Bug 1526616 [wpt PR 15245] - [ElementTiming] Use TimingAllowOrigin check and remove bubbling, a=testonly

Automatic update from web-platform-tests [ElementTiming] Use TimingAllowOrigin check and remove bubbling This CL changes the security check for ElementTiming from same-origin to TAO, which requires plumbing the OriginalTimingAllowOrigin attribute for the case of 304 responses. It also removes bubbling to be consistent with ResourceTiming. Some tests are fixed to properly use cross-origins within external/wpt, and a cross-origin resource with TAO wildcard test is added. More TAO tests will be added in a followup. Bug: 928425, 879270 Change-Id: I4df40818823e3db9851fbc9586a0bda9c1adcfec Reviewed-on: https://chromium-review.googlesource.com/c/1453074 Commit-Queue: Nicolás Peña Moreno <npm@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/master@{#630019} -- wpt-commits: dcc3641354ccfcf7834bc80c28bf7890b9a8620d wpt-pr: 15245
2019-02-18 19:26:05 +00:00 · 2019-02-18 19:26:05 +00:00 · 183a3fc965
--- a/testing/web-platform/tests/element-timing/cross-origin-element.sub.html
+++ b/testing/web-platform/tests/element-timing/cross-origin-element.sub.html
@ -16,17 +16,20 @@
    // We add the image during onload to be sure that the observer is registered
    // in time for it to observe the element timing.
    // TODO(npm): change observer to use buffered flag.
-    window.onload = () => {
+    window.onload = t.step_func(() => {
      // Add a cross origin image resource.
      const img = document.createElement('img');
-      img.src =
-        'http://localhost:8000/resources/square100.png';
+      img.src = 'http://{{domains[www]}}:{{ports[http][1]}}'
+          + '/element-timing/resources/square100.png';
+      img.setAttribute('elementtiming', 'my_image');
+      img.onload = t.step_func(() => {
+        t.step_timeout( () => {
+          // After some wait, assume observer did not receive the entry, so the test passes.
+          t.done();
+        }, 100);
+      });
      document.body.appendChild(img);
-    };
-    t.step_timeout( () => {
-      // After some wait, assume observer did not receive the entry, so the test passes.
-      t.done();
-    }, 100);
+    });
  }, 'Cross-origin image element is NOT observable.');
 </script>

--- a/testing/web-platform/tests/element-timing/cross-origin-iframe-element.sub.html
+++ b/testing/web-platform/tests/element-timing/cross-origin-iframe-element.sub.html
@ -16,17 +16,19 @@
    // We add the iframe during onload to be sure that the observer is registered
    // in time for it to observe the element timing.
    // TODO(npm): change observer to use buffered flag.
-    window.onload = () => {
+    window.onload = t.step_func(() => {
      // Add a cross origin iframe with an image.
      const iframe = document.createElement('iframe');
-      iframe.src =
-        'http://localhost:8000/performance-timing/element-resources/iframe-with-square.html';
+      iframe.src = 'http://{{domains[www]}}:{{ports[http][1]}}'
+          + '/element-timing/resources/iframe-with-square.html';
      document.body.appendChild(iframe);
-    };
-    t.step_timeout( () => {
-      // After some wait, assume observer did not receive the entry, so the test passes.
-      t.done();
-    }, 300);
+      iframe.onload = t.step_func(() => {
+        t.step_timeout( () => {
+          // After some wait, assume observer did not receive the entry, so the test passes.
+          t.done();
+        }, 100);
+      });
+    });
  }, 'Element from cross origin iframe is NOT observable.');
 </script>

