WebKit Bugzilla
Attachment 341951 Details for Bug 186287: Rename "Cross-Origin-Options" HTTP header to "Cross-Origin-Window-Policy"
bug-186287-20180604203104.patch (text/plain), 153.42 KB, created by Chris Dumez on 2018-06-04 20:31:05 PDT
>Subversion Revision: 232494 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 945638a637afb4d888d450d4a69a3210c9fc4a34..566bd7336e4b9f1daa16118c8e133cb3d6ce887f 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog 
>@@ -1,3 +1,48 @@ >+2018-06-04 Chris Dumez <cdumez@apple.com> >+ >+ Rename "Cross-Origin-Options" HTTP header to "Cross-Origin-Window-Policy" >+ https://bugs.webkit.org/show_bug.cgi?id=186287 >+ <rdar://problem/40783352> >+ >+ Reviewed by Youenn Fablet. >+ >+ Tests: http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html >+ http/wpt/cross-origin-window-policy/allow-postmessage.html >+ http/wpt/cross-origin-window-policy/cross-origin-window-policy-header.html >+ http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target.html >+ http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target.html >+ >+ * bindings/js/JSDOMBindingSecurity.cpp: >+ (WebCore::BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginWindowPolicy): >+ * bindings/js/JSDOMBindingSecurity.h: >+ * bindings/js/JSDOMWindowCustom.cpp: >+ (WebCore::effectiveCrossOriginWindowPolicyForAccess): >+ (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): >+ (WebCore::JSDOMWindow::getOwnPropertySlotByIndex): >+ (WebCore::addCrossOriginWindowPropertyNames): >+ (WebCore::addScopedChildrenIndexes): >+ * bindings/scripts/CodeGeneratorJS.pm: >+ (GenerateAttributeGetterBodyDefinition): >+ (GetCrossOriginsOptionsFromExtendedAttributeValue): >+ (GenerateAttributeSetterBodyDefinition): >+ (GenerateOperationBodyDefinition): >+ * bindings/scripts/IDLAttributes.json: >+ * dom/Document.cpp: >+ (WebCore::Document::canNavigate): >+ * loader/FrameLoader.cpp: >+ (WebCore::FrameLoader::didBeginDocument): >+ * page/AbstractDOMWindow.cpp: >+ (WebCore::AbstractDOMWindow::AbstractDOMWindow): >+ * page/AbstractDOMWindow.h: >+ (WebCore::AbstractDOMWindow::crossOriginWindowPolicy): >+ (WebCore::AbstractDOMWindow::setCrossOriginWindowPolicy): >+ * page/DOMWindow.idl: >+ * page/Settings.yaml: >+ * platform/network/HTTPHeaderNames.in: >+ * platform/network/HTTPParsers.cpp: >+ (WebCore::parseCrossOriginWindowPolicyHeader): >+ * platform/network/HTTPParsers.h: >+ > 2018-06-04 
Chris Dumez <cdumez@apple.com> > > Unreviewed iOS build fix with recent SDKs. >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 621ff0610eb95d019f9e3c31503f4807ec995a69..5c1e8c05b198ac7901020974bdcaf62c418f7bea 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,15 @@ >+2018-06-04 Chris Dumez <cdumez@apple.com> >+ >+ Rename "Cross-Origin-Options" HTTP header to "Cross-Origin-Window-Policy" >+ https://bugs.webkit.org/show_bug.cgi?id=186287 >+ <rdar://problem/40783352> >+ >+ Reviewed by Youenn Fablet. >+ >+ * Shared/WebPreferences.yaml: >+ * WebProcess/WebPage/WebPage.cpp: >+ (WebKit::WebPage::frameBecameRemote): >+ > 2018-06-04 Dan Bernstein <mitz@apple.com> > > Restored code signing behavior when WK_USE_RESTRICTED_ENTITLEMENTS isnât set. >diff --git a/Source/WebKitLegacy/mac/ChangeLog b/Source/WebKitLegacy/mac/ChangeLog >index 17a1d447b3257fce8edef02ba685903393507892..afa08a9ea23d2a6d4992d6ee41fd4a44bc5d4723 100644 >--- a/Source/WebKitLegacy/mac/ChangeLog >+++ b/Source/WebKitLegacy/mac/ChangeLog >@@ -1,3 +1,20 @@ >+2018-06-04 Chris Dumez <cdumez@apple.com> >+ >+ Rename "Cross-Origin-Options" HTTP header to "Cross-Origin-Window-Policy" >+ https://bugs.webkit.org/show_bug.cgi?id=186287 >+ <rdar://problem/40783352> >+ >+ Reviewed by Youenn Fablet. >+ >+ * WebView/WebPreferenceKeysPrivate.h: >+ * WebView/WebPreferences.mm: >+ (+[WebPreferences initialize]): >+ (-[WebPreferences crossOriginWindowPolicySupportEnabled]): >+ (-[WebPreferences setCrossOriginWindowPolicySupportEnabled:]): >+ * WebView/WebPreferencesPrivate.h: >+ * WebView/WebView.mm: >+ (-[WebView _preferencesChanged:]): >+ > 2018-06-02 Darin Adler <darin@apple.com> > > [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption >diff --git a/Source/WebKitLegacy/win/ChangeLog b/Source/WebKitLegacy/win/ChangeLog >index 7a69577bccdb6ad9146b02ed548356ef8022b704..8d2e6c9519d56469e95dc33dc8db39120b0a20c1 100644 
>--- a/Source/WebKitLegacy/win/ChangeLog >+++ b/Source/WebKitLegacy/win/ChangeLog >@@ -1,3 +1,21 @@ >+2018-06-04 Chris Dumez <cdumez@apple.com> >+ >+ Rename "Cross-Origin-Options" HTTP header to "Cross-Origin-Window-Policy" >+ https://bugs.webkit.org/show_bug.cgi?id=186287 >+ <rdar://problem/40783352> >+ >+ Reviewed by Youenn Fablet. >+ >+ * Interfaces/IWebPreferencesPrivate.idl: >+ * WebPreferenceKeysPrivate.h: >+ * WebPreferences.cpp: >+ (WebPreferences::initializeDefaultSettings): >+ (WebPreferences::crossOriginWindowPolicySupportEnabled): >+ (WebPreferences::setCrossOriginWindowPolicySupportEnabled): >+ * WebPreferences.h: >+ * WebView.cpp: >+ (WebView::notifyPreferencesChanged): >+ > 2018-05-30 Yusuke Suzuki <utatane.tea@gmail.com> > > [JSC] Pass VM& parameter as much as possible >diff --git a/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp b/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp >index 2b6758511604146085c3b0f9ee1a0efbafa412a0..f2d98bb352d61efe65fcd3eb63008899f3c7b523 100644 >--- a/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp >+++ b/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp 
>@@ -100,16 +100,16 @@ bool BindingSecurity::shouldAllowAccessToNode(JSC::ExecState& state, Node* targe > return !target || canAccessDocument(&state, &target->document(), LogSecurityError); > } > >-bool BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginOptions(JSC::ExecState* state, DOMWindow& target, CrossOriginOptions minimumCrossOriginOptions, SecurityReportingOption reportingOption) >+bool BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginWindowPolicy(JSC::ExecState* state, DOMWindow& target, CrossOriginWindowPolicy minimumCrossOriginWindowPolicy, SecurityReportingOption reportingOption) > { > DOMWindow& source = activeDOMWindow(*state); >- ASSERT(minimumCrossOriginOptions > CrossOriginOptions::Deny); >+ ASSERT(minimumCrossOriginWindowPolicy > CrossOriginWindowPolicy::Deny); > >- static_assert(CrossOriginOptions::Deny < CrossOriginOptions::AllowPostMessage && CrossOriginOptions::AllowPostMessage < CrossOriginOptions::Allow, "More restrictive cross-origin options should have lower values"); >+ static_assert(CrossOriginWindowPolicy::Deny < CrossOriginWindowPolicy::AllowPostMessage && CrossOriginWindowPolicy::AllowPostMessage < CrossOriginWindowPolicy::Allow, "More restrictive cross-origin options should have lower values"); > > // Fast path. >- auto effectiveCrossOriginOptions = std::min(source.crossOriginOptions(), target.crossOriginOptions()); >- if (effectiveCrossOriginOptions >= minimumCrossOriginOptions) >+ auto effectiveCrossOriginWindowPolicy = std::min(source.crossOriginWindowPolicy(), target.crossOriginWindowPolicy()); >+ if (effectiveCrossOriginWindowPolicy >= minimumCrossOriginWindowPolicy) > return true; > > return shouldAllowAccessToDOMWindow(state, target, reportingOption); >diff --git a/Source/WebCore/bindings/js/JSDOMBindingSecurity.h b/Source/WebCore/bindings/js/JSDOMBindingSecurity.h >index 5c2af998857f39d73cf7aa0a245735b96e454f15..170462e0b5412d22e211510e9a01e41dccf6dc74 100644 
