Use resource-level referrer policy for attributionsrc requests

For <img> and <script> the attributionsrc request's referrer policy now matches the subresource's policy, rather than the document-level default. For <a> and window.open, the attribution src request's referrer policy now matches that of the navigation, rather than the per-request default. WICG/attribution-reporting-api#382 WICG/attribution-reporting-api#1254 Change-Id: I763c055aef45fc17d41a3ba29b4f6ebfe24646cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5463164 Reviewed-by: Dominic Farolino <dom@chromium.org> Reviewed-by: Nan Lin <linnan@chromium.org> Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Cr-Commit-Position: refs/heads/main@{#1294868}
web-platform-tests · May 1, 2024 · b20c1ff · b20c1ff
1 parent 3a9b437
commit b20c1ff
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 6 deletions.
diff --git a/attribution-reporting/referrer-policy.sub.https.html b/attribution-reporting/referrer-policy.sub.https.html
@@ -0,0 +1,56 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta name=timeout content=long>
+<meta name=variant content="?method=a">
+<meta name=variant content="?method=a&noreferrer">
+<meta name=variant content="?method=img">
+<meta name=variant content="?method=img&noreferrer">
+<meta name=variant content="?method=open">
+<meta name=variant content="?method=open&noreferrer">
+<meta name=variant content="?method=script">
+<meta name=variant content="?method=script&noreferrer">
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/helpers.js"></script>
+<body>
+<script>
+const waitForRequest = async () => {
+  const url = blankURL();
+  url.searchParams.set('get-requests', 'true');
+
+  for (let i = 0; i < 20; i++) {
+    const resp = await fetch(url);
+    const payload = await resp.json();
+    if (payload !== null && payload.length > 0) {
+      return payload;
+    }
+    await delay(100);
+  }
+  throw new Error('Timeout polling requests');
+};
+
+const searchParams = new URLSearchParams(location.search);
+
+promise_test(async t => {
+  const noreferrer = searchParams.has('noreferrer');
+
+  await registerAttributionSrc({
+    method: 'variant',
+    extraQueryParams: {'store-request': 'true'},
+    referrerPolicy: noreferrer ? 'no-referrer' : '',
+  });
+
+  const requests = await waitForRequest();
+  assert_equals(requests.length, 1);
+
+  if (noreferrer) {
+    assert_not_own_property(requests[0], 'referer');
+  } else {
+    assert_own_property(requests[0], 'referer');
+    assert_equals(requests[0].referer, location.toString());
+  }
+
+}, 'attributionsrc referrer policy is propagated.');
+</script>
diff --git a/attribution-reporting/request-format.sub.https.html b/attribution-reporting/request-format.sub.https.html
@@ -53,9 +53,7 @@
   } else {
     assert_not_own_property(requests[0], 'attribution-reporting-eligible');
   }
-  assert_equals(requests[0].referer, location.toString());
 
-  // TODO(apaseltiner): Test various referrer policies.
   // TODO(apaseltiner): Test cookie propagation.
 
   const expectedURL = blankURL();

diff --git a/attribution-reporting/resources/helpers.js b/attribution-reporting/resources/helpers.js
@@ -171,6 +171,7 @@ const registerAttributionSrc = async ({
   extraQueryParams = {},
   reportingOrigin,
   extraHeaders = [],
+  referrerPolicy = '',
 }) => {
   const searchParams = new URLSearchParams(location.search);
 
@@ -201,7 +202,6 @@ const registerAttributionSrc = async ({
     headers.push({name, value: cookie});
   }
 
-
   let credentials;
   if (method === 'fetch') {
     const params = getFetchParams(reportingOrigin, cookie);
@@ -219,6 +219,7 @@ const registerAttributionSrc = async ({
   switch (method) {
     case 'img':
       const img = document.createElement('img');
+      img.referrerPolicy = referrerPolicy;
       if (eligible === null) {
         img.attributionSrc = url;
       } else {
@@ -236,6 +237,7 @@ const registerAttributionSrc = async ({
       return 'event';
     case 'script':
       const script = document.createElement('script');
+      script.referrerPolicy = referrerPolicy;
       if (eligible === null) {
         script.attributionSrc = url;
       } else {
@@ -249,6 +251,7 @@ const registerAttributionSrc = async ({
       return 'event';
     case 'a':
       const a = document.createElement('a');
+      a.referrerPolicy = referrerPolicy;
       a.target = '_blank';
       a.textContent = 'link';
       if (eligible === null) {
@@ -263,12 +266,13 @@ const registerAttributionSrc = async ({
       return 'navigation';
     case 'open':
       await test_driver.bless('open window', () => {
+        const feature = referrerPolicy === 'no-referrer' ? 'noreferrer' : '';
         if (eligible === null) {
           open(
               blankURL(), '_blank',
-              `attributionsrc=${encodeURIComponent(url)}`);
+              `attributionsrc=${encodeURIComponent(url)} ${feature}`);
         } else {
-          open(url, '_blank', 'attributionsrc');
+          open(url, '_blank', `attributionsrc ${feature}`);
         }
       });
       return 'navigation';
@@ -277,7 +281,7 @@ const registerAttributionSrc = async ({
       if (eligible !== null) {
         attributionReporting = JSON.parse(eligible);
       }
-      await fetch(url, {credentials, attributionReporting});
+      await fetch(url, {credentials, attributionReporting, referrerPolicy});
       return 'event';
     }
     case 'xhr':