Bug 1554764 [wpt PR 16720] - Add feature policy for client hints, used for third-party subresources., a=testonly

Automatic update from web-platform-tests Add feature policy for client hints, used for third-party subresources. This disables all client hints for third parties by default, except for the simplified UA hint. Feature Policy can then be used to delegate specific hints. Currently, only the hints which were previously being sent to third parties on Android are available for delagation. A follow- up CL adds the remaining ones. Bug: 968201 Change-Id: Idea42e814078592f3bdaec67bd931a99cfaea046 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1567927 Commit-Queue: Ian Clelland <iclelland@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/master@{#664347} -- Add the remaining Client Hints to Feature Policy. This allows all client hints to be potentially delegated to third-party requests. By default, no hints (Except for the simplified UA hint) are sent with any third party resource requests, but these can be enabled for specific origins through the use of Feature Policy. Bug: 968201 Change-Id: I60a94deb0e5553b85da351f08cbabfc8ae0f6e65 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1584400 Commit-Queue: Ian Clelland <iclelland@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/master@{#664498} -- wp5At-commits: e3d17026a01cfe9350663ef03346c65be63c366f, 519b228e4717f4c196a6ce58bcefb71ebf7909d8 wpt-pr: 16720
2019-06-13 16:01:06 +00:00 · 2019-06-13 16:01:06 +00:00 · 68d9fc39c6
--- a/testing/web-platform/tests/client-hints/accept_ch_feature_policy.tentative.sub.https.html
+++ b/testing/web-platform/tests/client-hints/accept_ch_feature_policy.tentative.sub.https.html
@ -0,0 +1,64 @@
+<html>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script>
+
+// If the response for the HTML file contains "Accept-CH" in the response
+// headers, then the browser should attach the specified client hints in the
+// HTTP request headers depending on whether the resource is being fetched from
+// the same origin or a different origin. Test this functionality by fetching
+// same-origin and cross-origin resources from this page. The response headers
+// for this page include "Accept-CH: device-memory, dpr, viewport-width, rtt, downlink, ect".
+//
+// echo_client_hints_received.py sets the response headers depending on the set
+// of client hints it receives in the request headers.
+
+promise_test(t => {
+  return fetch(get_host_info()["HTTPS_ORIGIN"] + "/client-hints/echo_client_hints_received.py").then(r => {
+    assert_equals(r.status, 200)
+    // Verify that the browser includes client hints in the headers for a
+    // same-origin fetch which not specifically excluded via Feature-Policy.
+    assert_true(r.headers.has("device-memory-received"), "device-memory-received");
+    assert_false(r.headers.has("dpr-received"), "dpr-received");
+    assert_false(r.headers.has("lang-received"), "lang-received");
+    assert_true(r.headers.has("viewport-width-received"), "viewport-width-received");
+
+    assert_true(r.headers.has("rtt-received"), "rtt-received");
+    var rtt = parseInt(r.headers.get("rtt-received"));
+    assert_greater_than_equal(rtt, 0);
+    assert_less_than_equal(rtt, 3000);
+    assert_equals(rtt % 50, 0, 'rtt must be a multiple of 50 msec');
+
+    assert_true(r.headers.has("downlink-received"), "downlink-received");
+    var downlinkKbps  = r.headers.get("downlink-received") * 1000;
+    assert_greater_than_equal(downlinkKbps, 0);
+    assert_less_than_equal(downlinkKbps, 10000);
+
+    assert_in_array(r.headers.get("ect-received"), ["slow-2g", "2g",
+          "3g", "4g"], 'ect-received is unexpected');
+  });
+}, "Accept-CH header test");
+
+promise_test(t => {
+  return fetch(get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/echo_client_hints_received.py").then(r => {
+    assert_equals(r.status, 200)
+    // Verify that the browser includes client hints in the headers for a
+    // cross-origin fetch which are specifically requested via Feature-Policy.
+    assert_true(r.headers.has("device-memory-received"), "device-memory-received");
+    assert_false(r.headers.has("dpr-received"), "dpr-received");
+    assert_false(r.headers.has("lang-received"), "lang-received");
+    assert_false(r.headers.has("viewport-width-received"), "viewport-width-received");
+    assert_false(r.headers.has("rtt-received"), "rtt-received");
+    assert_false(r.headers.has("downlink-received"), "downlink-received");
