Always fetch origin policies from /.well-known/origin-policy

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway.

In particular, this removes:

* The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040.

* Redirect-handling logic for default policies. Redirects are now always an error.

* Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036.

* Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: WICG/origin-policy#51

* A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests.

* A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable.

* Reporting, for now. We need to first spec this and then add it back. See WICG/origin-policy#62.

Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec.

Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at #20773 and web-platform-tests/rfcs#44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036.

Bug: 1042034
Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d

.well-known/origin-policy

@@ -0,0 +1,18 @@
+import os
+import glob
+
+
+def main(request, response):
+    host_piece = request.url_parts.hostname.split(".")[0]
+
+    filepath_pattern = os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(
+        __file__)), "../origin-policy/policies/", "{} *.json".format(host_piece)))
+
+    matches = glob.glob(filepath_pattern)
+
+    if len(matches) != 1:
+        return 404, [], '{} origin policies found at a path matching "{}"'.format(len(matches), filepath_pattern)
+
+    with open(matches[0]) as f:
+        data = f.read()
+        return 200, [('Content-Type', 'application/originpolicy+json')], data

origin-policy/content-security/comma-in-policy.https.html

@@ -3,9 +3,14 @@
 <title>Commas in "content_security/policy" cause parse errors and thus no CSP</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op1",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>

origin-policy/content-security/double-content-security.https.html

@@ -3,11 +3,14 @@
 <title>Of two "content_security" items only the second counts</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true, img: false });
+runTestsInSubframe({
+  hostname: "op2",
+  testJS: "resources/allow-unsafe-eval-disallow-images.mjs"
+});
 </script>

origin-policy/content-security/double-policies.https.html

@@ -3,11 +3,14 @@
 <title>Of two "content_security/policies" items only the second counts</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true, img: false });
+runTestsInSubframe({
+  hostname: "op3",
+  testJS: "resources/allow-unsafe-eval-disallow-images.mjs"
+});
 </script>

origin-policy/content-security/non-array.https.html

@@ -3,9 +3,14 @@
 <title>Non-array "content_security/policies" member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op4",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>

origin-policy/content-security/non-object.https.html

@@ -3,9 +3,14 @@
 <title>Non-object "content_security" member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op5",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>

origin-policy/content-security/non-string.https.html

@@ -3,9 +3,14 @@
 <title>Non-string "content_security/policies" array member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op6",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>

origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs

@@ -0,0 +1,3 @@
+import { runCSPTest } from "./helper.mjs";
+
+runCSPTest({ unsafeEval: true, img: false });

origin-policy/content-security/resources/allow-unsafe-eval.mjs

@@ -0,0 +1,3 @@
+import { runCSPTest } from "./helper.mjs";
+
+runCSPTest({ unsafeEval: true });

origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs

@@ -0,0 +1,3 @@
+import { runCSPTest } from "./helper.mjs";
+
+runCSPTest({ unsafeEval: false, img: false });

origin-policy/content-security/helper.js → origin-policy/content-security/resources/helper.mjs

@@ -1,4 +1,4 @@
-window.waitForOneSecurityPolicyViolationEvent = expectedBlockedURI => {
+export function waitForOneSecurityPolicyViolationEvent(expectedBlockedURI) {
   return new Promise(resolve => {
     let eventCount = 0;
     let blockedURI = null;
@@ -17,9 +17,9 @@ window.waitForOneSecurityPolicyViolationEvent = expectedBlockedURI => {
       });
     });
   });
-};
+}
 
-window.waitForImgFail = imgSrc => {
+export function waitForImgFail(imgSrc) {
   return new Promise((resolve, reject) => {
     const img = document.createElement("img");
     img.onload = () => reject(new Error("Must not load the image"));
@@ -28,10 +28,9 @@ window.waitForImgFail = imgSrc => {
     img.src = imgSrc;
     document.body.append(img);
   });
-};
+}
 
-
-window.waitForImgSuccess = imgSrc => {
+export function waitForImgSuccess(imgSrc) {
   return new Promise((resolve, reject) => {
     const img = document.createElement("img");
     img.onload = () => resolve();
@@ -40,10 +39,10 @@ window.waitForImgSuccess = imgSrc => {
     img.src = imgSrc;
     document.body.append(img);
   });
-};
+}
 
 // Both params are optional; if they are not given as booleans then we will not test that aspect.
-window.runCSPTest = ({ unsafeEval, img }) => {
+export function runCSPTest({ unsafeEval, img }) {
   if (unsafeEval === true) {
     test(() => {
       eval("window.evalAllowed = true;");
@@ -70,4 +69,4 @@ window.runCSPTest = ({ unsafeEval, img }) => {
       "img loading must be disallowed"
     );
   }
-};
+}

origin-policy/content-security/resources/trigger-violation-report-report-only.mjs

@@ -0,0 +1,12 @@
+import { waitForOneSecurityPolicyViolationEvent, waitForImgSuccess } from "./helper.mjs";
+
+promise_test(() => {
+  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
+
+  return Promise.all([
+    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
+      assert_equals(blockedURI, imgURL);
+    }),
+    waitForImgSuccess(imgURL)
+  ]);
+});

origin-policy/content-security/resources/trigger-violation-report.mjs

@@ -0,0 +1,12 @@
+import { waitForOneSecurityPolicyViolationEvent, waitForImgFail } from "./helper.mjs";
+
+promise_test(() => {
+  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
+
+  return Promise.all([
+    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
+      assert_equals(blockedURI, imgURL);
+    }),
+    waitForImgFail(imgURL)
+  ]);
+});

origin-policy/content-security/trigger-violation-report-report-only.https.html

@@ -3,21 +3,14 @@
 <title>CSP via origin policy must trigger a securitypolicyviolation event even when the CSP is report-only</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-
-promise_test(() => {
-  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
-
-  return Promise.all([
-    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
-      assert_equals(blockedURI, imgURL);
-    }),
-    waitForImgSuccess(imgURL)
-  ]);
+runTestsInSubframe({
+  hostname: "op7",
+  testJS: "resources/trigger-violation-report-report-only.mjs"
 });
 </script>

origin-policy/content-security/trigger-violation-report.https.html

@@ -3,21 +3,14 @@
 <title>CSP via origin policy must trigger a securitypolicyviolation event</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-
-promise_test(() => {
-  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
-
-  return Promise.all([
-    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
-      assert_equals(blockedURI, imgURL);
-    }),
-    waitForImgFail(imgURL)
-  ]);
+runTestsInSubframe({
+  hostname: "op8",
+  testJS: "resources/trigger-violation-report.mjs"
 });
 </script>