From fbe693cf9b75025d1e1d1f76131edb129bc772d0 Mon Sep 17 00:00:00 2001 
From: Yao Xiao Date: Wed, 20 Jul 2022 10:55:05 +0000 Subject: [PATCH] Bug 1779485 [wpt PR 34740] - [shared storage] implement permissions policy, a=testonly Automatic update from web-platform-tests [shared storage] implement permissions policy Add the "shared-storage" permissions policy that disallows all Shared Storage methods. https://github.com/WICG/shared-storage/blob/main/README.md#permissions-policy Due to this change, Shared Storage won't be allowed in Fenced Frames as Fenced Frames disallow all permissions policies. This decision may change in the future: https://github.com/WICG/fenced-frame/issues/44 Bug: 1337454 Change-Id: I856d31933032355409585bc376f2b6826f667270 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3710841 Reviewed-by: Daniel Cheng Reviewed-by: Ian Clelland Commit-Queue: Yao Xiao Reviewed-by: Dominic Farolino Cr-Commit-Position: refs/heads/main@{#1023892} -- wpt-commits: f5f78fef7de46edae42d644c7956c211bf47fd5e wpt-pr: 34740 --- ...ns-policy-default.tentative.https.sub.html | 29 ++++++++ ...sions-policy-none.tentative.https.sub.html | 29 ++++++++ ...licy-none.tentative.https.sub.html.headers | 1 + ...sions-policy-self.tentative.https.sub.html | 29 ++++++++ ...licy-self.tentative.https.sub.html.headers | 1 + .../resources/permissions-policy-helper.html | 18 +++++ .../shared-storage/resources/simple-module.js | 1 + .../tests/shared-storage/resources/util.js | 69 +++++++++++++++++++ 8 files changed, 177 insertions(+) create mode 100644 testing/web-platform/tests/shared-storage/permissions-policy-default.tentative.https.sub.html create mode 100644 testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html create mode 100644 testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html.headers create mode 100644 testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html create mode 100644 
testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html.headers create mode 100644 testing/web-platform/tests/shared-storage/resources/permissions-policy-helper.html create mode 100644 testing/web-platform/tests/shared-storage/resources/simple-module.js create mode 100644 testing/web-platform/tests/shared-storage/resources/util.js diff --git a/testing/web-platform/tests/shared-storage/permissions-policy-default.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/permissions-policy-default.tentative.https.sub.html new file mode 100644 index 0000000000000..f055ae0421f6c --- /dev/null +++ b/testing/web-platform/tests/shared-storage/permissions-policy-default.tentative.https.sub.html @@ -0,0 +1,29 @@ + + + + + + + + diff --git a/testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html new file mode 100644 index 0000000000000..7154061d50aba --- /dev/null +++ b/testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html @@ -0,0 +1,29 @@ + + + + + + + + diff --git a/testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html.headers b/testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html.headers new file mode 100644 index 0000000000000..9903f7c578df6 --- /dev/null +++ b/testing/web-platform/tests/shared-storage/permissions-policy-none.tentative.https.sub.html.headers @@ -0,0 +1 @@ +Permissions-Policy: shared-storage=() diff --git a/testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html new file mode 100644 index 0000000000000..bde32a5c30660 --- /dev/null +++ b/testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html 
@@ -0,0 +1,29 @@ + + + + + + + + diff --git a/testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html.headers b/testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html.headers new file mode 100644 index 0000000000000..36c95f2b087ba --- /dev/null +++ b/testing/web-platform/tests/shared-storage/permissions-policy-self.tentative.https.sub.html.headers @@ -0,0 +1 @@ +Permissions-Policy: shared-storage=(self) diff --git a/testing/web-platform/tests/shared-storage/resources/permissions-policy-helper.html b/testing/web-platform/tests/shared-storage/resources/permissions-policy-helper.html new file mode 100644 index 0000000000000..d87092aad1d2e --- /dev/null +++ b/testing/web-platform/tests/shared-storage/resources/permissions-policy-helper.html @@ -0,0 +1,18 @@ + + + + + + + diff --git a/testing/web-platform/tests/shared-storage/resources/simple-module.js b/testing/web-platform/tests/shared-storage/resources/simple-module.js new file mode 100644 index 0000000000000..ad9a93a7c160f --- /dev/null +++ b/testing/web-platform/tests/shared-storage/resources/simple-module.js @@ -0,0 +1 @@ +'use strict'; diff --git a/testing/web-platform/tests/shared-storage/resources/util.js b/testing/web-platform/tests/shared-storage/resources/util.js new file mode 100644 index 0000000000000..4dea9837646dc --- /dev/null +++ b/testing/web-platform/tests/shared-storage/resources/util.js 
@@ -0,0 +1,69 @@
+'use strict';
+
+// Execute all shared storage methods and capture their errors. Return true if
+// the permissions policy allows all of them; return false if the permissions
+// policy disallows all of them. Precondition: only these two outcomes are
+// possible.
+async function AreSharedStorageMethodsAllowedByPermissionsPolicy() {
+ let permissionsPolicyDeniedCount = 0;
+ const errorMessage = 'The \"shared-storage\" Permissions Policy denied the method on window.sharedStorage.';
+
+ try {
+ await window.sharedStorage.worklet.addModule('/shared-storage/resources/simple-module.js');
+ } catch (e) {
+ assert_equals(e.message, errorMessage);
+ ++permissionsPolicyDeniedCount;
+ }
+
+ try {
+ await window.sharedStorage.run('operation');
+ } catch (e) {
+ assert_equals(e.message, errorMessage);
+ ++permissionsPolicyDeniedCount;
+ }
+
+ try {
+ // Run selectURL() with without addModule() and this should always fail.
+ // Check the error message to distinguish between the permissions policy
+ // error and the missing addModule() error.
+ await sharedStorage.selectURL("operation", [{url: "1.html"}]);
+ assert_unreached("did not fail");
+ } catch (e) {
+ if (e.message === errorMessage) {
+ ++permissionsPolicyDeniedCount;
+ }
+ }
+
+ try {
+ await window.sharedStorage.set('a', 'b');
+ } catch (e) {
+ assert_equals(e.message, errorMessage);
+ ++permissionsPolicyDeniedCount;
+ }
+
+ try {
+ await window.sharedStorage.append('a', 'b');
+ } catch (e) {
+ assert_equals(e.message, errorMessage);
+ ++permissionsPolicyDeniedCount;
+ }
+
+ try {
+ await window.sharedStorage.clear();
+ } catch (e) {
+ assert_equals(e.message, errorMessage);
+ ++permissionsPolicyDeniedCount;
+ }
+
+ try {
+ await window.sharedStorage.delete('a');
+ } catch (e) {
+ assert_equals(e.message, errorMessage);
+ ++permissionsPolicyDeniedCount;
+ }
+
+ if (permissionsPolicyDeniedCount === 0)
+ return true;
+
+ return false;
+}
\ No newline at end of file
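Review bot: The precondition stated in the header comment of `AreSharedStorageMethodsAllowedByPermissionsPolicy` (every method allowed, or every method denied) is never checked, so the closing `if (permissionsPolicyDeniedCount === 0) return true; return false;` reports a partially enforced policy exactly like a fully enforced one. A regression in which one method is not blocked under `shared-storage=()` while the other six are would still return false, so a test that expects false for the deny case would keep passing. Assert the count before returning, e.g. `assert_true(permissionsPolicyDeniedCount === 0 || permissionsPolicyDeniedCount === 7, 'methods must be uniformly allowed or denied');` followed by `return permissionsPolicyDeniedCount === 0;`. Separately, `assert_unreached("did not fail")` sits inside the `try` whose `catch` only compares `e.message` with `errorMessage`, so if it throws as testharness assertions normally do, an unexpected `selectURL()` success is swallowed; setting a flag in the `try` and asserting on it after the `catch` would surface it.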