Bug 1966186 [wpt PR 52503] - Implement Permission Policy & cross-origin check for on-device Web Speech,

evliu-google · lutien · commit 4e5e5b9d48d7 · 2025-05-20T12:01:23.000Z
Automatic update from web-platform-tests Implement Permission Policy & cross-origin check for on-device Web Speech This CL implements a Permission Policy and cross-origin check for the availableOnDevice() and installOnDevice() of the Web Speech API. These are some of the anti-fingerprinting countermeasures described in go/on-device-web-speech-fingerprinting-mitigations. Bug: 40286514 Change-Id: I766e35e4a38b7602cf037e17607662791abcad1a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6533837 Reviewed-by: Fred Shih <ffred@chromium.org> Commit-Queue: Evan Liu <evliu@google.com> Reviewed-by: Ari Chivukula <arichiv@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/main@{#1459582} -- wpt-commits: 215823256aed1bb2b80402cb08b829e0b81636d0 wpt-pr: 52503 Differential Revision: https://phabricator.services.mozilla.com/D250150
diff --git a/testing/web-platform/tests/speech-api/SpeechRecognition-availableOnDevice.https.html b/testing/web-platform/tests/speech-api/SpeechRecognition-availableOnDevice.https.html
@@ -5,7 +5,8 @@
 <script>
 promise_test(async (t) => {
   const lang = "en-US";
-  window.SpeechRecognition = window.SpeechRecognition || window.webkitSpeechRecognition;
+  window.SpeechRecognition = window.SpeechRecognition ||
+    window.webkitSpeechRecognition;
 
   // Test that it returns a promise.
   const resultPromise = SpeechRecognition.availableOnDevice(lang);
@@ -24,7 +25,8 @@
   assert_true(
     result === "unavailable" || result === "downloadable" ||
     result === "downloading" || result === "available",
-    "The resolved value of the availableOnDevice promise should be a valid value."
+    "The resolved value of the availableOnDevice promise should be a " +
+    "valid value."
   );
 }, "SpeechRecognition.availableOnDevice resolves with a string value.");
 
@@ -44,4 +46,138 @@
     frameSpeechRecognition.availableOnDevice("en-US"),
   );
 }, "SpeechRecognition.availableOnDevice rejects in a detached context.");
+
+promise_test(async (t) => {
+  const iframe = document.createElement("iframe");
+  // This policy should make the on-device speech recognition
+  // feature unavailable.
+  iframe.setAttribute("allow", "on-device-speech-recognition 'none'");
+  document.body.appendChild(iframe);
+  t.add_cleanup(() => iframe.remove());
+
+  await new Promise(resolve => {
+    if (iframe.contentWindow &&
+        iframe.contentWindow.document.readyState === 'complete') {
+      resolve();
+    } else {
+      iframe.onload = resolve;
+    }
+  });
+
+  const frameWindow = iframe.contentWindow;
+  const frameSpeechRecognition = frameWindow.SpeechRecognition ||
+    frameWindow.webkitSpeechRecognition;
+
+  assert_true(!!frameSpeechRecognition,
+    "SpeechRecognition should exist in iframe.");
+  assert_true(!!frameSpeechRecognition.availableOnDevice,
+    "availableOnDevice method should exist on SpeechRecognition in iframe.");
+
+  // Call availableOnDevice and expect it to resolve to "unavailable".
+  const availabilityStatus =
+    await frameSpeechRecognition.availableOnDevice("en-US");
+  assert_equals(availabilityStatus, "unavailable",
+    "availableOnDevice should resolve to 'unavailable' if " +
+    "'on-device-speech-recognition' Permission Policy is 'none'."
+  );
+}, "SpeechRecognition.availableOnDevice resolves to 'unavailable' if " +
+  "'on-device-speech-recognition' Permission Policy is 'none'.");
+
+promise_test(async (t) => {
+  const html = `
+    <!DOCTYPE html>
+    <script>
+      window.addEventListener('message', async (event) => {
+        // Ensure we only process the message intended to trigger the test.
+        if (event.data !== "runTestCallAvailableOnDevice") return;
+
+        try {
+          const SpeechRecognition = window.SpeechRecognition ||
+                                    window.webkitSpeechRecognition;
+          if (!SpeechRecognition || !SpeechRecognition.availableOnDevice) {
+            parent.postMessage({
+              type: "error", // Use "error" for API not found or other issues.
+              name: "NotSupportedError",
+              message: "SpeechRecognition.availableOnDevice API not " +
+                       "available in iframe"
+            }, "*");
+            return;
+          }
+
+          // Call availableOnDevice and post its resolution.
+          const availabilityStatus =
+              await SpeechRecognition.availableOnDevice("en-US");
+          parent.postMessage(
+              { type: "resolution", result: availabilityStatus },
+              "*"
+          ); // Post the string status
+        } catch (err) {
+          // Catch any unexpected errors during the API call or message post.
+          parent.postMessage({
+            type: "error",
+            name: err.name,
+            message: err.message
+          }, "*");
+        }
+      });
+    <\/script>
+  `;
+
+  const blob = new Blob([html], { type: "text/html" });
+  const blobUrl = URL.createObjectURL(blob);
+  // Important: Revoke the blob URL after the test to free up resources.
+  t.add_cleanup(() => URL.revokeObjectURL(blobUrl));
+
+  const iframe = document.createElement("iframe");
+  iframe.src = blobUrl;
+  // Sandboxing with "allow-scripts" is needed for the script inside
+  // the iframe to run.
+  // The cross-origin nature is primarily due to the blob URL's origin being
+  // treated as distinct from the parent page's origin for security
+  // purposes.
+  iframe.setAttribute("sandbox", "allow-scripts");
+  document.body.appendChild(iframe);
+  t.add_cleanup(() => iframe.remove());
+
+  await new Promise(resolve => iframe.onload = resolve);
+
+  const testResult = await new Promise((resolve, reject) => {
+    const timeoutId = t.step_timeout(() => {
+      reject(new Error("Test timed out waiting for message from iframe. " +
+                       "Ensure iframe script is correctly posting a message."));
+    }, 6000); // 6-second timeout
+
+    window.addEventListener("message", t.step_func((event) => {
+      // Basic check to ensure the message is from our iframe.
+      if (event.source !== iframe.contentWindow) return;
+      clearTimeout(timeoutId);
+      resolve(event.data);
+    }));
+
+    // Send a distinct message to the iframe to trigger its test logic.
+    iframe.contentWindow.postMessage("runTestCallAvailableOnDevice", "*");
+  });
+
+  // Check if the iframe's script reported an error (e.g., API not found).
+  if (testResult.type === "error") {
+    const errorMessage =
+        `Iframe reported an error: ${testResult.name} - ` +
+        testResult.message;
+    assert_unreached(errorMessage);
+  }
+
+  assert_equals(
+    testResult.type,
+    "resolution",
+    "The call from the iframe should resolve and post a 'resolution' " +
+    "message."
+  );
+  assert_equals(
+    testResult.result, // Expecting the string "unavailable".
+    "unavailable",
+    "availableOnDevice should resolve to 'unavailable' in a cross-origin " +
+    "iframe."
