[Permissions Policy Wildcards] (6) Add WPTs

We can see the entire thing work end to end now! This includes a fix for the JS permissions inspection API now that it's tested e2e. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e
web-platform-tests · Oct 6, 2022 · 7a839d8 · 7a839d8
1 parent 802e6c3
commit 7a839d8
Show file tree

Hide file tree

Showing 4 changed files with 125 additions and 0 deletions.
diff --git a/...ons-policy/permissions-policy-header-policy-allowed-for-malformed-wildcard.https.sub.html b/...ons-policy/permissions-policy-header-policy-allowed-for-malformed-wildcard.https.sub.html
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <script src=/permissions-policy/resources/permissions-policy.js></script>
+  <!-- Permissions-Policy: fullscreen=$MALFORMED_WILDCARD_ORIGINS self; -->
+  <script>
+  'use strict';
+  var same_origin = 'https://{{domains[]}}:{{ports[https][0]}}';
+  var cross_origin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  var cross_origin1 = 'https://{{domains[www1]}}:{{ports[https][0]}}';
+  var same_origin_src = '/permissions-policy/resources/permissions-policy-allowedfeatures.html';
+  var cross_origin_src = cross_origin + same_origin_src;
+  var cross_origin_src1 = cross_origin1 + same_origin_src;
+  var header_policy = `Permissions-Policy: fullscreen=("$MALFORMED_WILDCARD_ORIGINS self")`;
+
+  // Test that fullscreen's allowlist lists all the malformed wildcards and self.
+  test(function() {
+    assert_array_equals(
+      document.featurePolicy.getAllowlistForFeature('fullscreen').sort(),
+      ["https://%2A.%2A.{{domains[]}}:{{ports[https][0]}}", "https://example.%2A.{{domains[]}}:{{ports[https][0]}}", "https://{{domains[]}}:{{ports[https][0]}}"].sort());
+  }, header_policy + ' -- test allowlist lists all the malformed wildcards and self.');
+
+  // Test that fullscreen is allowed on same-origin subframes with or without an allow attribute.
+  test_allowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is allowed on same-origin subframe',
+    'fullscreen',
+    same_origin_src);
+  test_allowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is allowed on same-origin subframe with allow attribute',
+    'fullscreen',
+    same_origin_src,
+    "fullscreen " + same_origin);
+
+  // Test that fullscreen is disallowed on cross-origin subframes without an allow attribute.
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on cross-origin subframe',
+    'fullscreen',
+    cross_origin_src);
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on cross-origin subframe allow attribute',
+    'fullscreen',
+    cross_origin_src,
+    "fullscreen " + cross_origin);
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe',
+    'fullscreen',
+    cross_origin_src1);
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe allow attribute',
+    'fullscreen',
+    cross_origin_src1,
+    "fullscreen " + cross_origin1);
+  </script>
+</body>
diff --git a/...ermissions-policy-header-policy-allowed-for-malformed-wildcard.https.sub.html.sub.headers b/...ermissions-policy-header-policy-allowed-for-malformed-wildcard.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Permissions-Policy: fullscreen=("*://{{domains[]}}:{{ports[https][0]}}" "https://{{domains[]}}:*" "https://*.*.{{domains[]}}:{{ports[https][0]}}" "https://example.*.{{domains[]}}:{{ports[https][0]}}" self)
diff --git a/permissions-policy/permissions-policy-header-policy-allowed-for-wildcard.https.sub.html b/permissions-policy/permissions-policy-header-policy-allowed-for-wildcard.https.sub.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <script src=/permissions-policy/resources/permissions-policy.js></script>
+  <!-- Permissions-Policy: fullscreen=self wildcard_origin; -->
+  <script>
+  'use strict';
+  var same_origin = 'https://{{domains[]}}:{{ports[https][0]}}';
+  var wildcard_origin = 'https://*.{{domains[]}}:{{ports[https][0]}}';
+  var cross_origin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  var cross_origin1 = 'https://{{domains[www1]}}:{{ports[https][0]}}';
+  var same_origin_src = '/permissions-policy/resources/permissions-policy-allowedfeatures.html';
+  var cross_origin_src = cross_origin + same_origin_src;
+  var cross_origin_src1 = cross_origin1 + same_origin_src;
+  var header_policy = `Permissions-Policy: fullscreen=("${wildcard_origin}")`;
+
+  // Test that fullscreen's allowlist is [self wildcard_origin].
+  test(function() {
+    assert_array_equals(
+      document.featurePolicy.getAllowlistForFeature('fullscreen').sort(),
+      [wildcard_origin, same_origin].sort());
+  }, header_policy + ' -- test allowlist is [self wildcard_origin].');
+
+  // Test that fullscreen is allowed on same-origin subframes with or without an allow attribute.
+  test_allowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is allowed on same-origin subframe',
+    'fullscreen',
+    same_origin_src);
+  test_allowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is allowed on same-origin subframe even with allow attribute',
+    'fullscreen',
+    same_origin_src,
+    "fullscreen " + same_origin);
+
+  // Test that fullscreen is disallowed on cross-origin subframes without an allow attribute.
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on cross-origin subframe',
+    'fullscreen',
+    cross_origin_src);
+  test_allowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is allowed on cross-origin subframe allow attribute',
+    'fullscreen',
+    cross_origin_src,
+    "fullscreen " + cross_origin);
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe',
+    'fullscreen',
+    cross_origin_src1);
+  test_allowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is allowed on another cross-origin subframe allow attribute',
+    'fullscreen',
+    cross_origin_src1,
+    "fullscreen " + cross_origin1);
+
+  // Test that wildcard allow attribute isn't supported.
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on cross-origin subframe with wildcard allow attribute',
+    'fullscreen',
+    cross_origin_src,
+    "fullscreen " + wildcard_origin);
+  test_disallowed_feature_for_subframe(
+    header_policy + ' -- test fullscreen is disallowed on another cross-origin subframe with wildcard allow attribute',
+    'fullscreen',
+    cross_origin_src1,
+    "fullscreen " + wildcard_origin);
+  </script>
+</body>
diff --git a/...s-policy/permissions-policy-header-policy-allowed-for-wildcard.https.sub.html.sub.headers b/...s-policy/permissions-policy-header-policy-allowed-for-wildcard.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Permissions-Policy: fullscreen=(self "https://*.{{domains[]}}:{{ports[https][0]}}")