From 183a3fc9655adaaac482b7a77490e7cf1c99ae98 Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Mon, 18 Feb 2019 19:26:05 +0000 Subject: [PATCH] Bug 1526616 [wpt PR 15245] - [ElementTiming] Use TimingAllowOrigin check and remove bubbling, a=testonly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Automatic update from web-platform-tests [ElementTiming] Use TimingAllowOrigin check and remove bubbling This CL changes the security check for ElementTiming from same-origin to TAO, which requires plumbing the OriginalTimingAllowOrigin attribute for the case of 304 responses. It also removes bubbling to be consistent with ResourceTiming. Some tests are fixed to properly use cross-origins within external/wpt, and a cross-origin resource with TAO wildcard test is added. More TAO tests will be added in a followup. Bug: 928425, 879270 Change-Id: I4df40818823e3db9851fbc9586a0bda9c1adcfec Reviewed-on: https://chromium-review.googlesource.com/c/1453074 Commit-Queue: Nicolás Peña Moreno Reviewed-by: Yutaka Hirano Reviewed-by: Yoav Weiss Cr-Commit-Position: refs/heads/master@{#630019} -- wpt-commits: dcc3641354ccfcf7834bc80c28bf7890b9a8620d wpt-pr: 15245 --- ...ent.html => cross-origin-element.sub.html} | 19 ++++---- ...l => cross-origin-iframe-element.sub.html} | 18 +++---- .../image-TAO-wildcard.sub.html | 47 +++++++++++++++++++ .../element-timing/observe-child-element.html | 17 +++---- .../element-timing/resources/TAOImage.py | 45 ++++++++++++++++++ 5 files changed, 122 insertions(+), 24 deletions(-) rename testing/web-platform/tests/element-timing/{cross-origin-element.html => cross-origin-element.sub.html} (68%) rename testing/web-platform/tests/element-timing/{cross-origin-iframe-element.html => cross-origin-iframe-element.sub.html} (71%) create mode 100644 testing/web-platform/tests/element-timing/image-TAO-wildcard.sub.html create mode 100644 testing/web-platform/tests/element-timing/resources/TAOImage.py 
diff --git a/testing/web-platform/tests/element-timing/cross-origin-element.html b/testing/web-platform/tests/element-timing/cross-origin-element.sub.html similarity index 68% rename from testing/web-platform/tests/element-timing/cross-origin-element.html rename to testing/web-platform/tests/element-timing/cross-origin-element.sub.html index 1b899b00e3ab..ed820d0e6655 100644 --- a/testing/web-platform/tests/element-timing/cross-origin-element.html +++ b/testing/web-platform/tests/element-timing/cross-origin-element.sub.html @@ -16,17 +16,20 @@ // We add the image during onload to be sure that the observer is registered // in time for it to observe the element timing. // TODO(npm): change observer to use buffered flag. - window.onload = () => { + window.onload = t.step_func(() => { // Add a cross origin image resource. const img = document.createElement('img'); - img.src = - 'http://localhost:8000/resources/square100.png'; + img.src = 'http://{{domains[www]}}:{{ports[http][1]}}' + + '/element-timing/resources/square100.png'; + img.setAttribute('elementtiming', 'my_image'); + img.onload = t.step_func(() => { + t.step_timeout( () => { + // After some wait, assume observer did not receive the entry, so the test passes. + t.done(); + }, 100); + }); document.body.appendChild(img); - }; - t.step_timeout( () => { - // After some wait, assume observer did not receive the entry, so the test passes. - t.done(); - }, 100); + }); }, 'Cross-origin image element is NOT observable.'); diff --git a/testing/web-platform/tests/element-timing/cross-origin-iframe-element.html b/testing/web-platform/tests/element-timing/cross-origin-iframe-element.sub.html similarity index 71% rename from testing/web-platform/tests/element-timing/cross-origin-iframe-element.html rename to testing/web-platform/tests/element-timing/cross-origin-iframe-element.sub.html index 7f73881cc972..a369d25bd43c 100644 --- a/testing/web-platform/tests/element-timing/cross-origin-iframe-element.html 
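Review bot: The negative result in the new `img.onload` handler rests on a fixed 100 ms `t.step_timeout`, so an entry that is wrongly exposed for the cross-origin image but delivered later than that would still let the test pass; the iframe hunk in cross-origin-iframe-element.sub.html uses the same wait and shortens it from 300 ms to 100 ms. Since the check under test is now Timing-Allow-Origin rather than same-origin, the test also depends on `square100.png` being served without that header, which nothing here states. A comment above `img.src` such as `// Served without Timing-Allow-Origin, so no entry may be reported.` would record that precondition, and a longer wait would make a leak harder to miss. The test body begins above the hunk, so the observer callback is not visible here.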
+++ b/testing/web-platform/tests/element-timing/cross-origin-iframe-element.sub.html @@ -16,17 +16,19 @@ // We add the iframe during onload to be sure that the observer is registered // in time for it to observe the element timing. // TODO(npm): change observer to use buffered flag. - window.onload = () => { + window.onload = t.step_func(() => { // Add a cross origin iframe with an image. const iframe = document.createElement('iframe'); - iframe.src = - 'http://localhost:8000/performance-timing/element-resources/iframe-with-square.html'; + iframe.src = 'http://{{domains[www]}}:{{ports[http][1]}}' + + '/element-timing/resources/iframe-with-square.html'; document.body.appendChild(iframe); - }; - t.step_timeout( () => { - // After some wait, assume observer did not receive the entry, so the test passes. - t.done(); - }, 300); + iframe.onload = t.step_func(() => { + t.step_timeout( () => { + // After some wait, assume observer did not receive the entry, so the test passes. + t.done(); + }, 100); + }); + }); }, 'Element from cross origin iframe is NOT observable.'); diff --git a/testing/web-platform/tests/element-timing/image-TAO-wildcard.sub.html b/testing/web-platform/tests/element-timing/image-TAO-wildcard.sub.html new file mode 100644 index 000000000000..6d5abe21c3c3 --- /dev/null +++ b/testing/web-platform/tests/element-timing/image-TAO-wildcard.sub.html @@ -0,0 +1,47 @@ + + +Element Timing: observe elements from same-origin iframes + + + + + + + + diff --git a/testing/web-platform/tests/element-timing/observe-child-element.html b/testing/web-platform/tests/element-timing/observe-child-element.html index 5bb8290893a7..83cc2ef94b3f 100644 --- a/testing/web-platform/tests/element-timing/observe-child-element.html +++ b/testing/web-platform/tests/element-timing/observe-child-element.html @@ -11,15 +11,10 @@ body { 
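Review bot: The title text of the new image-TAO-wildcard.sub.html reads `Element Timing: observe elements from same-origin iframes`, which looks copied from another test and does not describe a cross-origin image served with a `Timing-Allow-Origin: *` header, which is how the commit message describes this file. Something like `Element Timing: observe cross-origin images with wildcard TAO` would match. The rest of the file's markup is not visible in this view of the hunk, so only the title is commented on.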
diff --git a/testing/web-platform/tests/element-timing/resources/TAOImage.py b/testing/web-platform/tests/element-timing/resources/TAOImage.py
new file mode 100644
index 000000000000..5d042c48941d
--- /dev/null
+++ b/testing/web-platform/tests/element-timing/resources/TAOImage.py
@@ -0,0 +1,45 @@
+import os
+
+def main(request, response):
+ origin = request.GET.first('origin', '');
+ if origin:
+ response.headers.set('Access-Control-Allow-Origin', origin)
+
+ tao = request.GET.first('tao')
+
+ if tao == 'wildcard':
+ # wildcard, pass
+ response.headers.set('Timing-Allow-Origin', '*')
+ elif tao == 'null':
+ # null, fail
+ response.headers.set('Timing-Allow-Origin', 'null')
+ elif tao == 'origin':
+ # case-sensitive match for origin, pass
+ response.headers.set('Timing-Allow-Origin', origin)
+ elif tao == 'space':
+ # space separated list of origin and wildcard, fail
+ response.headers.set('Timing-Allow-Origin', (origin + ' *'))
+ elif tao == 'multi':
+ # more than one TAO values, separated by comma, pass
+ response.headers.set('Timing-Allow-Origin', origin)
+ response.headers.append('Timing-Allow-Origin', '*')
+ elif tao == 'multi_wildcard':
+ # multiple wildcards, separated by comma, pass
+ response.headers.set('Timing-Allow-Origin', '*')
+ response.headers.append('Timing-Allow-Origin', '*')
+ elif tao == 'match_origin':
+ # contains a match of origin, separated by comma, pass
+ response.headers.set('Timing-Allow-Origin', origin)
+ response.headers.append('Timing-Allow-Origin', "fake")
+ elif tao == 'match_wildcard':
+ # contains a wildcard, separated by comma, pass
+ response.headers.set('Timing-Allow-Origin', "fake")
+ response.headers.append('Timing-Allow-Origin', '*')
+ elif tao == 'uppercase':
+ # non-case-sensitive match for origin, fail
+ response.headers.set('Timing-Allow-Origin', origin.upper())
+ else:
+ pass
+ response.headers.set("Cache-Control", "no-cache, must-revalidate");
+ image_path = os.path.join(os.path.dirname(__file__), "square20.png");
+ response.content = open(image_path, mode='rb').read();
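Review bot: `main` reflects the caller-supplied `origin` query parameter into `Access-Control-Allow-Origin` and, in several `tao` branches, into `Timing-Allow-Origin`, and nothing in the file records that this is deliberate test-fixture behaviour. A docstring on `main` saying that the handler echoes the requested origin so tests can exercise the TAO check, and that it is meant only for the wpt test server, would keep the pattern from being reused on a real endpoint, where it would expose responses and timing data to any origin that asks. `request.GET.first('tao')` is called without a default, so a request that omits `tao` presumably raises before the `else: pass` branch is reached; `tao = request.GET.first('tao', '')` would make that branch reachable. The file object from `open(image_path, mode='rb')` is never closed, which `with open(image_path, mode='rb') as f: response.content = f.read()` fixes.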