Add basic reporting test from Same-origin
Bug: 1076456 Change-Id: I7a39d4def20692d8628ce2406569638310684f4f
1 parent
effa399
commit d9acb68
Showing
10 changed files
with
710 additions
and
7 deletions.
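--- a/html/cross-origin-opener-policy/reporting-coop-navigated-popup.https.html
+++ b/html/cross-origin-opener-policy/reporting-coop-navigated-popup.https.html
@@ -0,0 +1,109 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy: a navigated popup</title>
+<!-- In particular this is different from coep-navigate-popup.https.html as this document initiates
+the navigation (and uses same-origin-allow-popups and no COEP as without that it cannot be
+observed). COOP should work identically, but implementations might have used the wrong
+authority. -->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<script src="resources/reporting-common.js"></script>
+<script>
+
+promise_test( async t => {
+const popupName = token();
+const noCoopChannelName = token();
+const coopChannelName = token();
+reporting_test( (resolve) => {
+const noCOOP = `resources/coop-coep.py?coop=unsafe-none; report-to="${popupReportEndpoint.name}"&coep=&channel=${noCoopChannelName}`;
+const coop = `resources/coop-coep.py?coop=same-origin; report-to="${redirectReportEndpoint.name}&coep=&channel=${coopChannelName}`;
+
+const popup = window.open(noCOOP, popupName);
+const channel = new BroadcastChannel(coopChannelName);
+// Close the popup once the test is complete.
+// The browsing context is closed after the navigation hence use the broadcast channel
+// to trigger the closure.
+t.add_cleanup(() => {
+channel.postMessage("close");
+});
+popup.onload = t.step_func(() => {
+assert_equals(popup.name, popupName);
+assert_equals(new URL(popup.document.URL).pathname, noCOOP);
+channel.onmessage = t.step_func(event => {
+const payload = event.data;
+// The name should be empty, but we're checking the length rather than a
+// string comparison to "" to keep the random token out of error messages.
+assert_equals(payload.name.length, 0);
+assert_false(payload.opener);
+assert_true(popup.closed);
+resolve();
+});
+popup.location = coop;
+});
+},
+popupName,
+[
+// Reports expected for the navigation from "noCOOP" to "coop"
+{
+"endpoint": popupReportEndpoint,
+"report": {
+"body": {
+"disposition": "enforce",
+"document-uri": RegExp(`coop-coep.py?.*channel=${noCoopChannelName}$`),
+"effective-policy": "unsafe-none",
+"navigation-uri": RegExp(`coop-coep.py?.*channel=${coopChannelName}$`),
+"violation-type": "navigation-from-document"
+},
+"url": RegExp(`coop-coep.py?.*channel=${noCoopChannelName}$`),
+"type": "coop"
+}
+},
+{
+"endpoint": redirectReportEndpoint,
+"report": {
+"body": {
+"disposition": "enforce",
+"document-uri": RegExp(`coop-coep.py?.*channel=${coopChannelName}$`),
+"effective-policy": "same-origin",
+"navigation-uri": RegExp(`coop-coep.py?.*channel=${noCoopChannelName}$`),
+"violation-type": "navigation-to-document"
+},
+"url": RegExp(`coop-coep.py?.*channel=${coopChannelName}$`),
+"type": "coop"
+}
+},
+],
+[
+// no reports expected for the popup's navigation from about:blank to "noCoop"
+{
+"endpoint": reportEndpoint,
+"report": {
+"body": {
+"disposition": "enforce",
+"document-uri": `${location.href}`,
+"effective-policy": "same-origin-allow-popups",
+"navigation-uri": RegExp(`coop-coep.py?.*channel=${noCoopChannelName}$`),
+"violation-type": "navigation-from-document"
+},
+"url": `${location.href}`,
+"type": "coop"
+}
+},
+{
+"endpoint": popupReportEndpoint,
+"report": {
+"body": {
+"disposition": "enforce",
+"document-uri": RegExp(`coop-coep.py?.*channel=${noCoopChannelName}$`),
+"effective-policy": "unsafe-none",
+"navigation-uri": `${location.href}`,
+"violation-type": "navigation-to-document"
+},
+"url": RegExp(`coop-coep.py?.*channel=${noCoopChannelName}$`),
+"type": "coop"
+}
+},
+]);
+}, "Open a popup to a document without COOP, then navigate it to a document with");
+
+</script>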
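Review bot: The `coop` URL template is missing the closing quote after `${redirectReportEndpoint.name}`, so the `report-to` parameter requested for the same-origin document is unterminated, unlike the `noCOOP` line directly above it; it should read `report-to="${redirectReportEndpoint.name}"&coep=&channel=${coopChannelName}`. With the malformed value the `redirectReportEndpoint` report listed as expected may never be delivered, so the test could fail or time out for a reason unrelated to the COOP behaviour it is meant to cover. Separately, `assert_equals(new URL(popup.document.URL).pathname, noCOOP)` compares an absolute path without a query string against a relative URL that carries one, which does not look like it can hold as written; `assert_equals(popup.document.URL, new URL(noCOOP, location.href).href);` would compare like with like. The test title also ends mid-sentence ("... to a document with").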
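--- a/html/cross-origin-opener-policy/reporting-coop-navigated-popup.https.html.sub.headers
+++ b/html/cross-origin-opener-policy/reporting-coop-navigated-popup.https.html.sub.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+report-to: { "group": "coop-report-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/html/cross-origin-opener-policy/resources/report.py?endpoint=coop-report-endpoint" }] }, { "group": "coop-report-only-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/html/cross-origin-opener-policy/resources/report.py?endpoint=coop-report-only-endpoint" }]}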
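--- a/html/cross-origin-opener-policy/reporting-popup-same-origin-report-to.https.html
+++ b/html/cross-origin-opener-policy/reporting-popup-same-origin-report-to.https.html
@@ -0,0 +1,212 @@
+
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<title>reporting same origin with report-to</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/common.js"></script>
+<script src="resources/reporting-common.js"></script>
+
+<div id=log></div>
+<script>
+
+let tests = [
+// popup origin, popup COOP, popup COEP, expected opener, expected reports, unwanted reports
+// Open and navigate a popup to a same-origin page: no browsing context group switch, no report.
+[SAME_ORIGIN, `same-origin; report-to="${popupReportEndpoint.name}"`, "", true, [], [
+{
+"endpoint": reportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": `${location.href}`,
+"effective-policy": "same-origin",
+"navigation-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"violation-type": "navigation-from-document"
+},
+"url": `${location.href}`,
+"type": "coop"
+}
+},
+{
+"endpoint": popupReportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"effective-policy": "same-origin",
+"navigation-uri": `${location.href}`,
+"violation-type": "navigation-to-document"
+},
+"url": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"type": "coop"
+}
+}
+]
+],
+// Cross origin popup, report the browsing context group switch to all required endpoints.
+[CROSS_ORIGIN, `same-origin; report-to="${popupReportEndpoint.name}"`, "", false, [
+{
+"endpoint": reportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": `${location.href}`,
+"effective-policy": "same-origin",
+"navigation-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/, // initial navigation URL
+"violation-type": "navigation-from-document"
+},
+"url": `${location.href}`,
+"type": "coop"
+}
+},
+{
+"endpoint": popupReportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"effective-policy": "same-origin",
+"navigation-uri": `${location.href}`, // referrer
+"violation-type": "navigation-to-document"
+},
+"url": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"type": "coop"
+}
+}
+],
+[]
+],
+// Open and navigate a popup to a same-origin without COOP page: two reports.
+// Verifies that unsafe-none can specify a reporting endpoint.
+[SAME_ORIGIN, `unsafe-none; report-to="${popupReportEndpoint.name}"`, "", false, [
+{
+"endpoint": reportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": `${location.href}`,
+"effective-policy": "same-origin",
+"navigation-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"violation-type": "navigation-from-document"
+},
+"url": `${location.href}`,
+"type": "coop"
+}
+},
+{
+"endpoint": popupReportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"effective-policy": "unsafe-none",
+"navigation-uri": `${location.href}`,
+"violation-type": "navigation-to-document"
+},
+"url": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"type": "coop"
+}
+}
+],
+[]
+],
+// Cross origin popup, report the browsing context group switch to all required endpoints.
+// Verifies that unsafe-none can specify a reporting endpoint.
+[CROSS_ORIGIN, `unsafe-none; report-to="${popupReportEndpoint.name}"`, "", false, [
+{
+"endpoint": reportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": `${location.href}`,
+"effective-policy": "same-origin",
+"navigation-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/, // initial navigation URL
+"violation-type": "navigation-from-document"
+},
+"url": `${location.href}`,
+"type": "coop"
+}
+},
+{
+"endpoint": popupReportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"effective-policy": "unsafe-none",
+"navigation-uri": `${location.href}`, // referrer
+"violation-type": "navigation-to-document"
+},
+"url": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"type": "coop"
+}
+}
+],
+[]
+],
+// Same origin popup, without COOP or reporting, report only sent to opener.
+[SAME_ORIGIN, "unsafe-none", "", false,
+[
+{
+"endpoint": reportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": `${location.href}`,
+"effective-policy": "same-origin",
+"navigation-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"violation-type": "navigation-from-document"
+},
+"url": `${location.href}`,
+"type": "coop"
+}
+}
+],
+[
+{
+"endpoint": popupReportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"effective-policy": "unsafe-none",
+"navigation-uri": `${location.href}`,
+"violation-type": "navigation-to-document"
+},
+"url": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"type": "coop"
+}
+}
+]
+],
+// Cross origin popup, without COOP or reporting, report only sent to opener.
+[CROSS_ORIGIN, "unsafe-none", "", false,
+[
+{
+"endpoint": reportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": `${location.href}`,
+"effective-policy": "same-origin",
+"navigation-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"violation-type": "navigation-from-document"
+},
+"url": `${location.href}`,
+"type": "coop"
+}
+}
+],
+[
+{
+"endpoint": popupReportEndpoint, "report": {
+"body": {
+"disposition": "enforce",
+"document-uri": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"effective-policy": "unsafe-none",
+"navigation-uri": `${location.href}`,
+"violation-type": "navigation-to-document"
+},
+"url": /coop-coep.py?.*channel=CHANNEL_NAME$/,
+"type": "coop"
+}
+}
+]
+],
+];
+
+run_coop_reporting_test(document.title, tests);
+
+</script>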
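Review bot: The URL matchers such as `/coop-coep.py?.*channel=CHANNEL_NAME$/` leave `.` and `?` unescaped, so `y?` makes the `y` optional instead of matching the literal `?`, and the pattern accepts more URLs than the one the test opens; `/coop-coep\.py\?.*channel=CHANNEL_NAME$/` pins the intended path and query separator. This applies to every matcher in the `tests` table, and the `RegExp(...)` templates in reporting-coop-navigated-popup.https.html have the same looseness. `CHANNEL_NAME` is presumably substituted by `run_coop_reporting_test` in resources/reporting-common.js, which is not visible in this section; a one-line comment above `let tests` such as `// CHANNEL_NAME is a placeholder replaced with the per-test channel name by the harness` would make that dependency explicit.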
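--- a/html/cross-origin-opener-policy/reporting-popup-same-origin-report-to.https.html.sub.headers
+++ b/html/cross-origin-opener-policy/reporting-popup-same-origin-report-to.https.html.sub.headers
@@ -0,0 +1,2 @@
+report-to: { "group": "coop-report-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/html/cross-origin-opener-policy/resources/report.py?endpoint=coop-report-endpoint" }] }, { "group": "coop-report-only-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/html/cross-origin-opener-policy/resources/report.py?endpoint=coop-report-only-endpoint" }]}
+Cross-Origin-Opener-Policy: same-origin; report-to="coop-report-endpoint"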