Bug 1646359 [wpt PR 24194] - Origin isolation: implement window.origi…

…nIsolationRestricted, a=testonly

Automatic update from web-platform-tests
Origin isolation: implement window.originIsolationRestricted

See WICG/origin-agent-cluster#24 and
WICG/origin-agent-cluster#30 for background,
and whatwg/html#5545 for the specification.

Failing test expectations include:

- We implement (3) from
  WICG/origin-agent-cluster#24
  instead of (2) for now, so we fail getter-sandboxed-iframe. Tracking
  at https://crbug.com/1095653.
- The initial about:blank, as well as removed iframes, are not properly
  returning true, so about-blank and removing-iframes are failing. Also
  tracking at https://crbug.com/1095653.
- data: URLs are not [SecureContext] in Chromium
  (https://crbug.com/1095656) so getter-data-url fails.

Note that per ongoing discussion in
WICG/origin-agent-cluster#31 the naming of this
API, as well as its edge-case behavior (e.g. for sandboxed iframes) will
likely change.

Bug: 1042415
Change-Id: I20c2d3e3fec7a5c0f1d12c386999c32fe27b6a34
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2243994
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: James MacLean <wjmaclean@chromium.org>
Commit-Queue: Domenic Denicola <domenic@chromium.org>
Cr-Commit-Position: refs/heads/master@{#782672}

--

wpt-commits: 9e23aa452a1261c637ce32cbb8bee450e7006f8d
wpt-pr: 24194

testing/web-platform/tests/origin-isolation/about-blank.https.sub.html

@@ -11,7 +11,8 @@
   insertIframe,
   setBothDocumentDomains,
   testSameAgentCluster,
-  testDifferentAgentClusters
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -25,6 +26,10 @@
 testDifferentAgentClusters([0, 1], "about:blank to child2");
 testDifferentAgentClusters([1, 0], "child2 to about:blank");
 
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "about:blank");
+testOriginIsolationRestricted(1, false, "child2");
+
 async function insertAboutBlankIframe() {
   const iframe = document.createElement("iframe");
   document.body.append(iframe);

testing/web-platform/tests/origin-isolation/getter-data-url.https.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.originIsolationRestricted for a data: URL</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import {
+  waitForIframe,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
+
+promise_setup(() => {
+  const iframe = document.createElement("iframe");
+
+  // This copies parts of resources/send-origin-isolation-header.py that allow
+  // us to reuse testOriginIsolationRestricted.
+  iframe.src = `data:text/html,<script>
+    window.onmessage = () => {
+      parent.postMessage(self.originIsolationRestricted, "*");
+    };
+    </` + `script>
+  `;
+
+  const waitPromise = waitForIframe(iframe);
+  document.body.append(iframe);
+  return waitPromise;
+});
+
+// The data: URL iframe has an opaque origin, so it definitely should return
+// false. It's pretty unlikely that it would return true anyway, since we can't
+// set the header on the iframe, but we should test it to make sure there isn't
+// some strange main page -> data: URL iframe inheritance going on.
+
+testOriginIsolationRestricted(0, false);
+</script>

testing/web-platform/tests/origin-isolation/getter-data-url.https.html.headers

@@ -0,0 +1 @@
+Origin-Isolation: ?1

testing/web-platform/tests/origin-isolation/getter-removed-iframe.sub.https.html

@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.crossOriginIsolated for a removed frame</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import { navigateIframe } from "./resources/helpers.mjs";
+
+promise_test(async () => {
+  // We cannot use insertIframe because it sets both `document.domain`s. That
+  // shouldn't matter, but Chrome has a bug (https://crbug.com/1095145), so
+  // let's avoid making the test needlessly fail because of that bug.
+  const iframe = document.createElement("iframe");
+  const navigatePromise = navigateIframe(iframe, "{{hosts[][]}}", "?1");
+  document.body.append(iframe);
+  await navigatePromise;
+
+  const frameWindow = iframe.contentWindow;
+
+  assert_equals(frameWindow.originIsolationRestricted, true, "before");
+  iframe.remove();
+  assert_equals(frameWindow.originIsolationRestricted, true, "after");
+}, "Removing the iframe does not change originIsolationRestricted");
+</script>

testing/web-platform/tests/origin-isolation/getter-removed-iframe.sub.https.html.headers

@@ -0,0 +1 @@
+Origin-Isolation: ?1

testing/web-platform/tests/origin-isolation/getter-sandboxed-iframe.sub.https.html

@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.originIsolationRestricted for a sandboxed frame</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import {
+  navigateIframe,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
+
+// We do this manually instead of using insertIframe because we want to add a
+// sandbox="" attribute and we don't want to set both document.domains.
+promise_setup(() => {
+  const iframe = document.createElement("iframe");
+  iframe.sandbox = "allow-scripts";
+  const navigatePromise = navigateIframe(iframe, "{{hosts[][]}}", "?1");
+  document.body.append(iframe);
+  return navigatePromise;
+});
+
+// Because sandboxed iframes have an opaque origin, their agent cluster key is
+// always an origin, so there are no additional restrictions imposed by origin
+// isolation. Thus the getter returns false.
+
+testOriginIsolationRestricted(0, false);
+</script>

testing/web-platform/tests/origin-isolation/getter-sandboxed-iframe.sub.https.html.headers

@@ -0,0 +1 @@
+Origin-Isolation: ?1

testing/web-platform/tests/origin-isolation/insecure-http.sub.html

@@ -16,4 +16,9 @@
 // All isolation requests are ignored, since this is over insecure HTTP.
 // So both end up in the site-keyed agent cluster.
 testSameAgentCluster([self, 0]);
+
+// Has to be promise_test because we used promise_setup().
+promise_test(async () => {
+  assert_false("originIsolationRestricted" in window);
+}, "The getter must not exist");
 </script>

testing/web-platform/tests/origin-isolation/parent-no-child-bad-subdomain.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 let frameIndex = 0;
 for (const badValue of ["", "?0", "true", "\"?1\"", "1", "?2", "(?1)"]) {
@@ -17,6 +21,7 @@
 
   // Since the header values are bad there should be no isolation
   testSameAgentCluster([self, frameIndex], `"${badValue}"`);
+  testOriginIsolationRestricted(frameIndex, false, `"${badValue}"`);
   ++frameIndex;
 }
 </script>

testing/web-platform/tests/origin-isolation/parent-no-child-yes-same.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}", "?1");
@@ -16,4 +20,6 @@
 // Since they're same-origin, and the parent loaded without isolation, the
 // child's request for isolation gets ignored, and both end up site-keyed.
 testSameAgentCluster([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child");
 </script>

testing/web-platform/tests/origin-isolation/parent-no-child-yes-subdomain.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1");
@@ -17,4 +21,6 @@
 // so the parent ends up in the site-keyed agent cluster and the child in the
 // origin-keyed one.
 testDifferentAgentClusters([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>

testing/web-platform/tests/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1;param1;param2=value2");
@@ -17,4 +21,6 @@
 // so the parent ends up in the site-keyed agent cluster and the child in the
 // origin-keyed one.
 testDifferentAgentClusters([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>

testing/web-platform/tests/origin-isolation/parent-no-child1-no-child2-yes-children-different.sub.https.html

@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testDifferentAgentClusters([0, 1], "child1 to child2");
 testDifferentAgentClusters([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>

testing/web-platform/tests/origin-isolation/parent-no-child1-no-child2-yes-children-same.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   // Must be sequential, not parallel: the non-isolated frame must load first.
@@ -25,4 +29,8 @@
 testSameAgentCluster([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>

testing/web-platform/tests/origin-isolation/parent-no-child1-yes-child2-no-children-same.sub.https.html

@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>

testing/web-platform/tests/origin-isolation/parent-yes-child-no-same.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}");
@@ -16,4 +20,7 @@
 // Since they're same-origin, and the parent loaded with isolation, the
 // child's non-request for isolation gets ignored, and both end up origin-keyed.
 testSameAgentCluster([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>

testing/web-platform/tests/origin-isolation/parent-yes-child-no-subdomain.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}");
@@ -17,4 +21,7 @@
 // as is the child's non-request. So the parent ends up in the origin-keyed
 // agent cluster and the child ends up in the site-keyed one.
 testDifferentAgentClusters([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child");
 </script>

testing/web-platform/tests/origin-isolation/parent-yes-child-yes-same.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}", "?1");
@@ -16,4 +20,7 @@
 // Both request isolation, and they're same-origin, so they both end up in the
 // same origin-keyed agent cluster.
 testSameAgentCluster([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>

testing/web-platform/tests/origin-isolation/parent-yes-child-yes-subdomain.sub.https.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1");
@@ -17,4 +21,7 @@
 // cluster (the base domain's origin), and the child ends up in a different
 // origin-keyed agent cluster (the www subdomain's origin).
 testDifferentAgentClusters([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>

testing/web-platform/tests/origin-isolation/parent-yes-child1-no-child2-no-children-different.sub.https.html

@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>

testing/web-platform/tests/origin-isolation/parent-yes-child1-no-child2-no-children-same.sub.https.html

@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>