From 3dd67d8a8f099242ce1e32b9871f0d1c1261b28f Mon Sep 17 00:00:00 2001
From: Nate Chapin <japhet@chromium.org>
Date: Mon, 6 Dec 2021 17:01:56 -0800
Subject: [PATCH] Allow appHistory entries that are cross-site-instance, censor
 the url of entires that are noreferrer

While this allows appHistory entries (including URLs) to be sent across
renderer processes on a BrowsingContextGroup switch, it still omits the
URL in cases where a page has expressed that the URL may be sensitive
and shouldn't be exposed (via ReferrerPolicy).

This follows https://github.com/WICG/app-history/issues/71

Change-Id: I07e7ff1376dd9eca34b4493a06a658f1b72da027
---
 .../app-history-entry/entry-after-detach.html |  4 +--
 .../no-referrer-dynamic-url-censored.html     | 33 +++++++++++++++++++
 .../no-referrer-from-meta-url-censored.html   | 32 ++++++++++++++++++
 .../no-referrer-url-censored.html             | 32 ++++++++++++++++++
 .../resources/no-referrer-meta.html           |  2 ++
 .../resources/no-referrer.html                |  1 +
 .../resources/no-referrer.html.headers        |  1 +
 7 files changed, 103 insertions(+), 2 deletions(-)
 create mode 100644 app-history/app-history-entry/no-referrer-dynamic-url-censored.html
 create mode 100644 app-history/app-history-entry/no-referrer-from-meta-url-censored.html
 create mode 100644 app-history/app-history-entry/no-referrer-url-censored.html
 create mode 100644 app-history/app-history-entry/resources/no-referrer-meta.html
 create mode 100644 app-history/app-history-entry/resources/no-referrer.html
 create mode 100644 app-history/app-history-entry/resources/no-referrer.html.headers

