Origin isolation: initial getter updates

This makes window.originIsolationRestricted available in non-secure
contexts, per the latest updates in
whatwg/html#5545. It also updates the tests to
expect the values we would get from that spec. It does *not* update the
web platform tests, or the implementation, for the new name; that's
https://crbug.com/1103866.

Bug: 1095653
Change-Id: I9ac31d36e2744a3a49eb61c6899debbe38180868

origin-isolation/getter-special-cases/data-url.https.html

@@ -4,6 +4,10 @@
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 
+<!-- TODO(domenic): update this to test window.originIsolated, not
+     window.originIsolationRestricted. See
+     https://github.com/WICG/origin-isolation/pull/34. -->
+
 <div id="log"></div>
 
 <script type="module">
@@ -29,10 +33,8 @@
   return waitPromise;
 });
 
-// The data: URL iframe has an opaque origin, so it definitely should return
-// false. It's pretty unlikely that it would return true anyway, since we can't
-// set the header on the iframe, but we should test it to make sure there isn't
-// some strange main page -> data: URL iframe inheritance going on.
+// The data: URL iframe has an opaque origin, so it should return true, since
+// for them site === origin so they are always "origin-isolated".
 
-testOriginIsolationRestricted(0, false);
+testOriginIsolationRestricted(0, true);
 </script>

origin-isolation/getter-special-cases/removed-iframe.sub.https.html

@@ -4,6 +4,10 @@
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 
+<!-- TODO(domenic): update this to test window.originIsolated, not
+     window.originIsolationRestricted. See
+     https://github.com/WICG/origin-isolation/pull/34. -->
+
 <div id="log"></div>
 
 <script type="module">

origin-isolation/getter-special-cases/sandboxed-iframe.sub.https.html

@@ -4,6 +4,10 @@
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 
+<!-- TODO(domenic): update this to test window.originIsolated, not
+     window.originIsolationRestricted. See
+     https://github.com/WICG/origin-isolation/pull/34. -->
+
 <div id="log"></div>
 
 <script type="module">
@@ -22,9 +26,7 @@
   return navigatePromise;
 });
 
-// Because sandboxed iframes have an opaque origin, their agent cluster key is
-// always an origin, so there are no additional restrictions imposed by origin
-// isolation. Thus the getter returns false.
-
-testOriginIsolationRestricted(0, false);
+// Sandboxed iframes have an opaque origin, so it should return true, since
+// for them site === origin so they are always "origin-isolated".
+testOriginIsolationRestricted(0, true);
 </script>

origin-isolation/insecure-http.sub.html

@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1");
@@ -17,8 +21,6 @@
 // So both end up in the site-keyed agent cluster.
 testSameAgentCluster([self, 0]);
 
-// Has to be promise_test because we used promise_setup().
-promise_test(async () => {
-  assert_false("originIsolationRestricted" in window);
-}, "The getter must not exist");
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child");
 </script>