Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[COOP] access reporting: Add same-origin/cross-origin variant.
Soon, the reports will contains URLS about the other document: - openeeURL - openerURL - otherDocumentURL - referrer - initialPopupURL Depending on whether they are same-origin or cross-origin with the reporter document, they might be reported or not. This patch add a same-origin/cross-origin variant for every type of accesses. Bug: 1090273 Change-Id: Ieeb396f6220877a2a61541cb33a964261e5f4070 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407314 Reviewed-by: Pâris Meuleman <pmeuleman@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#807470}
- Loading branch information
1 parent
96f4c50
commit 9d0ec02
Showing
10 changed files
with
419 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
73 changes: 73 additions & 0 deletions
73
...eporting/access-reporting/access-from-coop-page-to-openee_coop-ro_cross-origin.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| <title> | ||
| COOP reports are to the opener when the opener used COOP-RO+COEP and then it | ||
| tries to access a cross-origin openee. | ||
| </title> | ||
| <meta name=timeout content=long> | ||
| <script src=/resources/testharness.js></script> | ||
| <script src=/resources/testharnessreport.js></script> | ||
| <script src=/common/get-host-info.sub.js></script> | ||
| <script src="/common/utils.js"></script> | ||
| <script src="../resources/dispatcher.js"></script> | ||
| <script src="../resources/try-access.js"></script> | ||
| <script> | ||
|
|
||
| const directory = "/html/cross-origin-opener-policy/reporting"; | ||
| const executor_path = directory + "/resources/executor.html?pipe="; | ||
| const same_origin = get_host_info().HTTPS_ORIGIN; | ||
| const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; | ||
| const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)'; | ||
|
|
||
| promise_test(async t => { | ||
| // The test window. | ||
| const this_window_token = token(); | ||
|
|
||
| // The "opener" window. This has COOP and a reporter. | ||
| const opener_report_token= token(); | ||
| const opener_token = token(); | ||
| const opener_reportTo = reportToHeaders(opener_report_token); | ||
| const opener_url = same_origin + executor_path + opener_reportTo.header + | ||
| opener_reportTo.coopReportOnlySameOriginHeader + coep_header + | ||
| `&uuid=${opener_token}`; | ||
|
|
||
| // The "openee" window. This is cross origin with the "opener". | ||
| const openee_report_token= token(); | ||
| const openee_token = token(); | ||
| const openee_url = cross_origin + executor_path + `&uuid=${openee_token}`; | ||
|
|
||
| // 1. Create the opener window. | ||
| let opener_window_proxy = window.open(opener_url); | ||
| t.add_cleanup(() => send(opener_token, "window.close()")); | ||
|
|
||
| // 2. The opener opens it openee. | ||
| send(opener_token, ` | ||
| openee = window.open("${openee_url}"); | ||
| send("${this_window_token}", "ACK 1"); | ||
| `); | ||
| assert_equals("ACK 1", await receive(this_window_token)); | ||
| t.add_cleanup(() => send(openee_token, "window.close()")); | ||
|
|
||
| // 3. Ensure the openee's document to be loaded. | ||
| send(openee_token, ` | ||
| send("${this_window_token}", "ACK 2"); | ||
| `); | ||
| assert_equals("ACK 2", await receive(this_window_token)); | ||
|
|
||
| // 4. The opener tries to access its openee. | ||
| send(opener_token, ` | ||
| tryAccess(openee); | ||
| `); | ||
|
|
||
| // 5. Check a report sent to the opener. | ||
| let report = | ||
| await receiveReport(opener_report_token, "access-from-coop-page-to-openee") | ||
| assert_not_equals(report, "timeout", "Report not received"); | ||
| assert_equals(report.type, "coop"); | ||
| assert_equals(report.url, opener_url.replace(/"/g, '%22')); | ||
| assert_equals(report.body.disposition, "reporting"); | ||
| assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); | ||
| assert_equals(report.body.property, "blur"); | ||
| assert_source_location_found(report); | ||
| // TODO(arthursonzogni): Check the window-blocked-url. | ||
| }, "Opener (COOP-RO+COEP) accesses openee. Report to opener"); | ||
|
|
||
| </script> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
47 changes: 47 additions & 0 deletions
47
...eporting/access-reporting/access-from-coop-page-to-opener_coop-ro_cross-origin.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| <title> | ||
| COOP reports are sent when the openee used COOP-RO+COEP and then tries to | ||
