1818279 - [wpt-sync] Sync PR 38656 - Add missing checks for same-origin embeds in Storage Access API methods

Status: RESOLVED FIXED

(Testing :: web-platform-tests, task, P4)

Description

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Sync web-platform-tests PR 38656 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/38656
Details from upstream follow.

Chris Fredrickson <cfredric@chromium.org> wrote:

Add missing checks for same-origin embeds in Storage Access API methods

Bug: 1401089
Change-Id: I2a89602e6c70cd965a8a755bade28c9dabc76b57
Reviewed-on: https://chromium-review.googlesource.com/4282637
WPT-Export-Revision: a8bd11f2a87e12be3ee97829a6cba8741c506c5e

Comment 1

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=84236a38c7554fcca18f31590ff4f3fd7a39af0b

Comment 2

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

CI Results

Ran 9 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 18 tests and 2 subtests

Status Summary

Firefox

OK : 6[Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] 7[GitHub]
PASS : 34[GitHub] 43[Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt]
FAIL : 27[Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] 36[GitHub]
TIMEOUT: 10[Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-64-2004-qr-debug] 12[Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-opt] 13[GitHub]
ERROR : 2[Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-opt] 3[GitHub] 4[Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-64-2004-qr-debug]
NOTRUN : 20[Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] 28[GitHub]

Chrome

OK : 17
PASS : 84
FAIL : 16
TIMEOUT: 2
NOTRUN : 1

Safari

OK : 9
PASS : 29
FAIL : 45
TIMEOUT: 9
ERROR : 3
NOTRUN : 25

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

Firefox-only Failures

• /storage-access-api/hasStorageAccess-insecure.sub.window.html [wpt.fyi]
  • [cross-origin-frame] document.hasStorageAccess() should be disallowed in insecure contexts: FAIL
  • [nested-cross-origin-frame] document.hasStorageAccess() should be disallowed in insecure contexts: FAIL
• /storage-access-api/requestStorageAccess-insecure.sub.window.html [wpt.fyi]: TIMEOUT
• /storage-access-api/requestStorageAccess-non-fully-active.sub.https.window.html [wpt.fyi]: TIMEOUT

