Implement experimental allow="private-token" permissions policy

https://bugs.webkit.org/show_bug.cgi?id=266549 rdar://107854094 Reviewed by Youenn Fablet. This patch implements a new experimental permissions policy that provides third-party contexts with access to using Private Tokens, as described in the explainer [0]. If a third-party context is not granted the permission, then it is not allowed to interact in the specified HTTP Authorization [1] flow. If the context is given permission, then that interaction happens at a lower layer than WebKit on Cocoa platforms. [0] https://github.com/WebKit/explainers/tree/main/ThirdPartyPrivateTokens [1] https://datatracker.ietf.org/doc/draft-ietf-privacypass-auth-scheme/ * Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml: * Source/WTF/wtf/PlatformHave.h: * Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h: * Source/WebCore/html/FeaturePolicy.cpp: (WebCore::policyTypeName): (WebCore::FeaturePolicy::parse): (WebCore::FeaturePolicy::allows const): * Source/WebCore/html/FeaturePolicy.h: * Source/WebCore/loader/FrameLoader.cpp: (WebCore::FrameLoader::updateRequestAndAddExtraFields): * Source/WebCore/platform/network/ResourceRequestBase.cpp: (WebCore::ResourceRequestBase::setAsIsolatedCopy): (WebCore::ResourceRequestBase::setIsPrivateTokenUsageByThirdPartyAllowed): * Source/WebCore/platform/network/ResourceRequestBase.h: (WebCore::ResourceRequestBase::RequestData::RequestData): (WebCore::ResourceRequestBase::isPrivateTokenUsageByThirdPartyAllowed const): * Source/WebCore/platform/network/cf/ResourceRequest.h: * Source/WebCore/platform/network/cocoa/ResourceRequestCocoa.mm: (WebCore::ResourceRequest::ResourceRequest): (WebCore::ResourceRequest::getResourceRequestPlatformData const): * Source/WebKit/NetworkProcess/NetworkProcess.cpp: (WebKit::NetworkProcess::setShouldSendPrivateTokenIPCForTesting const): * Source/WebKit/NetworkProcess/NetworkProcess.h: * Source/WebKit/NetworkProcess/NetworkProcess.messages.in: * Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp: (WebKit::NetworkResourceLoader::startNetworkLoad): * Source/WebKit/NetworkProcess/NetworkSession.cpp: (WebKit::NetworkSession::setShouldSendPrivateTokenIPCForTesting): * Source/WebKit/NetworkProcess/NetworkSession.h: (WebKit::NetworkSession::shouldSendPrivateTokenIPCForTesting const): * Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h: * Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.serialization.in: * Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm: (WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa): * Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.serialization.in: * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in: * Source/WebKit/UIProcess/API/Cocoa/WKWebsiteDataStore.mm: (-[WKWebsiteDataStore _setPrivateTokenIPCForTesting:]): * Source/WebKit/UIProcess/API/Cocoa/WKWebsiteDataStorePrivate.h: * Source/WebKit/UIProcess/API/Cocoa/_WKWebsiteDataStoreDelegate.h: * Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp: (WebKit::NetworkProcessProxy::didAllowPrivateTokenUsageByThirdPartyForTesting): * Source/WebKit/UIProcess/Network/NetworkProcessProxy.h: * Source/WebKit/UIProcess/Network/NetworkProcessProxy.messages.in: * Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp: (WebKit::WebsiteDataStore::didAllowPrivateTokenUsageByThirdPartyForTesting): (WebKit::WebsiteDataStore::setPrivateTokenIPCForTesting): * Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.h: * Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreClient.h: (WebKit::WebsiteDataStoreClient::didAllowPrivateTokenUsageByThirdPartyForTesting): * Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm: (-[NavigationDelegate websiteDataStore:didAllowPrivateTokenUsageByThirdPartyForTesting:forResourceURL:]): (setupWebViewForPrivateTokenTests): (TEST): Canonical link: https://commits.webkit.org/273360@main
WebKit · Jan 23, 2024 · 2887eed · 2887eed
1 parent 05bdebf
commit 2887eed
Show file tree

