Bug 1636129 [wpt PR 23461] - [Client-Hints] Fix cross-origin redirect leak, a=testonly

Automatic update from web-platform-tests
[Client-Hints] Fix cross-origin redirect leak (#23461)

Client Hints are not supposed to be sent across cross-origin
redirects unless FeaturePolicy indicates that they should.
This CL enforces that and adds tests to that effect.

Bug: 911952
Change-Id: If3453409385b50f84b7ae188965b81c24f87dfc8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2178572
Auto-Submit: Yoav Weiss <yoavweiss@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Maksim Orlovich <morlovich@chromium.org>
Commit-Queue: Yoav Weiss <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/master@{#768244}

Co-authored-by: Yoav Weiss <yoavweiss@chromium.org>
--

wpt-commits: 917170b66145b2e177eab988ad362870359ec6b9
wpt-pr: 23461

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-iframe-redirect-with-fp-delegation.https.html

@@ -0,0 +1,18 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Accept-CH Persistence test</title>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/accept-ch-test.js"></script>
+
+<script>
+// Make sure that cross origin iframes that gets redirected, and has Feature Policy delegation maintain their Client Hints.
+const test_name = "Iframe redirect with Feature Policy delegation";
+verify_iframe_state("resources/accept-ch-and-redir.py?url=" + get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/accept-ch-stickiness/resources/expect-received.py", test_name);
+
+</script>
+</body>
+</html>
+

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-iframe-redirect-with-fp-delegation.https.html.headers

@@ -0,0 +1,2 @@
+Accept-CH: DPR, Device-Memory
+Feature-Policy: ch-dpr *; ch-device-memory *

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-navigation-redirect.https.html

@@ -0,0 +1,18 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Accept-CH Persistence test</title>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/accept-ch-test.js"></script>
+
+<script>
+// Make sure a cross origin navigation that gets redirected  doesn't keep the initial request's Client Hints.
+const test_name = "cross-origin redirect on navigation";
+verify_navigation_state("resources/accept-ch-and-redir.py?url=" + get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/accept-ch-stickiness/resources/do-not-expect-received.py", test_name);
+
+</script>
+</body>
+</html>
+

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-navigation-redirect.https.html.headers

@@ -0,0 +1 @@
+Accept-CH: DPR, Device-Memory

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-subresource-redirect-with-fp-delegation.https.html

@@ -0,0 +1,17 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Accept-CH Persistence test</title>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/accept-ch-test.js"></script>
+
+<script>
+// Make sure a cross origin subresource that gets redirected with Feature Policy delegation keeps the initial request's Client Hints.
+const test_name = "cross-origin subresource redirect with Feature Policy delegaation";
+verify_subresource_state("resources/accept-ch-and-redir.py?url=" + get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/accept-ch-stickiness/resources/expect-received.py", test_name);
+</script>
+</body>
+</html>
+

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-subresource-redirect-with-fp-delegation.https.html.headers

@@ -0,0 +1,2 @@
+Accept-CH: DPR, Device-Memory
+Feature-Policy: ch-dpr *;ch-device-memory *

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-subresource-redirect.https.html

@@ -0,0 +1,17 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Accept-CH Persistence test</title>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/accept-ch-test.js"></script>
+
+<script>
+// Make sure a cross origin subresource that gets redirected  doesn't keep the initial request's Client Hints.
+const test_name = "cross-origin subresource redirect";
+verify_subresource_state("resources/accept-ch-and-redir.py?url=" + get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/accept-ch-stickiness/resources/do-not-expect-received.py", test_name);
+</script>
+</body>
+</html>
+

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-subresource-redirect.https.html.headers

@@ -0,0 +1 @@
+Accept-CH: DPR, Device-Memory

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-syncxhr-redirect.https.html

@@ -0,0 +1,17 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Accept-CH Persistence test</title>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/accept-ch-test.js"></script>
+
+<script>
+// Make sure a cross origin syn XHR that gets redirected doesn't keep the initial request's Client Hints.
+const test_name = "cross-origin sync XHR redirect";
+verify_syncxhr_state("resources/accept-ch-and-redir.py?url=" + get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/accept-ch-stickiness/resources/do-not-expect-received.py", test_name);
+</script>
+</body>
+</html>
+

testing/web-platform/tests/client-hints/accept-ch-stickiness/cross-origin-syncxhr-redirect.https.html.headers

@@ -0,0 +1 @@
+Accept-CH: DPR, Device-Memory

testing/web-platform/tests/client-hints/accept-ch-stickiness/resources/accept-ch-and-redir-to-do-not-expect.py

@@ -1,2 +0,0 @@
-def main(request, response):
-    return 301, [('Location', 'do-not-expect-received.py'),('Accept-CH', 'device-memory, DPR')], ''

testing/web-platform/tests/client-hints/accept-ch-stickiness/resources/accept-ch-and-redir-to-expect.py

@@ -1,2 +0,0 @@
-def main(request, response):
-    return 301, [('Location', 'expect-received.py'),('Accept-CH', 'device-memory, DPR')], ''

testing/web-platform/tests/client-hints/accept-ch-stickiness/resources/accept-ch-and-redir.py

@@ -0,0 +1,5 @@
+def main(request, response):
+    url = ''
+    if 'url' in request.GET:
+        url = request.GET['url']
+    return 301, [('Location', url),('Accept-CH', 'device-memory, DPR')], ''

testing/web-platform/tests/client-hints/accept-ch-stickiness/resources/accept-ch-test.js

@@ -21,6 +21,20 @@ function verify_initial_state(initial_url, test_name) {
     "hints preferences cached");
 }
 
+function verify_iframe_state(expect_url, test_name) {
+  promise_test(t => {
+    return new Promise(resolve => {
+      window.addEventListener('message', t.step_func(function(e) {
+        assert_equals(e.data, "PASS", "message from opened frame");
+        fetch("/client-hints/accept-ch-stickiness/resources/clear-site-data.html").then(resolve);
+      }));
+      const iframe = document.createElement("iframe");
+      iframe.src = expect_url;
+      document.body.appendChild(iframe);
+    });
+  }, test_name + " got client hints according to expectations.");
+}
+
 function verify_navigation_state(expect_url, test_name) {
   promise_test(t => {
     return new Promise(resolve => {
@@ -40,14 +54,27 @@ function verify_navigation_state(expect_url, test_name) {
 function verify_subresource_state(expect_url, test_name) {
   promise_test(t => {
     return new Promise(resolve => {
-      let win;
-      window.addEventListener('message', t.step_func(function(e) {
-        win.close();
-        assert_equals(e.data, "PASS", "message from opened page");
+      fetch(expect_url).then(response => response.text()).then(t.step_func(text => {
+        assert_true(text.includes("PASS"));
         fetch("/client-hints/accept-ch-stickiness/resources/clear-site-data.html").then(resolve);
       }));
-      // Open expect_url as a subresource.
-      fetch(expect_url).then(resolve);
+    });
+  }, test_name + " got client hints according to expectations.");
+}
+
+function verify_syncxhr_state(expect_url, test_name) {
+  promise_test(t => {
+    return new Promise(resolve => {
+      const xhr = new XMLHttpRequest();
+      xhr.onreadystatechange = t.step_func(() => {
+        if (xhr.readyState != XMLHttpRequest.DONE) {
+          return;
+        }
+        assert_true(xhr.responseText.includes("PASS"));
+        fetch("/client-hints/accept-ch-stickiness/resources/clear-site-data.html").then(resolve);
+      });
+      xhr.open("GET", expect_url, false /* async */);
+      xhr.send();
     });
   }, test_name + " got client hints according to expectations.");
 }

testing/web-platform/tests/client-hints/accept-ch-stickiness/resources/do-not-expect-received.py

@@ -15,5 +15,5 @@ def main(request, response):
   window.opener.postMessage("%s" , "*");
 </script>
 ''' % (result)
-    headers = [("Content-Type", "text/html")]
+    headers = [("Content-Type", "text/html"), ("Access-Control-Allow-Origin", "*")]
     return 200, headers, content

testing/web-platform/tests/client-hints/accept-ch-stickiness/resources/expect-received.py

@@ -12,8 +12,9 @@ def main(request, response):
 
     content = '''
 <script>
-  window.opener.postMessage("%s" , "*");
+  let messagee = window.opener || window.parent;
+  messagee.postMessage("%s" , "*");
 </script>
 ''' % (result)
-    headers = [("Content-Type", "text/html")]
+    headers = [("Content-Type", "text/html"), ("Access-Control-Allow-Origin", "*")]
     return 200, headers, content

testing/web-platform/tests/client-hints/accept-ch-stickiness/same-origin-navigation-redirect.https.html

@@ -12,7 +12,7 @@
 // header here are a single step, connected via redirect.
 const test_name = "redirect on navigation";
 verify_initial_state(echo, test_name);
-verify_navigation_state("resources/accept-ch-and-redir-to-expect.py", test_name);
+verify_navigation_state("resources/accept-ch-and-redir.py?url=expect-received.py", test_name);
 </script>
 </body>
 </html>

testing/web-platform/tests/client-hints/accept-ch-stickiness/same-origin-subresource-redirect-opted-in.https.html

@@ -0,0 +1,17 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Accept-CH Persistence test</title>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/accept-ch-test.js"></script>
+
+<script>
+// Make sure a same origin subresource that gets redirected keeps the initial request's Client Hints.
+const test_name = "same-origin subresource redirect with opt-in";
+verify_subresource_state("resources/accept-ch-and-redir.py?url=expect-received.py", test_name);
+</script>
+</body>
+</html>
+

testing/web-platform/tests/client-hints/accept-ch-stickiness/same-origin-subresource-redirect-opted-in.https.html.headers

@@ -0,0 +1 @@
+Accept-CH: DPR, Device-Memory

testing/web-platform/tests/client-hints/accept-ch-stickiness/same-origin-subresource-redirect.https.html

@@ -8,11 +8,10 @@
 <script src="resources/accept-ch-test.js"></script>
 
 <script>
-// This is similar to accept-ch-test.js tests, except setting and checking
-// header here are a single step, connected via redirect.
-const test_name = "redirect on navigation";
+// Make sure a same origin subresource without an opt-in that gets redirected doesn't contain Client Hints.
+const test_name = "same-origin subresource redirect with no opt-in";
 verify_initial_state(echo, test_name);
-verify_subresource_state("resources/accept-ch-and-redir-to-do-not-expect.py", test_name);
+verify_subresource_state("resources/accept-ch-and-redir.py?url=do-not-expect-received.py", test_name);
 </script>
 </body>
 </html>