From 61df7ef8b9093d46cd6cb76022583b49e6da6e35 Mon Sep 17 00:00:00 2001
From: Camillia Smith Barnes <cammie@chromium.org>
Date: Mon, 20 May 2024 16:29:13 -0700
Subject: [PATCH] Shared Storage: Allow writes from headers in all sandboxed
 frames

Previously, writing to shared storage via response headers by way of
a fetch or image request would work inside a sandboxed iframe only if
the iframe had sandbox flag "allow-same-origin". We remove this
unnecessary restriction by correcting the origin used for the
opaqueness check for sharedStorageWritable image and fetch requests:
instead of checking the environment's origin for opaqueness, we now
check the request's origin for opaqueness in order to determine
eligibility for the 'Sec-Shared-Storage-Writable' request header.

See https://github.com/WICG/shared-storage/pull/155 for the related
specification fix.

Bug: 339172115
Change-Id: Ia3d048c8441bb99ea48d3943c55fe83c943bcadf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5527770
Reviewed-by: Nate Chapin <japhet@chromium.org>
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Commit-Queue: Cammie Smith Barnes <cammie@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1303509}
---
 ...uest-for-data-url.tentative.https.sub.html | 18 +++++
 ...quest-in-data-url.tentative.https.sub.html | 69 +++++++++++++++++++
 ...st-in-sandboxed-frame.tentative.https.html |  2 +-
 ...quest-in-data-url.tentative.https.sub.html | 64 +++++++++++++++++
 ...quest-in-data-url.tentative.https.sub.html | 62 +++++++++++++++++
 ...st-in-sandboxed-frame.tentative.https.html |  2 +-
 ...ble-opaque-origin.tentative.https.sub.html | 41 -----------
 7 files changed, 215 insertions(+), 43 deletions(-)
 create mode 100644 shared-storage/shared-storage-writable-fetch-request-for-data-url.tentative.https.sub.html
 create mode 100644 shared-storage/shared-storage-writable-fetch-request-in-data-url.tentative.https.sub.html
 create mode 100644 shared-storage/shared-storage-writable-iframe-request-in-data-url.tentative.https.sub.html
 create mode 100644 shared-storage/shared-storage-writable-img-request-in-data-url.tentative.https.sub.html
 delete mode 100644 shared-storage/shared-storage-writable-opaque-origin.tentative.https.sub.html

diff --git a/shared-storage/shared-storage-writable-fetch-request-for-data-url.tentative.https.sub.html b/shared-storage/shared-storage-writable-fetch-request-for-data-url.tentative.https.sub.html
new file mode 100644
index 00000000000000..51283579d9210a
--- /dev/null
+++ b/shared-storage/shared-storage-writable-fetch-request-for-data-url.tentative.https.sub.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <script>
+    'use strict';
+
+    promise_test(async t => {
+       const innerCode =
+         `window.parent.postMessage({fetchStatus: "success"}, '*');`;
+       const dataURL = 'data:text/javascript;base64,'
+         + btoa(unescape(encodeURIComponent(innerCode)));
+        await promise_rejects_js(t, TypeError,
+                                 fetch(dataURL, {sharedStorageWritable: true}));
+
+    }, 'shared storage fetch request disallowed for data URL');
+  </script>
+</body>
diff --git a/shared-storage/shared-storage-writable-fetch-request-in-data-url.tentative.https.sub.html b/shared-storage/shared-storage-writable-fetch-request-in-data-url.tentative.https.sub.html
new file mode 100644
index 00000000000000..1ebfdbc96f8db1
--- /dev/null
+++ b/shared-storage/shared-storage-writable-fetch-request-in-data-url.tentative.https.sub.html
@@ -0,0 +1,69 @@
+<!doctype html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <script src=/common/utils.js></script>
+  <script src=/fenced-frame/resources/utils.js></script>
+  <script src=/shared-storage/resources/util.js></script>
+  <script>
+    'use strict';
+    const origin = window.location.origin;
+    const rawSetHeader = 'set;key=hello;value=world';
+    const setHeader = encodeURIComponent(rawSetHeader);
+
+    promise_test(async t => {
+      let frame = document.createElement('iframe');
+      const promise = new Promise((resolve, reject) => {
+        window.addEventListener('message', async function handler(evt) {
+          if (evt.source === frame.contentWindow &&
+              evt.data.sharedStorageFetchStatus) {
+            document.body.removeChild(frame);
+            window.removeEventListener('message', handler);
+            resolve(evt.data.sharedStorageFetchStatus);
+          }
+        });
+        window.addEventListener('error', (error) => {
+          reject(error);
+        });
+      });
+
+      const fetchUrl =
+        `${origin}\\/shared-storage\\/resources\\/shared-storage-write.py`
+        + `?write=${setHeader}`;
+      const fetchCode = `
+let parentOrOpener = window.opener || window.parent;
+let innerFrame = document.createElement('iframe');
+window.addEventListener('message', async (evt) => {
+  if (evt.source === innerFrame.contentWindow) {
+    parentOrOpener.postMessage({sharedStorageFetchStatus: "success"}, '*');