Hide file tree

Showing 31 changed files with 561 additions and 3 deletions.
diff --git a/Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml b/Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
@@ -5272,6 +5272,20 @@ PrivateClickMeasurementFraudPreventionEnabled:
       "HAVE(RSA_BSSA)": true
       default: false
 
+PrivateTokenUsageByThirdPartyEnabled:
+  type: bool
+  status: stable
+  category: privacy
+  humanReadableName: "Private Token usage by third party"
+  humanReadableDescription: "Enable private token usage by third party"
+  defaultValue:
+    WebKitLegacy:
+      default: false
+    WebKit:
+      default: true
+    WebCore:
+      default: true
+
 ProcessSwapOnCrossSiteNavigationEnabled:
   type: bool
   status: stable

diff --git a/Source/WTF/wtf/PlatformHave.h b/Source/WTF/wtf/PlatformHave.h
@@ -758,6 +758,15 @@
 #define HAVE_PRIVACY_PROXY_FAIL_CLOSED_FOR_UNREACHABLE_HOSTS 1
 #endif
 
+#if !defined(HAVE_ALLOW_PRIVATE_ACCESS_TOKENS_FOR_THIRD_PARTY) \
+    && ((PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 140000) \
+    || ((PLATFORM(IOS) || PLATFORM(MACCATALYST)) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 170000) \
+    || PLATFORM(VISION) \
+    || (PLATFORM(WATCHOS) && __WATCH_OS_VERSION_MIN_REQUIRED >= 100000) \
+    || (PLATFORM(APPLETV) && __TV_OS_VERSION_MIN_REQUIRED >= 170000))
+#define HAVE_ALLOW_PRIVATE_ACCESS_TOKENS_FOR_THIRD_PARTY 1
+#endif
+
 #if !defined(HAVE_UI_TEXT_SELECTION_DISPLAY_INTERACTION) \
     && (((PLATFORM(IOS) || PLATFORM(MACCATALYST)) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 170000) \
     || PLATFORM(VISION))

diff --git a/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h b/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h
@@ -230,6 +230,9 @@ typedef enum {
 @property (setter=_setUseEnhancedPrivacyMode:) BOOL _useEnhancedPrivacyMode;
 @property (setter=_setBlockTrackers:) BOOL _blockTrackers;
 #endif
+#if HAVE(ALLOW_PRIVATE_ACCESS_TOKENS_FOR_THIRD_PARTY)
+@property (setter=_setAllowPrivateAccessTokensForThirdParty:) BOOL _allowPrivateAccessTokensForThirdParty;
+#endif
 @end
 
 @interface NSURLProtocol ()

diff --git a/Source/WebCore/html/FeaturePolicy.cpp b/Source/WebCore/html/FeaturePolicy.cpp
@@ -80,6 +80,8 @@ static const char* policyTypeName(FeaturePolicy::Type type)
     case FeaturePolicy::Type::XRSpatialTracking:
         return "XRSpatialTracking";
 #endif
+    case FeaturePolicy::Type::PrivateToken:
+        return "PrivateToken";
     }
     ASSERT_NOT_REACHED();
     return "";
@@ -219,6 +221,7 @@ FeaturePolicy FeaturePolicy::parse(Document& document, const HTMLIFrameElement&
 #if ENABLE(WEBXR)
     bool isXRSpatialTrackingInitialized = false;
 #endif
+    bool isPrivateTokenInitialized = false;
     for (auto allowItem : allowAttributeValue.split(';')) {
         auto item = allowItem.trim(isASCIIWhitespace<UChar>);
         if (item.startsWith("camera"_s)) {
@@ -307,6 +310,12 @@ FeaturePolicy FeaturePolicy::parse(Document& document, const HTMLIFrameElement&
             continue;
         }
 #endif
+        constexpr auto privateTokenToken { "private-token"_s };
+        if (item.startsWith(privateTokenToken)) {
+            isPrivateTokenInitialized = true;
+            updateList(document, iframe, policy.m_privateTokenRule, item.substring(privateTokenToken.length()));
+            continue;
+        }
     }
 
