From b4c6956db5a5dcfc68c9e196e70da91aa652620c Mon Sep 17 00:00:00 2001 
From: Luna Lu Date: Fri, 23 Feb 2018 08:02:58 -0800 Subject: [PATCH] Reland "Add WPT tests for feature policy" This is a reland of 6252427ab5415839618a0d25e4f6e61becce3923. Original change's description: > Add WPT tests for feature policy > > 1. Added tests for header policy. > a. document.policy shows correctly parsed policy > b. local / remote iframes without allow attribute correctly inherit > document.policy > c. dynamically update allow attribute updates the policy correctly. > > 2. Added tests for nested policies. > > Bug: 732003 > Change-Id: I869449f6bba89fc58997355df27249f403d76808 > Reviewed-on: https://chromium-review.googlesource.com/796952 > Commit-Queue: Luna Lu > Reviewed-by: Ian Clelland > Cr-Commit-Position: refs/heads/master@{#531698} Bug: 732003 Change-Id: I46065efff8c5af2d5279721f3c759580b0807e05 --- ...ader-policy-allowed-for-all.https.sub.html | 46 ++++++ ...allowed-for-all.https.sub.html.sub.headers | 1 + ...der-policy-allowed-for-self.https.sub.html | 46 ++++++ ...llowed-for-self.https.sub.html.sub.headers | 1 + ...der-policy-allowed-for-some.https.sub.html | 52 +++++++ ...llowed-for-some.https.sub.html.sub.headers | 1 + ...r-policy-disallowed-for-all.https.sub.html | 46 ++++++ ...allowed-for-all.https.sub.html.sub.headers | 2 + ...ader-policy-allowed-for-all.https.sub.html | 61 ++++++++ ...allowed-for-all.https.sub.html.sub.headers | 1 + ...der-policy-allowed-for-self.https.sub.html | 62 ++++++++ ...llowed-for-self.https.sub.html.sub.headers | 1 + ...r-policy-disallowed-for-all.https.sub.html | 50 +++++++ ...allowed-for-all.https.sub.html.sub.headers | 1 + .../feature-policy-allowedfeatures.html | 7 + ...licy-nested-subframe-policy.https.sub.html | 50 +++++++ feature-policy/resources/featurepolicy.js | 136 ++++++++++++++++++ 17 files changed, 564 insertions(+) create mode 100644 feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html create mode 100644 
feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html.sub.headers create mode 100644 feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html create mode 100644 feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html.sub.headers create mode 100644 feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html create mode 100644 feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html.sub.headers create mode 100644 feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html create mode 100644 feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html.sub.headers create mode 100644 feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html create mode 100644 feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html.sub.headers create mode 100644 feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html create mode 100644 feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html.sub.headers create mode 100644 feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html create mode 100644 feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html.sub.headers create mode 100644 feature-policy/resources/feature-policy-allowedfeatures.html create mode 100644 feature-policy/resources/feature-policy-nested-subframe-policy.https.sub.html
diff --git a/feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html b/feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html
new file mode 100644
index 00000000000000..3334b97247e5fd
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html
@@ -0,0 +1,46 @@
+ + + + + + + +
diff --git a/feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html.sub.headers b/feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html.sub.headers
new file mode 100644
index 00000000000000..111121a52fbdc9
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-allowed-for-all.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Feature-Policy: fullscreen *;
diff --git a/feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html b/feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html
new file mode 100644
index 00000000000000..60e22f4aec865b
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html
@@ -0,0 +1,46 @@
+ + + + + + + +
diff --git a/feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html.sub.headers b/feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html.sub.headers
new file mode 100644
index 00000000000000..0cc259b24f3829
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-allowed-for-self.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Feature-Policy: fullscreen 'self';
diff --git a/feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html b/feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html
new file mode 100644
index 00000000000000..cce2fdb1b9f7d3
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html
@@ -0,0 +1,52 @@
+ + + + + + + +
diff --git a/feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html.sub.headers b/feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html.sub.headers
new file mode 100644
index 00000000000000..c2493a089031aa
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Feature-Policy: fullscreen 'self' https://{{domains[www]}}:{{ports[https][0]}} https://www.example.com;
diff --git a/feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html b/feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html
new file mode 100644
index 00000000000000..c025705a36b10e
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html
@@ -0,0 +1,46 @@
+ + + + + + + +
diff --git a/feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html.sub.headers b/feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html.sub.headers
new file mode 100644
index 00000000000000..04d160ae103f91
--- /dev/null
+++ b/feature-policy/feature-policy-header-policy-disallowed-for-all.https.sub.html.sub.headers
@@ -0,0 +1,2 @@
+Feature-Policy: fullscreen 'none';
+
diff --git a/feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html b/feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html
new file mode 100644
index 00000000000000..289fd508444d27
--- /dev/null
+++ b/feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html
@@ -0,0 +1,61 @@
+ + + + + + +
diff --git a/feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html.sub.headers b/feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html.sub.headers
new file mode 100644
index 00000000000000..111121a52fbdc9
--- /dev/null
+++ b/feature-policy/feature-policy-nested-header-policy-allowed-for-all.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Feature-Policy: fullscreen *;
diff --git a/feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html b/feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html
new file mode 100644
index 00000000000000..274b3ebe9073f1
--- /dev/null
+++ b/feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html
@@ -0,0 +1,62 @@
+ + + + + + +
diff --git a/feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html.sub.headers b/feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html.sub.headers
new file mode 100644
index 00000000000000..0cc259b24f3829
--- /dev/null
+++ b/feature-policy/feature-policy-nested-header-policy-allowed-for-self.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Feature-Policy: fullscreen 'self';
diff --git a/feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html b/feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html
new file mode 100644
index 00000000000000..f15b43576f2cac
--- /dev/null
+++ b/feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html
@@ -0,0 +1,50 @@
+ + + + + + +
diff --git a/feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html.sub.headers b/feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html.sub.headers
new file mode 100644
index 00000000000000..961d40336aeb3e
--- /dev/null
+++ b/feature-policy/feature-policy-nested-header-policy-disallowed-for-all.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Feature-Policy: fullscreen 'none';
diff --git a/feature-policy/resources/feature-policy-allowedfeatures.html b/feature-policy/resources/feature-policy-allowedfeatures.html
new file mode 100644
index 00000000000000..9cc8e1e33a32d2
--- /dev/null
+++ b/feature-policy/resources/feature-policy-allowedfeatures.html
@@ -0,0 +1,7 @@
+
diff --git a/feature-policy/resources/feature-policy-nested-subframe-policy.https.sub.html b/feature-policy/resources/feature-policy-nested-subframe-policy.https.sub.html
new file mode 100644
index 00000000000000..3d9530c26f668a
--- /dev/null
+++ b/feature-policy/resources/feature-policy-nested-subframe-policy.https.sub.html
@@ -0,0 +1,50 @@
+ + + + +
diff --git a/feature-policy/resources/featurepolicy.js b/feature-policy/resources/featurepolicy.js
index b08d560d143e65..925408ea8a4e50 100644
--- a/feature-policy/resources/featurepolicy.js
+++ b/feature-policy/resources/featurepolicy.js
@@ -247,3 +247,139 @@ function run_all_fp_tests_allow_all( 'Feature policy "' + feature_name + '" can be disabled in cross-origin iframes using "allow" attribute.'); } + +// This function tests that a given policy allows each feature for the correct +// list of origins specified by the |expected_policy|. +// Arguments: +// expected_policy: A list of {feature, allowlist} pairs where the feature is +// enabled for every origin in the allowlist, in the |policy|. +// policy: Either a document.policy or a iframe.policy to be tested. +// message: A short description of what policy is being tested. +function test_allowlists(expected_policy, policy, message) { + for (var allowlist of allowlists) { + test(function() { + assert_array_equals( + policy.getAllowlistForFeature(allowlist.feature), + allowlist.allowlist); + }, message + ' for feature ' + allowlist.feature); + } +} + +// This function tests that a subframe's document policy allows a given feature. +// A feature is allowed in a frame either through inherited policy or specified +// by iframe allow attribute. +// Arguments: +// test: test created by testharness. Examples: async_test, promise_test. +// feature: feature name that should be allowed in the frame. +// src: the URL to load in the frame. +// allow: the allow attribute (container policy) of the iframe +function test_allowed_feature_for_subframe(message, feature, src, allow) { + let frame = document.createElement('iframe'); + if (typeof allow !== 'undefined') { + frame.allow = allow; + } + promise_test(function() { + frame.src = src; + return new Promise(function(resolve, reject) { + window.addEventListener('message', function handler(evt) { + resolve(evt.data); + }, { once: true }); + document.body.appendChild(frame); + }).then(function(data) { + assert_true(data.includes(feature), feature); + }); + }, message); +} + +// This function tests that a subframe's document policy disallows a given +// feature. 
A feature is allowed in a frame either through inherited policy or +// specified by iframe allow attribute. +// Arguments: +// test: test created by testharness. Examples: async_test, promise_test. +// feature: feature name that should not be allowed in the frame. +// src: the URL to load in the frame. +// allow: the allow attribute (container policy) of the iframe +function test_disallowed_feature_for_subframe(message, feature, src, allow) { + let frame = document.createElement('iframe'); + if (typeof allow !== 'undefined') { + frame.allow = allow; + } + promise_test(function() { + frame.src = src; + return new Promise(function(resolve, reject) { + window.addEventListener('message', function handler(evt) { + resolve(evt.data); + }, { once: true }); + document.body.appendChild(frame); + }).then(function(data) { + assert_false(data.includes(feature), feature); + }); + }, message); +} + +// This function tests that a subframe with header policy defined on a given +// feature allows and disallows the feature as expected. +// Arguments: +// feature: feature name. +// frame_header_policy: either *, 'self' or 'none', defines the frame +// document's header policy on |feature|. +// src: the URL to load in the frame. +// test_expects: contains 6 expected results of either |feature| is allowed +// or not inside of a local or remote iframe nested inside +// the subframe given the header policy to be either *, +// 'slef', or 'none'. +// test_name: name of the test. 
+function test_subframe_header_policy( + feature, frame_header_policy, src, test_expects, test_name) { + let frame = document.createElement('iframe'); + promise_test(function() { + frame.src = src + '?pipe=sub|header(Feature-Policy,' + feature + ' ' + + frame_header_policy + ';)'; + return new Promise(function(resolve, reject) { + let results = []; + window.addEventListener('message', function handler(evt) { + results.push(evt.data); + if (results.length >= 6) { + resolve(results); + } + }); + document.body.appendChild(frame); + }).then(function(results) { + for (var j = 0; j < results.length; j++) { + var data = results[j]; + + function test_result(message, test_expect) { + if (test_expect) { + assert_true(data.allowedfeatures.includes(feature), message); + } else { + assert_false(data.allowedfeatures.includes(feature), message); + } + } + + if (data.frame === 'local') { + if (data.policy === '*') { + test_result('local_all:', test_expects.local_all); + } + if (data.policy === '\'self\'') { + test_result('local_self:', test_expects.local_self); + } + if (data.policy === '\'none\'') { + test_result('local_none:', test_expects.local_none); + } + } + + if (data.frame === 'remote') { + if (data.policy === '*') { + test_result('remote_all:', test_expects.remote_all); + } + if (data.policy === '\'self\'') { + test_result('remote_self:', test_expects.remote_self); + } + if (data.policy === '\'none\'') { + test_result('remote_none:', test_expects.remote_none); + } + } + } + }); + }, test_name); +}
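Review bot: `test_allowlists` loops over `allowlists`, which is not declared anywhere in this hunk, while its `expected_policy` parameter is never read; unless a global of that name exists elsewhere in the file, every call throws a ReferenceError instead of checking anything, and the loop should read `for (var allowlist of expected_policy) {`. The `message` handlers in `test_allowed_feature_for_subframe` and `test_disallowed_feature_for_subframe` resolve on the first message the window receives from any sender, so with several of these tests on one page a report from another test's frame can decide the result; comparing `evt.source` with `frame.contentWindow` before resolving (and removing the listener explicitly rather than with `{ once: true }`, which would discard it on an ignored message) would tie each result to its own frame. In `test_subframe_header_policy` the handler is never removed and counts any six messages, so it keeps collecting after the test has settled. The header comments for the two subframe helpers also document a `test` argument where the parameter is `message`, and `'slef'` should be `'self'`.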