-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Permissions Policy Wildcards] (6) Add WPTs
We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938164 Auto-Submit: Ari Chivukula <arichiv@chromium.org> Reviewed-by: Koji Ishii <kojii@chromium.org> Commit-Queue: Ari Chivukula <arichiv@chromium.org> Cr-Commit-Position: refs/heads/main@{#1056243}
- Loading branch information
1 parent
cb3c0a2
commit 65aefb2
Showing
4 changed files
with
125 additions
and
0 deletions.
There are no files selected for viewing
55 changes: 55 additions & 0 deletions
55
...ons-policy/permissions-policy-header-policy-allowed-for-malformed-wildcard.https.sub.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
<!DOCTYPE html> | ||
<body> | ||
<script src=/resources/testharness.js></script> | ||
<script src=/resources/testharnessreport.js></script> | ||
<script src=/permissions-policy/resources/permissions-policy.js></script> | ||
<!-- Permissions-Policy: fullscreen=$MALFORMED_WILDCARD_ORIGINS self; --> | ||
<script> | ||
'use strict'; | ||
var same_origin = 'https://{{domains[]}}:{{ports[https][0]}}'; | ||
var cross_origin = 'https://{{domains[www]}}:{{ports[https][0]}}'; | ||
var cross_origin1 = 'https://{{domains[www1]}}:{{ports[https][0]}}'; | ||
var same_origin_src = '/permissions-policy/resources/permissions-policy-allowedfeatures.html'; | ||
var cross_origin_src = cross_origin + same_origin_src; | ||
var cross_origin_src1 = cross_origin1 + same_origin_src; | ||
var header_policy = `Permissions-Policy: fullscreen=("$MALFORMED_WILDCARD_ORIGINS self")`; | ||
|
||
// Test that fullscreen's allowlist lists all the malformed wildcards and self. | ||
test(function() { | ||
assert_array_equals( | ||
document.featurePolicy.getAllowlistForFeature('fullscreen').sort(), | ||
["https://%2A.%2A.{{domains[]}}:{{ports[https][0]}}", "https://example.%2A.{{domains[]}}:{{ports[https][0]}}", "https://{{domains[]}}:{{ports[https][0]}}"].sort()); | ||
}, header_policy + ' -- test allowlist lists all the malformed wildcards and self.'); | ||
|
||
// Test that fullscreen is allowed on same-origin subframes with or without an allow attribute. | ||
test_allowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is allowed on same-origin subframe', | ||
'fullscreen', | ||
same_origin_src); | ||
test_allowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is allowed on same-origin subframe with allow attribute', | ||
'fullscreen', | ||
same_origin_src, | ||
"fullscreen " + same_origin); | ||
|
||
// Test that fullscreen is disallowed on cross-origin subframes without an allow attribute. | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on cross-origin subframe', | ||
'fullscreen', | ||
cross_origin_src); | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on cross-origin subframe allow attribute', | ||
'fullscreen', | ||
cross_origin_src, | ||
"fullscreen " + cross_origin); | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe', | ||
'fullscreen', | ||
cross_origin_src1); | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe allow attribute', | ||
'fullscreen', | ||
cross_origin_src1, | ||
"fullscreen " + cross_origin1); | ||
</script> | ||
</body> |
1 change: 1 addition & 0 deletions
1
...ermissions-policy-header-policy-allowed-for-malformed-wildcard.https.sub.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Permissions-Policy: fullscreen=("*://{{domains[]}}:{{ports[https][0]}}" "https://{{domains[]}}:*" "https://*.*.{{domains[]}}:{{ports[https][0]}}" "https://example.*.{{domains[]}}:{{ports[https][0]}}" self) |
68 changes: 68 additions & 0 deletions
68
permissions-policy/permissions-policy-header-policy-allowed-for-wildcard.https.sub.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
<!DOCTYPE html> | ||
<body> | ||
<script src=/resources/testharness.js></script> | ||
<script src=/resources/testharnessreport.js></script> | ||
<script src=/permissions-policy/resources/permissions-policy.js></script> | ||
<!-- Permissions-Policy: fullscreen=self wildcard_origin; --> | ||
<script> | ||
'use strict'; | ||
var same_origin = 'https://{{domains[]}}:{{ports[https][0]}}'; | ||
var wildcard_origin = 'https://*.{{domains[]}}:{{ports[https][0]}}'; | ||
var cross_origin = 'https://{{domains[www]}}:{{ports[https][0]}}'; | ||
var cross_origin1 = 'https://{{domains[www1]}}:{{ports[https][0]}}'; | ||
var same_origin_src = '/permissions-policy/resources/permissions-policy-allowedfeatures.html'; | ||
var cross_origin_src = cross_origin + same_origin_src; | ||
var cross_origin_src1 = cross_origin1 + same_origin_src; | ||
var header_policy = `Permissions-Policy: fullscreen=("${wildcard_origin}")`; | ||
|
||
// Test that fullscreen's allowlist is [self wildcard_origin]. | ||
test(function() { | ||
assert_array_equals( | ||
document.featurePolicy.getAllowlistForFeature('fullscreen').sort(), | ||
[wildcard_origin, same_origin].sort()); | ||
}, header_policy + ' -- test allowlist is [self wildcard_origin].'); | ||
|
||
// Test that fullscreen is allowed on same-origin subframes with or without an allow attribute. | ||
test_allowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is allowed on same-origin subframe', | ||
'fullscreen', | ||
same_origin_src); | ||
test_allowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is allowed on same-origin subframe even with allow attribute', | ||
'fullscreen', | ||
same_origin_src, | ||
"fullscreen " + same_origin); | ||
|
||
// Test that fullscreen is disallowed on cross-origin subframes without an allow attribute. | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on cross-origin subframe', | ||
'fullscreen', | ||
cross_origin_src); | ||
test_allowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is allowed on cross-origin subframe allow attribute', | ||
'fullscreen', | ||
cross_origin_src, | ||
"fullscreen " + cross_origin); | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe', | ||
'fullscreen', | ||
cross_origin_src1); | ||
test_allowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is allowed on another cross-origin subframe allow attribute', | ||
'fullscreen', | ||
cross_origin_src1, | ||
"fullscreen " + cross_origin1); | ||
|
||
// Test that wildcard allow attribute isn't supported. | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on cross-origin subframe with wildcard allow attribute', | ||
'fullscreen', | ||
cross_origin_src, | ||
"fullscreen " + wildcard_origin); | ||
test_disallowed_feature_for_subframe( | ||
header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe with wildcard allow attribute', | ||
'fullscreen', | ||
cross_origin_src1, | ||
"fullscreen " + wildcard_origin); | ||
</script> | ||
</body> |
1 change: 1 addition & 0 deletions
1
...s-policy/permissions-policy-header-policy-allowed-for-wildcard.https.sub.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Permissions-Policy: fullscreen=(self "https://*.{{domains[]}}:{{ports[https][0]}}") |