<title>
This tests the inheritance of COOP for navigations to about:blank.
</title>
<meta name=timeout content=long>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<p>Non-initial empty documents (about:blank) should inherit their
cross-origin-opener-policy from the navigation's initiator top level document,
if the initiator and its top level document are same-origin, or default
(unsafe-none) otherwise.
</p>
<ol>
<li>Create the opener popup with a given COOP <code>openerCOOP</code>.</li>
<li>Add iframe to the opener popup that is either same-origin or
cross-origin.
</li>
<li>Opener's iframe opens a new window, to a network document with <code>openeeCOOP</code>.</li>
<li>Opener's iframe navigates the openee popup to about:blank.</li>
</ol>
<script>
const executor_path = "/common/dispatcher/executor.html?pipe=";
const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
const coop_same_origin_header =
'|header(Cross-Origin-Opener-Policy,same-origin)';
const coep_require_corp_header =
'|header(Cross-Origin-Embedder-Policy,require-corp)';
const coop_same_origin_plus_coep_header =
coop_same_origin_header + coep_require_corp_header;
const coop_same_origin_allow_popups_header =
'|header(Cross-Origin-Opener-Policy,same-origin-allow-popups)';
const coop_unsafe_none_header =
'|header(Cross-Origin-Opener-Policy,unsafe-none)';
function navigateToAboutBlankTest(
opener_COOP_header,
iframe_origin,
openee_COOP_header,
openee_origin,
iframe_header,
expect_openee_closed
){
return promise_test(async t => {
const this_window_token = token();
const opener_token = token();
const openee_token = token();
const iframe_token = token();
const opener_url = same_origin + executor_path + opener_COOP_header +
`&uuid=${opener_token}`;
const openee_url = openee_origin + executor_path + openee_COOP_header +
`&uuid=${openee_token}`;
const iframe_url = iframe_origin + executor_path + iframe_header + `&uuid=${iframe_token}`;
t.add_cleanup(() => {
send(openee_token, "window.close()");
send(opener_token, "window.close()");
});
// 1. Create the opener window.
let opener_window_proxy = window.open(opener_url, opener_token);
// 2. Create the iframe.
send(opener_token, `
iframe = document.createElement('iframe');
iframe.src = "${iframe_url}";
document.body.appendChild(iframe);
`);
// 3. The iframe opens its openee window.
send(iframe_token, `
window.openee = window.open(
'${openee_url.replace(/,/g, '\\,')}',
"${openee_token}"
);
`);
// 4. Ensure the popup is fully loaded.
send(openee_token, `send("${this_window_token}", "Ack");`);
assert_equals(await receive(this_window_token), "Ack");
// 5. The iframe navigates openee to about:blank.
send(iframe_token, `
window.openee_blank = window.open('about:blank', "${openee_token}");
(async function() {
const timeout = 2000;
const retry_delay = 100;
for(let i = 0; i * retry_delay < timeout; ++i) {
// A try-catch block is used, because of same-origin policy,
// preventing access to the document before committing about:blank.
try {
if (window.openee_blank.closed ||
window.openee_blank.document.location.href == "about:blank") {
send("${this_window_token}", "about:blank loaded");
return;
}
} catch(e) {}
await new Promise(resolve => setTimeout(resolve, retry_delay));
}
send("${this_window_token}", "about:blank not loaded");
})()
`);
assert_equals(await receive(this_window_token), "about:blank loaded");
// 6. Retrieve and check the results.
send(iframe_token, `
send("${this_window_token}", window.openee.closed);
`);
assert_equals(await receive(this_window_token), `${expect_openee_closed}`);
}, `Navigate to about:blank from iframe with opener.top \
COOP: ${opener_COOP_header}, iframe origin: ${iframe_origin}, \
openee COOP: ${openee_COOP_header}, openee origin: ${openee_origin}.`);
};
// iframe same-origin with its top-level embedder:
// initial empty document and about:blank navigations initiated from the
// same-origin iframe will inherit the COOP from the iframe's top-level embedder.
// Since all navigations of openee are within same-origin pages with the
// same COOP value, there are no browsing context group switches.
navigateToAboutBlankTest(
coop_same_origin_header,
same_origin,
coop_same_origin_header,
same_origin,
"",
false
);
// Since all navigations of openee are within same-origin pages with the
// same COOP value, there are no browsing context group switches.
// Test with both COOP and COEP.
navigateToAboutBlankTest(
coop_same_origin_plus_coep_header,
same_origin,
coop_same_origin_plus_coep_header,
same_origin,
coep_require_corp_header,
false
);
// Since all navigations of openee are within same-origin pages with the
// same COOP value, there are no browsing context group switches.
navigateToAboutBlankTest(
coop_same_origin_allow_popups_header,
same_origin,
coop_same_origin_allow_popups_header,
same_origin,
"",
false
);
// The first openee navigation, from initial empty document to
// cross-origin will not switch the browsing context group, thanks to the
// same-origin-allow-popups behavior.
// The second openee navigation, to about:blank, will inherit from the
// iniatiator's, the iframe, top. Navigating from a COOP: unsafe-none page to
// a COOP: same-origin-allow-popups page causes a browsing context group
// switch.
navigateToAboutBlankTest(
coop_same_origin_allow_popups_header,
same_origin,
coop_unsafe_none_header,
cross_origin,
"",
true
);
// iframe cross-origin with its top-level embedder:
// initial empty document and about:blank navigations initiated from the
// cross-origin iframe will default COOP to unsafe-none.
// The navigation from the initial empty document and the cross_origin url
// does not cause a browsing context group switch
// (both have COOP: unsafe-none).
// The navigation from the cross-origin url to about:blank does not cause a
// browsing context group swich, about:blank defaulted its COOP value to
// unsafe-none.
navigateToAboutBlankTest(
coop_same_origin_allow_popups_header,
cross_origin,
coop_unsafe_none_header,
cross_origin,
"",
false
);
</script>
Codebase Browser
chromium