| <!doctype html> |
| <meta charset="utf-8"> |
| <meta name="timeout" content="long"> |
| <title> |
| Check the ReportingObserver(s) are notified about the coop-access-violation |
| events. |
| </title> |
| <script src=/resources/testharness.js></script> |
| <script src=/resources/testharnessreport.js></script> |
| <script src=/common/get-host-info.sub.js></script> |
| <script src="/common/utils.js"></script> |
| <script src="../resources/dispatcher.js"></script> |
| <script src="../resources/try-access.js"></script> |
| <script> |
| |
| const directory = "/html/cross-origin-opener-policy/reporting"; |
| const executor_path = directory + "/resources/executor.html?pipe="; |
| const same_origin = get_host_info().HTTPS_ORIGIN; |
| const cross_site = get_host_info().HTTPS_NOTSAMESITE_ORIGIN; |
| const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)'; |
| const corp_header = '|header(Cross-Origin-Resource-Policy,cross-origin)'; |
| |
| promise_test(async t => { |
| // This test window. |
| const this_window_token = token(); |
| |
| // The "opener" window, using COOP-Report-Only and a reporter. |
| const opener_token = token(); |
| const opener_reportTo = reportToHeaders(token()); |
| const opener_url = same_origin + executor_path + opener_reportTo.header + |
| opener_reportTo.coopReportOnlySameOriginHeader + coep_header + |
| `&uuid=${opener_token}`; |
| |
| // The "openee" window, NOT using COOP. |
| const openee_token = token(); |
| const openee_url = same_origin + executor_path + `&uuid=${openee_token}`; |
| |
| // 1. Create the opener window. |
| window.open(opener_url); |
| t.add_cleanup(() => send(opener_token, "window.close();")); |
| |
| // 2. The opener opens its openee. |
| send(opener_token, `openee = window.open('${openee_url}');`); |
| t.add_cleanup(() => send(openee_token, `window.close();`)); |
| |
| // 3. Wait for the openee to load its document. |
| send(openee_token, `send("${this_window_token}", "Ready");`); |
| assert_equals(await receive(this_window_token), "Ready"); |
| |
| // 4. The opener tries to access its openee. All reports for blocked access |
| // from the COOP page should notify the ReportingObservers. |
| send(opener_token, ` |
| let observer = new ReportingObserver(()=>{}); |
| observer.observe(); |
| tryAccess(openee); |
| let reports = observer.takeRecords(); |
| send("${this_window_token}", JSON.stringify(reports)); |
| observer.disconnect(); |
| `); |
| |
| let report_access_from = JSON.parse(await receive(this_window_token)); |
| assert_equals(report_access_from.length, 1, "No report received."); |
| assert_equals(report_access_from[0].type, "coop-access-violation"); |
| assert_equals(report_access_from[0].url, opener_url.replace(/"/g, '%22')); |
| assert_source_location_found(report_access_from[0]) |
| assert_equals(report_access_from[0].body.type, |
| "access-from-coop-page-to-openee"); |
| assert_equals(report_access_from[0].body.openeeURL, openee_url); |
| assert_equals(report_access_from[0].body.openerURL, undefined); |
| assert_equals(report_access_from[0].body.otherDocumentURL, undefined); |
| |
| // 5. The openee tries to access its opener. No reports for blocked access |
| // to the COOP page should be dispatched. |
| send(openee_token, ` |
| let observer = new ReportingObserver(()=>{}); |
| observer.observe(); |
| tryAccess(opener); |
| let reports = observer.takeRecords(); |
| send("${this_window_token}", JSON.stringify(reports)); |
| observer.disconnect(); |
| `); |
| let report_access_to = JSON.parse(await receive(this_window_token)); |
| assert_equals(report_access_to.length, 0, "Unexpected report received."); |
| }, "Opener COOP"); |
| |
| promise_test(async t => { |
| // This test window. |
| const this_window_token = token(); |