--- a/testing/web-platform/tests/element-timing/image-TAO-wildcard.sub.html
+++ b/testing/web-platform/tests/element-timing/image-TAO-wildcard.sub.html
@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<meta charset=utf-8>
+<title>Element Timing: observe elements from same-origin iframes</title>
+<body>
+<style>
+body {
+  margin: 0;
+}
+</style>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/element-timing-helpers.js"></script>
+<script>
+  async_test((t) => {
+    let beforeRender;
+    const observer = new PerformanceObserver(
+      t.step_func_done((entryList) => {
+        assert_equals(entryList.getEntries().length, 1);
+        const entry = entryList.getEntries()[0];
+        checkElement(entry, 'my_image', beforeRender);
+        // Assume viewport has size at least 20, so the element is fully visible.
+        checkRect(entry, [0, 20, 0, 20]);
+      })
+    );
+    observer.observe({entryTypes: ['element']});
+    // We add the image during onload to be sure that the observer is registered
+    // in time for it to observe the element timing.
+    // TODO(npm): change observer to use buffered flag.
+    window.onload = t.step_func(() => {
+      const img = document.createElement('img');
+      img.src = 'http://{{domains[www]}}:{{ports[http][1]}}/'
+          + 'element-timing/resources/TAOImage.py?tao=wildcard';
+      img.setAttribute('elementtiming', 'my_image');
+      img.onload = t.step_func(() => {
+        // After a short delay, assume that the entry was not dispatched.
+        t.step_timeout(() => {
+          assert_unreached("Should have received an entry!");
+          t.done();
+        }, 100);
+      });
+      document.body.appendChild(img);
+      beforeRender = performance.now();
+    });
+  }, 'Cross-origin element with wildcard TAO is observed.');
+</script>
+
+</body>
--- a/testing/web-platform/tests/element-timing/observe-child-element.html
+++ b/testing/web-platform/tests/element-timing/observe-child-element.html
@ -11,15 +11,10 @@ body {
 <script src="/resources/testharnessreport.js"></script>
 <script src="resources/element-timing-helpers.js"></script>
 <script>
-  let beforeRender;
  async_test((t) => {
    const observer = new PerformanceObserver(
      t.step_func_done((entryList) => {
-        assert_equals(entryList.getEntries().length, 1);
-        const entry = entryList.getEntries()[0];
-        checkElement(entry, 'my_image', beforeRender);
-        // Assume viewport has size at least 100, so the element is fully visible.
-        checkRect(entry, [0, 100, 0, 100]);
+        assert_unreached("Should not have received an entry!");
      })
    );
    observer.observe({entryTypes: ['element']});
@ -30,10 +25,16 @@ body {
      // Add iframe with an image of width and height equal to 100.
      const iframe = document.createElement('iframe');
      iframe.src = 'resources/iframe-with-square.html';
+      iframe.onload = () => {
+        // After a short delay, assume that the entry was not dispatched to the
+        // parent frame.
+        t.step_timeout(() => {
+          t.done();
+        }, 100);
+      }
      document.body.appendChild(iframe);
-      beforeRender = performance.now();
    };
-  }, 'Element from same-origin iframe is observable.');
+  }, 'Element in child iframe is not observed, even if same-origin.');
 </script>

 </body>
--- a/testing/web-platform/tests/element-timing/resources/TAOImage.py
+++ b/testing/web-platform/tests/element-timing/resources/TAOImage.py
@ -0,0 +1,45 @@
+import os
+
+def main(request, response):
+    origin = request.GET.first('origin', '');
+    if origin:
+        response.headers.set('Access-Control-Allow-Origin', origin)
+
+    tao = request.GET.first('tao')
+
+    if tao == 'wildcard':
+    # wildcard, pass
+        response.headers.set('Timing-Allow-Origin', '*')
+    elif tao == 'null':
+    # null, fail
+        response.headers.set('Timing-Allow-Origin', 'null')
+    elif tao == 'origin':
+    # case-sensitive match for origin, pass
+        response.headers.set('Timing-Allow-Origin', origin)
+    elif tao == 'space':
+    # space separated list of origin and wildcard, fail
+        response.headers.set('Timing-Allow-Origin', (origin + ' *'))
+    elif tao == 'multi':
+    # more than one TAO values, separated by comma, pass
+        response.headers.set('Timing-Allow-Origin', origin)
+        response.headers.append('Timing-Allow-Origin', '*')
+    elif tao == 'multi_wildcard':
+    # multiple wildcards, separated by comma, pass
+        response.headers.set('Timing-Allow-Origin', '*')
+        response.headers.append('Timing-Allow-Origin', '*')
+    elif tao == 'match_origin':
+    # contains a match of origin, separated by comma, pass
+        response.headers.set('Timing-Allow-Origin', origin)
+        response.headers.append('Timing-Allow-Origin', "fake")
+    elif tao == 'match_wildcard':
+    # contains a wildcard, separated by comma, pass
+        response.headers.set('Timing-Allow-Origin', "fake")
+        response.headers.append('Timing-Allow-Origin', '*')
+    elif tao == 'uppercase':
+    # non-case-sensitive match for origin, fail
+        response.headers.set('Timing-Allow-Origin', origin.upper())
+    else:
+        pass
+    response.headers.set("Cache-Control", "no-cache, must-revalidate");
+    image_path = os.path.join(os.path.dirname(__file__), "square20.png");
+    response.content = open(image_path, mode='rb').read();