+  }
+});
+window.addEventListener('error', (error) => {
+  parentOrOpener.postMessage({sharedStorageFetchStatus: error.message}, '*');
+});
+fetch('${fetchUrl}', {sharedStorageWritable: true})
+  .then(response => response.text())
+  .then(htmlContent => {
+    innerFrame.srcdoc = htmlContent;
+    document.body.appendChild(innerFrame);
+  })
+  .catch(error => {
+    parentOrOpener.postMessage({sharedStorageFetchStatus: error.name},
+                                "*");
+  });
+`;
+
+      const dataURL = 'data:text/html;base64,'
+        + btoa(unescape('%3Chtml%3E%3Cbody%3E%3Cscript%3E'
+                        + encodeURIComponent(fetchCode) +
+                        '%3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E'));
+      frame.src = dataURL;
+      document.body.appendChild(frame);
+
+      const result = await promise;
+      assert_equals(result, "TypeError");
+      await verifyKeyNotFoundForOrigin('hello', origin);
+
+    }, 'shared storage fetch request disallowed in opaque origin from data URL');
+  </script>
+</body>
diff --git a/shared-storage/shared-storage-writable-fetch-request-in-sandboxed-frame.tentative.https.html b/shared-storage/shared-storage-writable-fetch-request-in-sandboxed-frame.tentative.https.html
index de935b22fe080e..cb0f8fb7c81ef8 100644
--- a/shared-storage/shared-storage-writable-fetch-request-in-sandboxed-frame.tentative.https.html
+++ b/shared-storage/shared-storage-writable-fetch-request-in-sandboxed-frame.tentative.https.html
@@ -79,7 +79,7 @@
         /*key=*/'c',
         /*value=*/'d',
         /*sandbox_flags=*/'allow-scripts',
-        /*expect_success=*/false);
+        /*expect_success=*/true);
     }, 'test sharedStorageWritable fetch request in sandboxed iframe without '
          + '"allow-same-origin"');
   </script>
diff --git a/shared-storage/shared-storage-writable-iframe-request-in-data-url.tentative.https.sub.html b/shared-storage/shared-storage-writable-iframe-request-in-data-url.tentative.https.sub.html
new file mode 100644
index 00000000000000..1833e842b00a94
--- /dev/null
+++ b/shared-storage/shared-storage-writable-iframe-request-in-data-url.tentative.https.sub.html
@@ -0,0 +1,64 @@
+<!doctype html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <script src=/common/utils.js></script>
+  <script src=/fenced-frame/resources/utils.js></script>
+  <script src=/shared-storage/resources/util.js></script>
+  <script>
+    'use strict';
+    const origin = window.location.origin;
+    const rawSetHeader = 'set;key=hello;value=world';
+    const setHeader = encodeURIComponent(rawSetHeader);
+
+    promise_test(async t => {
+      let frame = document.createElement('iframe');
+      const promise = new Promise((resolve, reject) => {
+        window.addEventListener('message', async function handler(evt) {
+          if (evt.source === frame.contentWindow &&
+              evt.data.sharedStorageWritableHeader) {
+            document.body.removeChild(frame);
+            window.removeEventListener('message', handler);
+            resolve(evt.data.sharedStorageWritableHeader);
+          }
+        });
+        window.addEventListener('error', (error) => {
+          reject(error);
+        });
+      });
+
+      const innerUrl =
+        `${origin}\\/shared-storage\\/resources\\/shared-storage-write-`
+        + `notify-parent.py?write=${setHeader}`;
+      const innerCode = `
+let parentOrOpener = window.opener || window.parent;
+let innerFrame = document.createElement('iframe');
+window.addEventListener('message', async (evt) => {
+  if (evt.source === innerFrame.contentWindow &&
+      evt.data.sharedStorageWritableHeader) {
+    parentOrOpener.postMessage({sharedStorageWritableHeader:
+                                evt.data.sharedStorageWritableHeader}, '*');
+  }
+});
+window.addEventListener('error', (error) => {
+  parentOrOpener.postMessage({sharedStorageWritableHeader: error.message}, '*');
+});
+innerFrame.src = '${innerUrl}';
+innerFrame.sharedStorageWritable = true;
+document.body.appendChild(innerFrame);
+`;
+
+      const dataURL = 'data:text/html;base64,'
+        + btoa(unescape('%3Chtml%3E%3Cbody%3E%3Cscript%3E'
+                        + encodeURIComponent(innerCode) +
+                        '%3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E'));
+      frame.src = dataURL;
+      document.body.appendChild(frame);
+
+      const result = await promise;
+      assert_equals(result, "NO_SHARED_STORAGE_WRITABLE_HEADER");
+      await verifyKeyNotFoundForOrigin('hello', origin);
+
+    }, 'shared storage iframe request disallowed in opaque origin from data URL');
+  </script>
+</body>
diff --git a/shared-storage/shared-storage-writable-img-request-in-data-url.tentative.https.sub.html b/shared-storage/shared-storage-writable-img-request-in-data-url.tentative.https.sub.html
new file mode 100644
index 00000000000000..75d6b514a82c29
--- /dev/null
+++ b/shared-storage/shared-storage-writable-img-request-in-data-url.tentative.https.sub.html
