Bug 1632500 - Part 2: Add a test case for ensuring the sub-iframes won't get storage access if the cookie behavior is REJECT_TRACKER. r=baku

Differential Revision: https://phabricator.services.mozilla.com/D72310

toolkit/components/antitracking/test/browser/3rdPartyWO.html

@@ -65,7 +65,7 @@ onmessage = function(e) {
       }
     });
   }).then(_ => {
-    // This time the tracker must have been able to ontain first-party storage
+    // This time the tracker must have been able to obtain first-party storage
     // access because it has had user interaction before.
     let runnableStr = `(() => {return (${e.data.nonBlockingCallback});})();`;
     let runnable = eval(runnableStr); // eslint-disable-line no-eval

toolkit/components/antitracking/test/browser/antitracking_head.js

@@ -910,6 +910,13 @@ this.AntiTracking = {
         }
       );
 
+      await AntiTracking._maybeDoSubIframeTest(
+        browser,
+        cookieBehavior,
+        blockingCallback,
+        iframeSandbox
+      );
+
       info("Removing the tab");
       BrowserTestUtils.removeTab(tab);
 
@@ -1123,6 +1130,13 @@ this.AntiTracking = {
         }
       );
 
+      await AntiTracking._maybeDoSubIframeTest(
+        browser,
+        cookieBehavior,
+        blockingCallback,
+        iframeSandbox
+      );
+
       info("Removing the tab");
       BrowserTestUtils.removeTab(tab);
 
@@ -1132,6 +1146,88 @@ this.AntiTracking = {
     });
   },
 
+  async _maybeDoSubIframeTest(
+    browser,
+    cookieBehavior,
+    blockingCallback,
+    iframeSandbox
+  ) {
+    // We would do an additional test for sub-iframe if the cookie behavior is
+    // BEHAVIOR_REJECT_TRACKER. The sub-iframes shouldn't get the the storage
+    // access even they have the storage permission.
+    if (cookieBehavior !== BEHAVIOR_REJECT_TRACKER) {
+      return;
+    }
+
+    info("Create a first-level iframe to test sub iframes.");
+    let iframeBrowsingContext = await SpecialPowers.spawn(
+      browser,
+      [{ page: TEST_IFRAME_PAGE }],
+      async function(obj) {
+        // Add an iframe.
+        let ifr = content.document.createElement("iframe");
+        let loading = new content.Promise(resolve => {
+          ifr.onload = resolve;
+        });
+        content.document.body.appendChild(ifr);
+        ifr.src = obj.page;
+        await loading;
+
+        return ifr.browsingContext;
+      }
+    );
+
+    info("Create a second-level 3rd party content which should be blocked");
+    await SpecialPowers.spawn(
+      iframeBrowsingContext,
+      [
+        {
+          page: TEST_3RD_PARTY_PAGE_UI,
+          blockingCallback: blockingCallback.toString(),
+          iframeSandbox,
+        },
+      ],
+      async function(obj) {
+        let ifr = content.document.createElement("iframe");
+        let loading = new content.Promise(resolve => {
+          ifr.onload = resolve;
+        });
+        if (typeof obj.iframeSandbox == "string") {
+          ifr.setAttribute("sandbox", obj.iframeSandbox);
+        }
+        content.document.body.appendChild(ifr);
+        ifr.src = obj.page;
+        await loading;
+
+        await new content.Promise(resolve => {
+          content.addEventListener("message", function msg(event) {
+            if (event.data.type == "finish") {
+              content.removeEventListener("message", msg);
+              resolve();
+              return;
+            }
+
+            if (event.data.type == "ok") {
+              ok(event.data.what, event.data.msg);
+              return;
+            }
+
+            if (event.data.type == "info") {
+              info(event.data.msg);
+              return;
+            }
+
+            ok(false, "Unknown message");
+          });
+          ifr.contentWindow.postMessage(
+            { callback: obj.blockingCallback },
+            "*"
+          );
+        });
+      }
+    );
+  },
+
   async _isThirdPartyPageClassifiedAsTracker(topPage, thirdPartyDomainURI) {
     let channel;
     await new Promise((resolve, reject) => {

toolkit/components/antitracking/test/browser/browser.ini

@@ -19,6 +19,7 @@ support-files =
   partitionedstorage_head.js
   storageprincipal_head.js
   cookiesCORS.sjs
+  iframe.html
   image.sjs
   imageCacheWorker.js
   page.html

toolkit/components/antitracking/test/browser/head.js

@@ -28,6 +28,7 @@ const TEST_TOP_PAGE_5 = TEST_DOMAIN_5 + TEST_PATH + "page.html";
 const TEST_TOP_PAGE_6 = TEST_DOMAIN_6 + TEST_PATH + "page.html";
 const TEST_EMBEDDER_PAGE = TEST_DOMAIN + TEST_PATH + "embedder.html";
 const TEST_POPUP_PAGE = TEST_DOMAIN + TEST_PATH + "popup.html";
+const TEST_IFRAME_PAGE = TEST_DOMAIN + TEST_PATH + "iframe.html";
 const TEST_3RD_PARTY_PAGE = TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdParty.html";
 const TEST_3RD_PARTY_PAGE_HTTP =
   TEST_3RD_PARTY_DOMAIN_HTTP + TEST_PATH + "3rdParty.html";

toolkit/components/antitracking/test/browser/iframe.html

@@ -0,0 +1,8 @@
+<html>
+<head>
+  <title>Just a first-level iframe</title>
+</head>
+<body>
+  <h1>This is the first-level iframe</h1>
+</body>
+</html>