| access its cross-origin opener. | ||
| </title> | ||
| <meta name=timeout content=long> | ||
| <script src=/resources/testharness.js></script> | ||
| <script src=/resources/testharnessreport.js></script> | ||
| <script src=/common/get-host-info.sub.js></script> | ||
| <script src="/common/utils.js"></script> | ||
| <script src="../resources/dispatcher.js"></script> | ||
| <script src="../resources/try-access.js"></script> | ||
| <script> | ||
|
|
||
| const directory = "/html/cross-origin-opener-policy/reporting"; | ||
| const executor_path = directory + "/resources/executor.html?pipe="; | ||
| const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; | ||
| const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)'; | ||
|
|
||
| promise_test(async t => { | ||
| const report_token = token(); | ||
| const openee_token = token(); | ||
|
|
||
| const reportTo = reportToHeaders(report_token); | ||
| const openee_url = cross_origin + executor_path + | ||
| reportTo.header + reportTo.coopReportOnlySameOriginHeader + coep_header + | ||
| `&uuid=${openee_token}`; | ||
| const openee = window.open(openee_url); | ||
| t.add_cleanup(() => send(openee_token, "window.close()")) | ||
|
|
||
| // 1. Try to access the opener. A report is sent, because of COOP-RO+COEP. | ||
| send(openee_token, ` | ||
| tryAccess(opener); | ||
| `); | ||
|
|
||
| // 2. Check a report is sent to the openee. | ||
| let report = | ||
| await receiveReport(report_token, "access-from-coop-page-to-opener") | ||
| assert_not_equals(report, "timeout", "Report not received"); | ||
| assert_equals(report.type, "coop"); | ||
| assert_equals(report.url, openee_url.replace(/"/g, '%22')); | ||
| assert_equals(report.body.disposition, "reporting"); | ||
| assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); | ||
| assert_equals(report.body.property, "blur"); | ||
| assert_source_location_found(report); | ||
| }, "Openee (COOP-RO+COEP) accesses opener. Report to openee"); | ||
|
|
||
| </script> |
88 changes: 88 additions & 0 deletions
88
...reporting/access-reporting/access-from-coop-page-to-other_coop-ro_cross-origin.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| <title> | ||
| One window accesses a second one. They are aren't related by an opener/openee | ||
| relationship. The first window has set | ||
| Cross-Origin-Opener-Policy-Report-Only:same-origin, so it receives a | ||
| "access-from-coop-page-to-other" report. | ||
| </title> | ||
| <meta name=timeout content=long> | ||
| <script src=/resources/testharness.js></script> | ||
| <script src=/resources/testharnessreport.js></script> | ||
| <script src=/common/get-host-info.sub.js></script> | ||
| <script src="/common/utils.js"></script> | ||
| <script src="../resources/dispatcher.js"></script> | ||
| <script src="../resources/try-access.js"></script> | ||
| <script> | ||
|
|
||
| const directory = "/html/cross-origin-opener-policy/reporting"; | ||
| const executor_path = directory + "/resources/executor.html?pipe="; | ||
| const same_origin= get_host_info().HTTPS_ORIGIN; | ||
| const cross_origin= get_host_info().HTTPS_REMOTE_ORIGIN; | ||
| const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)'; | ||
|
|
||
| let escapeComma = url => url.replace(/,/g, '\\,'); | ||
|
|
||
| promise_test(async t => { | ||
| const report_token= token(); | ||
| const report_to = reportToHeaders(report_token); | ||
|
|
||
| // The test window. | ||
| const this_window_token = token(); | ||
|
|
||
| // The "opener" window. With COOP:same-origin + reporter. | ||
| const opener_token = token(); | ||
| const opener_url = same_origin + executor_path + report_to.header + | ||
| report_to.coopReportOnlySameOriginHeader + coep_header + | ||
| `&uuid=${opener_token}`; | ||
|
|
||
| // The "openee" window. With COOP:same-origin + reporter. | ||
| const openee_token = token(); | ||
| const openee_url = same_origin + executor_path + report_to.header + | ||
| report_to.coopReportOnlySameOriginHeader + coep_header + | ||
| `&uuid=${openee_token}`; | ||
|
|
||
| // The "other" window. | ||
| const other_token = token(); | ||
| const other_url = cross_origin + executor_path + report_to.header + | ||
| `&uuid=${other_token}`; | ||
|
|
||
| t.add_cleanup(() => { | ||
| send(opener_token, "window.close()") | ||
| send(openee_token, "window.close()") | ||
| send(other_token, "window.close()") | ||
| }) | ||
|
|
||
| // 1. Create the "opener" window. | ||
| let opener_window_proxy = window.open(opener_url); | ||
|
|
||
