Bug 1909971 [wpt PR 47296] - Shared Storage: Align createWorklet's de…

…fault data origin w/addModule's, a=testonly Automatic update from web-platform-tests Shared Storage: Align createWorklet's default data origin w/addModule's We align the default data origin for createWorklet with that of addModule to be the invoking context's origin. We also hook up the dataOrigin option in createWorklet's options dictionary, so that the script origin can be manually specified to be used as the data origin instead. See WICG/shared-storage#158, WICG/shared-storage#161, and https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk. Bug: 353738488 Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5716903 Reviewed-by: Yao Xiao <yaoxia@chromium.org> Commit-Queue: Cammie Smith Barnes <cammie@chromium.org> Cr-Commit-Position: refs/heads/main@{#1333189} -- wpt-commits: 71b107815a391a469b081cbb9242e1723ede50fb wpt-pr: 47296
mozilla · Jul 30, 2024 · 69d2114 · 69d2114
1 parent 4d81343
commit 69d2114
Show file tree

Hide file tree

Showing 25 changed files with 408 additions and 123 deletions.
diff --git a/...m/tests/private-aggregation/private-aggregation-permissions-policy-default.https.sub.html b/...m/tests/private-aggregation/private-aggregation-permissions-policy-default.https.sub.html
@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data);
 }, 'In a page with default "private-aggregation" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>
diff --git a/...form/tests/private-aggregation/private-aggregation-permissions-policy-none.https.sub.html b/...form/tests/private-aggregation/private-aggregation-permissions-policy-none.https.sub.html
@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data, /*expected_error=*/true);
 }, 'In a page with "private-aggregation=()" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>
diff --git a/...form/tests/private-aggregation/private-aggregation-permissions-policy-self.https.sub.html b/...form/tests/private-aggregation/private-aggregation-permissions-policy-self.https.sub.html
@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data, /*expected_error=*/true);
 }, 'In a page with "private-aggregation=(self)" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/private-aggregation/resources/util.js b/testing/web-platform/tests/private-aggregation/resources/util.js
@@ -35,8 +35,10 @@ async function CreateWorkletAndVerifyContributeToHistogram(shared_storage_origin
   let url1 = generateURL("/shared-storage/resources/frame1.html",
                          [ancestor_key]);
 
-  let worklet = await sharedStorage.createWorklet(shared_storage_origin +
-          "/private-aggregation/resources/shared-storage-helper-module.js");
+  let worklet = await sharedStorage.createWorklet(
+      shared_storage_origin +
+          '/private-aggregation/resources/shared-storage-helper-module.js',
+      {dataOrigin: 'script-origin'});
 
   let select_url_result = await worklet.selectURL(
     "contribute-to-histogram", [{url: url0}, {url: url1}],

diff --git a/.../tests/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html b/.../tests/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html
@@ -15,11 +15,28 @@
 }, 'addModule() with data URL module script');
 
 promise_test(async t => {
-  // Opaque data origins are not permitted.
-  return promise_rejects_dom(t, "InvalidAccessError",
+  // Loading the worklet script uses CORS, which doesn't support the data
+  // scheme.
+  return promise_rejects_dom(t, "OperationError",
                              sharedStorage.createWorklet(
                                `data:application/javascript;alert("Hi!")`));
 }, 'createWorklet() with data URL module script and default data origin');
 
+promise_test(async t => {
+  // Loading the worklet script uses CORS, which doesn't support the data
+  // scheme.
+  return promise_rejects_dom(t, "OperationError",
+                             sharedStorage.createWorklet(
+                                 `data:application/javascript;alert("Hi!")`,
+                                 { dataOrigin: "context-origin" }));
+}, 'createWorklet() with data URL module script and dataOrigin "context-origin"');
+
+promise_test(async t => {
+  // Opaque data origins are not permitted.
+  return promise_rejects_dom(t, "InvalidAccessError",
+                             sharedStorage.createWorklet(
+                                 `data:application/javascript;alert("Hi!")`,
+                                 { dataOrigin: "script-origin" }));
+}, 'createWorklet() with data URL module script and dataOrigin "script-origin"');
 </script>
 </body>
diff --git a/...s/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html b/...s/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
@@ -9,32 +9,63 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
                          `?name=key0` +
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&access_control_allow_credentials_header=true` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "include" }
+        : { credentials: "include", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "include" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
 
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "key0=1");
-}, 'createWorklet() with cross-origin module script and credentials "include"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>
diff --git a/...ests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html b/...ests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
@@ -9,31 +9,63 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
                          `?name=key0` +
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "omit" }
+        : { credentials: "omit", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "omit" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
 
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
-}, 'createWorklet() with cross-origin module script and credentials "omit"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>
diff --git a/...ared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html b/...ared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
@@ -9,31 +9,63 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
                          `?name=key0` +
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "same-origin" }
+        : { credentials: "same-origin", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "same-origin" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
 
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
-}, 'createWorklet() with cross-origin module script and credentials "same-origin"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>
diff --git a/...orklet-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html b/...orklet-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
diff --git a/...-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html b/...-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
@@ -9,22 +9,53 @@
 <script>
 'use strict';
 
+const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+
 promise_test(async t => {
   const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
                      `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
                      `&token=${ancestor_key}`;
 
   return promise_rejects_dom(t, "OperationError",
     sharedStorage.createWorklet(
       helper_url + `&action=store-cookie`,
       { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and without the Access-Control-Allow-Credentials response ' +
-   'header');
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", default data origin (context origin), and without the ' +
+   'Access-Control-Allow-Credentials response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "context-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "context-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Credentials response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "script-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "script-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Credentials response header');
 
 </script>
 </body>