     // By default, camera, microphone, speaker-selection, display-capture, fullscreen, xr-spatial-tracking, screen-wake-lock, and web-share policy is 'self'.
@@ -344,6 +353,8 @@ FeaturePolicy FeaturePolicy::parse(Document& document, const HTMLIFrameElement&
     if (!isXRSpatialTrackingInitialized)
         policy.m_xrSpatialTrackingRule.allowedList.add(document.securityOrigin().data());
 #endif
+    if (!isPrivateTokenInitialized)
+        policy.m_privateTokenRule.allowedList.add(document.securityOrigin().data());
 
     // https://w3c.github.io/webappsec-feature-policy/#process-feature-policy-attributes
     // 9.5 Process Feature Policy Attributes
@@ -407,6 +418,8 @@ bool FeaturePolicy::allows(Type type, const SecurityOriginData& origin) const
     case Type::XRSpatialTracking:
         return isAllowedByFeaturePolicy(m_xrSpatialTrackingRule, origin);
 #endif
+    case Type::PrivateToken:
+        return isAllowedByFeaturePolicy(m_privateTokenRule, origin);
     }
     ASSERT_NOT_REACHED();
     return false;

diff --git a/Source/WebCore/html/FeaturePolicy.h b/Source/WebCore/html/FeaturePolicy.h
@@ -61,6 +61,7 @@ class FeaturePolicy {
 #if ENABLE(WEBXR)
         XRSpatialTracking,
 #endif
+        PrivateToken,
     };
     bool allows(Type, const SecurityOriginData&) const;
 
@@ -94,6 +95,7 @@ class FeaturePolicy {
 #if ENABLE(WEBXR)
     AllowRule m_xrSpatialTrackingRule;
 #endif
+    AllowRule m_privateTokenRule;
 };
 
 enum class LogFeaturePolicyFailure : bool { No, Yes };

diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
@@ -63,6 +63,7 @@
 #include "Event.h"
 #include "EventHandler.h"
 #include "EventNames.h"
+#include "FeaturePolicy.h"
 #include "FloatRect.h"
 #include "FormState.h"
 #include "FormSubmission.h"
@@ -3199,6 +3200,9 @@ void FrameLoader::updateRequestAndAddExtraFields(ResourceRequest& request, IsMai
     if (isMainResource)
         request.setHTTPHeaderField(HTTPHeaderName::Accept, CachedResourceRequest::acceptHeaderValueFromType(CachedResource::Type::MainResource));
 
+    if (RefPtr document = m_frame->document(); document && frame().settings().privateTokenUsageByThirdPartyEnabled() && !frame().loader().client().isRemoteWorkerFrameLoaderClient())
+        request.setIsPrivateTokenUsageByThirdPartyAllowed(isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::PrivateToken, *document, LogFeaturePolicyFailure::No));
+
     // Only set fallback array if it's still empty (later attempts may be incorrect, see bug 117818).
     if (request.responseContentDispositionEncodingFallbackArray().isEmpty()) {
         // Always try UTF-8. If that fails, try frame encoding (if any) and then the default.

diff --git a/Source/WebCore/platform/network/ResourceRequestBase.cpp b/Source/WebCore/platform/network/ResourceRequestBase.cpp
@@ -100,6 +100,7 @@ void ResourceRequestBase::setAsIsolatedCopy(const ResourceRequest& other)
     setPrivacyProxyFailClosedForUnreachableNonMainHosts(other.privacyProxyFailClosedForUnreachableNonMainHosts());
     setUseAdvancedPrivacyProtections(other.useAdvancedPrivacyProtections());
     setDidFilterLinkDecoration(other.didFilterLinkDecoration());
+    setIsPrivateTokenUsageByThirdPartyAllowed(other.isPrivateTokenUsageByThirdPartyAllowed());
 }
 
 bool ResourceRequestBase::isEmpty() const
@@ -672,6 +673,11 @@ void ResourceRequestBase::setDidFilterLinkDecoration(bool didFilterLinkDecoratio
     m_requestData.m_didFilterLinkDecoration = didFilterLinkDecoration;
 }
 
+void ResourceRequestBase::setIsPrivateTokenUsageByThirdPartyAllowed(bool isPrivateTokenUsageByThirdPartyAllowed)
+{
+    m_requestData.m_isPrivateTokenUsageByThirdPartyAllowed = isPrivateTokenUsageByThirdPartyAllowed;
+}
+
 bool equalIgnoringHeaderFields(const ResourceRequestBase& a, const ResourceRequestBase& b)
 {
     if (a.url() != b.url())

diff --git a/Source/WebCore/platform/network/ResourceRequestBase.h b/Source/WebCore/platform/network/ResourceRequestBase.h
@@ -66,7 +66,7 @@ class ResourceRequestBase {
     struct RequestData {
         RequestData() { }
 
-        RequestData(const URL& url, const URL& firstPartyForCookies, double timeoutInterval, const String& httpMethod, const HTTPHeaderMap& httpHeaderFields, const Vector<String>& responseContentDispositionEncodingFallbackArray, const ResourceRequestCachePolicy& cachePolicy, const SameSiteDisposition& sameSiteDisposition, const ResourceLoadPriority& priority, const ResourceRequestRequester& requester, bool allowCookies, bool isTopSite, bool isAppInitiated = true, bool privacyProxyFailClosedForUnreachableNonMainHosts = false, bool useAdvancedPrivacyProtections = false, bool didFilterLinkDecoration = false)
+        RequestData(const URL& url, const URL& firstPartyForCookies, double timeoutInterval, const String& httpMethod, const HTTPHeaderMap& httpHeaderFields, const Vector<String>& responseContentDispositionEncodingFallbackArray, const ResourceRequestCachePolicy& cachePolicy, const SameSiteDisposition& sameSiteDisposition, const ResourceLoadPriority& priority, const ResourceRequestRequester& requester, bool allowCookies, bool isTopSite, bool isAppInitiated = true, bool privacyProxyFailClosedForUnreachableNonMainHosts = false, bool useAdvancedPrivacyProtections = false, bool didFilterLinkDecoration = false, bool isPrivateTokenUsageByThirdPartyAllowed = false)
             : m_url(url)
             , m_firstPartyForCookies(firstPartyForCookies)
             , m_timeoutInterval(timeoutInterval)
@@ -83,6 +83,7 @@ class ResourceRequestBase {
             , m_privacyProxyFailClosedForUnreachableNonMainHosts(privacyProxyFailClosedForUnreachableNonMainHosts)
             , m_useAdvancedPrivacyProtections(useAdvancedPrivacyProtections)
             , m_didFilterLinkDecoration(didFilterLinkDecoration)
+            , m_isPrivateTokenUsageByThirdPartyAllowed(isPrivateTokenUsageByThirdPartyAllowed)
         {
         }
 
@@ -108,6 +109,7 @@ class ResourceRequestBase {
         bool m_privacyProxyFailClosedForUnreachableNonMainHosts : 1 { false };
         bool m_useAdvancedPrivacyProtections : 1 { false };
         bool m_didFilterLinkDecoration : 1 { false };
+        bool m_isPrivateTokenUsageByThirdPartyAllowed : 1 { false };
     };
 
     ResourceRequestBase(RequestData&& requestData)
@@ -271,6 +273,9 @@ class ResourceRequestBase {
     bool didFilterLinkDecoration() const { return m_requestData.m_didFilterLinkDecoration; }
     WEBCORE_EXPORT void setDidFilterLinkDecoration(bool);
 