diff --git a/app-history/app-history-entry/entry-after-detach.html b/app-history/app-history-entry/entry-after-detach.html
index 9d99918c5b263c3..dc31f1a695b013f 100644
--- a/app-history/app-history-entry/entry-after-detach.html
+++ b/app-history/app-history-entry/entry-after-detach.html
@@ -7,12 +7,12 @@
   window.onload = t.step_func_done(() => {
     let i_entry = i.contentWindow.appHistory.current;
     assert_true(i_entry.sameDocument);
-    assert_not_equals(i_entry.url, "");
+    assert_not_equals(i_entry.url, null);
     assert_not_equals(i_entry.key, "");
     assert_not_equals(i_entry.id, "");
     i.remove();
     assert_false(i_entry.sameDocument);
-    assert_equals(i_entry.url, "");
+    assert_equals(i_entry.url, null);
     assert_equals(i_entry.key, "");
     assert_equals(i_entry.id, "");
   });
diff --git a/app-history/app-history-entry/no-referrer-dynamic-url-censored.html b/app-history/app-history-entry/no-referrer-dynamic-url-censored.html
new file mode 100644
index 000000000000000..91484daa00eeda7
--- /dev/null
+++ b/app-history/app-history-entry/no-referrer-dynamic-url-censored.html
@@ -0,0 +1,33 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe id="i" src="/common/blank.html"></iframe>
+<script>
+promise_test(async (t) => {
+  // Wait for after the load event so that the navigation doesn't get converted
+  // into a replace navigation.
+  await new Promise(r => window.onload = () => t.step_timeout(r, 0));
+
+  // The entry for the first document has a visible url.
+  i.contentWindow.appHistory.navigate("/common/blank.html?2");
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  assert_not_equals(i.contentWindow.appHistory.entries()[0].url, null);
+
+  // Apply no-referrer, the url should now be censored when no longer on that document.
+  i.contentWindow.appHistory.back();
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  i.contentDocument.head.innerHTML = `<meta name="referrer" content="no-referrer">`;
+  assert_not_equals(i.contentWindow.appHistory.entries()[0].url, null);
+  i.contentWindow.appHistory.forward();
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  assert_equals(i.contentWindow.appHistory.entries()[0].url, null);
+
+  // Overwrite the referrer policy, the url should be visible again.
+  i.contentWindow.appHistory.back();
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  i.contentDocument.head.innerHTML = `<meta name="referrer" content="same-origin">`;
+  i.contentWindow.appHistory.forward();
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  assert_not_equals(i.contentWindow.appHistory.entries()[0].url, null);
+}, "The url of a document is censored by a no-referrer policy dynamically");
+</script>
diff --git a/app-history/app-history-entry/no-referrer-from-meta-url-censored.html b/app-history/app-history-entry/no-referrer-from-meta-url-censored.html
new file mode 100644
index 000000000000000..0f23f3b539b0641
--- /dev/null
+++ b/app-history/app-history-entry/no-referrer-from-meta-url-censored.html
@@ -0,0 +1,32 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe id="i" src="resources/no-referrer-meta.html"></iframe>
+<script>
+promise_test(async (t) => {
+  // Wait for after the load event so that the navigation doesn't get converted
+  // into a replace navigation.
+  await new Promise(r => window.onload = () => t.step_timeout(r, 0));
+
+  await i.contentWindow.appHistory.navigate("#hash");
+  assert_equals(i.contentWindow.appHistory.entries().length, 2);
+
+  // The entries for no-referrer.html should have the url censored.
+  i.contentWindow.appHistory.navigate("/common/blank.html");
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  assert_equals(i.contentWindow.appHistory.entries().length, 3);
+  assert_equals(i.contentWindow.appHistory.current.index, 2);
+  assert_equals(i.contentWindow.appHistory.entries()[0].url, null);
+  assert_equals(i.contentWindow.appHistory.entries()[1].url, null);
+
+  // Navigating back to no-referrer.html should uncensor the urls.
+  i.contentWindow.appHistory.back();
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  assert_equals(i.contentWindow.appHistory.entries().length, 3);
+  assert_equals(i.contentWindow.appHistory.current.index, 1);
+  assert_equals(new URL(i.contentWindow.appHistory.entries()[0].url).pathname,
+                "/app-history/app-history-entry/resources/no-referrer-meta.html");
+  assert_equals(new URL(i.contentWindow.appHistory.entries()[1].url).pathname,
+                "/app-history/app-history-entry/resources/no-referrer-meta.html");
+}, "The url of a document with no-referrer referrer meta tag is censored in AppHistoryEntry");
+</script>
diff --git a/app-history/app-history-entry/no-referrer-url-censored.html b/app-history/app-history-entry/no-referrer-url-censored.html
new file mode 100644
index 000000000000000..2db425368f6a043
--- /dev/null
+++ b/app-history/app-history-entry/no-referrer-url-censored.html
@@ -0,0 +1,32 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe id="i" src="resources/no-referrer.html"></iframe>
+<script>
+promise_test(async (t) => {
+  // Wait for after the load event so that the navigation doesn't get converted
+  // into a replace navigation.
+  await new Promise(r => window.onload = () => t.step_timeout(r, 0));
+
+  await i.contentWindow.appHistory.navigate("#hash");
+  assert_equals(i.contentWindow.appHistory.entries().length, 2);
+
+  // The entries for no-referrer.html should have the url censored.
+  i.contentWindow.appHistory.navigate("/common/blank.html");
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  assert_equals(i.contentWindow.appHistory.entries().length, 3);
+  assert_equals(i.contentWindow.appHistory.current.index, 2);
+  assert_equals(i.contentWindow.appHistory.entries()[0].url, null);
+  assert_equals(i.contentWindow.appHistory.entries()[1].url, null);
+
+  // Navigating back to no-referrer.html should uncensor the urls.
+  i.contentWindow.appHistory.back();
+  await new Promise(r => i.onload = () => t.step_timeout(r, 0));
+  assert_equals(i.contentWindow.appHistory.entries().length, 3);
+  assert_equals(i.contentWindow.appHistory.current.index, 1);
+  assert_equals(new URL(i.contentWindow.appHistory.entries()[0].url).pathname,
+                "/app-history/app-history-entry/resources/no-referrer.html");
+  assert_equals(new URL(i.contentWindow.appHistory.entries()[1].url).pathname,
+                "/app-history/app-history-entry/resources/no-referrer.html");
+}, "The url of a document with no-referrer referrer policy is censored in AppHistoryEntry");
+</script>
diff --git a/app-history/app-history-entry/resources/no-referrer-meta.html b/app-history/app-history-entry/resources/no-referrer-meta.html
new file mode 100644
index 000000000000000..bd5ec391cce8921
--- /dev/null
+++ b/app-history/app-history-entry/resources/no-referrer-meta.html
@@ -0,0 +1,2 @@
+<meta name="referrer" content="no-referrer">
+<body></body>
diff --git a/app-history/app-history-entry/resources/no-referrer.html b/app-history/app-history-entry/resources/no-referrer.html
new file mode 100644
index 000000000000000..c8b7661f4221298
--- /dev/null
+++ b/app-history/app-history-entry/resources/no-referrer.html
@@ -0,0 +1 @@
+<body></body>
diff --git a/app-history/app-history-entry/resources/no-referrer.html.headers b/app-history/app-history-entry/resources/no-referrer.html.headers
new file mode 100644
index 000000000000000..7ffbf17d6be5a59
--- /dev/null
+++ b/app-history/app-history-entry/resources/no-referrer.html.headers
@@ -0,0 +1 @@
+Referrer-Policy: no-referrer