ampproject · alabiaga · Jun 28, 2019 · Jun 26, 2019 · Jun 27, 2019 · Jun 27, 2019
diff --git a/src/config.js b/src/config.js
@@ -33,7 +33,7 @@ const cdnProxyRegex =
     ? new RegExp(env['cdnProxyRegex'])
     : env['cdnProxyRegex'];
 
-/** @type {!Object<string, string|boolean|RegExp>} */
+/** @type {!Object<string, string|boolean|RegExp|Array<RegExp>>} */
 export const urls = {
   thirdParty: env['thirdPartyUrl'] || 'https://3p.ampproject.net',
   thirdPartyFrameHost: env['thirdPartyFrameHost'] || 'ampproject.net',
@@ -48,6 +48,19 @@ export const urls = {
   errorReporting:
     env['errorReportingUrl'] || 'https://amp-error-reporting.appspot.com/r',
   localDev: env['localDev'] || false,
+  /**
+   * These domains are trusted with more sensitive viewer operations such as
+   * propagating the referrer. If you believe your domain should be here,
+   * file the issue on GitHub to discuss. The process will be similar
+   * (but somewhat more stringent) to the one described in the [3p/README.md](
+   * https://github.com/ampproject/amphtml/blob/master/3p/README.md)
+   *
+   * {!Array<!RegExp>}
+   */
+  trustedViewerHosts: [
+    /(^|\.)google\.(com?|[a-z]{2}|com?\.[a-z]{2}|cat)$/,
+    /(^|\.)gmail\.dev$/,
+  ],
 };
 
 export const config = {

diff --git a/src/service/viewer-impl.js b/src/service/viewer-impl.js
@@ -33,6 +33,7 @@ import {map} from '../utils/object';
 import {registerServiceBuilderForDoc} from '../service';
 import {reportError} from '../error';
 import {startsWith} from '../string';
+import {urls} from '../config';
 
 const TAG_ = 'Viewer';
 const SENTINEL_ = '__AMP__';
@@ -57,34 +58,6 @@ const VIEWER_ORIGIN_TIMEOUT_ = 1000;
  */
 const TRIM_ORIGIN_PATTERN_ = /^(https?:\/\/)((www[0-9]*|web|ftp|wap|home|mobile|amp|m)\.)+/i;
 
-/**
- * These domains are trusted with more sensitive viewer operations such as
- * propagating the referrer. If you believe your domain should be here,
- * file the issue on GitHub to discuss. The process will be similar
- * (but somewhat more stringent) to the one described in the [3p/README.md](
- * https://github.com/ampproject/amphtml/blob/master/3p/README.md)
- *
- * @export {!Array<!RegExp>}
- */
-const TRUSTED_VIEWER_HOSTS = [
-  /**
-   * Google domains, including country-codes and subdomains:
-   * - google.com
-   * - www.google.com
-   * - google.co
-   * - www.google.co
-   * - google.az
-   * - www.google.az
-   * - google.com.az
-   * - www.google.com.az
-   * - google.co.az
-   * - www.google.co.az
-   * - google.cat
-   * - www.google.cat
-   */
-  /(^|\.)google\.(com?|[a-z]{2}|com?\.[a-z]{2}|cat)$/,
-];
-
 /**
  * @typedef {function(!JsonObject):(!Promise|undefined)}
  */
@@ -847,7 +820,7 @@ export class Viewer {
       // Non-https origins are never trusted.
       return false;
     }
-    return TRUSTED_VIEWER_HOSTS.some(th => th.test(url.hostname));
+    return urls.trustedViewerHosts.some(th => th.test(url.hostname));
   }
 
   /**

diff --git a/src/utils/xhr-utils.js b/src/utils/xhr-utils.js
@@ -27,6 +27,7 @@ import {
 } from '../url';
 import {getMode} from '../mode';
 import {isArray, isObject} from '../types';
+import {isExperimentOn} from '../experiments';
 import {isFormDataWrapper} from '../form-data-wrapper';
 
