Shared Storage: Allow x-origin module script in addModule

The same-origin restriction for module script loaded by `sharedStorage.worklet.addModule()` is no longer needed, so we remove it. See WICG/shared-storage#158 and https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk. Only cross-origin scripts loaded with createWorklet() that use the script origin as their data origin will need the "Shared-Storage-Cross-Origin-Worklet-Allowed: ?1" response header, however. To differentiate between worklets that need to be checked for this header and ones that don't, we add a new "Sec-Shared-Storage-Data-Origin" request header with the data origin used to the requests where the data origin is cross-origin to the context origin. We then use this information to determine if the "Shared-Storage-Cross-Origin-Worklet-Allowed" response header is needed. Bug: 348660660 Change-Id: I55f7f5d6d282b679505be5f23901f26ff7d7d374
web-platform-tests · Jul 25, 2024 · fb38ef5 · fb38ef5
1 parent d5d125a
commit fb38ef5
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 5 deletions.
diff --git a/shared-storage/add-module-cross-origin-script.tentative.https.sub.html b/shared-storage/add-module-cross-origin-script.tentative.https.sub.html
@@ -0,0 +1,40 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  const sameOrigin = location.origin;
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const crossOriginScript = crossOrigin
+    + "/shared-storage/resources/simple-module2.js";
+  await sharedStorage.worklet.addModule(crossOriginScript);
+
+  const ancestor_key = token();
+  let url0 = generateURL("/shared-storage/resources/frame0.html",
+                         [ancestor_key]);
+  let select_url_result = await sharedStorage.selectURL(
+      "test-url-selection-operation", [{url: url0}],
+      {data: {'mockResult': 0, 'setKey': 'a', 'setValue': 'b'},
+       resolveToConfig: true});
+  assert_true(validateSelectURLResult(select_url_result, true));
+  attachFencedFrame(select_url_result, 'opaque-ads');
+  const result = await nextValueFromServer(ancestor_key);
+  assert_equals(result, "frame0_loaded");
+
+  // The invoking context's origin is used as the data origin.
+  await verifyKeyValueForOrigin('a', 'b', sameOrigin);
+  await verifyKeyNotFoundForOrigin('a', crossOrigin);
+
+  // Clean up.
+  return sharedStorage.delete('a');
+}, 'addModule with cross-origin url');
+
+</script>
+</body>
diff --git a/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html b/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html
@@ -0,0 +1,25 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  // Loading the worklet script uses CORS, which doesn't support the data
+  // scheme.
+  return promise_rejects_dom(t, "OperationError",
+                             sharedStorage.worklet.addModule(
+                               `data:application/javascript;alert("Hi!")`));
+}, 'addModule() with data URL module script');
+
+promise_test(async t => {
+  // Opaque data origins are not permitted.
+  return promise_rejects_dom(t, "InvalidAccessError",
+                             sharedStorage.createWorklet(
+                               `data:application/javascript;alert("Hi!")`));
+}, 'createWorklet() with data URL module script and default data origin');
+
+</script>
+</body>
diff --git a/shared-storage/add-module.tentative.https.sub.html b/shared-storage/add-module.tentative.https.sub.html
@@ -11,11 +11,6 @@
     sharedStorage.worklet.addModule("https://"));
 }, 'addModule with invalid url');
 
-promise_test(async t => {
-  return promise_rejects_dom(t, "DataError",
-    sharedStorage.worklet.addModule("https://foo.com"));
-}, 'addModule with cross-origin url');
-
 promise_test(() => {
   return sharedStorage.worklet.addModule(
       "/shared-storage/resources/simple-module.js");

diff --git a/shared-storage/resources/simple-module2.js b/shared-storage/resources/simple-module2.js
@@ -0,0 +1,20 @@
+// Copyright 2024 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+class TestURLSelectionOperation {
+  async run(urls, data) {
+    if (data && data.hasOwnProperty('setKey') &&
+        data.hasOwnProperty('setValue')) {
+      await sharedStorage.set(data['setKey'], data['setValue']);
+    }
+
+    if (data && data.hasOwnProperty('mockResult')) {
+      return data['mockResult'];
+    }
+
+    return -1;
+  }
+}
+
+register('test-url-selection-operation', TestURLSelectionOperation);
diff --git a/shared-storage/resources/simple-module2.js.headers b/shared-storage/resources/simple-module2.js.headers
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: *