Bug 1978940 [wpt PR 53937] - Create WPT for allowed_refresh_initiators, a=testonly

Automatic update from web-platform-tests
Create WPT for allowed_refresh_initiators (#53937)

This requires some significant work to setup cookies and requests
initiated by third parties, then confirms that only initiators listed in
`allowed_refresh_initiators` can actually initiate refreshes.

Fixed: 401184805
Change-Id: Id773859758153dd47ae10db378ce1f6141ed5e75
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6777966
Commit-Queue: Daniel Rubery <druberychromium.org>
Reviewed-by: thefrog <thefrogchromium.org>
Reviewed-by: Koji Ishii <kojiichromium.org>
Cr-Commit-Position: refs/heads/main{#1491069}

Co-authored-by: Daniel Rubery <druberychromium.org>
--

wpt-commits: 30380f06ed2b3d4c60f52a0bdc3a8ef80ed7440d
wpt-pr: 53937

UltraBlame original commit: b5622511a733164045b7bf2a7f23912489b470c1

Author: marco-c

testing/web-platform/tests/common/get-host-info.sub.js

@@ -20,6 +20,7 @@ function get_host_info() {
   var REMOTE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('www1.' + ORIGINAL_HOST);
   var OTHER_HOST = '{{domains[www2]}}';
   var NOTSAMESITE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('{{hosts[alt][]}}');
+  var OTHER_NOTSAMESITE_HOST = '{{hosts[alt][www2]}}';
 
   return {
     HTTP_PORT: HTTP_PORT,
@@ -45,6 +46,7 @@ function get_host_info() {
     HTTPS_REMOTE_ORIGIN: 'https://' + REMOTE_HOST + HTTPS_PORT_ELIDED,
     HTTPS_REMOTE_ORIGIN_WITH_CREDS: 'https://foo:bar@' + REMOTE_HOST + HTTPS_PORT_ELIDED,
     HTTPS_NOTSAMESITE_ORIGIN: 'https://' + NOTSAMESITE_HOST + HTTPS_PORT_ELIDED,
+    HTTPS_OTHER_NOTSAMESITE_ORIGIN: 'https://' + OTHER_NOTSAMESITE_HOST + HTTPS_PORT_ELIDED,
     UNAUTHENTICATED_ORIGIN: 'http://' + OTHER_HOST + HTTP_PORT_ELIDED,
     AUTHENTICATED_ORIGIN: 'https://' + OTHER_HOST + HTTPS_PORT_ELIDED
   };

testing/web-platform/tests/device-bound-session-credentials/allowed-refresh-initiators.https.html

@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>DBSC session with varied initiators</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="helper.js" type="module"></script>
+
+<script type="module">
+  import { expireCookie, documentHasCookie, waitForCookie, addCookieAndSessionCleanup, setupShardedServerState, configureServer } from "./helper.js";
+
+  // Create an iframe that fetches URLs on demand via postMessage.
+  async function createFrame(url) {
+    const frame = document.createElement('iframe');
+    const promise = new Promise((resolve, reject) => {
+      frame.onload = () => resolve(frame);
+      frame.onerror = () => {
+        reject();
+      };
+    });
+    frame.src = url;
+    document.body.appendChild(frame);
+    return promise;
+  }
+
+  async function crossSiteFetch(frame, url) {
+    let promise = new Promise((resolve) => {
+      const listener = (event) => {
+        window.removeEventListener("message", listener);
+        resolve(event.data);
+      };
+      window.addEventListener("message", listener);
+    });
+    frame.contentWindow.postMessage(url, "*");
+    return promise;
+  }
+
+  async function runTest(t, origin, refresh_expected) {
+    await setupShardedServerState({crossSite: true});
+    const expectedCookieAndValue = "auth_cookie=abcdef0123";
+    // Override the attributes to be SameSite=None.
+    const expectedCookieAttributes = `Domain=${location.hostname};Path=/device-bound-session-credentials;SameSite=None;Secure`;
+    const expectedCookieAndAttributes = `${expectedCookieAndValue};${expectedCookieAttributes}`;
+    addCookieAndSessionCleanup(t);
+
+    configureServer({ allowedRefreshInitiators: [get_host_info().NOTSAMESITE_HOST],
+                      cookieDetails: [ {attributes: expectedCookieAttributes} ],
+                    });
+
+    // Prompt starting a session, and wait until registration completes.
+    const loginResponse = await fetch('login.py');
+    assert_equals(loginResponse.status, 200);
+    await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);
+
+    const frame = await createFrame(`${origin}/device-bound-session-credentials/url_fetcher.html`);
+
+    // Expire the cookie, and check whether a refresh has occurred.
+    expireCookie(expectedCookieAndAttributes);
+    assert_false(documentHasCookie(expectedCookieAndValue));
+
+    const authStatusAfterExpiry = await crossSiteFetch(frame, `${location.protocol}//${location.host}/device-bound-session-credentials/verify_authenticated.py`);
+    assert_equals(authStatusAfterExpiry, refresh_expected ? 200 : 401);
+    assert_equals(documentHasCookie(expectedCookieAndValue), refresh_expected);
+  }
+
+  promise_test(async t => {
+    await runTest(t, location.origin, /*refresh_expected=*/true);
+  }, "An established session refreshes when initated by the owning site");
+
+  promise_test(async t => {
+    await runTest(t, get_host_info().HTTPS_NOTSAMESITE_ORIGIN, /*refresh_expected=*/true);
+  }, "An established session refreshes when initated by a host in allowed_refresh_initiators");
+
+  promise_test(async t => {
+    await runTest(t, get_host_info().HTTPS_OTHER_NOTSAMESITE_ORIGIN, /*refresh_expected=*/false);
+  }, "An established session does not refresh when initated by a host not in allowed_refresh_initiators");
+</script>