New Tests That Don't Pass

• /storage-access-api/hasStorageAccess-insecure.sub.window.html [wpt.fyi]
  • [top-level-context] document.hasStorageAccess() should be disallowed in insecure contexts: FAIL (Chrome: PASS, Safari: FAIL)
  • [same-origin-frame] document.hasStorageAccess() should be disallowed in insecure contexts: FAIL (Chrome: PASS, Safari: FAIL)
  • [cross-origin-frame] document.hasStorageAccess() should be disallowed in insecure contexts: FAIL (Chrome: PASS, Safari: PASS)
  • [nested-same-origin-frame] document.hasStorageAccess() should be disallowed in insecure contexts: FAIL (Chrome: PASS, Safari: FAIL)
  • [nested-cross-origin-frame] document.hasStorageAccess() should be disallowed in insecure contexts: FAIL (Chrome: PASS, Safari: PASS)
  • [top-level-context] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [same-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [cross-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [nested-same-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [nested-cross-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
• /storage-access-api/hasStorageAccess.sub.https.window.html [wpt.fyi]
  • [top-level-context] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [same-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [cross-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [nested-same-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
  • [nested-cross-origin-frame] document.hasStorageAccess() should reject in a document that isn't fully active.: FAIL (Chrome: PASS, Safari: FAIL)
• /storage-access-api/requestStorageAccess-cross-origin-iframe-navigation.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
  • Self-initiated same-origin navigations preserve storage access: TIMEOUT (Chrome: FAIL, Safari: TIMEOUT)
• /storage-access-api/requestStorageAccess-cross-origin-iframe.sub.https.window.html [wpt.fyi]: ERROR (Chrome: OK, Safari: ERROR)
  • [cross-origin-frame] document.requestStorageAccess() should be rejected with a NotAllowedError by default with no user gesture: NOTRUN
  • [cross-origin-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture: NOTRUN
  • [cross-origin-frame] document.requestStorageAccess() should be rejected with a NotAllowedError without permission grant: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [cross-origin-frame] document.requestStorageAccess() should be rejected with a NotAllowedError with denied permission: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [cross-origin-frame] document.requestStorageAccess() should resolve in top-level frame or otherwise reject with a NotAllowedError with no user gesture: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [cross-origin-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture, and should allow cookie access: NOTRUN (Chrome: PASS, Safari: NOTRUN)
• /storage-access-api/requestStorageAccess-cross-origin-sibling-iframes.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
  • Grants have per-frame scope: TIMEOUT (Chrome: FAIL, Safari: TIMEOUT)
• /storage-access-api/requestStorageAccess-insecure.sub.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: OK)
  • [non-fully-active] document.requestStorageAccess() should reject when run in a detached frame: TIMEOUT (Chrome: PASS, Safari: FAIL)
  • [non-fully-active] document.requestStorageAccess() should reject when run in a detached DOMParser document: NOTRUN (Chrome: PASS, Safari: FAIL)
  • [top-level-context] document.requestStorageAccess() should be rejected when called with a user gesture in insecure context: NOTRUN
• /storage-access-api/requestStorageAccess-nested-cross-origin-iframe.sub.https.window.html [wpt.fyi]: ERROR [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-64-2004-qr-debug], TIMEOUT [Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-opt, GitHub] (Chrome: OK, Safari: TIMEOUT)
  • [nested-cross-origin-frame] document.requestStorageAccess() should be rejected with a NotAllowedError by default with no user gesture: NOTRUN
  • [nested-cross-origin-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture: NOTRUN
  • [nested-cross-origin-frame] document.requestStorageAccess() should be rejected with a NotAllowedError without permission grant: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [nested-cross-origin-frame] document.requestStorageAccess() should be rejected with a NotAllowedError with denied permission: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [nested-cross-origin-frame] document.requestStorageAccess() should resolve in top-level frame or otherwise reject with a NotAllowedError with no user gesture: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [nested-cross-origin-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture, and should allow cookie access: NOTRUN (Chrome: PASS, Safari: NOTRUN)
• /storage-access-api/requestStorageAccess-nested-same-origin-iframe.sub.https.window.html [wpt.fyi]: ERROR [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-64-2004-qr-debug], TIMEOUT [Gecko-linux1804-64-qr-opt, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-opt, GitHub] (Chrome: OK, Safari: TIMEOUT)
  • [nested-same-origin-frame] document.requestStorageAccess() should be rejected with a NotAllowedError by default with no user gesture: NOTRUN
  • [nested-same-origin-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture: NOTRUN
  • [nested-same-origin-frame] document.requestStorageAccess() should resolve without permission grant or user gesture: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [nested-same-origin-frame] document.requestStorageAccess() should resolve with denied permission: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [nested-same-origin-frame] document.requestStorageAccess() should resolve in top-level frame or otherwise reject with a NotAllowedError with no user gesture: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [nested-same-origin-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture, and should allow cookie access: NOTRUN (Chrome: PASS, Safari: NOTRUN)
• /storage-access-api/requestStorageAccess-non-fully-active.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: OK)
  • [non-fully-active] document.requestStorageAccess() should not resolve when run in a detached frame: TIMEOUT (Chrome: PASS, Safari: FAIL)
  • [non-fully-active] document.requestStorageAccess() should not resolve when run in a detached DOMParser document: NOTRUN (Chrome: PASS, Safari: FAIL)
• /storage-access-api/requestStorageAccess.sub.https.window.html [wpt.fyi]: ERROR (Chrome: OK, Safari: ERROR)
  • [top-level-context] document.requestStorageAccess() should be rejected with a NotAllowedError by default with no user gesture: NOTRUN
  • [top-level-context] document.requestStorageAccess() should be resolved when called properly with a user gesture: NOTRUN
