From 9e1f46668b220458be6f406e2e6214375a5ca092 Mon Sep 17 00:00:00 2001
From: Simon Pieters <zcorpan@gmail.com>
Date: Thu, 9 Jan 2020 16:54:33 +0100
Subject: [PATCH] COOP: test COOP popup from a CSP-sandboxed popup

Part of #18354.
---
 .../coop-csp-sandbox.https.html               | 24 +++++++++++++++++++
 .../resources/csp-sandbox.py                  | 21 ++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 html/cross-origin-opener-policy/coop-csp-sandbox.https.html
 create mode 100644 html/cross-origin-opener-policy/resources/csp-sandbox.py

diff --git a/html/cross-origin-opener-policy/coop-csp-sandbox.https.html b/html/cross-origin-opener-policy/coop-csp-sandbox.https.html
new file mode 100644
index 00000000000000..259d484df2cbf7
--- /dev/null
+++ b/html/cross-origin-opener-policy/coop-csp-sandbox.https.html
@@ -0,0 +1,24 @@
+<!doctype html>
+<title>CSP sandboxed Cross-Origin-Opener-Policy popup should result in a network error</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log>
+<script>
+[
+  "allow-popups allow-scripts allow-same-origin",
+  "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+  async_test(t => {
+    const channel = new BroadcastChannel(token());
+    channel.onmessage = t.unreached_func("A COOP popup was created from a CSP-sandboxed popup");
+    const popup = window.open(`resources/csp-sandbox.py?coop=same-origin&coep=&sandbox=${sandboxValue}&channel=${channel.name}`);
+    t.add_cleanup(() => { popup.close(); });
+    addEventListener('load', t.step_func(() => {
+      t.step_timeout(() => {
+        t.done()
+      }, 1500);
+    }));
+  }, `CSP: sandbox ${sandboxValue}; ${document.title}`);
+});
+</script>
diff --git a/html/cross-origin-opener-policy/resources/csp-sandbox.py b/html/cross-origin-opener-policy/resources/csp-sandbox.py
new file mode 100644
index 00000000000000..adaf50b8688162
--- /dev/null
+++ b/html/cross-origin-opener-policy/resources/csp-sandbox.py
@@ -0,0 +1,21 @@
+def main(request, response):
+    coop = request.GET.first("coop")
+    coep = request.GET.first("coep")
+    sandbox = request.GET.first("sandbox")
+    if coop != "":
+        response.headers.set("Cross-Origin-Opener-Policy", coop)
+    if coep != "":
+        response.headers.set("Cross-Origin-Embedder-Policy", coep)
+    response.headers.set("Content-Security-Policy", "sandbox " + sandbox + ";")
+
+    # Open a popup to coop-coep.py with the same parameters (except sandbox)
+    response.content = """
+<!doctype html>
+<meta charset=utf-8>
+<script src="/common/get-host-info.sub.js"></script>
+<script>
+  const params = new URL(location).searchParams;
+  params.delete("sandbox");
+  window.open(`${get_host_info().HTTPS_ORIGIN}/html/cross-origin-opener-policy/resources/coop-coep.py?${params}`)
+</script>
+"""