// META: timeout=long
// META: script=/common/get-host-info.sub.js
// META: script=./resources/common.js
const {ORIGIN, REMOTE_ORIGIN} = get_host_info();
const COEP = '|header(cross-origin-embedder-policy,credentialless)';
const COEP_RO =
'|header(cross-origin-embedder-policy-report-only,credentialless)';
const CORP_CROSS_ORIGIN =
'|header(cross-origin-resource-policy,cross-origin)';
const FRAME_URL = `${ORIGIN}/common/blank.html?pipe=`;
const REMOTE_FRAME_URL = `${REMOTE_ORIGIN}/common/blank.html?pipe=`;
function checkCorpReport(report, contextUrl, blockedUrl, disposition) {
assert_equals(report.type, 'coep');
assert_equals(report.url, contextUrl);
assert_equals(report.body.type, 'corp');
assert_equals(report.body.blockedURL, blockedUrl);
assert_equals(report.body.disposition, disposition);
assert_equals(report.body.destination, 'iframe');
}
function checkCoepMismatchReport(report, contextUrl, blockedUrl, disposition) {
assert_equals(report.type, 'coep');
assert_equals(report.url, contextUrl);
assert_equals(report.body.type, 'navigation');
assert_equals(report.body.blockedURL, blockedUrl);
assert_equals(report.body.disposition, disposition);
}
function loadFrame(document, url) {
return new Promise((resolve, reject) => {
const frame = document.createElement('iframe');
frame.src = url;
frame.onload = () => resolve(frame);
frame.onerror = reject;
document.body.appendChild(frame);
});
}
// |parentSuffix| is a suffix for the parent frame URL.
// |targetUrl| is a URL for the target frame.
async function loadFrames(test, parentSuffix, targetUrl) {
const frame = await loadFrame(document, FRAME_URL + parentSuffix);
test.add_cleanup(() => frame.remove());
// Here we don't need "await". This loading may or may not succeed, and
// we're not interested in the result.
loadFrame(frame.contentDocument, targetUrl);
return frame;
}
async function observeReports(global, expected_count) {
const reports = [];
const receivedEveryReports = new Promise(resolve => {
if (expected_count == 0)
resolve();
const observer = new global.ReportingObserver((rs) => {
for (const r of rs) {
reports.push(r.toJSON());
}
if (expected_count <= reports.length)
resolve();
});
observer.observe();
});
// Wait 500ms more to catch additionnal unexpected reports.
await receivedEveryReports;
await new Promise(r => step_timeout(r, 500));
return reports;
}
function desc(headers) {
return headers === '' ? '(none)' : headers;
}
// CASES is a list of test case. Each test case consists of:
// parent_headers: the suffix of the URL of the parent frame.
// target_headers: the suffix of the URL of the target frame.
// expected_reports: one of:
// 'CORP': CORP violation
// 'CORP-RO': CORP violation (report only)
// 'NAV': COEP mismatch between the frames.
// 'NAV-RO': COEP mismatch between the frames (report only).
const reportingTest = function(
parent_headers, target_headers, expected_reports) {
// These tests are very slow, so they must be run in parallel using
// async_test.
promise_test_parallel(async t => {
const targetUrl = REMOTE_FRAME_URL + target_headers;
const parent = await loadFrames(t, parent_headers, targetUrl);
const contextUrl = parent.src ? parent.src : 'about:blank';
const reports = await observeReports(
parent.contentWindow,
expected_reports.length
);
assert_equals(reports.length, expected_reports.length);
for (let i = 0; i < reports.length; i += 1) {
const report = reports[i];
switch (expected_reports[i]) {
case 'CORP':
checkCorpReport(report, contextUrl, targetUrl, 'enforce');
break;
case 'CORP-RO':
checkCorpReport(report, contextUrl, targetUrl, 'reporting');
break;
case 'NAV':
checkCoepMismatchReport(report, contextUrl, targetUrl, 'enforce');
break;
case 'NAV-RO':
checkCoepMismatchReport(report, contextUrl, targetUrl, 'reporting');
break;
default:
assert_unreached(
'Unexpected report exception: ' + expected_reports[i]);
}
}
}, `parent: ${desc(parent_headers)}, target: ${desc(target_headers)}, `);
}
reportingTest('', '', []);
reportingTest('', COEP, []);
reportingTest(COEP, COEP, ['CORP']);
reportingTest(COEP, '', ['CORP']);
reportingTest('', CORP_CROSS_ORIGIN, []);
reportingTest(COEP, CORP_CROSS_ORIGIN, ['NAV']);
reportingTest('', COEP + CORP_CROSS_ORIGIN, []);
reportingTest(COEP, COEP + CORP_CROSS_ORIGIN, []);
reportingTest(COEP_RO, COEP, ['CORP-RO']);
reportingTest(COEP_RO, '', ['CORP-RO', 'NAV-RO']);
reportingTest(COEP_RO, CORP_CROSS_ORIGIN, ['NAV-RO']);
reportingTest(COEP_RO, COEP + CORP_CROSS_ORIGIN, []);
reportingTest(COEP, COEP_RO + CORP_CROSS_ORIGIN, ['NAV']);
Codebase Browser
chromium