Referrers: Flip ReducedReferrerGranularity to enabled by default

We rolled out ReducedReferrerGranularity, which changes the default referrer policy to strict-origin-when-cross-origin, to 100% in M85 stable. To clean up the experiment, we need to enable the behavior by default. This will take effect in M88; we'll follow up by removing the flag, the corresponding enterprise policy, and the corresponding field trial testing configuration. Changing this base::Feature's default value entails cleaning up the remaining tests that weren't within the field trial testing config's scope. These changes are mostly straightforward, involving updating expectations of full-URL referrers to expectations of the corresponding origins, but some tests require logic changes to make sure that they still cover the desired behavior. (For instance, multiple tests previously expected origins in order to test that a particular, arbitrary, non-default referrer policy took effect: to achieve a similar effect, this CL updates these tests to now expect full URLs and swaps in non-default full-URL-generating policies for the prior non-default origin-generating policies.) Launch approval: crbug.com/1019930 Spec change: w3c/webappsec-referrer-policy#142 Bug: 1014207, 1131688 Change-Id: Ib575af6a858641fb1fe2c8de73941f5702d88191
web-platform-tests · Nov 10, 2020 · 942396c · 942396c
1 parent eea3a3f
commit 942396c
Show file tree

Hide file tree

Showing 119 changed files with 1,442 additions and 4,581 deletions.
diff --git a/fetch/api/cors/cors-preflight-referrer.any.js b/fetch/api/cors/cors-preflight-referrer.any.js
@@ -35,8 +35,11 @@ var origin = get_host_info().HTTP_ORIGIN + "/";
 corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", undefined, "");
 corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", "myreferrer", "");
 
-corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", undefined, location.toString())
-corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", "myreferrer", new URL("myreferrer", location).toString());
+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", undefined, origin);
+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", "myreferrer", origin);
+
+corsPreflightReferrer("Referrer policy: no-referrer-when-downgrade", corsUrl, "no-referrer-when-downgrade", undefined, location.toString())
+corsPreflightReferrer("Referrer policy: no-referrer-when-downgrade", corsUrl, "no-referrer-when-downgrade", "myreferrer", new URL("myreferrer", location).toString());
 
 corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", undefined, origin);
 corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", "myreferrer", origin);

diff --git a/...s/browsing-the-web/navigating-across-documents/source/navigate-child-src-about-blank.html b/...s/browsing-the-web/navigating-across-documents/source/navigate-child-src-about-blank.html
@@ -6,12 +6,14 @@
 <div id=log></div>
 <iframe></iframe>
 <script>
-  setup({ single_test: true });
+  setup({
+    single_test: true
+  });
   onload = function() {
     var fr = document.querySelector("iframe")
     fr.src = "about:blank"
     fr.onload = function() {
-      assert_equals(fr.contentDocument.referrer, document.URL)
+      assert_equals(fr.contentDocument.referrer, document.location.origin + '/')
       done()
     }
   }

diff --git a/html/browsers/windows/browsing-context.html b/html/browsers/windows/browsing-context.html
@@ -1,24 +1,26 @@
 <!doctype html>
 <html>
-  <head>
-    <title>HTML Test: Browsing context is first created</title>
-    <link rel="author" title="Intel" href="http://www.intel.com/" />
-    <script src="/resources/testharness.js"></script>
-    <script src="/resources/testharnessreport.js"></script>
-  </head>
-  <body>
-    <div id="log"></div>
-    <script>
+
+<head>
+  <title>HTML Test: Browsing context is first created</title>
+  <link rel="author" title="Intel" href="http://www.intel.com/" />
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+  <div id="log"></div>
+  <script>
     var doc, iframe;
 
-    setup(function () {
+    setup(function() {
       // Create new browsing context via iframe
       iframe = document.createElement("iframe");
       document.body.appendChild(iframe);
       doc = iframe.contentDocument;
     });
 
-    test(function () {
+    test(function() {
       assert_equals(doc.compatMode, "BackCompat", "The compatMode of a document without a document type declaration should be 'BackCompat'."); // Quirksmode
       assert_equals(doc.contentType, "text/html", "The document should be an HTML document.");
       assert_equals(doc.readyState, "complete", "The readyState attribute should be 'complete'.");
@@ -29,7 +31,7 @@
       assert_equals(doc.characterSet, "UTF-8", "The document's encoding should be 'UTF-8'.");
     }, "Check that browsing context has new, ready HTML document");
 
-    test(function () {
+    test(function() {
       assert_equals(doc.childNodes.length, 1, "The document must have only one child.");
       assert_equals(doc.documentElement.tagName, "HTML");
       assert_equals(doc.documentElement.childNodes.length, 2, "The HTML element should have 2 children.");
@@ -39,10 +41,11 @@
       assert_false(doc.documentElement.childNodes[1].hasChildNodes(), "The BODY element should not have children.");
     }, "Check that new document nodes extant, empty");
 
-    test(function () {
-      assert_equals(doc.referrer, document.URL, "The document's referrer should be its creator document's address.");
+    test(function() {
+      assert_equals(doc.referrer, document.location.origin + '/', "The document's referrer should be its creator document's address's origin.");
       assert_equals(iframe.contentWindow.parent.document, document);
     }, "Check the document properties corresponding to the creator browsing context");
-    </script>
-  </body>
+  </script>
+</body>
+
 </html>
diff --git a/...eporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html b/...eporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html
@@ -23,6 +23,7 @@
   const openee_token = token();
 
   const opener_url = location.href;
+  const opener_origin = location.origin + '/';
 
   const reportTo = reportToHeaders(report_token);
   const openee_url = cross_origin + executor_path +

diff --git a/...eporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html b/...eporting/access-reporting/access-to-coop-page-from-opener_coop-ro_cross-origin.https.html
@@ -24,6 +24,7 @@
   const opener_token = token(); // The current test window.
 