+    bool isPrivateTokenUsageByThirdPartyAllowed() const { return m_requestData.m_isPrivateTokenUsageByThirdPartyAllowed; }
+    void setIsPrivateTokenUsageByThirdPartyAllowed(bool);
+
 protected:
     // Used when ResourceRequest is initialized from a platform representation of the request
     ResourceRequestBase()

diff --git a/Source/WebCore/platform/network/cf/ResourceRequest.h b/Source/WebCore/platform/network/cf/ResourceRequest.h
@@ -44,6 +44,7 @@ struct ResourceRequestPlatformData {
     bool m_privacyProxyFailClosedForUnreachableNonMainHosts { false };
     bool m_useAdvancedPrivacyProtections { false };
     bool m_didFilterLinkDecoration { false };
+    bool m_isPrivateTokenUsageByThirdPartyAllowed { false };
 };
 
 using ResourceRequestData = std::variant<ResourceRequestBase::RequestData, ResourceRequestPlatformData>;

diff --git a/Source/WebCore/platform/network/cocoa/ResourceRequestCocoa.mm b/Source/WebCore/platform/network/cocoa/ResourceRequestCocoa.mm
@@ -69,6 +69,7 @@
         setPrivacyProxyFailClosedForUnreachableNonMainHosts(platformData.m_privacyProxyFailClosedForUnreachableNonMainHosts);
         setUseAdvancedPrivacyProtections(platformData.m_useAdvancedPrivacyProtections);
         setDidFilterLinkDecoration(platformData.m_didFilterLinkDecoration);
+        setIsPrivateTokenUsageByThirdPartyAllowed(platformData.m_isPrivateTokenUsageByThirdPartyAllowed);
     }
 
     setCachePartition(cachePartition);
@@ -127,6 +128,7 @@
         privacyProxyFailClosedForUnreachableNonMainHosts(),
         useAdvancedPrivacyProtections(),
         didFilterLinkDecoration(),
+        isPrivateTokenUsageByThirdPartyAllowed(),
     };
 }
 

diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.cpp b/Source/WebKit/NetworkProcess/NetworkProcess.cpp
@@ -1479,6 +1479,12 @@ void NetworkProcess::setBlobRegistryTopOriginPartitioningEnabled(PAL::SessionID
         session->setBlobRegistryTopOriginPartitioningEnabled(enabled);
 }
 
+void NetworkProcess::setShouldSendPrivateTokenIPCForTesting(PAL::SessionID sessionID, bool enabled) const
+{
+    if (auto* session = networkSession(sessionID))
+        session->setShouldSendPrivateTokenIPCForTesting(enabled);
+}
+
 void NetworkProcess::preconnectTo(PAL::SessionID sessionID, WebPageProxyIdentifier webPageProxyID, WebCore::PageIdentifier webPageID, WebCore::ResourceRequest&& request, WebCore::StoredCredentialsPolicy storedCredentialsPolicy, std::optional<NavigatingToAppBoundDomain> isNavigatingToAppBoundDomain)
 {
     auto url = request.url();

diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.h b/Source/WebKit/NetworkProcess/NetworkProcess.h
@@ -295,6 +295,7 @@ class NetworkProcess : public AuxiliaryProcess, private DownloadManager::Client,
     void setPrivateClickMeasurementDebugMode(PAL::SessionID, bool);
 
     void setBlobRegistryTopOriginPartitioningEnabled(PAL::SessionID, bool) const;
+    void setShouldSendPrivateTokenIPCForTesting(PAL::SessionID, bool) const;
 
     void preconnectTo(PAL::SessionID, WebPageProxyIdentifier, WebCore::PageIdentifier, WebCore::ResourceRequest&&, WebCore::StoredCredentialsPolicy, std::optional<NavigatingToAppBoundDomain>);
 

diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.messages.in b/Source/WebKit/NetworkProcess/NetworkProcess.messages.in
@@ -155,6 +155,7 @@ messages -> NetworkProcess LegacyReceiver {
     SetPrivateClickMeasurementDebugMode(PAL::SessionID sessionID, bool debugMode)
 
