From cc0e93e2935ac64555b6cf9c5db2eab04a5ad1e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A2ris=20MEULEMAN?= <pmeuleman@chromium.org>
Date: Mon, 3 Aug 2020 06:45:51 -0700
Subject: [PATCH] COOP: add redirect WPT tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This CL adds a WPT test that checks the interaction of COOP
same-origin-allow-popups with redirects as specified in
https://github.com/whatwg/html/pull/5739.

This follows up on Clamy@ work in https://crrev.com/2312796.

Change-Id: I4afede7221c2edeec675035339064c4a9ae7fb80
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2332260
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Pâris Meuleman <pmeuleman@chromium.org>
Auto-Submit: Pâris Meuleman <pmeuleman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#794090}
---
 ...t-with-same-origin-allow-popups.https.html | 84 +++++++++++++++++++
 .../reporting/resources/dispatcher.js         |  2 +
 2 files changed, 86 insertions(+)
 create mode 100644 html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html

diff --git a/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
new file mode 100644
index 00000000000000..7dba76c4ef5434
--- /dev/null
+++ b/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
@@ -0,0 +1,84 @@
+<title>
+  COOP reports are to the opener when the opener used COOP-RO+COEP and then its
+  cross-origin openee tries to access it.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="../resources/dispatcher.js"></script>
+<script src="../resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy/reporting";
+const executor_path = directory + "/resources/executor.html?pipe=";
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const coep_header = '|header(Cross-Origin-Embedder-Policy,require-corp)';
+
+promise_test(async t => {
+  // The test window.
+  const this_window_token = token();
+
+  // The "opener" window. This has COOP same-origin-allow-popups and a reporter.
+  const opener_report_token= token();
+  const opener_token = token();
+  const opener_reportTo = reportToHeaders(opener_report_token);
+  const opener_url = same_origin + executor_path + opener_reportTo.header +
+    opener_reportTo.coopSameOriginAllowPopupsHeader +
+    `&uuid=${opener_token}`;
+
+  // The "openee" window.
+  // The initial URL is cross-origin with the opener, and redirects to a
+  // same-origin page with same-origin-allow-popups.
+  // The navigation to the cross-origin page stays in the same browsing context
+  // group due to the same-origin-allow-popups policy, but the redirect to the
+  // final page does since it compares the cross-origin/unsafe-none document
+  // with the same-origin/same-origin-allow-popups document.
+  const openee_token = token();
+  const openee_redirect_url = same_origin + executor_path +
+    opener_reportTo.header + opener_reportTo.coopSameOriginAllowPopupsHeader +
+    `&uuid=${openee_token}`;
+  const redirect_header = 'status(302)' +
+    `|header(Location,${encodeURIComponent(
+      openee_redirect_url
+        .replace(/,/g, "\\,")
+        .replace(/\\\\,/g, "\\\\\\,")
+        .replace(/\(/g, "%28")
+        .replace(/\)/g, "%29"))})`;
+  const openee_url = cross_origin + executor_path + redirect_header +
+    `&uuid=${openee_token}`;
+  // 1. Create the opener window.
+  let opener_window_proxy = window.open(opener_url);
+  t.add_cleanup(() => send(opener_token, "window.close()"));
+
+  // 2. The opener opens its openee.
+  send(opener_token, `
+    openee = window.open("${openee_url}");
+  `);
+  t.add_cleanup(() => send(openee_token, "window.close()"));
+
+  // 3. Check the opener status on the openee.
+  send(openee_token, `
+    send("${this_window_token}", opener !== null);
+  `);
+  assert_equals(await receive(this_window_token), "false", "opener");
+
+  // 4. Check the openee status on the opener.
+  send(opener_token, `
+    send("${this_window_token}", openee.closed);
+  `);
+  assert_equals(await receive(this_window_token), "true", "openee.closed");
+
+  // 5. Check a report sent to the openee.
+  let report = await receiveReport(opener_report_token, "navigation-to-document")
+  assert_not_equals(report, "timeout", "Report not received");
+  assert_equals(report.type, "coop");
+  assert_equals(report.url, openee_redirect_url.replace(/"/g, '%22'));
+  assert_equals(report.body["disposition"], "enforce");
+  assert_equals(report.body["effective-policy"], "same-origin-allow-popups");
+  assert_equals(report.body["document-uri"], openee_url);
+}, "Cross-origin openee redirected to same-origin with same-origin-allow-popups");
+
+</script>
diff --git a/html/cross-origin-opener-policy/reporting/resources/dispatcher.js b/html/cross-origin-opener-policy/reporting/resources/dispatcher.js
index 38243fab81a8c0..13c01add30fcc1 100644
--- a/html/cross-origin-opener-policy/reporting/resources/dispatcher.js
+++ b/html/cross-origin-opener-policy/reporting/resources/dispatcher.js
@@ -64,6 +64,8 @@ const reportToHeaders = function(uuid) {
   return {
     header: `|header(report-to,${reportToJSON})`,
     coopSameOriginHeader: `|header(Cross-Origin-Opener-Policy,same-origin%3Breport-to="${uuid}")`,
+    coopSameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy,same-origin-allow-popups%3Breport-to="${uuid}")`,
     coopReportOnlySameOriginHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin%3Breport-to="${uuid}")`,
+    coopReportOnlySameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin-allow-popups%3Breport-to="${uuid}")`,
   };
 };