so we know what context
+// they are run in if they are used in multiple iframes.
+//
+// topLevelDocument: Keep track of if we run these tests in a nested context, we
+// don't want to recurse forever.
+const {testPrefix, topLevelDocument} = processQueryParams();
+
+// Common tests to run in all frames.
+promise_test(async () => {
+  assert_not_equals(document.requestStorageAccess, undefined);
+}, "[" + testPrefix + "] document.requestStorageAccess() should exist on the document interface");
+
+promise_test(t => {
+  return promise_rejects_dom(t, "NotAllowedError", document.requestStorageAccess(),
+    "document.requestStorageAccess() call without user gesture");
+}, "[" + testPrefix + "] document.requestStorageAccess() should be rejected in insecure context");
+
+// Logic to load test cases within combinations of iFrames.
+if (topLevelDocument) {
+  // This specific test will run only as a top level test (not as a worker).
+  // Specific requestStorageAccess() scenarios will be tested within the context
+  // of various iFrames
+  promise_test(t => {
+    const description = "document.requestStorageAccess() call in a detached frame";
+    // Can't use `promise_rejects_dom` here, since the error comes from the wrong global.
+    return CreateDetachedFrame().requestStorageAccess()
+      .then(t.unreached_func("Should have rejected: " + description), (e) => {
+        assert_equals(e.name, 'InvalidStateError', description);
+      });
+  }, "[non-fully-active] document.requestStorageAccess() should reject when run in a detached frame");
+
+  promise_test(t => {
+    return promise_rejects_dom(t, 'InvalidStateError', CreateDocumentViaDOMParser().requestStorageAccess(),
+     "document.requestStorageAccess() in a detached DOMParser result");
+  }, "[non-fully-active] document.requestStorageAccess() should reject when run in a detached DOMParser document");
+
+  // Create a test with a single-child same-origin iframe.
+  const sameOriginFramePromise = RunTestsInIFrame(
+      'resources/requestStorageAccess-iframe.html?testCase=same-origin-frame');
+
+  // Create a test with a single-child cross-origin iframe.
+  const crossOriginFramePromise = RunTestsInIFrame(
+      'http://{{domains[www]}}:{{ports[http][0]}}/storage-access-api/resources/requestStorageAccess-iframe.html?testCase=cross-origin-frame');
+
+  // Validate the nested-iframe scenario where the same-origin frame
+  // containing the tests is not the first child.
+  const nestedSameOriginFramePromise = RunTestsInNestedIFrame(
+      'resources/requestStorageAccess-iframe.html?testCase=nested-same-origin-frame');
+
+  // Validate the nested-iframe scenario where the cross-origin frame
+  // containing the tests is not the first child.
+  const nestedCrossOriginFramePromise = RunTestsInNestedIFrame(
+      'http://{{domains[www]}}:{{ports[http][0]}}/storage-access-api/resources/requestStorageAccess-iframe.html?testCase=nested-cross-origin-frame');
+
+  // Because the iframe tests expect no user activation, and because they
+  // load asynchronously, we want to first run those tests before simulating
+  // clicks on the page.
+  Promise
+      .all([
+        sameOriginFramePromise,
+        crossOriginFramePromise,
+        nestedSameOriginFramePromise,
+        nestedCrossOriginFramePromise,
+      ])
+      .then(() => {
+        promise_test(
+            async t => {
+              await RunCallbackWithGesture(() => {
+                return promise_rejects_dom(t, "NotAllowedError", document.requestStorageAccess(),
+                "should reject in insecure context");
+              });
+            },
+            '[' + testPrefix +
+                '] document.requestStorageAccess() should be rejected when called with a user gesture in insecure context');
+      });
+}
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-cross-origin-iframe.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-cross-origin-iframe.sub.https.window.js
new file mode 100644
index 0000000000..eeac9c2a40
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-cross-origin-iframe.sub.https.window.js
@@ -0,0 +1,10 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // Validate the nested-iframe scenario where the cross-origin frame
+  // containing the tests is not the first child.
+  RunTestsInNestedIFrame('https://{{domains[www]}}:{{ports[https][0]}}/storage-access-api/resources/requestStorageAccess-iframe.https.html?testCase=nested-cross-origin-frame');
+})();
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-cross-site-iframe.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-cross-site-iframe.sub.https.window.js
new file mode 100644
index 0000000000..59442d97c9
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-cross-site-iframe.sub.https.window.js
@@ -0,0 +1,10 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // Validate the nested-iframe scenario where the cross-site frame
+  // containing the tests is not the first child.
