Closed Bug 1872926 Opened 1 year ago Closed 1 year ago

[wpt-sync] Sync PR 43847 - Add CookieSettingOverride to allow ABA embeds to send cookies using CORS

Categories

(Testing :: web-platform-tests, task, P4)

Tracking

(firefox123 fixed)

RESOLVED FIXED
123 Branch

People

(Reporter: wpt-sync, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 43847 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/43847
Details from upstream follow.

Dylan Cutler <dylancutler@google.com> wrote:

Add CookieSettingOverride to allow ABA embeds to send cookies using CORS

For now, this functionality is gated behind a base::Feature that is
disabled by default.

This CL does not interact with SameSite semantics, and still
maintains that only SameSite=None cookies are allowed in ABA contexts.
This exception is for 3P cookie blocking only.

This exception cannot be applied to cookies accessed via JS.

Bug:1513690
Change-Id: Id5964224403b7eb9aab69cebe69095530da5baa5
Reviewed-on: https://chromium-review.googlesource.com/5147868
WPT-Export-Revision: 9ec46aa1908746c4692168f36d048387953ecff5

CI Results

Ran 0 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 21 tests and 2 subtests

Status Summary

Firefox

OK : 16
PASS : 55
FAIL : 51
TIMEOUT: 10
NOTRUN : 8

Chrome

OK : 20
PASS : 96
FAIL : 20
TIMEOUT: 2
NOTRUN : 2

Safari

OK : 16
PASS : 32
FAIL : 74
TIMEOUT: 10
NOTRUN : 8

Details

New Tests That Don't Pass

  • /storage-access-api/hasStorageAccess-ABA.tentative.sub.https.window.html [wpt.fyi]
    • [ABA] document.hasStorageAccess() should not be allowed by default unless in top-level frame or same-origin iframe.: FAIL (Chrome: FAIL, Safari: FAIL)
  • /storage-access-api/requestStorageAccess-ABA.tentative.sub.https.window.html [wpt.fyi]
    • [ABA] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.: FAIL (Chrome: PASS, Safari: FAIL)
    • [ABA] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and should allow cookie access: FAIL (Chrome: PASS, Safari: FAIL)
    • [ABA] document.requestStorageAccess() should resolve without permission grant or user gesture: FAIL (Chrome: PASS, Safari: FAIL)
    • [ABA] document.requestStorageAccess() should resolve with denied permission: FAIL (Chrome: PASS, Safari: FAIL)
  • /storage-access-api/requestStorageAccess-cross-origin-iframe-navigation.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
    • Self-initiated reloads preserve storage access: TIMEOUT (Chrome: FAIL, Safari: TIMEOUT)
    • Self-initiated same-origin navigations preserve storage access: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
    • Non-self-initiated same-origin navigations do not preserve storage access: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
    • Self-initiated cross-origin navigations do not preserve storage access: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • /storage-access-api/requestStorageAccess-cross-site-iframe.sub.https.window.html [wpt.fyi]
    • [cross-site-frame] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.: FAIL (Chrome: FAIL, Safari: FAIL)
    • [cross-site-frame] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and should allow cookie access: FAIL (Chrome: PASS, Safari: FAIL)
    • [cross-site-frame] document.requestStorageAccess() should be rejected with a NotAllowedError with denied permission: FAIL (Chrome: FAIL, Safari: FAIL)
  • /storage-access-api/requestStorageAccess-cross-site-sibling-iframes.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
    • Grants have per-frame scope: TIMEOUT (Chrome: FAIL, Safari: TIMEOUT)
    • Cross-site sibling iframes should not be able to take advantage of the existing permission grant requested by others.: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • /storage-access-api/requestStorageAccess-dedicated-worker.tentative.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
    • Workers inherit storage access: TIMEOUT (Chrome: PASS, Safari: TIMEOUT)
    • Workers don't observe parent's storage access: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • /storage-access-api/requestStorageAccess-nested-cross-origin-iframe.sub.https.window.html [wpt.fyi]
    • [nested-cross-origin-frame] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.: FAIL (Chrome: PASS, Safari: FAIL)
    • [nested-cross-origin-frame] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and should allow cookie access: FAIL (Chrome: PASS, Safari: FAIL)
    • [nested-cross-origin-frame] document.requestStorageAccess() should resolve without permission grant or user gesture: FAIL (Chrome: PASS, Safari: FAIL)
    • [nested-cross-origin-frame] document.requestStorageAccess() should resolve with denied permission: FAIL (Chrome: PASS, Safari: FAIL)
  • /storage-access-api/requestStorageAccess-nested-cross-site-iframe.sub.https.window.html [wpt.fyi]
    • [nested-cross-site-frame] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.: FAIL (Chrome: FAIL, Safari: FAIL)
    • [nested-cross-site-frame] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and should allow cookie access: FAIL (Chrome: PASS, Safari: FAIL)
    • [nested-cross-site-frame] document.requestStorageAccess() should be rejected with a NotAllowedError with denied permission: FAIL (Chrome: FAIL, Safari: FAIL)
  • /storage-access-api/requestStorageAccess-nested-same-origin-iframe.sub.https.window.html [wpt.fyi]
    • [nested-same-origin-frame] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.: FAIL (Chrome: FAIL, Safari: FAIL)
    • [nested-same-origin-frame] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and should allow cookie access: FAIL (Chrome: PASS, Safari: FAIL)
    • [nested-same-origin-frame] document.requestStorageAccess() should resolve without permission grant or user gesture: FAIL (Chrome: FAIL, Safari: FAIL)
