Shared Storage: Align createWorklet's default data origin w/addModule's

We align the default data origin for createWorklet with that of
addModule to be the invoking context's origin. We also hook up the
dataOrigin option in createWorklet's options dictionary, so that
the script origin can be manually specified to be used as the data
origin instead.

See WICG/shared-storage#158,
WICG/shared-storage#161, and
https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk.

Bug:353738488
Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c

Author: pythagoraskitty

private-aggregation/private-aggregation-permissions-policy-default.https.sub.html

@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data);
 }, 'In a page with default "private-aggregation" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>

private-aggregation/private-aggregation-permissions-policy-none.https.sub.html

@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data, /*expected_error=*/true);
 }, 'In a page with "private-aggregation=()" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>

private-aggregation/private-aggregation-permissions-policy-self.https.sub.html

@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data, /*expected_error=*/true);
 }, 'In a page with "private-aggregation=(self)" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>

private-aggregation/resources/util.js

@@ -35,8 +35,10 @@ async function CreateWorkletAndVerifyContributeToHistogram(shared_storage_origin
   let url1 = generateURL("/shared-storage/resources/frame1.html",
                          [ancestor_key]);
 
-  let worklet = await sharedStorage.createWorklet(shared_storage_origin +
-          "/private-aggregation/resources/shared-storage-helper-module.js");
+  let worklet = await sharedStorage.createWorklet(
+      shared_storage_origin +
+          '/private-aggregation/resources/shared-storage-helper-module.js',
+      {dataOrigin: 'script-origin'});
 
   let select_url_result = await worklet.selectURL(
     "contribute-to-histogram", [{url: url0}, {url: url1}],

shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html

@@ -15,11 +15,28 @@
 }, 'addModule() with data URL module script');
 
 promise_test(async t => {
-  // Opaque data origins are not permitted.
-  return promise_rejects_dom(t, "InvalidAccessError",
+  // Loading the worklet script uses CORS, which doesn't support the data
+  // scheme.
+  return promise_rejects_dom(t, "OperationError",
                              sharedStorage.createWorklet(
                                `data:application/javascript;alert("Hi!")`));
 }, 'createWorklet() with data URL module script and default data origin');
 
+promise_test(async t => {
+  // Loading the worklet script uses CORS, which doesn't support the data
+  // scheme.
+  return promise_rejects_dom(t, "OperationError",
+                             sharedStorage.createWorklet(
+                                 `data:application/javascript;alert("Hi!")`,
+                                 { dataOrigin: "context-origin" }));
+}, 'createWorklet() with data URL module script and dataOrigin "context-origin"');
+
+promise_test(async t => {
+  // Opaque data origins are not permitted.
+  return promise_rejects_dom(t, "InvalidAccessError",
+                             sharedStorage.createWorklet(
+                                 `data:application/javascript;alert("Hi!")`,
+                                 { dataOrigin: "script-origin" }));
+}, 'createWorklet() with data URL module script and dataOrigin "script-origin"');
 </script>
 </body>

shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html

@@ -9,32 +9,63 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
                          `?name=key0` +
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&access_control_allow_credentials_header=true` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "include" }
+        : { credentials: "include", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "include" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
 
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "key0=1");
-}, 'createWorklet() with cross-origin module script and credentials "include"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>

shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html

@@ -9,31 +9,63 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
                          `?name=key0` +
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "omit" }
+        : { credentials: "omit", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "omit" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
 
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
-}, 'createWorklet() with cross-origin module script and credentials "omit"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>

shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html

@@ -9,31 +9,63 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
                          `?name=key0` +
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "same-origin" }
+        : { credentials: "same-origin", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "same-origin" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
 
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
-}, 'createWorklet() with cross-origin module script and credentials "same-origin"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>

shared-storage/cross-origin-create-worklet-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html

@@ -9,22 +9,53 @@
 <script>
 'use strict';
 
+const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+
 promise_test(async t => {
   const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
                      `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
                      `&token=${ancestor_key}`;
 
   return promise_rejects_dom(t, "OperationError",
     sharedStorage.createWorklet(
       helper_url + `&action=store-cookie`,
       { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and without the Access-Control-Allow-Credentials response ' +
-   'header');
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", default data origin (context origin), and without the ' +
+   'Access-Control-Allow-Credentials response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "context-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "context-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Credentials response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "script-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "script-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Credentials response header');
 
 </script>
 </body>