+  RunTestsInNestedIFrame('https://{{hosts[alt][www]}}:{{ports[https][0]}}/storage-access-api/resources/requestStorageAccess-iframe.https.html?testCase=nested-cross-site-frame');
+})();
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-same-origin-iframe.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-same-origin-iframe.sub.https.window.js
new file mode 100644
index 0000000000..24d82c487f
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-nested-same-origin-iframe.sub.https.window.js
@@ -0,0 +1,8 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+// Validate the nested-iframe scenario where the same-origin frame
+// containing the tests is not the first child.
+RunTestsInNestedIFrame('resources/requestStorageAccess-iframe.https.html?testCase=nested-same-origin-frame');
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-non-fully-active.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-non-fully-active.sub.https.window.js
new file mode 100644
index 0000000000..18f451975a
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-non-fully-active.sub.https.window.js
@@ -0,0 +1,18 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+promise_test(t => {
+  const promise = CreateDetachedFrame().requestStorageAccess();
+  const description = "document.requestStorageAccess() call in a detached frame";
+  // Can't use `promise_rejects_dom` here, since the error comes from the wrong global.
+  return promise.then(t.unreached_func("Should have rejected: " + description), (e) => {
+    assert_equals(e.name, 'InvalidStateError', description);
+  });
+}, "[non-fully-active] document.requestStorageAccess() should not resolve when run in a detached frame");
+
+promise_test(t => {
+  return promise_rejects_dom(t, 'InvalidStateError', CreateDocumentViaDOMParser().requestStorageAccess(),
+   "document.requestStorageAccess() in a detached DOMParser result");
+}, "[non-fully-active] document.requestStorageAccess() should not resolve when run in a detached DOMParser document");
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess-same-site-iframe.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess-same-site-iframe.sub.https.window.js
new file mode 100644
index 0000000000..f646444e67
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess-same-site-iframe.sub.https.window.js
@@ -0,0 +1,8 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+// Create a test with a single-child cross-origin same-site iframe.
+RunTestsInIFrame(
+    'https://{{domains[www]}}:{{ports[https][0]}}/storage-access-api/resources/requestStorageAccess-iframe.https.html?testCase=same-site-frame');
diff --git a/testing/web-platform/tests/storage-access-api/requestStorageAccess.sub.https.window.js b/testing/web-platform/tests/storage-access-api/requestStorageAccess.sub.https.window.js
new file mode 100644
index 0000000000..e1a8b93450
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/requestStorageAccess.sub.https.window.js
@@ -0,0 +1,115 @@
+// META: script=helpers.js
+// META: script=/cookies/resources/cookie-helper.sub.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+// Document-level test config flags:
+//
+// testPrefix: Prefix each test case with an indicator so we know what context
+// they are run in if they are used in multiple iframes.
+//
+// topLevelDocument: Keep track of if we run these tests in a nested context, we
+// don't want to recurse forever.
+const {testPrefix, topLevelDocument} = processQueryParams();
+
+if (!topLevelDocument) {
+  // WPT synthesizes a top-level HTML test for this JS file, and in that case we
+  // don't want to, or need to, call set_test_context.
+  test_driver.set_test_context(window.top);
+}
+
+// Common tests to run in all frames.
+promise_test(async () => {
+  assert_not_equals(document.requestStorageAccess, undefined);
+}, "[" + testPrefix + "] document.requestStorageAccess() should exist on the document interface");
+
+// Most tests need to start with the feature in "prompt" state.
+async function CommonSetup() {
+  await test_driver.set_permission({ name: 'storage-access' }, 'prompt');
+}
+
+promise_test(
+    async t => {
+      await CommonSetup();
+      if (topLevelDocument || !testPrefix.includes('cross-site') ||
+          testPrefix.includes('ABA')) {
+        await document.requestStorageAccess().catch(t.unreached_func(
+            'document.requestStorageAccess() call should resolve in top-level frame or same-site iframe.'));
+
+        assert_true(await CanAccessCookiesViaHTTP(), 'After obtaining storage access, subresource requests from the frame should send and set cookies.');
+        assert_true(CanAccessCookiesViaJS(), 'After obtaining storage access, scripts in the frame should be able to access cookies.');
+      } else {
+        return promise_rejects_dom(
+            t, "NotAllowedError", document.requestStorageAccess(),
+            "document.requestStorageAccess() call without user gesture.");
+      }
+    },
+    '[' + testPrefix +
+        '] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.');
+
+promise_test(
+    async (t) => {
+      await CommonSetup();
+      await MaybeSetStorageAccess("*", "*", "blocked");
+      await test_driver.set_permission({name: 'storage-access'}, 'granted');
+      t.add_cleanup(async () => {
+        await test_driver.delete_all_cookies();
+      });
+
+      await document.requestStorageAccess();
+
+      assert_true(await CanAccessCookiesViaHTTP(), 'After obtaining storage access, subresource requests from the frame should send and set cookies.');
+      assert_true(CanAccessCookiesViaJS(), 'After obtaining storage access, scripts in the frame should be able to access cookies.');
+    },
+    '[' + testPrefix +
+        '] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and ' +
+        'should allow cookie access');
+
+if (testPrefix.includes('cross-site')) {
+  promise_test(
+      async t => {
+        await CommonSetup();
+        await RunCallbackWithGesture(() => {
+          return promise_rejects_dom(t, "NotAllowedError", document.requestStorageAccess(),
+            "document.requestStorageAccess() call without permission");
+        });
+      },
+      '[' + testPrefix +
+          '] document.requestStorageAccess() should be rejected with a NotAllowedError without permission grant');
+
+  promise_test(
+      async t => {
+        await test_driver.set_permission(
+            {name: 'storage-access'}, 'denied');
+
+        await RunCallbackWithGesture(() => {
+          return promise_rejects_dom(t, "NotAllowedError", document.requestStorageAccess(),
+            "document.requestStorageAccess() call without permission");
+        });
+      },
+      '[' + testPrefix +
+          '] document.requestStorageAccess() should be rejected with a NotAllowedError with denied permission');
+} else {
+  promise_test(
+      async () => {
+        await CommonSetup();
+        await document.requestStorageAccess();
+
+        assert_true(await CanAccessCookiesViaHTTP(), 'After obtaining storage access, subresource requests from the frame should send and set cookies.');
+        assert_true(CanAccessCookiesViaJS(), 'After obtaining storage access, scripts in the frame should be able to access cookies.');
+      },
+      `[${testPrefix}] document.requestStorageAccess() should resolve without permission grant or user gesture`);
+
+  promise_test(
+      async () => {
+        await test_driver.set_permission(
+            {name: 'storage-access'}, 'denied');
+
+        await document.requestStorageAccess();
+
+        assert_true(await CanAccessCookiesViaHTTP(), 'After obtaining storage access, subresource requests from the frame should send and set cookies.');
+        assert_true(CanAccessCookiesViaJS(), 'After obtaining storage access, scripts in the frame should be able to access cookies.');
+      },
+      `[${testPrefix}] document.requestStorageAccess() should resolve with denied permission`);
+}
diff --git a/testing/web-platform/tests/storage-access-api/resources/echo-cookie-header.py b/testing/web-platform/tests/storage-access-api/resources/echo-cookie-header.py
new file mode 100644
index 0000000000..f1599e3a89
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/echo-cookie-header.py
@@ -0,0 +1,12 @@
+def main(request, response):
+  # Set the cors enabled headers.
