COOP: add redirect WPT tests

This CL adds a WPT test that checks the interaction of COOP same-origin-allow-popups with redirects as specified in whatwg/html#5739. This follows up on Clamy@ work in https://crrev.com/2312796. Change-Id: I4afede7221c2edeec675035339064c4a9ae7fb80
web-platform-tests · Aug 3, 2020 · 5e5646e · 5e5646e
1 parent e35de4d
commit 5e5646e
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 0 deletions.
diff --git a/...eporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/...eporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
@@ -0,0 +1,86 @@
+<title>
+  COOP reports are to the opener when the opener used COOP-RO+COEP and then its
+  cross-origin openee tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/dispatcher.js"></script>
+<script src="../resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy/reporting";
+const executor_path = directory + "/resources/executor.html?pipe=";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)';
+
+promise_test(async t => {
+  // The test window.
+  const this_window_token = token();
+
+  // The "opener" window. This has COOP same-origin-allow-popups and a reporter.
+  const opener_report_token= token();
+  const opener_token = token();
+  const opener_reportTo = reportToHeaders(opener_report_token);
+  const opener_url = same_origin + executor_path + opener_reportTo.header +
+    opener_reportTo.coopSameOriginAllowPopupsHeader +
+    `&uuid=${opener_token}`;
+
+  // The "openee" window.
+  // The initial URL is cross-origin with the opener, and redirects to a
+  // same-origin page with same-origin-allow-popups.
+  // The navigation to the cross-origin page does not cause a swap, due to the
+  // same-origin-allow-popups policy, but the redirect to the final page does
+  // since it compares the cross-origin/unsafe-none document with the
+  // same-origin/same-origin-allow-popups document.
+  const openee_token = token();
+  const openee_redirect_url = same_origin + executor_path +
+    opener_reportTo.header + opener_reportTo.coopSameOriginAllowPopupsHeader +
+    `&uuid=${openee_token}`;
+  const redirect_header = 'status(302)' +
+    `|header(Location,${encodeURIComponent(
+      openee_redirect_url
+        .replace(/,/g, "\\,")
+        .replace(/\\\\,/g, "\\\\\\,")
+        .replace(/\(/g, "%28")
+        .replace(/\)/g, "%29"))})`;
+  const openee_url = cross_origin + executor_path + redirect_header +
+    `&uuid=${openee_token}`;
+  // 1. Create the opener window.
+  let opener_window_proxy = window.open(opener_url);
+  t.add_cleanup(() => send(opener_token, "window.close()"));
+
+  // 2. The opener opens its openee.
+  send(opener_token, `
+    openee = window.open("${openee_url}");
+    send("${this_window_token}", "ACK 1");
+  `);
+  assert_equals(await receive(this_window_token), "ACK 1");
+  t.add_cleanup(() => send(openee_token, "window.close()"));
+
+  // 3. Check the opener status on the openee.
+  send(openee_token, `
+    send("${this_window_token}", opener !== null);
+  `);
+  assert_equals(await receive(this_window_token), "false", "opener");
+
+  // 4. Check the openee status on the opener.
+  send(opener_token, `
+    send("${this_window_token}", openee.closed);
+  `);
+  assert_equals(await receive(this_window_token), "true", "openee.closed");
+
+  // 5. Check a report sent to the openee.
+  let report = await receiveReport(opener_report_token, "navigation-to-document")
+  assert_not_equals(report, "timeout", "Report not received");
+  assert_equals(report.type, "coop");
+  assert_equals(report.url, openee_redirect_url.replace(/"/g, '%22'));
+  assert_equals(report.body["disposition"], "enforce");
+  assert_equals(report.body["effective-policy"], "same-origin-allow-popups");
+  assert_equals(report.body["document-uri"], openee_url);
+}, "Cross-origin openee redirected to same-origin with same-origin-allow-popups");
+
+</script>
diff --git a/html/cross-origin-opener-policy/reporting/resources/dispatcher.js b/html/cross-origin-opener-policy/reporting/resources/dispatcher.js
@@ -64,6 +64,8 @@ const reportToHeaders = function(uuid) {
   return {
     header: `|header(report-to,${reportToJSON})`,
     coopSameOriginHeader: `|header(Cross-Origin-Opener-Policy,same-origin%3Breport-to="${uuid}")`,
+    coopSameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy,same-origin-allow-popups%3Breport-to="${uuid}")`,
     coopReportOnlySameOriginHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin%3Breport-to="${uuid}")`,
+    coopReportOnlySameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin-allow-popups%3Breport-to="${uuid}")`,
   };
 };