Origin isolation: implement window.originIsolationRestricted

See WICG/origin-agent-cluster#24 and WICG/origin-agent-cluster#30 for background, and whatwg/html#5545 for the specification. Failing test expectations include: - We implement (3) from WICG/origin-agent-cluster#24 instead of (2) for now, so we fail getter-sandboxed-iframe. Tracking at https://crbug.com/1095653. - data: URLs are not [SecureContext] in Chromium (https://crbug.com/1095656) so getter-data-url fails. - Other failures are due to the lack of origin vs site-keying, which is now more directly observable. See bug 1067389. Bug: 1042415, 1067389 Change-Id: I20c2d3e3fec7a5c0f1d12c386999c32fe27b6a34
web-platform-tests · Jun 17, 2020 · 50c5dee · 50c5dee
1 parent 6152228
commit 50c5dee
Show file tree

Hide file tree

Showing 29 changed files with 260 additions and 13 deletions.
diff --git a/origin-isolation/getter-data-url.https.html b/origin-isolation/getter-data-url.https.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.originIsolationRestricted for a data: URL</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import {
+  waitForIframe,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
+
+promise_setup(() => {
+  const iframe = document.createElement("iframe");
+
+  // This copies parts of resources/send-origin-isolation-header.py that allow
+  // us to reuse testOriginIsolationRestricted.
+  iframe.src = `data:text/html,<script>
+    window.onmessage = () => {
+      parent.postMessage(self.originIsolationRestricted, "*");
+    };
+    </` + `script>
+  `;
+
+  const waitPromise = waitForIframe(iframe);
+  document.body.append(iframe);
+  return waitPromise;
+});
+
+// The data: URL iframe has an opaque origin, so it definitely should return
+// false. It's pretty unlikely that it would return true anyway, since we can't
+// set the header on the iframe, but we should test it to make sure there isn't
+// some strange main page -> data: URL iframe inheritance going on.
+
+testOriginIsolationRestricted(0, false);
+</script>
diff --git a/origin-isolation/getter-data-url.https.html.headers b/origin-isolation/getter-data-url.https.html.headers
@@ -0,0 +1 @@
+Origin-Isolation: ?1
diff --git a/origin-isolation/getter-removed-iframe.sub.https.html b/origin-isolation/getter-removed-iframe.sub.https.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.crossOriginIsolated for a removed frame</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import { navigateIframe } from "./resources/helpers.mjs";
+
+promise_test(async () => {
+  // We cannot use insertIframe because it sets both `document.domain`s. That
+  // shouldn't matter, but Chrome has a bug (https://crbug.com/1095145), so
+  // let's avoid making the test needlessly fail because of that bug.
+  const iframe = document.createElement("iframe");
+  const navigatePromise = navigateIframe(iframe, "{{hosts[][]}}", "?1");
+  document.body.append(iframe);
+  await navigatePromise;
+
+  const frameWindow = iframe.contentWindow;
+
+  assert_equals(frameWindow.originIsolationRestricted, true, "before");
+  iframe.remove();
+  assert_equals(frameWindow.originIsolationRestricted, true, "after");
+}, "Removing the iframe does not change originIsolationRestricted");
+</script>
diff --git a/origin-isolation/getter-removed-iframe.sub.https.html.headers b/origin-isolation/getter-removed-iframe.sub.https.html.headers
@@ -0,0 +1 @@
+Origin-Isolation: ?1
diff --git a/origin-isolation/getter-sandboxed-iframe.sub.https.html b/origin-isolation/getter-sandboxed-iframe.sub.https.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.originIsolationRestricted for a sandboxed frame</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import {
+  navigateIframe,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
+
+// We do this manually instead of using insertIframe because we want to add a
+// sandbox="" attribute and we don't want to set both document.domains.
+promise_setup(() => {
+  const iframe = document.createElement("iframe");
+  iframe.sandbox = "allow-scripts";
+  const navigatePromise = navigateIframe(iframe, "{{hosts[][]}}", "?1");
+  document.body.append(iframe);
+  return navigatePromise;
+});
+
+// Because sandboxed iframes have an opaque origin, their agent cluster key is
+// always an origin, so there are no additional restrictions imposed by origin
+// isolation. Thus the getter returns false.
+
+testOriginIsolationRestricted(0, false);
+</script>
diff --git a/origin-isolation/getter-sandboxed-iframe.sub.https.html.headers b/origin-isolation/getter-sandboxed-iframe.sub.https.html.headers
@@ -0,0 +1 @@
+Origin-Isolation: ?1
diff --git a/origin-isolation/insecure-http.sub.html b/origin-isolation/insecure-http.sub.html
@@ -16,4 +16,9 @@
 // All isolation requests are ignored, since this is over insecure HTTP.
 // So both end up in the site-keyed agent cluster.
 testSameAgentCluster([self, 0]);
+
+// Has to be promise_test because we used promise_setup().
+promise_test(async () => {
+  assert_false("originIsolationRestricted" in window);
+}, "The getter must not exist");
 </script>
diff --git a/origin-isolation/parent-no-child-bad-subdomain.sub.https.html b/origin-isolation/parent-no-child-bad-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 let frameIndex = 0;
 for (const badValue of ["", "?0", "true", "\"?1\"", "1", "?2", "(?1)"]) {
@@ -17,6 +21,7 @@
 
