Bug 1919939 [wpt PR 48213] - [Partitioned Popins] Popin-Policy Respon…

…se Header (Default none), a=testonly

Automatic update from web-platform-tests
[Partitioned Popins] Popin-Policy Response Header (Default none)

Every top-frame response for a popin must include a Popin-Policy header
that permits the popin's opener's top-frame-origin. This is to ensure
popins cannot be opened in a partitioned context other than the one they
are designed to.

This CL requires the header to exist and permit access, whereas before
omitting the header would permit access.

Explainer: https://explainers-by-googlers.github.io/partitioned-popins/
I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/ApU_zUmpQ2g/

Bug: 340606651
Change-Id: I4577cefe3687c1cf0501a4c195161f1335d8023b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5865610
Reviewed-by: Dana Fried <[email protected]>
Auto-Submit: Ari Chivukula <[email protected]>
Commit-Queue: Rakina Zata Amni <[email protected]>
Reviewed-by: Rakina Zata Amni <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1356212}

--

wpt-commits: 14686909771afddb61df9d8fc9a46eaeabb8df76
wpt-pr: 48213

testing/web-platform/tests/html/browsers/browsing-the-web/remote-context-helper/resources/executor-window.py

@@ -24,9 +24,15 @@ def main(request, response):
   start_on = query.get("startOn")
   start_on_s = f"'{start_on[0]}'" if start_on else "null"
 
+  headers = [("Content-Type", "text/html")]
+  # We always permit partitioned popins to be loaded for testing.
+  # See https://explainers-by-googlers.github.io/partitioned-popins/
+  if request.headers.get(b"Sec-Popin-Context") == b"partitioned":
+    headers.append((b'Popin-Policy', b"partitioned=*"))
+
   # This sets a base href so that even if this content e.g. data or blob URLs
   # document, relative URLs will resolve.
-  return (status, [("Content-Type", "text/html")], f"""
+  return (status, headers, f"""
 <!DOCTYPE HTML>
 <base href="{html.escape(request.url)}">
 <script src="/common/dispatcher/dispatcher.js"></script>

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.close.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.cookies-popin.py

@@ -3,6 +3,7 @@ def main(request, response):
     id = request.GET[b'id']
     headers = setNoCacheAndCORSHeaders(request, response)
     headers[0] = (b"Content-Type", b"text/html")
+    headers.append((b'Popin-Policy', b"partitioned=*"))
     cookies = readCookies(request)
     message = b"ReadOnLoad:"
     if cookies.get(b"first-party-strict") == id:

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.localStorage-popin.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.permissions-popin.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.proxy-popin.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.recursive.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.request-header.http.py

@@ -3,6 +3,7 @@ def main(request, response):
     # Step 4 (partitioned-popins/partitioned-popins.request-header.tentative.https.window.js)
     headers = setNoCacheAndCORSHeaders(request, response)
     headers[0] = (b"Content-Type", b"text/html")
+    headers.append((b'Popin-Policy', b"partitioned=*"))
     message = request.GET[b'message']
     message += b"HTTP("
     message += request.headers.get(b"Sec-Popin-Context", b"missing")

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.request-header.initial.py

@@ -6,4 +6,5 @@ def main(request, response):
     message += b")-"
     headers = setNoCacheAndCORSHeaders(request, response)
     headers.append((b'Location', b"/partitioned-popins/resources/partitioned-popins.request-header.http.py?message=" + message))
+    headers.append((b'Popin-Policy', b"partitioned=*"))
     return 302, headers, b'{"redirect": true}'

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.request-header.js.py

@@ -3,6 +3,7 @@ def main(request, response):
     # Step 5 (partitioned-popins/partitioned-popins.request-header.tentative.https.window.js)
     headers = setNoCacheAndCORSHeaders(request, response)
     headers[0] = (b"Content-Type", b"text/html")
+    headers.append((b'Popin-Policy', b"partitioned=*"))
     message = request.GET[b'message']
     message += b"JS("
     message += request.headers.get(b"Sec-Popin-Context", b"missing")

testing/web-platform/tests/partitioned-popins/resources/partitioned-popins.wait.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*

testing/web-platform/tests/partitioned-popins/resources/popinContextType.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*

testing/web-platform/tests/partitioned-popins/resources/popinContextTypesSupported.html.headers

@@ -0,0 +1 @@
+Popin-Policy: partitioned=*