[Partitioned Popins] Limit cross-origin popin opener access

This CL mirrors the COOP restrict-properties work to prevent the use of the opener proxy for/by a popin for any actions other than postMessage() or closed. The difference between https://chromium-review.googlesource.com/c/chromium/src/+/5800429 and this CL is that enforcement is limited here to cross-origin cases. There will be enforcement of same-origin cases in a future CL, but we will not enforce it as a security boundary (independent process) for now. All of this work is behind an experimental flag "PartitionedPopins" so will not be enabled by default. Explainer: https://explainers-by-googlers.github.io/partitioned-popins/ I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/ApU_zUmpQ2g/ Bug: 340606651 Change-Id: I5a852fc2f598e311142a25a434656592fe9185a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5854082 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Daniel Cheng <[email protected]> Reviewed-by: Rakina Zata Amni <[email protected]> Commit-Queue: Rakina Zata Amni <[email protected]> Cr-Commit-Position: refs/heads/main@{#1354277}
web-platform-tests · Sep 12, 2024 · 3a73b22 · 3a73b22
1 parent 15415f5
commit 3a73b22
Show file tree

Hide file tree

Showing 4 changed files with 158 additions and 0 deletions.
diff --git a/partitioned-popins/partitioned-popins.proxy-cross.tentative.sub.https.window.js b/partitioned-popins/partitioned-popins.proxy-cross.tentative.sub.https.window.js
@@ -0,0 +1,37 @@
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+// META: script=/partitioned-popins/resources/proxy-helpers.js
+
+'use strict';
+
+// Spec: https://explainers-by-googlers.github.io/partitioned-popins/
+// Step 1 (window) Set up listener to resolve messages as they come in.
+// Step 2 (window) Open cross-site popin.
+// Step 3 (popin) Set up listener to resolve messages as they come in.
+// Step 4 (popin) Test and report usable methods against window.
+// Step 5 (window) Test and compare usable methods against popin.
+// Step 6 (popin) Cleanup.
+// Step 7 (window) Cleanup.
+
+async_test(t => {
+  let popin_proxy;
+
+  // Step 1
+  window.addEventListener("message", t.step_func(e => {
+    switch (e.data.type) {
+      case 'ready':
+        // Step 5
+        assert_equals(e.data.message, "Closed,Then,");
+        assert_equals(getUsableMethods(popin_proxy), "Closed,Then,");
+        popin_proxy.postMessage({type: "cleanup"}, "*");
+        break;
+      case 'cleanup':
+        // Step 7
+        t.done();
+        break;
+    }
+  }));
+
+  // Step 2
+  popin_proxy = window.open("https://{{hosts[alt][]}}:{{ports[https][0]}}/partitioned-popins/resources/partitioned-popins.proxy-popin.html", '_blank', 'popin');
+}, "Verify cross-site Partitioned Popins proxies only have access to postMessage and closed methods.");
diff --git a/partitioned-popins/partitioned-popins.proxy-same.tentative.https.window.js b/partitioned-popins/partitioned-popins.proxy-same.tentative.https.window.js
@@ -0,0 +1,39 @@
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+// META: script=/partitioned-popins/resources/proxy-helpers.js
+
+'use strict';
+
+// Spec: https://explainers-by-googlers.github.io/partitioned-popins/
+// Step 1 (window) Set up listener to resolve messages as they come in.
+// Step 2 (window) Open same-origin popin.
+// Step 3 (popin) Set up listener to resolve messages as they come in.
+// Step 4 (popin) Test and report usable methods against window.
+// Step 5 (window) Test and compare usable methods against popin.
+// Step 6 (popin) Cleanup.
+// Step 7 (window) Cleanup.
+
+// TODO(crbug.com/340606651): Remove expectations file and secure same-origin popins.
+
+async_test(t => {
+  let popin_proxy;
+
+  // Step 1
+  window.addEventListener("message", t.step_func(e => {
+    switch (e.data.type) {
+      case 'ready':
+        // Step 5
+        assert_equals(e.data.message, "Closed,Then,");
+        assert_equals(getUsableMethods(popin_proxy), "Closed,Then,");
+        popin_proxy.postMessage({type: "cleanup"}, "*");
+        break;
+      case 'cleanup':
+        // Step 7
+        t.done();
+        break;
+    }
+  }));
+
+  // Step 2
+  popin_proxy = window.open("/partitioned-popins/resources/partitioned-popins.proxy-popin.html", '_blank', 'popin');
+}, "Verify same-origin Partitioned Popins proxies only have access to postMessage and closed methods.");
diff --git a/partitioned-popins/resources/partitioned-popins.proxy-popin.html b/partitioned-popins/resources/partitioned-popins.proxy-popin.html
@@ -0,0 +1,24 @@
+<!doctype html>
+<meta charset="utf-8">
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/partitioned-popins/resources/proxy-helpers.js"></script>
+<script>
+(async function() {
+  test_driver.set_test_context(window.opener);
+
+  // Step 3 (partitioned-popins/partitioned-popins.proxy-{}.tentative.sub.https.window.js)
+  window.addEventListener("message", e => {
+    switch (e.data.type) {
+      case 'cleanup':
+        // Step 6 (partitioned-popins/partitioned-popins.proxy-{}.tentative.sub.https.window.js)
+        window.opener.postMessage({type: "cleanup"}, "*");
+        window.close();
+        break;
+    }
+  });
+
+  // Step 4 (partitioned-popins/partitioned-popins.proxy-{}.tentative.sub.https.window.js)
+  window.opener.postMessage({type: "ready", message: getUsableMethods(window.opener)}, "*");
+})();
+</script>
diff --git a/partitioned-popins/resources/proxy-helpers.js b/partitioned-popins/resources/proxy-helpers.js
@@ -0,0 +1,58 @@
+'use strict';
+
+function customMethod() {
+}
+
+let customAttribute = "";
+
+function getUsableMethods(proxy) {
+  let message = "";
+  try {
+    proxy.closed;
+    message += "Closed,"
+  } catch (_) {}
+  try {
+    proxy.blur();
+    message += "Blur,"
+  } catch (_) {}
+  try {
+    proxy.onblur;
+    message += "OnBlur,"
+  } catch (_) {}
+  try {
+    proxy.opener;
+    message += "Opener,"
+  } catch (_) {}
+  try {
+    proxy.length;
+    message += "Length,"
+  } catch (_) {}
+  try {
+    proxy.name = "foo";
+    message += "Name,"
+  } catch (_) {}
+  try {
+    proxy[0];
+    message += "AnonymousIndex,"
+  } catch (_) {}
+  try {
+    proxy['test'];
+    message += "AnonymousName,"
+  } catch (_) {}
+  try {
+    proxy.customMethod();
+    message += "CustomMethod,"
+  } catch (_) {}
+  try {
+    proxy.customAttribute;
+    message += "CustomAttributeGet,"
+  } catch (_) {}
+  try {
+    proxy.customAttribute = "";
+    message += "CustomAttributeSet,"
+  } catch (_) {}
+  if (proxy.then == undefined) {
+    message += "Then,"
+  }
+  return message;
+}