     SetBlobRegistryTopOriginPartitioningEnabled(PAL::SessionID sessionID, bool enabled)
+    SetShouldSendPrivateTokenIPCForTesting(PAL::SessionID sessionID, bool enabled)
 
     SetSessionIsControlledByAutomation(PAL::SessionID sessionID, bool controlled);
 

diff --git a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
@@ -385,6 +385,9 @@ void NetworkResourceLoader::startNetworkLoad(ResourceRequest&& request, FirstLoa
         m_connection->networkProcess().parentProcessConnection()->send(Messages::NetworkProcessProxy::ResourceLoadDidSendRequest(m_parameters.webPageProxyID, resourceLoadInfo(), request, httpBody), 0);
     }
 
+    if (networkSession->shouldSendPrivateTokenIPCForTesting())
+        m_connection->networkProcess().parentProcessConnection()->send(Messages::NetworkProcessProxy::DidAllowPrivateTokenUsageByThirdPartyForTesting(sessionID(), request.isPrivateTokenUsageByThirdPartyAllowed(), request.url()), 0);
+
     parameters.request = WTFMove(request);
     parameters.isNavigatingToAppBoundDomain = m_parameters.isNavigatingToAppBoundDomain;
     m_networkLoad = makeUnique<NetworkLoad>(*this, WTFMove(parameters), *networkSession);

diff --git a/Source/WebKit/NetworkProcess/NetworkSession.cpp b/Source/WebKit/NetworkProcess/NetworkSession.cpp
@@ -175,6 +175,7 @@ NetworkSession::NetworkSession(NetworkProcess& networkProcess, const NetworkSess
     setTrackingPreventionEnabled(parameters.resourceLoadStatisticsParameters.enabled);
 
     setBlobRegistryTopOriginPartitioningEnabled(parameters.isBlobRegistryTopOriginPartitioningEnabled);
+    setShouldSendPrivateTokenIPCForTesting(parameters.shouldSendPrivateTokenIPCForTesting);
 
     SandboxExtension::consumePermanently(parameters.serviceWorkerRegistrationDirectoryExtensionHandle);
     m_serviceWorkerInfo = ServiceWorkerInfo {
@@ -493,6 +494,11 @@ void NetworkSession::setBlobRegistryTopOriginPartitioningEnabled(bool enabled)
     m_blobRegistry.setPartitioningEnabled(enabled);
 }
 
+void NetworkSession::setShouldSendPrivateTokenIPCForTesting(bool enabled)
+{
+    m_shouldSendPrivateTokenIPCForTesting = enabled;
+}
+
 void NetworkSession::allowTLSCertificateChainForLocalPCMTesting(const WebCore::CertificateInfo& certificateInfo)
 {
     privateClickMeasurement().allowTLSCertificateChainForLocalPCMTesting(certificateInfo);

diff --git a/Source/WebKit/NetworkProcess/NetworkSession.h b/Source/WebKit/NetworkProcess/NetworkSession.h
@@ -233,6 +233,8 @@ class NetworkSession : public WebCore::SWServerDelegate, public CanMakeCheckedPt
     bool privateClickMeasurementDebugModeEnabled() const { return m_privateClickMeasurementDebugModeEnabled; }
 
     void setBlobRegistryTopOriginPartitioningEnabled(bool);
+    void setShouldSendPrivateTokenIPCForTesting(bool);
+    bool shouldSendPrivateTokenIPCForTesting() const { return m_shouldSendPrivateTokenIPCForTesting; }
 
 #if PLATFORM(COCOA)
     AppPrivacyReportTestingData& appPrivacyReportTestingData() { return m_appPrivacyReportTestingData; }
@@ -334,6 +336,7 @@ class NetworkSession : public WebCore::SWServerDelegate, public CanMakeCheckedPt
     unsigned m_testSpeedMultiplier { 1 };
     bool m_allowsServerPreconnect { true };
     bool m_shouldRunServiceWorkersOnMainThreadForTesting { false };
+    bool m_shouldSendPrivateTokenIPCForTesting { false };
     std::optional<unsigned> m_overrideServiceWorkerRegistrationCountTestingValue;
     HashSet<std::unique_ptr<ServiceWorkerSoftUpdateLoader>> m_softUpdateLoaders;
     HashMap<WebCore::FetchIdentifier, WeakRef<ServiceWorkerFetchTask>> m_navigationPreloaders;

diff --git a/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h b/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h
@@ -110,6 +110,7 @@ struct NetworkSessionCreationParameters {
     String webPushPartitionString;
     bool enablePrivateClickMeasurementDebugMode { false };
     bool isBlobRegistryTopOriginPartitioningEnabled { false };
+    bool shouldSendPrivateTokenIPCForTesting { false };
 
     UnifiedOriginStorageLevel unifiedOriginStorageLevel { UnifiedOriginStorageLevel::Standard };
     uint64_t perOriginStorageQuota;

diff --git a/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.serialization.in b/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.serialization.in
@@ -77,6 +77,7 @@
     String webPushPartitionString;
     bool enablePrivateClickMeasurementDebugMode;
     bool isBlobRegistryTopOriginPartitioningEnabled;
+    bool shouldSendPrivateTokenIPCForTesting;
 
     WebKit::UnifiedOriginStorageLevel unifiedOriginStorageLevel;
     uint64_t perOriginStorageQuota;

diff --git a/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm b/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
@@ -253,6 +253,11 @@ static float toNSURLSessionTaskPriority(WebCore::ResourceLoadPriority priority)
     if ([mutableRequest respondsToSelector:@selector(_setWebSearchContent:)] && advancedPrivacyProtections.contains(WebCore::AdvancedPrivacyProtections::WebSearchContent))
         [mutableRequest _setWebSearchContent:YES];
 
+#if HAVE(ALLOW_PRIVATE_ACCESS_TOKENS_FOR_THIRD_PARTY)
+    if ([mutableRequest respondsToSelector:@selector(_setAllowPrivateAccessTokensForThirdParty:)] && parameters.request.isPrivateTokenUsageByThirdPartyAllowed())
+        [mutableRequest _setAllowPrivateAccessTokensForThirdParty:YES];
+#endif
+
 #if ENABLE(APP_PRIVACY_REPORT)
     mutableRequest.get().attribution = request.isAppInitiated() ? NSURLRequestAttributionDeveloper : NSURLRequestAttributionUser;
 #endif

diff --git a/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.serialization.in b/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.serialization.in
@@ -47,6 +47,7 @@ header: <WebCore/ResourceRequest.h>
     bool m_privacyProxyFailClosedForUnreachableNonMainHosts;
     bool m_useAdvancedPrivacyProtections;
     bool m_didFilterLinkDecoration;
+    bool m_isPrivateTokenUsageByThirdPartyAllowed;
 };
 
 [Nested] struct WebCore::AttributedString::ParagraphStyleWithTableAndListIDs {

diff --git a/Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in b/Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
@@ -1870,6 +1870,7 @@ header: <WebCore/ResourceRequest.h>
     [BitField] bool m_privacyProxyFailClosedForUnreachableNonMainHosts;
     [BitField] bool m_useAdvancedPrivacyProtections;
     [BitField] bool m_didFilterLinkDecoration;
+    [BitField] bool m_isPrivateTokenUsageByThirdPartyAllowed;
 };
 
 #if USE(SOUP)

diff --git a/Source/WebKit/UIProcess/API/Cocoa/WKWebsiteDataStore.mm b/Source/WebKit/UIProcess/API/Cocoa/WKWebsiteDataStore.mm
@@ -79,6 +79,7 @@
         , m_hasRequestBackgroundFetchPermissionSelector([m_delegate.get() respondsToSelector:@selector(requestBackgroundFetchPermission:frameOrigin:decisionHandler:)])
         , m_hasNotifyBackgroundFetchChangeSelector([m_delegate.get() respondsToSelector:@selector(notifyBackgroundFetchChange:change:)])
         , m_hasWindowProxyPropertyAccessSelector([m_delegate.get() respondsToSelector:@selector(websiteDataStore:domain:didOpenDomainViaWindowOpen:withProperty:directly:)])
+        , m_hasDidAllowPrivateTokenUsageByThirdPartyForTestingSelector([m_delegate.get() respondsToSelector:@selector(websiteDataStore:didAllowPrivateTokenUsageByThirdPartyForTesting:forResourceURL:)])
     {
     }
 
@@ -290,6 +291,14 @@ void didAccessWindowProxyProperty(const WebCore::RegistrableDomain& parentDomain
         [m_delegate.getAutoreleased() websiteDataStore:m_dataStore.getAutoreleased() domain:parentDomain.string() didOpenDomainViaWindowOpen:childDomain.string() withProperty:windowProxyProperty directly:directlyAccessedProperty];
     }
 
+    void didAllowPrivateTokenUsageByThirdPartyForTesting(bool wasAllowed, WTF::URL&& resourceURL) final
+    {
+        if (!m_hasDidAllowPrivateTokenUsageByThirdPartyForTestingSelector)
+            return;
+
+        [m_delegate.getAutoreleased() websiteDataStore:m_dataStore.getAutoreleased() didAllowPrivateTokenUsageByThirdPartyForTesting:wasAllowed forResourceURL:resourceURL];
+    }
+
     WeakObjCPtr<WKWebsiteDataStore> m_dataStore;
     WeakObjCPtr<id <_WKWebsiteDataStoreDelegate> > m_delegate;
     bool m_hasRequestStorageSpaceSelector { false };
@@ -303,6 +312,7 @@ void didAccessWindowProxyProperty(const WebCore::RegistrableDomain& parentDomain
     bool m_hasRequestBackgroundFetchPermissionSelector { false };
     bool m_hasNotifyBackgroundFetchChangeSelector { false };
     bool m_hasWindowProxyPropertyAccessSelector { false };
+    bool m_hasDidAllowPrivateTokenUsageByThirdPartyForTestingSelector { false };
 };
 
 @implementation WKWebsiteDataStore {
@@ -874,6 +884,11 @@ - (void)_setUserAgentStringQuirkForTesting:(NSString *)domain withUserAgent:(NSS
     });
 }
 
+- (void)_setPrivateTokenIPCForTesting:(bool)enabled
+{
+    _websiteDataStore->setPrivateTokenIPCForTesting(enabled);
+}
+
 - (id <_WKWebsiteDataStoreDelegate>)_delegate
 {
     return _delegate.get().get();

diff --git a/Source/WebKit/UIProcess/API/Cocoa/WKWebsiteDataStorePrivate.h b/Source/WebKit/UIProcess/API/Cocoa/WKWebsiteDataStorePrivate.h
@@ -96,7 +96,7 @@ typedef NS_OPTIONS(NSUInteger, _WKWebsiteDataStoreFetchOptions) {
 
 - (BOOL)_networkProcessHasEntitlementForTesting:(NSString *)entitlement WK_API_AVAILABLE(macos(12.0), ios(15.0));
 - (void)_setUserAgentStringQuirkForTesting:(NSString *)domain withUserAgent:(NSString *)userAgent completionHandler:(void (^)(void))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
-
+- (void)_setPrivateTokenIPCForTesting:(bool)enabled WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 
 @property (nullable, nonatomic, weak) id <_WKWebsiteDataStoreDelegate> _delegate WK_API_AVAILABLE(macos(10.15), ios(13.0));
 @property (nonatomic, readonly, copy) _WKWebsiteDataStoreConfiguration *_configuration;