Test that cross-origin subframes can't set automatic beacon data

Cross-origin subframes are allowed to send automatic beacons, but they are not allowed to set the data that will be sent out. This CL adds a WPT to confirm that behavior. Change-Id: I490eb5aa7d2a75cc8f6372382d311acbb173ee6f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5783504 Reviewed-by: Andrew Verge <[email protected]> Commit-Queue: Liam Brady <[email protected]> Cr-Commit-Position: refs/heads/main@{#1343773}
web-platform-tests · Aug 19, 2024 · 1680062 · 1680062
1 parent 2668e1d
commit 1680062
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/fenced-frame/automatic-beacon-data-cross-origin-subframe.https.html b/fenced-frame/automatic-beacon-data-cross-origin-subframe.https.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<title>Test window.fence.setReportEventDataForAutomaticBeacons</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="resources/utils.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-actions.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/automatic-beacon-helper.js"></script>
+
+<body>
+<script>
+promise_test(async(t) => {
+  const fencedframe = await attachFencedFrameContext({
+    generator_api: 'fledge', register_beacon: true
+  });
+
+  const beacon = {
+    eventType: "reserved.top_navigation_start",
+    eventData: "This is the start data",
+    destination: ["buyer"],
+    crossOriginExposed: true
+  }
+
+  await fencedframe.execute(async (beacon) => {
+    const iframe = await attachIFrameContext({
+      origin: get_host_info().HTTPS_REMOTE_ORIGIN,
+      headers: [['Allow-Fenced-Frame-Automatic-Beacons', 'true']]
+    });
+    return setupAutomaticBeacon(iframe, [beacon],
+        "resources/close.html", NavigationTrigger.Click,
+        "_blank");
+  }, [beacon]);
+
+  await multiClick(10, 10, fencedframe.element)
+
+  // An automatic beacon should be sent, but no data should be attached to it,
+  // as it shouldn't have been able to be set from a cross-origin subframe.
+  await verifyBeaconData(beacon.eventType, "<No data>",
+      get_host_info().HTTPS_REMOTE_ORIGIN);
+
+  // Leaving this fenced frame around for subsequent tests can lead to
+  // flakiness.
+  document.body.removeChild(fencedframe.element);
+}, 'A cross origin subframe cannot set automatic beacon data.');
+
+</script>
+</body>
diff --git a/fenced-frame/resources/remote-context-executor.https.html b/fenced-frame/resources/remote-context-executor.https.html
@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="utils.js"></script>
+<script src="automatic-beacon-helper.js"></script>
 <script src="/common/dispatcher/dispatcher.js"></script>
 <script src="/common/get-host-info.sub.js"></script>
 <script src="/common/utils.js"></script>