+    assert_false(r.headers.has("ect-received"), "ect-received");
+  });
+}, "Cross-Origin Accept-CH header test");
+
+
+
+</script>
+
+</body>
+</html>
--- a/testing/web-platform/tests/client-hints/accept_ch_feature_policy.tentative.sub.https.html.headers
+++ b/testing/web-platform/tests/client-hints/accept_ch_feature_policy.tentative.sub.https.html.headers
@ -0,0 +1,2 @@
+Accept-CH: device-memory, dpr, viewport-width, rtt, downlink, ect, lang
+Feature-Policy: ch-device-memory *; ch-dpr 'none'; ch-viewport-width 'self'; ch-lang 'none'
--- a/testing/web-platform/tests/client-hints/accept_ch_no_feature_policy.tentative.sub.https.html
+++ b/testing/web-platform/tests/client-hints/accept_ch_no_feature_policy.tentative.sub.https.html
@ -0,0 +1,62 @@
+<html>
+<body>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script>
+
+// If the response for the HTML file contains "Accept-CH" in the response
+// headers, then the browser should attach the specified client hints in the
+// HTTP request headers depending on whether the resource is being fetched from
+// the same origin or a different origin. Test this functionality by fetching
+// same-origin and cross-origin resources from this page. The response headers
+// for this page include "Accept-CH: device-memory, dpr, viewport-width, rtt, downlink, ect".
+//
+// echo_client_hints_received.py sets the response headers depending on the set
+// of client hints it receives in the request headers.
+
+promise_test(t => {
+  return fetch(get_host_info()["HTTPS_ORIGIN"] + "/client-hints/echo_client_hints_received.py").then(r => {
+    assert_equals(r.status, 200)
+    // Verify that the browser includes client hints in the headers for a
+    // same-origin fetch with the default feature policy in place.
+    assert_true(r.headers.has("device-memory-received"), "device-memory-received");
+    assert_true(r.headers.has("dpr-received"), "dpr-received");
+    assert_true(r.headers.has("viewport-width-received"), "viewport-width-received");
+
+    assert_true(r.headers.has("rtt-received"), "rtt-received");
+    var rtt = parseInt(r.headers.get("rtt-received"));
+    assert_greater_than_equal(rtt, 0);
+    assert_less_than_equal(rtt, 3000);
+    assert_equals(rtt % 50, 0, 'rtt must be a multiple of 50 msec');
+
+    assert_true(r.headers.has("downlink-received"), "downlink-received");
+    var downlinkKbps  = r.headers.get("downlink-received") * 1000;
+    assert_greater_than_equal(downlinkKbps, 0);
+    assert_less_than_equal(downlinkKbps, 10000);
+
+    assert_in_array(r.headers.get("ect-received"), ["slow-2g", "2g",
+          "3g", "4g"], 'ect-received is unexpected');
+  });
+}, "Accept-CH header test");
+
+promise_test(t => {
+  return fetch(get_host_info()["HTTPS_REMOTE_ORIGIN"] + "/client-hints/echo_client_hints_received.py").then(r => {
+    assert_equals(r.status, 200)
+    // Verify that the browser includes no client hints in the headers for a
+    // cross-origin fetch with the default feature policy in place.
+    assert_false(r.headers.has("device-memory-received"), "device-memory-received");
+    assert_false(r.headers.has("dpr-received"), "dpr-received");
+    assert_false(r.headers.has("viewport-width-received"), "viewport-width-received");
+    assert_false(r.headers.has("rtt-received"), "rtt-received");
+    assert_false(r.headers.has("downlink-received"), "downlink-received");
+    assert_false(r.headers.has("ect-received"), "ect-received");
+  });
+}, "Cross-Origin Accept-CH header test");
+
+
+
+</script>
+
+</body>
+</html>
--- a/testing/web-platform/tests/client-hints/accept_ch_no_feature_policy.tentative.sub.https.html.headers
+++ b/testing/web-platform/tests/client-hints/accept_ch_no_feature_policy.tentative.sub.https.html.headers
@ -0,0 +1 @@
+Accept-CH: device-memory, dpr, viewport-width, rtt, downlink, ect
--- a/testing/web-platform/tests/client-hints/echo_client_hints_received.py
+++ b/testing/web-platform/tests/client-hints/echo_client_hints_received.py
@ -5,6 +5,8 @@ def main(request, response):
    """

    response.headers.append("Access-Control-Allow-Origin", "*")
+    response.headers.append("Access-Control-Allow-Headers", "*")
+    response.headers.append("Access-Control-Expose-Headers", "*")

    if "device-memory" in request.headers:
            response.headers.set("device-memory-received", request.headers.get("device-memory"))
				`@ -0,0 +1 @@`
				`Accept-CH: device-memory, dpr, viewport-width, rtt, downlink, ect`