@@ -0,0 +1,62 @@
+<!doctype html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <script src=/common/utils.js></script>
+  <script src=/fenced-frame/resources/utils.js></script>
+  <script src=/shared-storage/resources/util.js></script>
+  <script>
+    'use strict';
+    const origin = window.location.origin;
+    const rawSetHeader = 'set;key=hello;value=world';
+    const setHeader = encodeURIComponent(rawSetHeader);
+
+    promise_test(async t => {
+      let frame = document.createElement('iframe');
+      const promise = new Promise((resolve, reject) => {
+        window.addEventListener('message', async function handler(evt) {
+          if (evt.source === frame.contentWindow &&
+              evt.data.sharedStorageWritableLoadStatus) {
+            document.body.removeChild(frame);
+            window.removeEventListener('message', handler);
+            resolve(evt.data.sharedStorageWritableLoadStatus);
+          }
+        });
+        window.addEventListener('error', (error) => {
+          reject(error);
+        });
+      });
+
+      const imageUrl =
+        `${origin}\\/shared-storage\\/resources\\/shared-storage-writable-`
+        + `pixel-write.png?write=${setHeader}`;
+      const innerCode = `
+let parentOrOpener = window.opener || window.parent;
+let image = document.createElement('img');
+window.addEventListener('load', async (evt) => {
+  parentOrOpener.postMessage({sharedStorageWritableLoadStatus:
+                              'loaded'}, '*');
+});
+window.addEventListener('error', (error) => {
+  parentOrOpener.postMessage({sharedStorageWritableLoadStatus: error.message},
+                             '*');
+});
+image.src = '${imageUrl}';
+image.sharedStorageWritable = true;
+document.body.appendChild(image);
+`;
+
+      const dataURL = 'data:text/html;base64,'
+        + btoa(unescape('%3Chtml%3E%3Cbody%3E%3Cscript%3E'
+                        + encodeURIComponent(innerCode) +
+                        '%3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E'));
+      frame.src = dataURL;
+      document.body.appendChild(frame);
+
+      const result = await promise;
+      assert_equals(result, "loaded");
+      await verifyKeyNotFoundForOrigin('hello', origin);
+
+    }, 'shared storage iframe request disallowed in opaque origin from data URL');
+  </script>
+</body>
diff --git a/shared-storage/shared-storage-writable-img-request-in-sandboxed-frame.tentative.https.html b/shared-storage/shared-storage-writable-img-request-in-sandboxed-frame.tentative.https.html
index a901500d66a4e4..8e33c68e8ca0cf 100644
--- a/shared-storage/shared-storage-writable-img-request-in-sandboxed-frame.tentative.https.html
+++ b/shared-storage/shared-storage-writable-img-request-in-sandboxed-frame.tentative.https.html
@@ -72,7 +72,7 @@
         /*key=*/'c',
         /*value=*/'d',
         /*sandbox_flags=*/'allow-scripts',
-        /*expect_success=*/false);
+        /*expect_success=*/true);
     }, 'test sharedStorageWritable img request in sandboxed iframe without '
          + '"allow-same-origin"');
   </script>
diff --git a/shared-storage/shared-storage-writable-opaque-origin.tentative.https.sub.html b/shared-storage/shared-storage-writable-opaque-origin.tentative.https.sub.html
deleted file mode 100644
index 4829af0e0c17c0..00000000000000
--- a/shared-storage/shared-storage-writable-opaque-origin.tentative.https.sub.html
+++ /dev/null
@@ -1,41 +0,0 @@
-<!doctype html>
-<body>
-  <script src=/resources/testharness.js></script>
-  <script src=/resources/testharnessreport.js></script>
-  <script>
-    'use strict';
-    const rawSetHeader = 'set;key=hello;value=world';
-    const setHeader = encodeURIComponent(rawSetHeader);
-
-    promise_test(async t => {
-      const fetchUrl =
-        `/shared-storage/resources/shared-storage-write.py?write=${setHeader}`;
-      const fetchCode =
-        `try {
-           new Request(fetchUrl,{sharedStorageWritable: true});
-         } catch (e) {
-           assert_equals(e.name, 'TypeError');
-           assert_equals(e.message, "Failed to construct 'Request': "
-                      + "sharedStorageWritable: sharedStorage operations "
-                      + "are not available for opaque origins.");
-           return;
-         }
-         assert_unreached("did not catch an error");`
-
-      const dataURL = 'data:text/javascript;base64,'
-        + btoa(unescape(encodeURIComponent(fetchCode)));
-      let frame = document.createElement('iframe');
-      frame.src = dataURL;
-      const promise = new Promise((resolve, reject) => {
-       frame.addEventListener('load', () => {
-          resolve();
-        });
-        frame.addEventListener('error', () => {
-          reject(new Error('Navigation failed'));
-        });
-      });
-      document.body.appendChild(frame);
-      await promise;
-    }, 'shared storage fetch request disallowed for opaque origin');
-  </script>
-</body>