testing/web-platform/tests/device-bound-session-credentials/clear-site-data.https.html

@@ -23,7 +23,7 @@
     const endSessionResponse = await fetch('end_session_via_clear_site_data.py');
     assert_equals(endSessionResponse.status, 200);
     // Need to set up the state again because all cookies were cleared.
-    await setupShardedServerState(testId);
+    await setupShardedServerState({testId});
 
     // Expire the cookie, and confirm it does not get refreshed.
     expireCookie(expectedCookieAndAttributes);
@@ -48,7 +48,7 @@
     const endSessionResponse = await fetch('end_session_via_clear_site_data.py', {method: 'POST', body: '"storage"'});
     assert_equals(endSessionResponse.status, 200);
     // Need to set up the state again because all cookies were cleared.
-    await setupShardedServerState(testId);
+    await setupShardedServerState({testId});
 
     // Expire the cookie, and confirm it does not get refreshed.
     expireCookie(expectedCookieAndAttributes);

testing/web-platform/tests/device-bound-session-credentials/helper.js

@@ -49,10 +49,9 @@ export async function configureServer(obj) {
   assert_equals(response.status, 200);
 }
 
-export async function setupShardedServerState(testId) {
-  const obj = {};
-  if (testId !== undefined) {
-    obj.testId = testId;
+export async function setupShardedServerState(obj) {
+  if (obj === undefined) {
+    obj = {};
   }
   const response = await fetch('setup_sharded_server_state.py', {
     method: 'POST',

testing/web-platform/tests/device-bound-session-credentials/session_manager.py

@@ -46,6 +46,7 @@ def __init__(self):
         self.include_site = True
         self.refresh_endpoint_unavailable = False
         self.response_session_id_override = None
+        self.allowed_refresh_initiators = ["*"]
 
     def next_session_id(self):
         return len(self.session_to_key_map)
@@ -127,6 +128,10 @@ def configure_state_for_test(self, configuration):
         if response_session_id_override is not None:
             self.response_session_id_override = response_session_id_override
 
+        allowed_refresh_initiators = configuration.get("allowedRefreshInitiators")
+        if allowed_refresh_initiators is not None:
+            self.allowed_refresh_initiators = allowed_refresh_initiators
+
     def get_should_refresh_end_session(self):
         return self.should_refresh_end_session
 
@@ -198,7 +203,8 @@ def get_session_instructions_response(self, session_id, request):
                     { "type": "exclude", "domain": request.url_parts.hostname, "path": "/device-bound-session-credentials/set_cookie.py" },
                 ]
             },
-            "credentials": self.get_sessions_instructions_response_credentials(session_id, request)
+            "credentials": self.get_sessions_instructions_response_credentials(session_id, request),
+            "allowed_refresh_initiators": self.allowed_refresh_initiators,
         }
         headers = self.get_session_instructions_response_set_cookie_headers(session_id, request) + [
             ("Content-Type", "application/json"),

testing/web-platform/tests/device-bound-session-credentials/setup_sharded_server_state.py

@@ -9,4 +9,13 @@ def main(request, response):
     if test_id is None:
         test_id = session_manager.initialize_test()
 
-    return (200, [("Set-Cookie", f"test_id={test_id}")], "")
+    headers = [("Set-Cookie", f"test_id={test_id}")]
+    
+    
+    
+    
+    cross_site = request_body.get("crossSite")
+    if cross_site is not None and cross_site:
+        headers = [("Set-Cookie", f"test_id={test_id};SameSite=None;Secure")]
+
+    return (200, headers, "")

testing/web-platform/tests/device-bound-session-credentials/url_fetcher.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<body>
+  <script>
+    'use strict';
+
+    window.addEventListener("message", async (event) => {
+      const response = await fetch(event.data, {credentials: "include"});
+      event.source.postMessage(response.status, "*");
+    });
+  </script>
+</body>