[SAA] Add tentative WPTs for stricter Same Origin Policy adherence

Spec issue: privacycg/storage-access#210 These tests currently fail in Chrome (due to inability to properly set storage-access permission state [https://crbug.com/384959114]). But I hacked around that while developing and ensured that apart from that issue, these tests work and behave as expected. Bug: 379030052 Change-Id: Ic97b4af46bdcb5b92f60a724bc7fe2eef3f40598 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6241903 Commit-Queue: Dylan Cutler <dylancutler@google.com> Auto-Submit: Chris Fredrickson <cfredric@chromium.org> Reviewed-by: Dylan Cutler <dylancutler@google.com> Cr-Commit-Position: refs/heads/main@{#1417468}
web-platform-tests · Feb 7, 2025 · cc0dfe9 · cc0dfe9
1 parent ddbe997
commit cc0dfe9
Showing 1 changed file with 79 additions and 0 deletions.
diff --git a/storage-access-api/requestStorageAccess-cross-origin-fetch.sub.https.tentative.window.js b/storage-access-api/requestStorageAccess-cross-origin-fetch.sub.https.tentative.window.js
@@ -0,0 +1,79 @@
+// META: script=helpers.js
+// META: script=/cookies/resources/cookie-helper.sub.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // These are cross-site from the current document.
+  const altWww = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+  const altRoot = "https://{{hosts[alt][]}}:{{ports[https][0]}}";
+  const responderPath = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
+
+  const altRootResponder = `${altRoot}${responderPath}`;
+  const domainCookieString = "cookie=unpartitioned;Secure;SameSite=None;Path=/;Domain={{hosts[alt][]}}";
+
+  async function SetUpResponderFrame(t, url) {
+    const frame = await CreateFrame(url);
+
+    await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'granted']);
+    t.add_cleanup(async () => {
+      await test_driver.delete_all_cookies();
+      await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'prompt']);
+    });
+
+    return frame;
+  }
+
+  promise_test(async (t) => {
+    const frame = await SetUpResponderFrame(t, altRootResponder);
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+
+    const initiallyHasCookieAccess =
+      cookieStringHasCookie("cookie", "unpartitioned",
+        await FetchSubresourceCookiesFromFrame(frame, altWww));
+    if (initiallyHasCookieAccess) {
+      // Nothing to test here; third-party cookies are already accessible.
+      return;
+    }
+
+    assert_true(await RequestStorageAccessInFrame(frame), "requestStorageAccess resolves without requiring a gesture.");
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after request.");
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+    assert_true(await HasUnpartitionedCookie(frame), "frame has access to cookies after request.");
+
+    // The frame's origin is hosts[alt][], so hosts[alt][www] is same-site but
+    // cross-origin to it.
+    assert_false(
+        cookieStringHasCookie("cookie", "unpartitioned",
+          await FetchSubresourceCookiesFromFrame(frame, altWww)),
+        "same-site cross-origin fetch is not credentialed");
+  }, "Cross-origin fetches from a frame with storage-access are not credentialed by default");
+
+  promise_test(async (t) => {
+    const frame = await SetUpResponderFrame(t, altRootResponder);
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+
+    const initiallyHasCookieAccess =
+      cookieStringHasCookie("cookie", "unpartitioned",
+        await FetchSubresourceCookiesFromFrame(frame, altWww));
+    if (initiallyHasCookieAccess) {
+      // Nothing to test here; third-party cookies are already accessible.
+      return;
+    }
+
+    assert_true(await RequestStorageAccessInFrame(frame), "requestStorageAccess resolves without requiring a gesture.");
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after request.");
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+    assert_true(await HasUnpartitionedCookie(frame), "frame has access to cookies after request.");
+
+    // The frame's origin is hosts[alt][], so hosts[alt][www] is same-site but
+    // cross-origin to it.
+    const cross_origin_redirect = `${altRoot}/common/redirect.py?location=${altWww}/storage-access-api/resources/echo-cookie-header.py`;
+    assert_false(
+        cookieStringHasCookie("cookie", "unpartitioned",
+          await FetchFromFrame(frame, cross_origin_redirect)),
+        "fetch is not credentialed after a cross-origin redirect");
+  }, "Cross-origin HTTP redirects from a frame with storage-access are not credentialed by default");
+
+})();