    • [nested-same-origin-frame] document.requestStorageAccess() should resolve with denied permission: FAIL (Chrome: FAIL, Safari: FAIL)
  • /storage-access-api/requestStorageAccess-same-site-iframe.sub.https.window.html [wpt.fyi]
    • [same-site-frame] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.: FAIL (Chrome: PASS, Safari: FAIL)
    • [same-site-frame] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and should allow cookie access: FAIL (Chrome: PASS, Safari: FAIL)
    • [same-site-frame] document.requestStorageAccess() should resolve without permission grant or user gesture: FAIL (Chrome: PASS, Safari: FAIL)
    • [same-site-frame] document.requestStorageAccess() should resolve with denied permission: FAIL (Chrome: PASS, Safari: FAIL)
  • /storage-access-api/requestStorageAccess-web-socket.tentative.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
    • WebSocket inherits storage access: TIMEOUT (Chrome: PASS, Safari: TIMEOUT)
    • WebSocket omits unpartitioned cookies without storage access: NOTRUN (Chrome: FAIL, Safari: NOTRUN)
  • /storage-access-api/requestStorageAccess.sub.https.window.html [wpt.fyi]
    • [top-level-context] document.requestStorageAccess() should resolve in top-level frame or same-site iframe, otherwise reject with a NotAllowedError with no user gesture.: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccess() should be resolved with no user gesture when a permission grant exists, and should allow cookie access: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccess() should resolve without permission grant or user gesture: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccess() should resolve with denied permission: FAIL (Chrome: PASS, Safari: FAIL)
  • /storage-access-api/storage-access-permission.sub.https.window.html [wpt.fyi]: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
    • Permissions grants are observable across same-origin iframes: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
    • Permissions grants are observable across same-site iframes: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • IFrame tests: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
  • /storage-access-api/storageAccess.testdriver.sub.html [wpt.fyi]
    • TestDriver - Set Storage Access Command Tests: FAIL (Chrome: FAIL, Safari: PASS)
  • /top-level-storage-access-api/tentative/requestStorageAccessFor-insecure.sub.window.html [wpt.fyi]
    • [top-level-context] document.requestStorageAccessFor() should be supported on the document interface: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be rejected by default with no user gesture: FAIL (Chrome: PASS, Safari: FAIL)
    • [non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached frame: FAIL (Chrome: PASS, Safari: FAIL)
    • [non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached DOMParser document: FAIL (Chrome: PASS, Safari: FAIL)
    • [frame-on-insecure-page] document.requestStorageAccessFor() should be supported on the document interface in embedded iframes: FAIL (Chrome: PASS, Safari: FAIL)
    • [frame-on-insecure-page] document.requestStorageAccessFor() should be rejected when called in an iframe: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be rejected when called in an insecure context: FAIL (Chrome: PASS, Safari: FAIL)
  • /top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.html [wpt.fyi]
    • [top-level-context] document.requestStorageAccessFor() should be supported on the document interface: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be rejected when called with no argument: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be rejected by default with no user gesture: FAIL (Chrome: PASS, Safari: FAIL)
    • [non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached frame: FAIL (Chrome: PASS, Safari: FAIL)
    • [non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached DOMParser document: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be resolved without a user gesture with an existing permission: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccess() should be resolved without a user gesture after a successful requestStorageAccessFor() call: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be resolved when called properly with a user gesture and the same origin: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be rejected when called with an invalid origin: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] document.requestStorageAccessFor() should be rejected when called with an opaque origin: FAIL (Chrome: PASS, Safari: FAIL)
    • [top-level-context] Top-level storage access only allows cross-site subresource requests to access cookie when using CORS mode.: FAIL (Chrome: PASS, Safari: FAIL)
    • [same-origin-iframe] document.requestStorageAccessFor() should be supported on the document interface: FAIL (Chrome: PASS, Safari: FAIL)
    • [same-origin-iframe] document.requestStorageAccessFor() should be rejected when called with no argument: FAIL (Chrome: PASS, Safari: FAIL)
    • [same-origin-iframe] document.requestStorageAccessFor() should be rejected when called in an iframe: FAIL (Chrome: PASS, Safari: FAIL)
    • [same-origin-iframe] Existing top-level storage access permission should not allow cookie access for the cross-site subresource requests made in a non-top-level context.: FAIL (Chrome: FAIL, Safari: FAIL)
  • /top-level-storage-access-api/tentative/top-level-storage-access-permission.sub.https.window.html [wpt.fyi]
    • Permission default state can be queried: FAIL (Chrome: PASS, Safari: FAIL)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8867efa9599e
[wpt PR 43847] - Add CookieSettingOverride to allow ABA embeds to send cookies using CORS, a=testonly

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch