Bug 1570055 [wpt PR 18174] - Add ability to block same-origin access via document-access feature policy, a=testonly

Automatic update from web-platform-tests
Add ability to block same-origin access via document-access feature policy

Intent to Implement: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Cibo-GNPs7Y/RznlX7WKDAAJ
Spec: https://github.com/whatwg/html/pull/4606

BUG=961448

Change-Id: I3c2ff129a71a8ccb5a0015661770adc7ff22d14b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1726055
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#688994}

--

wpt-commits: 0221225c4e1863839c1505b7efe1230ff1d6ff34
wpt-pr: 18174

testing/web-platform/tests/feature-policy/resources/featurepolicy.js

@@ -251,6 +251,16 @@ function run_all_fp_tests_allow_all(
       },
       'Feature policy "' + feature_name +
           '" can be disabled in cross-origin iframes using "allow" attribute.');
+
+  // 5. Blocked in same-origin iframe with "allow" attribute set to 'none'.
+  async_test(
+      t => {
+        test_feature_availability_with_post_message_result(
+            t, same_origin_frame_pathname, '#' + error_name,
+            feature_name + " 'none'");
+      },
+      'Feature policy "' + feature_name +
+          '" can be disabled in same-origin iframes using "allow" attribute.');
 }
 
 // This function tests that a given policy allows each feature for the correct

testing/web-platform/tests/html/browsers/windows/document-access/document_access_feature_policy.tentative.sub.html

@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <script src=/feature-policy/resources/featurepolicy.js></script>
+  <script>
+    run_all_fp_tests_allow_all(
+      'http://{{domains[www]}}:{{ports[http][0]}}',
+      'document-access',
+      'SecurityError',
+      () => {
+        return new Promise((resolve, reject) => {
+        try {
+            var iframe = document.createElement('iframe');
+            iframe.srcdoc ="<p>same origin iframe</p>";
+            document.documentElement.append(iframe);
+
+            // attempt to access something in a same origin iframe that would
+            // should be prevented by the feature policy.
+            iframe.contentWindow.location.href;
+            resolve();
+          } catch(e) {
+            reject(e);
+          }
+       });
+      });
+  </script>
+</body>

testing/web-platform/tests/html/browsers/windows/document-access/document_access_parent_access.tentative.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<body>
+  <script src=/resources/testharness.js></script>
+  <script src=/resources/testharnessreport.js></script>
+  <iframe allow="document-access 'none'" src="resources/child.html"></iframe>
+  <script>
+    async_test(function (t) {
+      // Ensure post message works correctly.
+      window.onmessage = t.step_func((e) => {
+        if (e.data == 'load') {
+          frames[0].postMessage('ping');
+        } else if (e.data == 'pong') {
+          t.done();
+        }
+      });
+      try {
+        // Test that the parent is not allowed to access the child either.
+        frames[0].alert;
+        assert_unreachable('Security Error should have been thrown');
+      } catch(e) {
+        assert_equals(e.name, 'SecurityError', 'Security Error thrown');
+      }
+    });
+  </script>
+</body>

testing/web-platform/tests/html/browsers/windows/document-access/resources/child.html

@@ -0,0 +1,6 @@
+<script>
+  parent.postMessage('load');
+  window.onmessage = (e) => {
+    parent.postMessage('pong');
+  };
+</script>