 /** @private @const {!Array<string>} */
@@ -217,7 +218,13 @@ export function getViewerInterceptResponse(win, ampdocSingle, input, init) {
       return viewer.isTrustedViewer();
     })
     .then(viewerTrusted => {
-      if (!viewerTrusted && !getMode(win).localDev) {
+      if (
+        !(
+          viewerTrusted ||
+          getMode(win).localDev ||
+          isExperimentOn(win, 'untrusted-xhr-interception')
+        )
+      ) {
         return;
       }
       const messagePayload = dict({

diff --git a/test/unit/test-viewer.js b/test/unit/test-viewer.js
@@ -1062,6 +1062,14 @@ describe('Viewer', () => {
       });
     });
 
+    it('should consider trusted by ancestor', () => {
+      windowApi.parent = {};
+      windowApi.location.ancestorOrigins = ['https://gmail.dev'];
+      return new Viewer(ampdoc).isTrustedViewer().then(res => {
+        expect(res).to.be.true;
+      });
+    });
+
     it('should consider non-trusted without ancestor', () => {
       windowApi.parent = {};
       windowApi.location.ancestorOrigins = [];

diff --git a/test/unit/test-xhr.js b/test/unit/test-xhr.js
@@ -20,6 +20,7 @@ import {assertSuccess} from '../../src/utils/xhr-utils';
 import {createFormDataWrapper} from '../../src/form-data-wrapper';
 import {fetchPolyfill} from '../../src/polyfills/fetch';
 import {getCookie} from '../../src/cookies';
+import {toggleExperiment} from '../../src/experiments';
 import {user} from '../../src/log';
 import {utf8FromArrayBuffer} from '../../extensions/amp-a4a/0.1/amp-a4a';
 import {xhrServiceForTesting} from '../../src/service/xhr-impl';
@@ -685,6 +686,14 @@ describe
         };
       });
 
+      afterEach(() => {
+        toggleExperiment(
+          interceptionEnabledWin,
+          'untrusted-xhr-interception',
+          false
+        );
+      });
+
       it('should not intercept if AMP doc is not single', () => {
         ampdocServiceForStub.returns({
           isSingleDoc: () => false,
@@ -763,6 +772,26 @@ describe
           .then(() => expect(sendMessageStub).to.have.been.called);
       });
 
+      it('should intercept if untrusted-xhr-interception experiment enabled', () => {
+        sandbox.stub(viewer, 'isTrustedViewer').returns(Promise.resolve(false));
+        sandbox.stub(mode, 'getMode').returns({localDev: false});
+        sandbox
+          .stub(viewer, 'hasCapability')
+          .withArgs('xhrInterceptor')
+          .returns(true);
+        toggleExperiment(
+          interceptionEnabledWin,
+          'untrusted-xhr-interception',
+          true
+        );
+
+        const xhr = xhrServiceForTesting(interceptionEnabledWin);
+
+        return xhr
+          .fetch('https://www.some-url.org/some-resource/')
+          .then(() => expect(sendMessageStub).to.have.been.called);
+      });
+
       it('should intercept if non-dev mode but viewer trusted', () => {
         sandbox.stub(viewer, 'isTrustedViewer').returns(Promise.resolve(true));
         interceptionEnabledWin.AMP_DEV_MODE = false;

diff --git a/tools/experiments/experiments.js b/tools/experiments/experiments.js
@@ -428,6 +428,14 @@ const EXPERIMENTS = [
     spec: 'https://github.com/ampproject/amphtml/issues/22718',
     cleanupIssue: 'https://github.com/ampproject/amphtml/issues/22749',
   },
+  {
+    id: 'untrusted-xhr-interception',
+    name:
+      'Enable "xhrInterceptor" capability for untrusted viewers. ' +
+      'For development use only',
+    spec: 'N/A',
+    cleanupIssue: 'N/A',
+  },
 ];
 
 if (getMode().localDev) {