| |
| // The "opener" window, NOT using COOP. |
| const opener_token = token(); |
| const opener_url = same_origin + executor_path + `&uuid=${opener_token}`; |
| |
| // The "openee" window, using COOP-Report-Only and a reporter. |
| const openee_token = token(); |
| const openee_reportTo = reportToHeaders(token()); |
| const openee_url = same_origin + executor_path + openee_reportTo.header + |
| openee_reportTo.coopReportOnlySameOriginHeader + coep_header + |
| `&uuid=${openee_token}`; |
| |
| // 1. Create the opener window. |
| window.open(opener_url); |
| t.add_cleanup(() => send(opener_token, "window.close();")); |
| |
| // 2. The opener opens its openee. |
| send(opener_token, |
| `openee = window.open('${openee_url.replace(/,/g, '\\,')}');`); |
| t.add_cleanup(() => send(openee_token, `window.close();`)); |
| |
| // 3. The openee tries to access its opener. All reports for blocked access |
| // from the COOP page should notify the ReportingObservers. |
| send(openee_token, ` |
| let observer = new ReportingObserver(()=>{}); |
| observer.observe(); |
| tryAccess(opener); |
| let reports = observer.takeRecords(); |
| send("${this_window_token}", JSON.stringify(reports)); |
| observer.disconnect(); |
| `); |
| let report_access_from = JSON.parse(await receive(this_window_token)); |
| assert_equals(report_access_from.length, 1, "No report received."); |
| assert_equals(report_access_from[0].type, "coop-access-violation"); |
| assert_equals(report_access_from[0].url, openee_url.replace(/"/g, '%22')); |
| assert_true(report_access_from[0].body.sourceFile.includes("try-access.js")); |
| assert_source_location_found(report_access_from[0]) |
| assert_equals(report_access_from[0].body.type, |
| "access-from-coop-page-to-opener"); |
| assert_equals(report_access_from[0].body.openeeURL, undefined); |
| assert_equals(report_access_from[0].body.openerURL, opener_url); |
| assert_equals(report_access_from[0].body.otherDocumentURL, undefined); |
| |
| // 4. The opener tries to access its openee. No reports for blocked access |
| // to the COOP page should be dispatched. |
| send(opener_token, ` |
| let observer = new ReportingObserver(()=>{}); |
| observer.observe(); |
| tryAccess(openee); |
| let reports = observer.takeRecords(); |
| send("${this_window_token}", JSON.stringify(reports)); |
| observer.disconnect(); |
| `); |
| let report_access_to = JSON.parse(await receive(this_window_token)); |
| assert_equals(report_access_to.length, 0, "Unexpected report received."); |
| }, "Openee COOP"); |
| |
| promise_test(async t => { |
| // This test window. |
| const this_window_token = token(); |
| |
| // The "opener" window, using COOP-Report-Only and a reporter. |
| const opener_token = token(); |
| const opener_reportTo = reportToHeaders(token()); |
| const opener_url = same_origin + executor_path + opener_reportTo.header + |
| opener_reportTo.coopReportOnlySameOriginHeader + coep_header + |
| `&uuid=${opener_token}`; |
| |
| // The "opener's iframe", same-origin with its parent. |
| const opener_iframe_token = token(); |
| const opener_iframe_url = same_origin + executor_path + coep_header + |
| `&uuid=${opener_iframe_token}`; |
| |
| // The "openee" window, NOT using COOP. |
| const openee_token = token(); |
| const openee_url = same_origin + executor_path + coep_header + |
| `&uuid=${openee_token}`; |
| |
| // 1. Create the opener window. |
| window.open(opener_url); |
| t.add_cleanup(() => send(opener_token, "window.close();")); |
| |
| // 2. The opener opens an iframe, and install a ReportingObserver to catch |
| // future accesses. |
| send(opener_token, ` |
| iframe = document.createElement("iframe"); |
| iframe.src = "${opener_iframe_url}"; |
