Run CORP on nested frame navigations

This implements WICG/cross-origin-embedder-policy#11. Change-Id: I7bb07f0616cc947c8a84fa140af58984046c7587 Bug: 887967
web-platform-tests · Feb 26, 2020 · 56aa1a7 · 56aa1a7
1 parent a4677f6
commit 56aa1a7
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 2 deletions.
diff --git a/html/cross-origin-embedder-policy/none.https.html b/html/cross-origin-embedder-policy/none.https.html
@@ -84,6 +84,8 @@
   assert_equals(win, null);
 }, `"require-corp" top-level noopener popup: navigating to "none" should succeed`);
 
+// CORP is checked because COEP of the frame is "require-corp". The parent
+// frame's COEP value doesn't matter.
 async_test(t => {
   const frame = document.createElement("iframe");
   const id = token();
@@ -94,8 +96,33 @@
       t.done();
     }
   }));
-  frame.src = `${HOST.HTTPS_NOTSAMESITE_ORIGIN}${BASE}/navigate-require-corp-same-site.sub.html?token=${id}`;
+  // REMOTE_ORIGIN is cross-origin, same-site.
+  frame.src = `${HOST.HTTPS_REMOTE_ORIGIN}${BASE}/navigate-require-corp-same-site.sub.html?token=${id}`;
   document.body.append(frame);
-}, 'CORP: same-site is not checked.');
+}, 'CORP: same-site is checked and allowed.');
+
+// CORP is checked because COEP of the frame is "require-corp". The parent
+// frame's COEP value doesn't matter.
+async_test(t => {
+  const frame = document.createElement("iframe");
+  const id = token();
+  t.add_cleanup(() => frame.remove());
+  let loaded = false;
+  window.addEventListener('message', t.step_func((e) => {
+    if (e.data === id) {
+        loaded = true;
+    }
+  }));
+  t.step_timeout(() => {
+    // Make sure the iframe didn't load. See https://github.com/whatwg/html/issues/125 for why a
+    // timeout is used here. Long term all network error handling should be similar and have a
+    // reliable event.
+    assert_false(loaded);
+    t.done();
+  }, 2000);
 
+  // NOTESAMESITE_ORIGIN is cross-origin, cross-site.
+  frame.src = `${HOST.HTTPS_NOTSAMESITE_ORIGIN}${BASE}/navigate-require-corp-same-site.sub.html?token=${id}`;
+  document.body.append(frame);
+}, 'CORP: same-site is checked and blocked.');
 </script>
diff --git a/html/cross-origin-opener-policy/resources/postback.html.headers b/html/cross-origin-opener-policy/resources/postback.html.headers
@@ -1 +1,2 @@
 Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Resource-Policy: cross-origin
diff --git a/html/infrastructure/safe-passing-of-structured-data/resources/echo-iframe.html.headers b/html/infrastructure/safe-passing-of-structured-data/resources/echo-iframe.html.headers
@@ -1 +1,2 @@
 Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Resource-Policy: cross-origin
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		Cross-Origin-Embedder-Policy: require-corp
		Cross-Origin-Resource-Policy: cross-origin