Add "origin" and "same-origin" referrer policies, replacing "origin-only".

[aravind-pg]

Adds the "origin" and "same-origin" referrer policy options, with the former replacing "origin-only".

---

• ./mach build -d does not report any errors
• ./mach test-tidy does not report any errors
• These changes fix #11384
• There are tests for these changes

---

This change is

[highfive]

Thanks for the pull request, and welcome! The Servo team is excited to review your changes, and you should hear from @mbrubeck (or someone else) soon.

[highfive]

Heads up! This PR modifies the following files:

• @KiChjang: components/script/dom/document.rs, components/net/http_loader.rs

[aravind-pg]

cc @jdm

[aravind-pg]

Updated with wpt test updates. Commits kept separate to keep things manageable to review -- it's basically only the first that's important.

For the record, this is what I did in the second commit: update spec.src.json to add "origin" and "same-origin" in place of "origin-only", generate the new test files, run tests (in release mode), and update expectations. The third commit is almost the same but for tests/wpt/mozilla/tests/mozilla/referrer-policy, and along with the the "origin" and "same-origin" updates it also removes all but iframe-tag tests (see #11384 for context).

r? @jdm -- since you've been following along on the issue.

[bors-servo]

☔ The latest upstream changes (presumably #12241) made this pull request unmergeable. Please resolve the merge conflicts.

[jdm]

I'm going to merge #12265 first, since that includes updates to the referrer-policy tests that are duplicated here. We should be able to remove the second commit in this PR, I believe.

[aravind-pg]

Sure, sounds good. But won't I still need to update test expectations for the new tests? It's only this PR that adds the new functionality, and in that PR all the new tests will probably be marked as failing, right?

[jdm]

That's correct.

[bors-servo]

☔ The latest upstream changes (presumably #12003) made this pull request unmergeable. Please resolve the merge conflicts.

[aravind-pg]

All right! Updated and rebased, should be good to go now.

[rebstar6]

Hey, just checking in - looking at your branch:
this file: https://github.com/aravind-pg/servo/blob/new-referrer-pols/tests/wpt/mozilla/tests/mozilla/referrer-policy/spec.src.json
should be the same as this file: https://github.com/aravind-pg/servo/blob/new-referrer-pols/tests/wpt/web-platform-tests/referrer-policy/spec.src.json
except that the 1st only has iframe-tag as a subresource. There are other changes (see unset-referrer-policy, delivery methods, etc) that I never copied over, and you don't seem to either. I'd suggest just copying the spec.src.json file from wpt/web-platform-tests into wpt/mozilla as the starting point, making the changes to be iframe-only, and regenerating from there.

[aravind-pg]

Ah yeah so I did consider doing that, but then told myself that they must be different for a reason, especially considering what @jdm said on the issue about why they existed at all:

The tests in the mozilla folder are modifications of the original tests from referrer-policy, because the originals rely on features that Servo doesn't support yet.

If I do as you say and make the two spec.src.json files essentially the same (except one only has iframe-tag), then the generated tests and expectations in the two folders won't be different at all -- one will just be a strict subset of the other. Is that really what we want? Maybe it is, but I'm kinda confused about it all.

[rebstar6]

Unless something's changed, that is what you want. Basically, the tests in wpt/web-platform-tests are pulled directly from https://github.com/w3c/web-platform-tests. Other browsers use them, so we dont want to make servo-specific changes within those (just updating expectations for what servo doesnt yet support).

The issue is that the way that the w3c referrer policy tests implement iframe tags uses some other functionality that servo doesnt support. Because of that, the iframe tests within web-platform-tests that should pass based on the referrer policy implementation will fail (timeout I think). To get around that, the mozilla tests are the same test files, but the actual mechanism iframe uses is different (ie some of the stuff in the generic folder around how these tests are run)

[aravind-pg]

I see, interesting, that makes things a bit clearer -- it's how the tests are run (i.e. the generic folder) that's different.

But then there's a small issue: in the mozilla folder, I can't really get away with not updating parts of the generic folder too. This is because the spec.src.json in that folder has some outdated things (such as "http-csp" instead of "http-rp") which, if updated (say to "http-rp"), generate.py wouldn't understand. So I need to s/http-csp/http-rp in generate.py as well. But that's just a specific example and a specific piecemeal change. I think there must be other such updates to things in the generic folder, so that they keep pace with the updates to spec.src.json (EDIT: to be concrete, I see e.g. changes to generic/common.js, generic/referrer-policy-test-case.js, changes to things in generic/template/, a new generic/subresource-test/ folder, etc. -- not sure which of these are changes that we want and which we don't). How do I go about updating things without affecting the things that are actually supposed to be different?

[rebstar6]

Good call - I think the only changes I made outside of spec.src.json are in this PR:
web-platform-tests/wpt#3118
There are actually minimal changes outside of that one file. Generally anything outside of implementing how iframe works is fine (so adding/changing delivery options or policies is pretty safe).

[jdm]

In an ideal world, I think we would have a script that would copy everything from the upstream tests then apply a set of patches on top of that.

[jdm]

The only files that should have been changed in the modified tests are document.html.template, common.js, and spec.src.json.

[jdm]

Oh, and the addition of stash.py.