+  origin = request.headers.get(b"Origin")
+  headers = []
+  if origin is not None and origin != b"null":
+      headers.append((b"Content-Type", b"text/plain"))
+      headers.append((b"Access-Control-Allow-Origin", origin))
+      headers.append((b"Access-Control-Allow-Credentials", 'true'))
+
+  cookie_header = request.headers.get(b"Cookie", b"")
+
+  return (200, headers, cookie_header)
diff --git a/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js b/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
new file mode 100644
index 0000000000..634079289b
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/embedded_responder.js
@@ -0,0 +1,56 @@
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+"use strict";
+
+test_driver.set_test_context(window.top);
+
+window.addEventListener("message", async (event) => {
+  function reply(data) {
+    event.source.postMessage(
+        {timestamp: event.data.timestamp, data}, event.origin);
+  }
+
+  switch (event.data["command"]) {
+    case "hasStorageAccess":
+      reply(await document.hasStorageAccess());
+      break;
+    case "requestStorageAccess": {
+      const obtainedAccess = await document.requestStorageAccess()
+        .then(() => true, () => false);
+      reply(obtainedAccess);
+    }
+      break;
+    case "write document.cookie":
+      document.cookie = event.data.cookie;
+      reply(undefined);
+      break;
+    case "document.cookie":
+      reply(document.cookie);
+      break;
+    case "set_permission":
+      await test_driver.set_permission(...event.data.args);
+      reply(undefined);
+      break;
+    case "observe_permission_change":
+      const status = await navigator.permissions.query({name: "storage-access"});
+      status.addEventListener("change", (event) => {
+        reply(event.target.state)
+      }, { once: true });
+      break;
+    case "reload":
+      window.location.reload();
+      break;
+    case "navigate":
+      window.location.href = event.data.url;
+      break;
+    case "httpCookies":
+      // The `httpCookies` variable is defined/set by
+      // script-with-cookie-header.py.
+      reply(httpCookies);
+      break;
+    case "cors fetch":
+      reply(await fetch(event.data.url, {mode: 'cors', credentials: 'include'}).then((resp) => resp.text()));
+      break;
+    default:
+  }
+});
diff --git a/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-ABA-iframe.https.html b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-ABA-iframe.https.html
new file mode 100644
index 0000000000..c9f23f02ac
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-ABA-iframe.https.html
@@ -0,0 +1,7 @@
+<!doctype html>
+<meta charset=utf-8>
+
+<script src="/resources/testharness.js"></script>
+<script src="/storage-access-api/helpers.js"></script>
+<body>
+<script src="/storage-access-api/resources/hasStorageAccess-ABA-iframe.sub.https.window.js"></script>
\ No newline at end of file
diff --git a/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-ABA-iframe.sub.https.window.js b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-ABA-iframe.sub.https.window.js
new file mode 100644
index 0000000000..126ae00201
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-ABA-iframe.sub.https.window.js
@@ -0,0 +1,9 @@
+// META: script=../helpers.js
+'use strict';
+
+// This expects to be run in an iframe that is cross-site to the top-level frame.
+(async function() {
+  // Create a test with a single-child iframe that is same-site to the top-level frame but cross-site to the iframe
+  // that is being created here, for the purpose of testing hasStorageAccess in an A(B(A)) frame tree setting.
+  RunTestsInIFrame("https://{{host}}:{{ports[https][0]}}/storage-access-api/resources/hasStorageAccess-iframe.https.html?testCase=ABA");
+})();
diff --git a/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-iframe.html b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-iframe.html
new file mode 100644
index 0000000000..d57c3961e5
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-iframe.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+
+<script src="/resources/testharness.js"></script>
+<!-- no testharnessreport.js -->
+<script src="../helpers.js"></script>
+<div id=log></div>
+<script src="/storage-access-api/hasStorageAccess-insecure.sub.window.js"></script>
diff --git a/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-iframe.https.html b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-iframe.https.html
new file mode 100644
index 0000000000..95169503c2
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/hasStorageAccess-iframe.https.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+
+<script src="/resources/testharness.js"></script>
+<!-- no testharnessreport.js -->
+<script src="../helpers.js"></script>
+<div id=log></div>
+<script src="/storage-access-api/hasStorageAccess.sub.https.window.js"></script>
diff --git a/testing/web-platform/tests/storage-access-api/resources/permissions-iframe.https.html b/testing/web-platform/tests/storage-access-api/resources/permissions-iframe.https.html
new file mode 100644
index 0000000000..b83a05c3f1
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/permissions-iframe.https.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<meta charset=utf-8>
+
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<!-- no testharnessreport.js -->
+<script src="../helpers.js"></script>
+<div id=log></div>
+<script src="/storage-access-api/storage-access-permission.sub.https.window.js"></script>
diff --git a/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-ABA-iframe.https.html b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-ABA-iframe.https.html
new file mode 100644
index 0000000000..7452ff89a0
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-ABA-iframe.https.html
@@ -0,0 +1,7 @@
+<!doctype html>
+<meta charset=utf-8>
+
+<script src="/resources/testharness.js"></script>
+<script src="/storage-access-api/helpers.js"></script>
+<body>
+<script src="/storage-access-api/resources/requestStorageAccess-ABA-iframe.sub.https.window.js"></script>
\ No newline at end of file
diff --git a/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-ABA-iframe.sub.https.window.js b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-ABA-iframe.sub.https.window.js
new file mode 100644
index 0000000000..8bfef8022a
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-ABA-iframe.sub.https.window.js
@@ -0,0 +1,12 @@
+// META: script=../helpers.js
+'use strict';
+
+// This expects to be run in an iframe that is cross-site to the top-level
+// frame.