   // Since the header values are bad there should be no isolation
   testSameAgentCluster([self, frameIndex], `"${badValue}"`);
+  testOriginIsolationRestricted(frameIndex, false, `"${badValue}"`);
   ++frameIndex;
 }
 </script>
diff --git a/origin-isolation/parent-no-child-yes-same.sub.https.html b/origin-isolation/parent-no-child-yes-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}", "?1");
@@ -16,4 +20,6 @@
 // Since they're same-origin, and the parent loaded without isolation, the
 // child's request for isolation gets ignored, and both end up site-keyed.
 testSameAgentCluster([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child");
 </script>
diff --git a/origin-isolation/parent-no-child-yes-subdomain.sub.https.html b/origin-isolation/parent-no-child-yes-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1");
@@ -17,4 +21,6 @@
 // so the parent ends up in the site-keyed agent cluster and the child in the
 // origin-keyed one.
 testDifferentAgentClusters([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html b/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1;param1;param2=value2");
@@ -17,4 +21,6 @@
 // so the parent ends up in the site-keyed agent cluster and the child in the
 // origin-keyed one.
 testDifferentAgentClusters([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/origin-isolation/parent-no-child1-no-child2-yes-children-different.sub.https.html b/origin-isolation/parent-no-child1-no-child2-yes-children-different.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testDifferentAgentClusters([0, 1], "child1 to child2");
 testDifferentAgentClusters([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/origin-isolation/parent-no-child1-no-child2-yes-children-same.sub.https.html b/origin-isolation/parent-no-child1-no-child2-yes-children-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   // Must be sequential, not parallel: the non-isolated frame must load first.
@@ -25,4 +29,8 @@
 testSameAgentCluster([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>
diff --git a/origin-isolation/parent-no-child1-yes-child2-no-children-same.sub.https.html b/origin-isolation/parent-no-child1-yes-child2-no-children-same.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/origin-isolation/parent-yes-child-no-same.sub.https.html b/origin-isolation/parent-yes-child-no-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}");
@@ -16,4 +20,7 @@
 // Since they're same-origin, and the parent loaded with isolation, the
 // child's non-request for isolation gets ignored, and both end up origin-keyed.
 testSameAgentCluster([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/origin-isolation/parent-yes-child-no-subdomain.sub.https.html b/origin-isolation/parent-yes-child-no-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}");
@@ -17,4 +21,7 @@
 // as is the child's non-request. So the parent ends up in the origin-keyed
 // agent cluster and the child ends up in the site-keyed one.
 testDifferentAgentClusters([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child");
 </script>
diff --git a/origin-isolation/parent-yes-child-yes-same.sub.https.html b/origin-isolation/parent-yes-child-yes-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}", "?1");
@@ -16,4 +20,7 @@
 // Both request isolation, and they're same-origin, so they both end up in the
 // same origin-keyed agent cluster.
 testSameAgentCluster([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/origin-isolation/parent-yes-child-yes-subdomain.sub.https.html b/origin-isolation/parent-yes-child-yes-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1");
@@ -17,4 +21,7 @@
 // cluster (the base domain's origin), and the child ends up in a different
 // origin-keyed agent cluster (the www subdomain's origin).
 testDifferentAgentClusters([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/origin-isolation/parent-yes-child1-no-child2-no-children-different.sub.https.html b/origin-isolation/parent-yes-child1-no-child2-no-children-different.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>
diff --git a/origin-isolation/parent-yes-child1-no-child2-no-children-same.sub.https.html b/origin-isolation/parent-yes-child1-no-child2-no-children-same.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>
diff --git a/origin-isolation/parent-yes-child1-no-child2-yes-children-different.sub.https.html b/origin-isolation/parent-yes-child1-no-child2-yes-children-different.sub.https.html
@@ -9,8 +9,8 @@
 <script type="module">
 import {
   insertIframe,
-  testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -31,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testDifferentAgentClusters([0, 1], "child1 to child2");
 testDifferentAgentClusters([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>