| document.body.appendChild(iframe); |
| |
| let observer = new ReportingObserver(reports => { |
| send("${this_window_token}", JSON.stringify(reports)); |
| observer.disconnect(); |
| }); |
| observer.observe(); |
| `); |
| |
| // 3. The iframe opens the openee. |
| send(opener_iframe_token, `openee = window.open('${openee_url}');`); |
| t.add_cleanup(() => send(openee_token, `window.close();`)); |
| |
| // 4. Wait for the openee to load its document. |
| send(openee_token, `send("${this_window_token}", "Ready");`); |
| assert_equals(await receive(this_window_token), "Ready"); |
| |
| // 4. The opener's iframe tries to access the openee. This is an |
| // "access-from-coop-page" from a same-origin iframe, so the |
| // ReportingObserver(s) are notified. |
| send(opener_iframe_token, `tryAccess(openee);`); |
| |
| let reports = await receive(this_window_token); |
| reports = JSON.parse(reports); |
| assert_equals(reports.length, 1, "No report received."); |
| assert_equals(reports[0].type, "coop-access-violation"); |
| assert_equals(reports[0].url, opener_url.replace(/"/g, '%22')); |
| assert_true(reports[0].body.sourceFile.includes("try-access.js")); |
| assert_source_location_found(reports[0]); |
| assert_equals(reports[0].body.type, |
| "access-from-coop-page-to-openee"); |
| assert_equals(reports[0].body.openeeURL, openee_url); |
| assert_equals(reports[0].body.openerURL, undefined); |
| assert_equals(reports[0].body.otherDocumentURL, undefined); |
| }, "Access from same-origin iframe") |
| |
| promise_test(async t => { |
| // This test window. |
| const this_window_token = token(); |
| |
| // The "opener" window, using COOP-Report-Only and a reporter. |
| const opener_token = token(); |
| const opener_reportTo = reportToHeaders(token()); |
| const opener_url = same_origin + executor_path + opener_reportTo.header + |
| opener_reportTo.coopReportOnlySameOriginHeader + coep_header + |
| `&uuid=${opener_token}`; |
| |
| // The "opener's iframe", same-origin with its parent. |
| const opener_iframe_token = token(); |
| const opener_iframe_url = cross_site + executor_path + coep_header + |
| corp_header + |
| `&uuid=${opener_iframe_token}`; |
| |
| // The "openee" window, NOT using COOP. |
| const openee_token = token(); |
| const openee_url = same_origin + executor_path + coep_header + |
| `&uuid=${openee_token}`; |
| |
| // 1. Create the opener window. |
| window.open(opener_url); |
| t.add_cleanup(() => send(opener_token, "window.close();")); |
| |
| // 2. The opener opens an iframe, and install a ReportingObserver to catch |
| // future accesses. |
| send(opener_token, ` |
| iframe = document.createElement("iframe"); |
| iframe.src = "${opener_iframe_url}"; |
| document.body.appendChild(iframe); |
| |
| let observer = new ReportingObserver(reports => { |
| send("${this_window_token}", JSON.stringify(reports)); |
| observer.disconnect(); |
| }); |
| observer.observe(); |
| `); |
| |
| // 3. The iframe opens the openee. |
| send(opener_iframe_token, `openee = window.open('${openee_url}');`); |
| t.add_cleanup(() => send(openee_token, `window.close();`)); |
| |
| // 4. Wait for the openee to load its document. |
| send(openee_token, `send("${this_window_token}", "Ready");`); |
| assert_equals(await receive(this_window_token), "Ready"); |
| |
| // 5. The opener's iframe tries to access the openee. This is an |
| // "access-from-coop-page" from a cross-site iframe. The ReportingObservers |
| // from the main document aren't notified. |
| send(opener_iframe_token, `tryAccess(openee);`); |
| |
| let reports = await receive(this_window_token, 2000); |
| assert_equals(reports, "timeout", "Unexpected report received."); |
| }, "Access from cross-site iframe") |
| |
| </script> |