+(async function() {
+  // Create a test with a single-child iframe that is same-site to the top-level
+  // frame but cross-site to the iframe that is being created here, for the
+  // purpose of testing requestStorageAccess in an A(B(A)) frame tree setting.
+  RunTestsInIFrame(
+      'https://{{domains[www]}}:{{ports[https][0]}}/storage-access-api/resources/requestStorageAccess-iframe.https.html?testCase=ABA');
+})();
diff --git a/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-iframe.html b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-iframe.html
new file mode 100644
index 0000000000..8b47786e17
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-iframe.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<meta charset=utf-8>
+
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<!-- no testharnessreport.js -->
+<script src="../helpers.js"></script>
+<div id=log></div>
+<script src="/storage-access-api/requestStorageAccess-insecure.sub.window.js"></script>
diff --git a/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-iframe.https.html b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-iframe.https.html
new file mode 100644
index 0000000000..828af799e6
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/requestStorageAccess-iframe.https.html
@@ -0,0 +1,11 @@
+<!doctype html>
+<meta charset=utf-8>
+
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<!-- no testharnessreport.js -->
+<script src="../helpers.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<div id=log></div>
+<script src="/storage-access-api/requestStorageAccess.sub.https.window.js"></script>
diff --git a/testing/web-platform/tests/storage-access-api/resources/script-with-cookie-header.py b/testing/web-platform/tests/storage-access-api/resources/script-with-cookie-header.py
new file mode 100644
index 0000000000..83129a5559
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/resources/script-with-cookie-header.py
@@ -0,0 +1,19 @@
+def main(request, response):
+  script = request.GET.first(b"script")
+  cookie_header = request.headers.get(b"Cookie", b"")
+
+  body = b"""
+  <!DOCTYPE html>
+  <meta charset="utf-8">
+  <title>Subframe with HTTP Cookies</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testdriver.js"></script>
+  <script src="/resources/testdriver-vendor.js"></script>
+  <script>
+    var httpCookies = "%s";
+  </script>
+
+  <script src="%s"></script>
+  """ % (cookie_header, script)
+
+  return (200, [], body)
diff --git a/testing/web-platform/tests/storage-access-api/sandboxAttribute.window.js b/testing/web-platform/tests/storage-access-api/sandboxAttribute.window.js
new file mode 100644
index 0000000000..de79cd07a9
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/sandboxAttribute.window.js
@@ -0,0 +1,7 @@
+'use strict';
+
+test(() => {
+  let iframe = document.createElement('iframe');
+  assert_true(iframe.sandbox.supports('allow-storage-access-by-user-activation'), '`allow-storage-access-by-user-activation`' +
+    'sandbox attribute should be supported');
+}, "`allow-storage-access-by-user-activation` sandbox attribute is supported");
diff --git a/testing/web-platform/tests/storage-access-api/storage-access-permission.sub.https.window.js b/testing/web-platform/tests/storage-access-api/storage-access-permission.sub.https.window.js
new file mode 100644
index 0000000000..f0aadf4828
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/storage-access-permission.sub.https.window.js
@@ -0,0 +1,108 @@
+// META: script=helpers.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // These are cross-domain from the current document.
+  const wwwAlt = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+  const www1Alt = "https://{{hosts[alt][www1]}}:{{ports[https][0]}}";
+  const responder_html = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
+
+  if (window === window.top) {
+    // Test the interaction between two (same-origin) iframes.
+    promise_test(async (t) => {
+      const [frame1, frame2] = await Promise.all([
+        CreateFrame(wwwAlt + responder_html),
+        CreateFrame(wwwAlt + responder_html),
+      ]);
+
+      t.add_cleanup(async () => {
+        await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'prompt']);
+      });
+
+      const observed = ObservePermissionChange(frame2);
+      await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'granted']);
+
+      const state = await observed;
+      assert_equals(state, "granted");
+    }, "Permissions grants are observable across same-origin iframes");
+
+    // Test the interaction between two cross-origin but same-site iframes.