+  );
+}, "SpeechRecognition.availableOnDevice should resolve to 'unavailable' " +
+   "in a cross-origin iframe.");
 </script>
diff --git a/testing/web-platform/tests/speech-api/SpeechRecognition-installOnDevice.https.html b/testing/web-platform/tests/speech-api/SpeechRecognition-installOnDevice.https.html
@@ -154,6 +154,116 @@
       }
     )
   );
-}, "SpeechRecognition.installOnDevice rejects in a detached context " +
-   "(with user gesture).");
+}, "SpeechRecognition.installOnDevice rejects in a detached context.");
+
+promise_test(async (t) => {
+  const iframe = document.createElement("iframe");
+  iframe.setAttribute("allow",
+    "on-device-speech-recognition 'none'");
+  document.body.appendChild(iframe);
+  t.add_cleanup(() => iframe.remove());
+
+  await new Promise(resolve => {
+    if (iframe.contentWindow &&
+        iframe.contentWindow.document.readyState === 'complete') {
+      resolve();
+    } else {
+      iframe.onload = resolve;
+    }
+  });
+
+  const frameWindow = iframe.contentWindow;
+  const frameSpeechRecognition = frameWindow.SpeechRecognition ||
+    frameWindow.webkitSpeechRecognition;
+  const frameDOMException = frameWindow.DOMException;
+
+  assert_true(!!frameSpeechRecognition,
+    "SpeechRecognition should exist in iframe.");
+  assert_true(!!frameSpeechRecognition.installOnDevice,
+    "installOnDevice method should exist on SpeechRecognition in iframe.");
+
+  await promise_rejects_dom(
+    t,
+    "NotAllowedError",
+    frameDOMException,
+    frameSpeechRecognition.installOnDevice("en-US"),
+    "installOnDevice should reject with NotAllowedError if " +
+    "'install-on-device-speech-recognition' Permission Policy is " +
+    "disabled."
+  );
+}, "SpeechRecognition.installOnDevice rejects if " +
+  "'install-on-device-speech-recognition' Permission Policy is disabled.");
+
+promise_test(async (t) => {
+  const html = `
+    <!DOCTYPE html>
+    <script>
+      window.addEventListener('message', async (event) => {
+        try {
+          const SpeechRecognition = window.SpeechRecognition ||
+                                    window.webkitSpeechRecognition;
+          if (!SpeechRecognition || !SpeechRecognition.installOnDevice) {
+            parent.postMessage({
+              type: "rejection",
+              name: "NotSupportedError",
+              message: "API not available"
+            }, "*");
+            return;
+          }
+
+          await SpeechRecognition.installOnDevice("en-US");
+          parent.postMessage({ type: "resolution", result: "success" }, "*");
+        } catch (err) {
+          parent.postMessage({
+            type: "rejection",
+            name: err.name,
+            message: err.message
+          }, "*");
+        }
+      });
+    <\/script>
+  `;
+
+  // Create a cross-origin Blob URL by fetching from remote origin
+  const blob = new Blob([html], { type: "text/html" });
+  const blobUrl = URL.createObjectURL(blob);
+
+  const iframe = document.createElement("iframe");
+  iframe.src = blobUrl;
+  iframe.setAttribute("sandbox", "allow-scripts");
+  document.body.appendChild(iframe);
+  t.add_cleanup(() => iframe.remove());
+
+  await new Promise(resolve => iframe.onload = resolve);
+
+  const testResult = await new Promise((resolve, reject) => {
+    const timeoutId = t.step_timeout(() => {
+      reject(new Error("Timed out waiting for message from iframe"));
+    }, 6000);
+
+    window.addEventListener("message", t.step_func((event) => {
+      if (event.source !== iframe.contentWindow) return;
+      clearTimeout(timeoutId);
+      resolve(event.data);
+    }));
+
+    iframe.contentWindow.postMessage("runTest", "*");
+  });
+
+  assert_equals(
+    testResult.type,
+    "rejection",
+    "Should reject due to cross-origin restriction"
+  );
+  assert_equals(
+    testResult.name,
+    "NotAllowedError",
+    "Should reject with NotAllowedError"
+  );
+  assert_true(
+    testResult.message.includes("cross-origin iframe") ||
+    testResult.message.includes("cross-site subframe"),
+    `Error message should reference cross-origin. Got: "${testResult.message}"`
+  );
+}, "SpeechRecognition.installOnDevice should reject in a cross-origin iframe.");
 </script>
