COOP, COEP and CORP headers for browser tests harness #10549

Conversation

abujalski
Contributor

In #10077 COOP, COEP and CORP headers were added to emrun.py to take
into account upcoming restrictions on Content Policy for Firefox 72.

This change adds similar headers to browser tests harness.

Note that it is necessary to set the following flags for Firefox:
browser.tabs.remote.useCORP
browser.tabs.remote.useCrossOriginOpenerPolicy
browser.tabs.remote.useCrossOriginEmbedderPolicy
dom.postMessage.sharedArrayBuffer.withCOOP_COEP

@kripken
Member

kripken commented Feb 24, 2020

Thanks!

On Firefox Dev, is dom.postMessage.sharedArrayBuffer.bypassCOOP_COEP.insecure.enabled still enough? That's what we use on our CI here.

Are those 4 flags needed in release Firefox? I haven't followed the status there closely - is this only a temporary situation?

@VirtualTim
Collaborator

This is my understanding:
No flags need to be set in Firefox 73 onwards.
To use a SharedArrayBuffer with a webworker:

  • The entire page must be https (no mixed content).
    I also couldn't get it to work with a self signed cert.
  • CORS headers must be set (personally I couldn't get it working with '*').
  • The top level document must have the headers 'Cross-Origin-Opener-Policy', 'Cross-Origin-Embedder-Policy', and 'Cross-Origin-Resource-Policy', and they must be set to the values used in this PR.

These restrictions can be bypassed in Firefox Nightly/Dev by setting the flag dom.postMessage.sharedArrayBuffer.bypassCOOP_COEP.insecure.enabled, however this is only ever going to be in Nightly/Dev.
Chrome is planning on implementing similar security policies (see: COOP, COEP, CORP).

The whole thing is kind of a pain in the arse. If we just want to run tests against Firefox Nightly/Dev we can use dom.postMessage.sharedArrayBuffer.bypassCOOP_COEP.insecure.enabled, but if we want to test release line Firefox we need those headers, plus https, which means sorting out certificates. The python server we use does support https, we would just need a non-self signed cert.

My testing was last done a month ago, so things may be slightly less painful now.

@abujalski
Contributor Author

@VirtualTim Regarding https, it is not required for localhost. According to https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts:

"Locally delivered files such as http://localhost and file:// paths are considered to have been delivered securely."

In my understanding, if we stick to localhost then we won't need https://.

I checked this while working on #10524, and on 74.0b6 it was enough:

  • to set the 4 mentioned options in FF
  • to send the added headers from the http server
    to allow sending SharedArrayBuffers in postMessages when the page was loaded as http://localhost.

Personally I didn't know (and hadn't checked that in the scripts) that CI runs FF with dom.postMessage.sharedArrayBuffer.bypassCOOP_COEP.insecure.enabled :(
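The two comments above describe the same procedure: a local http://localhost server has to send the COOP, COEP and CORP headers on every response before Firefox will let the page post SharedArrayBuffers. The following is an added example, not code from this PR or from emscripten's browser test harness, showing a minimal Python static server that stamps those headers, next to the plain handler that omits them, and a check that a fetched response actually carries them. The PR's diff is not shown on this page, so the header values used here (COOP `same-origin`, COEP `require-corp`, CORP `same-origin`) are the spec-defined cross-origin-isolation values and are an assumption; the function and class names are also invented for the example.

```python
import os
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Spec-defined values that put a same-origin page into a cross-origin isolated
# state. Assumed here; the PR's exact values are not visible on this page.
CROSS_ORIGIN_ISOLATION_HEADERS = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed page: the browser-side check is `self.crossOriginIsolated`,
# which is true only when COOP and COEP were honoured on the top-level document.
INDEX_HTML = """<!doctype html><title>isolation check</title>
<script>
  document.title = self.crossOriginIsolated ? "isolated" : "NOT isolated";
  // Only in the isolated state may SharedArrayBuffer be posted to a worker.
</script>
"""


class QuietHandler(SimpleHTTPRequestHandler):
    """Plain static-file handler: the 'before' configuration, no isolation headers."""

    def log_message(self, format, *args):
        pass  # keep test output quiet


class IsolatedHandler(QuietHandler):
    """Hardened handler: every response (HTML, JS, wasm, worker) gets the headers."""

    def end_headers(self):
        for name, value in CROSS_ORIGIN_ISOLATION_HEADERS.items():
            self.send_header(name, value)
        super().end_headers()


def make_site():
    """Write the constructed index.html into a fresh temp directory and return its path."""
    site = tempfile.mkdtemp(prefix="coop_coep_")
    with open(os.path.join(site, "index.html"), "w") as f:
        f.write(INDEX_HTML)
    return site


def start_server(directory, port=0, isolated=True):
    """Serve `directory` on 127.0.0.1. Port 0 picks a free port. Returns (server, port)."""
    handler = IsolatedHandler if isolated else QuietHandler
    server = ThreadingHTTPServer(("127.0.0.1", port), partial(handler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_headers(port, path="/"):
    """GET the page from the local server (bypassing any proxy) and return its headers."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://127.0.0.1:{port}{path}") as resp:
        return dict(resp.headers.items())


def missing_isolation_headers(headers):
    """Names of required headers that are absent or carry the wrong value."""
    return [
        name for name, value in CROSS_ORIGIN_ISOLATION_HEADERS.items()
        if headers.get(name) != value
    ]


if __name__ == "__main__":
    site = make_site()
    server, port = start_server(site)
    print(f"serving {site} on http://localhost:{port}/")
    print("missing headers:", missing_isolation_headers(fetch_headers(port)))
    server.shutdown()
    server.server_close()
```

Note that `end_headers` is overridden rather than `do_GET`, so the headers also land on the worker script, the `.wasm` file and any error response; a page is only isolated if the top-level document has COOP and COEP, and each subresource it embeds must either be same-origin or carry a CORP header that `require-corp` accepts.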

@kripken
Member

kripken commented Feb 25, 2020

I see, thanks for the info @VirtualTim and @abujalski

@kripken kripken merged commit 520e576 into emscripten-core:master Feb 25, 2020
@VirtualTim
Collaborator

@abujalski ah thanks for the note about localhost. My previous investigation was more focused on production environments, so I didn't realise this.

3 participants