   const opener_url = location.href;
+  const opener_origin = location.origin + '/';
 
   const reportTo = reportToHeaders(report_token);
   const openee_url = cross_origin + executor_path +
@@ -59,7 +60,7 @@
   assert_equals(report.body.openerURL, "");
   assert_equals(report.body.openeeURL, undefined);
   assert_equals(report.body.otherDocumentURL, undefined);
-  assert_equals(report.body.referrer, opener_url);
+  assert_equals(report.body.referrer, opener_origin);
   assert_equals(report.body.initialPopupURL, undefined);
 }, name);
 

diff --git a/...rigin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html b/...rigin-opener-policy/reporting/navigation-reporting/reporting-popup-same-origin.https.html
@@ -9,49 +9,45 @@
 <script src="../resources/reporting-common.js"></script>
 
 <script>
+  let tests = [
+    // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
 
-let tests = [
-  // popup origin, popup COOP, popup COEP, popup COOP report only, popup COEP report only, expected reports
-
-  // Open a cross-origin popup with a same-origin COOP and no COEP. COOP
-  // switches the browsing context group and hence produces one report.
-  // This test verifies that the navigated to document properly sends a
-  // navigation-to report. The navigationURI is the referrer.
-  [
-    CROSS_ORIGIN,
-    `same-origin; report-to="${popupReportEndpoint.name}"`,
-    "",
-    "",
-    "",
+    // Open a cross-origin popup with a same-origin COOP and no COEP. COOP
+    // switches the browsing context group and hence produces one report.
+    // This test verifies that the navigated to document properly sends a
+    // navigation-to report. The navigationURI is the referrer.
     [
-      {
+      CROSS_ORIGIN,
+      `same-origin; report-to="${popupReportEndpoint.name}"`,
+      "",
+      "",
+      "",
+      [{
         "endpoint": popupReportEndpoint,
         "report": {
           "body": {
             "disposition": "enforce",
             "effectivePolicy": "same-origin",
             "previousResponseURL": "",
-            "referrer": `${location.href}`, // referrer
+            "referrer": `${location.origin}/`, // referrer
             "type": "navigation-to-response"
           },
           "url": /uuid=EXECUTOR_UUID$/,
           "type": "coop"
         }
-      }
-    ]
-  ],
-  // Open a same-origin popup with a unsafe-none COOP and no COEP. COOP switches
-  // the browsing context group and hence produces one report.
-  // This test verifies that having different policies on same origin documents
-  // still properly produces report to the navigated-to-document.
-  [
-    SAME_ORIGIN,
-    `unsafe-none; report-to="${popupReportEndpoint.name}"`,
-    "",
-    "",
-    "",
+      }]
+    ],
+    // Open a same-origin popup with a unsafe-none COOP and no COEP. COOP switches
+    // the browsing context group and hence produces one report.
+    // This test verifies that having different policies on same origin documents
+    // still properly produces report to the navigated-to-document.
     [
-      {
+      SAME_ORIGIN,
+      `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+      "",
+      "",
+      "",
+      [{
         "endpoint": popupReportEndpoint,
         "report": {
           "body": {
@@ -64,47 +60,43 @@
           "url": /uuid=EXECUTOR_UUID$/,
           "type": "coop"
         }
-      }
-    ]
-  ],
-  // Open a cross-origin popup with a unsafe-none COOP (with reporting) and no
-  // COEP. COOP switches the browsing context group and hence produces one
-  // reports to the unsafe-none document. This test verifies that unsafe-none
-  // properly sends report in that configuration.
-  [
-    CROSS_ORIGIN,
-    `unsafe-none; report-to="${popupReportEndpoint.name}"`,
-    "",
-    "",
-    "",
+      }]
+    ],
+    // Open a cross-origin popup with a unsafe-none COOP (with reporting) and no
+    // COEP. COOP switches the browsing context group and hence produces one
+    // reports to the unsafe-none document. This test verifies that unsafe-none
+    // properly sends report in that configuration.
     [
-      {
+      CROSS_ORIGIN,
+      `unsafe-none; report-to="${popupReportEndpoint.name}"`,
+      "",
+      "",
+      "",
+      [{
         "endpoint": popupReportEndpoint,
         "report": {
           "body": {
             "disposition": "enforce",
             "previousResponseURL": "",
-            "referrer": `${location.href}`, // referrer
+            "referrer": `${location.origin}/`, // referrer
             "type": "navigation-to-response"
           },
           "url": /uuid=EXECUTOR_UUID$/,
           "type": "coop"
         }
-      }
-    ]
-  ],
-  // Open a same-origin popup with a same-origin COOP Report only value, the
-  // report only matches the previous document COOP value, no report is sent.
-  [
-    SAME_ORIGIN,
-    "",
-    "",
-    `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
-    "",
-    []
-  ],
-];
-
-runNavigationReportingTests(document.title, tests);
+      }]
+    ],
+    // Open a same-origin popup with a same-origin COOP Report only value, the
+    // report only matches the previous document COOP value, no report is sent.
+    [
+      SAME_ORIGIN,
+      "",
+      "",
+      `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+      "",
+      []
+    ],
+  ];
 
+  runNavigationReportingTests(document.title, tests);
 </script>