Bug 1695722 [wpt PR 27842] - [credentialless]: WPT iframe localStorage, a=testonly

Automatic update from web-platform-tests
[credentialless]: WPT iframe localStorage

Check whether <iframe> inside a COEP:credentialless document have access
to its localStorage.

This is an adaptation from:
[WPT cookie full credentialless]
https://chromium-review.googlesource.com/c/chromium/src/+/2723531
but checking the localStorage instead of cookies.

Bug: 1175099
Change-Id: I27716c99c9c7301ccd6d8fb4f44fbe67dae68223
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2726242
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#859749}

--

wpt-commits: 68594ce25726aca27ad81ba3098639fe9f1bed69
wpt-pr: 27842

testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/iframe-load-cookie.tentative.https.html

@@ -12,31 +12,6 @@ const cookie_key = "coep_credentialless_iframe_load_cookie";
 const cookie_same_origin = "same_origin";
 const cookie_cross_origin = "cross_origin";
 
-// Open a new window with a given |origin|, loaded with COEP:credentialless. The
-// new document will execute any scripts sent toward the token it returns.
-const newCredentiallessWindow = (origin) => {
-  const main_document_token = token();
-  const url = origin + executor_path + coep_credentialless +
-    `&uuid=${main_document_token}`;
-  const w = window.open(url);
-  add_completion_callback(() => w.close());
-  return main_document_token;
-};
-
-// Create a new iframe, loaded with COEP:credentialless.
-// The new document will execute any scripts sent toward the token it returns.
-const newCredentiallessIframe = (parent_token, child_origin) => {
-  const sub_document_token = token();
-  const iframe_url = child_origin + executor_path + coep_credentialless +
-    `&uuid=${sub_document_token}`;
-  send(parent_token, `
-    let iframe = document.createElement("iframe");
-    iframe.src = "${iframe_url}";
-    document.body.appendChild(iframe);
-  `)
-  return sub_document_token;
-};
-
 // Fetch a resource, returns the HTTP request cookies.
 const cookieFromResource = async (document_token, resource_origin) => {
   const resource_token = token();

testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/iframe-local-storage.tentative.https.html

@@ -0,0 +1,61 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="./resources/common.js"></script>
+<script src="./resources/dispatcher.js"></script>
+<script>
+
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const local_storage_key = "coep_credentialless_iframe_local_storage";
+const local_storage_same_origin = "same_origin";
+const local_storage_cross_origin = "cross_origin";
+
+promise_test_parallel(async test => {
+  // Add an item in the localStorage on same_origin.
+  localStorage.setItem(local_storage_key, local_storage_same_origin);
+
+  // Add an item in the localStorage on cross_origin.
+  {
+    const w_token = token();
+    const w_url = cross_origin + executor_path + `&uuid=${w_token}`;
+    const w = window.open(w_url);
+    const reply_token = token();
+    send(w_token, `
+      localStorage.setItem("${local_storage_key}",
+                           "${local_storage_cross_origin}");
+      send("${reply_token}", "done");
+    `);
+    assert_equals(await receive(reply_token), "done");
+    w.close();
+  }
+
+  let credentialless_window = newCredentiallessWindow(same_origin);
+
+  promise_test_parallel(async test => {
+    let iframe = newCredentiallessIframe(credentialless_window, same_origin);
+    let reply_token = token();
+    send(iframe, `
+      let value = localStorage.getItem("${local_storage_key}");
+      send("${reply_token}", value);
+    `)
+    assert_equals(
+      await receive(reply_token),
+      local_storage_same_origin
+    );
+  }, "same_origin iframe can access the localStorage");
+
+  promise_test_parallel(async test => {
+    let iframe = newCredentiallessIframe(credentialless_window, cross_origin);
+    let reply_token = token();
+    send(iframe, `
+      let value = localStorage.getItem("${local_storage_key}");
+      send("${reply_token}", value);
+    `)
+    assert_equals(await receive(reply_token), "")
+  }, "cross_origin iframe can't access the localStorage");
+
+}, "Setup")
+
+</script>

testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/resources/common.js

@@ -40,3 +40,29 @@ let parseCookies = function(headers_json) {
       return acc;
     }, {});
 }
+
+// Open a new window with a given |origin|, loaded with COEP:credentialless. The
+// new document will execute any scripts sent toward the token it returns.
+const newCredentiallessWindow = (origin) => {
+  const main_document_token = token();
+  const url = origin + executor_path + coep_credentialless +
+    `&uuid=${main_document_token}`;
+  const w = window.open(url);
+  add_completion_callback(() => w.close());
+  return main_document_token;
+};
+
+// Create a new iframe, loaded with COEP:credentialless.
+// The new document will execute any scripts sent toward the token it returns.
+const newCredentiallessIframe = (parent_token, child_origin) => {
+  const sub_document_token = token();
+  const iframe_url = child_origin + executor_path + coep_credentialless +
+    `&uuid=${sub_document_token}`;
+  send(parent_token, `
+    let iframe = document.createElement("iframe");
+    iframe.src = "${iframe_url}";
+    document.body.appendChild(iframe);
+  `)
+  return sub_document_token;
+};
+