| // 2. Create the "openee" window. | ||
| send(opener_token, ` | ||
| window.openee = window.open('${escapeComma(openee_url)}'); | ||
| `); | ||
|
|
||
| // 3. Create the "other" window. | ||
| send(openee_token, ` | ||
| window.other = window.open('${escapeComma(other_url)}'); | ||
| `); | ||
|
|
||
| // 4. Wait for "other" to load its document. | ||
| send(other_token, `send('${this_window_token}', "Loaded");`); | ||
| assert_equals(await receive(this_window_token), "Loaded"); | ||
|
|
||
| // 5. "opener" accesses "other" window, through "openee". | ||
| send(opener_token, ` | ||
| tryAccess(openee.other); | ||
| `); | ||
|
|
||
| // 6. Check a report is sent to the openee. | ||
| let report = | ||
| await receiveReport(report_token, "access-from-coop-page-to-other") | ||
| assert_not_equals(report, "timeout", "Report not received"); | ||
| assert_equals(report.type, "coop"); | ||
| assert_equals(report.url, opener_url.replace(/"/g, '%22')); | ||
| assert_equals(report.body.disposition, "reporting"); | ||
| assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); | ||
| assert_equals(report.body.property, "blur"); | ||
| assert_source_location_found(report); | ||
| }, "access-from-coop-page-to-other (COOP-RO)"); | ||
|
|
||
| </script> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
67 changes: 67 additions & 0 deletions
67
...eporting/access-reporting/access-to-coop-page-from-openee_coop-ro_cross-origin.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| <title> | ||
| COOP reports are to the opener when the opener used COOP-RO+COEP and then its | ||
| cross-origin openee tries to access it. | ||
| </title> | ||
| <meta name=timeout content=long> | ||
| <script src=/resources/testharness.js></script> | ||
| <script src=/resources/testharnessreport.js></script> | ||
| <script src=/common/get-host-info.sub.js></script> | ||
| <script src="/common/utils.js"></script> | ||
| <script src="../resources/dispatcher.js"></script> | ||
| <script src="../resources/try-access.js"></script> | ||
| <script> | ||
|
|
||
| const directory = "/html/cross-origin-opener-policy/reporting"; | ||
| const executor_path = directory + "/resources/executor.html?pipe="; | ||
| const same_origin = get_host_info().HTTPS_REMOTE_ORIGIN; | ||
| const cross_origin= get_host_info().HTTPS_ORIGIN; | ||
| const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)'; | ||
|
|
||
| promise_test(async t => { | ||
| // The test window. | ||
| const this_window_token = token(); | ||
|
|
||
| // The "opener" window. This has COOP and a reporter. | ||
| const opener_report_token= token(); | ||
| const opener_token = token(); | ||
| const opener_reportTo = reportToHeaders(opener_report_token); | ||
| const opener_url = same_origin + executor_path + opener_reportTo.header + | ||
| opener_reportTo.coopReportOnlySameOriginHeader + coep_header + | ||
| `&uuid=${opener_token}`; | ||
|
|
||
| // The "openee" window. This is cross origin with the "opener". | ||
| const openee_report_token= token(); | ||
| const openee_token = token(); | ||
| const openee_url = cross_origin + executor_path + `&uuid=${openee_token}`; | ||
|
|
||
| // 1. Create the opener window. | ||
| let opener_window_proxy = window.open(opener_url); | ||
| t.add_cleanup(() => send(opener_token, "window.close()")); | ||
|
|
||
| // 2. The opener opens its openee. | ||
| send(opener_token, ` | ||
| openee = window.open("${openee_url}"); | ||
| send("${this_window_token}", "ACK 1"); | ||
| `); | ||
| assert_equals("ACK 1", await receive(this_window_token)); | ||
| t.add_cleanup(() => send(openee_token, "window.close()")); | ||
|
|
||
| // 3. The openee tries to access its opener. | ||
| send(openee_token, ` | ||
| tryAccess(opener); | ||
| `); | ||
|
|
||
| // 4. Check a report sent to the opener. | ||
| let report = | ||
| await receiveReport(opener_report_token, "access-to-coop-page-from-openee") | ||
| assert_not_equals(report, "timeout", "Report not received"); | ||
| assert_equals(report.type, "coop"); | ||
| assert_equals(report.url, opener_url.replace(/"/g, '%22')); | ||
| assert_equals(report.body.disposition, "reporting"); | ||
| assert_equals(report.body.effectivePolicy, "same-origin-plus-coep"); | ||
| assert_equals(report.body.property, "blur"); | ||
| assert_source_location_missing(report); | ||
| // TODO(arthursonzogni): Check the window-blocked-url. | ||
| }, "Openee accesses opener (COOP-RO-COEP). Report to opener"); | ||
|
|
||
| </script> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.