  • [top-level-context] document.requestStorageAccess() should resolve without permission grant or user gesture: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [top-level-context] document.requestStorageAccess() should resolve with denied permission: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [top-level-context] document.requestStorageAccess() should resolve in top-level frame or otherwise reject with a NotAllowedError with no user gesture: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [top-level-context] document.requestStorageAccess() should be resolved when called properly with a user gesture, and should allow cookie access: NOTRUN (Chrome: PASS, Safari: NOTRUN)
• /storage-access-api/storage-access-permission.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  • Permissions grants are observable across same-origin iframes: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  • IFrame tests: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
• /storage-access-api/storageAccess.testdriver.sub.html [wpt.fyi]
  • Set up storage access rules: FAIL
  • [third-party-blocked-on-first-party-site] Cookie access is allowed: false: FAIL
  • [third-party-blocked-all] Cookie access is allowed: false: FAIL
  • TestDriver - Set Storage Access Command Tests: FAIL (Chrome: FAIL, Safari: PASS)
• /top-level-storage-access-api/tentative/requestStorageAccessForOrigin-insecure.sub.window.html [wpt.fyi]
  • [insecure-context] document.requestStorageAccessForOrigin() should be supported on the document interface: FAIL (Chrome: PASS, Safari: FAIL)
  • [insecure-context] document.requestStorageAccessForOrigin() should be rejected by default with no user gesture: FAIL (Chrome: PASS, Safari: FAIL)
  • [non-fully-active] document.requestStorageAccessForOrigin() should not resolve when run in a detached frame: FAIL (Chrome: PASS, Safari: FAIL)
  • [non-fully-active] document.requestStorageAccessForOrigin() should not resolve when run in a detached DOMParser document: FAIL (Chrome: PASS, Safari: FAIL)
  • [insecure-context] document.requestStorageAccessForOrigin() should be rejected when called in an insecure context: FAIL (Chrome: PASS, Safari: FAIL)
  • [frame-on-insecure-page] document.requestStorageAccessForOrigin() should be supported on the document interface: FAIL (Chrome: PASS, Safari: FAIL)
  • [frame-on-insecure-page] document.requestStorageAccessForOrigin() should be rejected when called in an iframe: FAIL (Chrome: FAIL, Safari: FAIL)
• /top-level-storage-access-api/tentative/requestStorageAccessForOrigin.sub.https.window.html [wpt.fyi]
  • [top-level-context] document.requestStorageAccessForOrigin() should be supported on the document interface: FAIL (Chrome: PASS, Safari: FAIL)
  • [top-level-context] document.requestStorageAccessForOrigin() should be rejected when called with no argument: FAIL (Chrome: PASS, Safari: FAIL)
  • [top-level-context] document.requestStorageAccessForOrigin() should be rejected by default with no user gesture: FAIL (Chrome: PASS, Safari: FAIL)
  • [non-fully-active] document.requestStorageAccessForOrigin() should not resolve when run in a detached frame: FAIL (Chrome: PASS, Safari: FAIL)
  • [non-fully-active] document.requestStorageAccessForOrigin() should not resolve when run in a detached DOMParser document: FAIL (Chrome: PASS, Safari: FAIL)
  • [top-level-context] document.requestStorageAccessForOrigin() should be resolved when called properly with a user gesture and the same site: FAIL (Chrome: PASS, Safari: FAIL)
  • [top-level-context] document.requestStorageAccessForOrigin() should be rejected when called with an invalid site: FAIL (Chrome: PASS, Safari: FAIL)
  • [top-level-context] document.requestStorageAccessForOrigin() should be rejected when called with an opaque origin: FAIL (Chrome: PASS, Safari: FAIL)
  • [top-level-context] document.requestStorageAccessForOrigin() should be resolved when called properly with a user gesture: FAIL (Chrome: PASS, Safari: FAIL)
  • [same-origin-frame] document.requestStorageAccessForOrigin() should be supported on the document interface: FAIL (Chrome: PASS, Safari: FAIL)
  • [same-origin-frame] document.requestStorageAccessForOrigin() should be rejected when called with no argument: FAIL (Chrome: PASS, Safari: FAIL)
  • [same-origin-frame] document.requestStorageAccessForOrigin() should be rejected when called in an iframe: FAIL (Chrome: FAIL, Safari: FAIL)
• /storage-access-api/requestStorageAccess-cross-site-iframe.sub.https.window.html [wpt.fyi]: ERROR (Chrome: OK, Safari: ERROR)
  • [cross-site-frame] document.requestStorageAccess() should resolve in top-level frame or otherwise reject with a NotAllowedError with no user gesture: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [cross-site-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture, and should allow cookie access: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [cross-site-frame] document.requestStorageAccess() should be rejected with a NotAllowedError without permission grant: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [cross-site-frame] document.requestStorageAccess() should be rejected with a NotAllowedError with denied permission: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
• /storage-access-api/requestStorageAccess-nested-cross-site-iframe.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
  • [nested-cross-site-frame] document.requestStorageAccess() should resolve in top-level frame or otherwise reject with a NotAllowedError with no user gesture: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [nested-cross-site-frame] document.requestStorageAccess() should be resolved when called properly with a user gesture, and should allow cookie access: NOTRUN (Chrome: PASS, Safari: NOTRUN)
  • [nested-cross-site-frame] document.requestStorageAccess() should be rejected with a NotAllowedError without permission grant: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • [nested-cross-site-frame] document.requestStorageAccess() should be rejected with a NotAllowedError with denied permission: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
• /top-level-storage-access-api/tentative/top-level-storage-access-permission.sub.https.window.html [wpt.fyi]
  • Permission default state can be queried: FAIL (Chrome: FAIL, Safari: FAIL)

Comment 3

[Pulsebot]

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/73b16abb0933
[wpt PR 38656] - Add missing checks for same-origin embeds in Storage Access API methods, a=testonly
https://hg.mozilla.org/integration/autoland/rev/40cf908873ab
[wpt PR 38656] - Update wpt metadata, a=testonly

Comment 4

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/73b16abb0933
https://hg.mozilla.org/mozilla-central/rev/40cf908873ab