[aravind-pg]

Alright then, I'll update only the files you mentioned as well as make the s/http-csp/http-rp change to generate.py (as in web-platform-tests/wpt#3118). I can't find any stash.py in referrer-policy/ though. This means I'm not updating the following:

• referrer-policy-test-case.js
• test.debug.html.template, test.release.html.template
• generic/subresource/subresource.py
• the entire new directory of generic/subresource-test/

Lemme know if this sounds good.

Also, I wonder if you could describe what that required set of patches would be? Would be good to know.

[jdm]

stash.py was an addition to the mozilla referrer-policy tests. It is not present in the originals. Via the following commands, the current required patches are (not including any changes to spec.src.json):

diff -U4 tests/wpt/web-platform-tests/referrer-policy/generic/template/document.html.template tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/template/document.html.template
diff -U4 tests/wpt/web-platform-tests/referrer-policy/generic/common.js tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/common.js
diff -NU4 tests/wpt/web-platform-tests/referrer-policy/generic/subresource/stash.py tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/subresource/stash.py

--- tests/wpt/web-platform-tests/referrer-policy/generic/template/document.html.template    2016-05-12 10:46:08.000000000 -0400
+++ tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/template/document.html.template 2016-05-27 11:47:23.000000000 -0400
@@ -4,13 +4,29 @@
     <title>This page reports back it's request details to the parent frame</title>
   </head>
   <body>
     <script>
+      function getQueryVariable(variable)
+      {
+             var query = window.location.search.substring(1);
+             var vars = query.split("&");
+             for (var i=0;i<vars.length;i++) {
+                     var pair = vars[i].split("=");
+                     if(pair[0] == variable){return pair[1];}
+             }
+             return(false);
+      }
+
+      var referrer = 'referrer' in document ? document.referrer : undefined;
+
       var result = {
         location: document.location.toString(),
-        referrer: document.referrer.length > 0 ? document.referrer : undefined,
+        referrer: referrer,
         headers: %(headers)s
       };
-      parent.postMessage(result, "*");
+      var xhr = new XMLHttpRequest();
+      xhr.open('POST', 'stash.py?id=' + getQueryVariable("id"), false);
+      xhr.send(JSON.stringify(result));
+
     </script>
   </body>
 </html>
--- tests/wpt/web-platform-tests/referrer-policy/generic/common.js  2016-05-24 10:09:46.000000000 -0400
+++ tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/common.js   2016-05-27 11:47:23.000000000 -0400
@@ -99,17 +99,30 @@
   }
 }

 function queryIframe(url, callback, referrer_policy) {
-  var iframe = appendIframeToBody(url, referrer_policy);
-  var listener = function(event) {
-    if (event.source != iframe.contentWindow)
-      return;
-
-    callback(event.data, url);
-    window.removeEventListener("message", listener);
+  var x = document.createElement('script');
+  x.src = '/common/utils.js';
+  x.onerror = function() { console.log('whoops') };
+  x.onload = function() { doQuery() };
+  document.getElementsByTagName("head")[0].appendChild(x);
+
+  function doQuery() {
+    var id = token();
+    var iframe = appendIframeToBody(url + "&id=" + id, referrer_policy);
+    iframe.addEventListener("load", function listener() {
+      var xhr = new XMLHttpRequest();
+      xhr.open('GET', '/_mozilla/mozilla/referrer-policy/generic/subresource/stash.py?id=' + id, false);
+      xhr.onreadystatechange = function(e) {
+        if (this.readyState == 4 && this.status == 200) {
+          var server_data = JSON.parse(this.responseText);
+          callback(server_data, url);
+        }
+      };
+      xhr.send();
+      iframe.removeEventListener("load", listener);
+    });
   }
-  window.addEventListener("message", listener);
 }

 function queryImage(url, callback, referrer_policy) {
   decodeImage(url, function(server_data) {
--- tests/wpt/web-platform-tests/referrer-policy/generic/subresource/stash.py   1969-12-31 19:00:00.000000000 -0500
+++ tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/subresource/stash.py    2016-05-27 11:47:23.000000000 -0400
@@ -0,0 +1,6 @@
+def main(request, response):
+    print request.GET['id']
+    if request.method == 'POST':
+        request.server.stash.put(request.GET["id"], request.body)
+        return ''
+    return request.server.stash.take(request.GET["id"])

[aravind-pg]

Alright whew, just push a bunch of new commits, this time separated more usefully. I note that in my comment above when I said "I'll only update the files you mentioned" really I should've said "I'll take care to preserve differences in the files you mentioned and update everything else".

In any case, I looked through all the diffs carefully to double-check and am pretty confident I've made the required updates while preserving all necessary differences. All that is in the second commit -- basically it updates just spec.src.json and generate.py (everything else was either unchanged or had changes that needed to be preserved). In the third commit I just update spec.src.json to remove all but iframe tests. And finally the fourth is the purely mechanical one of generating the new tests plus expectations. The last three should probably be squashed before merging.

@rebstar6 would be great if you could sanity-check the second and third commits too :)

[jdm]

I like leaving the commits separate like this. Thanks for doing this!
@bors-servo: r+

[bors-servo]

📌 Commit 79cc2f7 has been approved by jdm

[bors-servo]

⌛ Testing commit 79cc2f7 with merge 37dbb50...

[bors-servo]

☀️ Test successful - android, arm32, arm64, linux-dev, linux-rel, mac-dev-unit, mac-rel-css, mac-rel-wpt, windows

[aravind-pg]

Hooray 😄 Thanks for all the help, @jdm!