+    promise_test(async (t) => {
+      const [frame1, frame2] = await Promise.all([
+        CreateFrame(wwwAlt + responder_html),
+        CreateFrame(www1Alt + responder_html),
+      ]);
+
+      t.add_cleanup(async () => {
+        await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'prompt']);
+      });
+
+      const observed = ObservePermissionChange(frame2);
+      await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'granted']);
+
+      const state = await observed;
+      assert_equals(state, "granted");
+    }, "Permissions grants are observable across same-site iframes");
+
+    promise_test(async (t) => {
+      // Finally run the simple tests below in a separate cross-origin iframe.
+      await RunTestsInIFrame('https://{{domains[www]}}:{{ports[https][0]}}/storage-access-api/resources/permissions-iframe.https.html');
+    }, "IFrame tests");
+    return;
+  }
+
+  // We're in a cross-origin, same-site iframe test now.
+  test_driver.set_test_context(window.top);
+
+  promise_test(async t => {
+    const permission = await navigator.permissions.query({name: "storage-access"});
+    assert_equals(permission.name, "storage-access");
+    assert_equals(permission.state, "prompt");
+  }, "Permission default state can be queried");
+
+  promise_test(async t => {
+    t.add_cleanup(async () => {
+      await test_driver.set_permission({ name: 'storage-access' }, 'prompt');
+    });
+    await test_driver.set_permission({ name: 'storage-access' }, 'granted');
+
+    const permission = await navigator.permissions.query({name: "storage-access"});
+    assert_equals(permission.name, "storage-access");
+    assert_equals(permission.state, "granted");
+  }, "Permission granted state can be queried");
+
+  promise_test(async t => {
+    t.add_cleanup(async () => {
+      await test_driver.set_permission({ name: 'storage-access' }, 'prompt');
+    });
+    await test_driver.set_permission({ name: 'storage-access' }, 'denied');
+
+    const permission = await navigator.permissions.query({name: "storage-access"});
+    assert_equals(permission.name, "storage-access");
+    assert_equals(permission.state, "prompt");
+
+    await test_driver.set_permission({ name: 'storage-access' }, 'prompt');
+  }, "Permission denied state is hidden");
+
+  promise_test(async t => {
+    t.add_cleanup(async () => {
+      await test_driver.set_permission({ name: 'storage-access' }, 'prompt');
+    });
+
+    const permission = await navigator.permissions.query({name: "storage-access"});
+
+    const p = new Promise(resolve => {
+      permission.addEventListener("change", (event) => resolve(event), { once: true });
+    });
+
+    await test_driver.set_permission({ name: 'storage-access' }, 'granted');
+    await document.requestStorageAccess();
+
+    const event = await p;
+
+    assert_equals(event.target.name, "storage-access");
+    assert_equals(event.target.state, "granted");
+  }, "Permission state can be observed");
+})();
diff --git a/testing/web-platform/tests/storage-access-api/storageAccess.testdriver.sub.html b/testing/web-platform/tests/storage-access-api/storageAccess.testdriver.sub.html
new file mode 100644
index 0000000000..cc945dd182
--- /dev/null
+++ b/testing/web-platform/tests/storage-access-api/storageAccess.testdriver.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<head>
+  <title>TestDriver - Set Storage Access Command Tests</title>
+  <script src="/cookies/resources/cookie-helper.sub.js"></script>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/resources/testdriver.js"></script>
+  <script src="/resources/testdriver-vendor.js"></script>
+  <script src="helpers.js"></script>
+</head>
+<body>
+  <script>
+    "use strict";
+
+    // Use a different domain so that the cookie is cross-site.
+    const wwwAlt = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+
+    promise_test(async t => {
+      await MaybeSetStorageAccess("*", "*", "blocked");
+      t.add_cleanup(async () => {
+        await test_driver.delete_all_cookies();
+        await MaybeSetStorageAccess("*", "*", "allowed");
+      });
+
+      const responder_html = `${wwwAlt}/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js`;
+      const frame = await CreateFrame(responder_html);
+
+      assert_false(await CanFrameWriteCookies(frame), "Cross-site iframe should not be allowed to write cookies via document.cookie.");
+    });
+  </script>
+</body>