>--- a/Source/WebCore/bindings/js/JSDOMBindingSecurity.h >+++ b/Source/WebCore/bindings/js/JSDOMBindingSecurity.h >@@ -36,7 +36,7 @@ class DOMWindow; > class Frame; > class Node; > >-enum class CrossOriginOptions; >+enum class CrossOriginWindowPolicy; > > void printErrorMessageForFrame(Frame*, const String& message); > >@@ -55,7 +55,7 @@ bool shouldAllowAccessToFrame(JSC::ExecState*, Frame*, SecurityReportingOption = > bool shouldAllowAccessToFrame(JSC::ExecState&, Frame&, String& message); > bool shouldAllowAccessToNode(JSC::ExecState&, Node*); > >-bool shouldAllowAccessToDOMWindowGivenMinimumCrossOriginOptions(JSC::ExecState*, DOMWindow&, CrossOriginOptions, SecurityReportingOption = LogSecurityError); >+bool shouldAllowAccessToDOMWindowGivenMinimumCrossOriginWindowPolicy(JSC::ExecState*, DOMWindow&, CrossOriginWindowPolicy, SecurityReportingOption = LogSecurityError); > > }; > >diff --git a/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp b/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp >index 5db1d5ccbe1fe8b7fa29d39faadb38813beae8be..d999393ece8376d45a87151b9f9ebfd66673498d 100644 >--- a/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp >+++ b/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 
>@@ -56,10 +56,10 @@ > namespace WebCore { > using namespace JSC; > >-static CrossOriginOptions effectiveCrossOriginOptionsForAccess(ExecState& state, AbstractDOMWindow& target) >+static CrossOriginWindowPolicy effectiveCrossOriginWindowPolicyForAccess(ExecState& state, AbstractDOMWindow& target) > { >- static_assert(CrossOriginOptions::Deny < CrossOriginOptions::AllowPostMessage && CrossOriginOptions::AllowPostMessage < CrossOriginOptions::Allow, "More restrictive cross-origin options should have lower values"); >- return std::min(activeDOMWindow(state).crossOriginOptions(), target.crossOriginOptions()); >+ static_assert(CrossOriginWindowPolicy::Deny < CrossOriginWindowPolicy::AllowPostMessage && CrossOriginWindowPolicy::AllowPostMessage < CrossOriginWindowPolicy::Allow, "More restrictive cross-origin options should have lower values"); >+ return std::min(activeDOMWindow(state).crossOriginWindowPolicy(), target.crossOriginWindowPolicy()); > } > > EncodedJSValue JSC_HOST_CALL jsDOMWindowInstanceFunctionShowModalDialog(ExecState*); 
>@@ -100,18 +100,18 @@ bool jsDOMWindowGetOwnPropertySlotRestrictedAccess(JSDOMGlobalObject* thisObject > return true; > } > >- switch (effectiveCrossOriginOptionsForAccess(state, window)) { >- case CrossOriginOptions::AllowPostMessage: >+ switch (effectiveCrossOriginWindowPolicyForAccess(state, window)) { >+ case CrossOriginWindowPolicy::AllowPostMessage: > if (propertyName == builtinNames.postMessagePublicName()) { > slot.setCustom(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontEnum), windowType == DOMWindowType::Remote ? nonCachingStaticFunctionGetter<jsRemoteDOMWindowInstanceFunctionPostMessage, 0> : nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionPostMessage, 2>); > return true; > } > FALLTHROUGH; >- case CrossOriginOptions::Deny: >+ case CrossOriginWindowPolicy::Deny: > throwSecurityError(state, scope, errorMessage); > slot.setUndefined(); > return false; >- case CrossOriginOptions::Allow: >+ case CrossOriginWindowPolicy::Allow: > break; > } > >@@ -253,13 +253,13 @@ bool JSDOMWindow::getOwnPropertySlotByIndex(JSObject* object, ExecState* state, > > // (1) First, indexed properties. > // These are also allowed cross-origin, so come before the access check. >- switch (effectiveCrossOriginOptionsForAccess(*state, window)) { >- case CrossOriginOptions::Deny: >- case CrossOriginOptions::AllowPostMessage: >+ switch (effectiveCrossOriginWindowPolicyForAccess(*state, window)) { >+ case CrossOriginWindowPolicy::Deny: >+ case CrossOriginWindowPolicy::AllowPostMessage: > if (isCrossOriginAccess()) > break; > FALLTHROUGH; >- case CrossOriginOptions::Allow: >+ case CrossOriginWindowPolicy::Allow: > if (frame && index < frame->tree().scopedChildCount()) { > slot.setValue(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly), toJS(state, frame->tree().scopedChild(index)->document()->domWindow())); > return true; 
>@@ -348,15 +348,15 @@ static void addCrossOriginWindowPropertyNames(ExecState& state, AbstractDOMWindo > &static_cast<JSVMClientData*>(vm.clientData)->builtinNames().windowPublicName() > }; > >- switch (effectiveCrossOriginOptionsForAccess(state, window)) { >- case CrossOriginOptions::Allow: >+ switch (effectiveCrossOriginWindowPolicyForAccess(state, window)) { >+ case CrossOriginWindowPolicy::Allow: > for (auto* property : properties) > propertyNames.add(*property); > break; >- case CrossOriginOptions::AllowPostMessage: >+ case CrossOriginWindowPolicy::AllowPostMessage: > propertyNames.add(static_cast<JSVMClientData*>(vm.clientData)->builtinNames().postMessagePublicName()); > break; >- case CrossOriginOptions::Deny: >+ case CrossOriginWindowPolicy::Deny: > break; > } > } >@@ -371,11 +371,11 @@ static void addScopedChildrenIndexes(ExecState& state, DOMWindow& window, Proper > if (!frame) > return; > >- switch (effectiveCrossOriginOptionsForAccess(state, window)) { >- case CrossOriginOptions::Allow: >+ switch (effectiveCrossOriginWindowPolicyForAccess(state, window)) { >+ case CrossOriginWindowPolicy::Allow: > break; >- case CrossOriginOptions::Deny: >- case CrossOriginOptions::AllowPostMessage: >+ case CrossOriginWindowPolicy::Deny: >+ case CrossOriginWindowPolicy::AllowPostMessage: > return; > } > >diff --git a/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm b/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm >index 910369d20744685dcebaa1364aacca6aee8270c9..0e0701dcf7123aa5ea255e0801006ca33c9366ef 100644 >--- a/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm >+++ b/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 
>@@ -4707,9 +4707,9 @@ sub GenerateAttributeGetterBodyDefinition > AddToImplIncludes("JSDOMBindingSecurity.h", $conditional); > if ($interface->type->name eq "DOMWindow") { > if ($attribute->extendedAttributes->{DoNotCheckSecurityIf}) { >- my $crossOriginOptions = GetCrossOriginsOptionsFromExtendedAttributeValue($attribute->extendedAttributes->{DoNotCheckSecurityIf}); >+ my $crossOriginWindowPolicy = GetCrossOriginsOptionsFromExtendedAttributeValue($attribute->extendedAttributes->{DoNotCheckSecurityIf}); > AddToImplIncludes("HTTPParsers.h", $conditional); >- push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginOptions(&state, thisObject.wrapped(), $crossOriginOptions, ThrowSecurityError))\n"); >+ push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginWindowPolicy(&state, thisObject.wrapped(), $crossOriginWindowPolicy, ThrowSecurityError))\n"); > } else { > push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(&state, thisObject.wrapped(), ThrowSecurityError))\n"); > } >@@ -4824,9 +4824,9 @@ sub GetCrossOriginsOptionsFromExtendedAttributeValue > { > my $extendedAttributeValue = shift; > >- return "CrossOriginOptions::Allow" if $extendedAttributeValue eq "CrossOriginOptionsAllow"; >- return "CrossOriginOptions::AllowPostMessage" if $extendedAttributeValue eq "CrossOriginOptionsAllowPostMessage"; >- die "Unsupported CrossOriginOptions: " + $extendedAttributeValue; >+ return "CrossOriginWindowPolicy::Allow" if $extendedAttributeValue eq "CrossOriginWindowPolicyAllow"; >+ return "CrossOriginWindowPolicy::AllowPostMessage" if $extendedAttributeValue eq "CrossOriginWindowPolicyAllowPostMessage"; >+ die "Unsupported CrossOriginWindowPolicy: " + $extendedAttributeValue; > } > > sub GenerateAttributeSetterBodyDefinition 
>@@ -4852,9 +4852,9 @@ sub GenerateAttributeSetterBodyDefinition > AddToImplIncludes("JSDOMBindingSecurity.h", $conditional); > if ($interface->type->name eq "DOMWindow") { > if ($attribute->extendedAttributes->{DoNotCheckSecurityIf}) { >- my $crossOriginOptions = GetCrossOriginsOptionsFromExtendedAttributeValue($attribute->extendedAttributes->{DoNotCheckSecurityIf}); >+ my $crossOriginWindowPolicy = GetCrossOriginsOptionsFromExtendedAttributeValue($attribute->extendedAttributes->{DoNotCheckSecurityIf}); > AddToImplIncludes("HTTPParsers.h", $conditional); >- push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginOptions(&state, thisObject.wrapped(), $crossOriginOptions, ThrowSecurityError))\n"); >+ push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginWindowPolicy(&state, thisObject.wrapped(), $crossOriginWindowPolicy, ThrowSecurityError))\n"); > } else { > push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(&state, thisObject.wrapped(), ThrowSecurityError))\n"); > } 
>@@ -5079,9 +5079,9 @@ sub GenerateOperationBodyDefinition > AddToImplIncludes("JSDOMBindingSecurity.h", $conditional); > if ($interface->type->name eq "DOMWindow") { > if ($operation->extendedAttributes->{DoNotCheckSecurityIf}) { >- my $crossOriginOptions = GetCrossOriginsOptionsFromExtendedAttributeValue($operation->extendedAttributes->{DoNotCheckSecurityIf}); >+ my $crossOriginWindowPolicy = GetCrossOriginsOptionsFromExtendedAttributeValue($operation->extendedAttributes->{DoNotCheckSecurityIf}); > AddToImplIncludes("HTTPParsers.h", $conditional); >- push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginOptions(state, castedThis->wrapped(), $crossOriginOptions, ThrowSecurityError))\n"); >+ push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindowGivenMinimumCrossOriginWindowPolicy(state, castedThis->wrapped(), $crossOriginWindowPolicy, ThrowSecurityError))\n"); > } else { > push(@$outputArray, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped(), ThrowSecurityError))\n"); > } >diff --git a/Source/WebCore/bindings/scripts/IDLAttributes.json b/Source/WebCore/bindings/scripts/IDLAttributes.json >index 37d61e028ce2287f61cee9b2bc2900417c0a3739..a9991c284bfdfe1809e70bdd3781aa070fd1c42b 100644 >--- a/Source/WebCore/bindings/scripts/IDLAttributes.json >+++ b/Source/WebCore/bindings/scripts/IDLAttributes.json >@@ -163,7 +163,7 @@ > }, > "DoNotCheckSecurityIf": { > "contextsAllowed": ["attribute", "operation"], >- "values": ["CrossOriginOptionsAllow", "CrossOriginOptionsAllowPostMessage"] >+ "values": ["CrossOriginWindowPolicyAllow", "CrossOriginWindowPolicyAllowPostMessage"] > }, > "DoNotCheckSecurityOnGetter": { > "contextsAllowed": ["attribute"] >diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp >index 04576e88f20a9c81efdf71d65ffd1cd895057bb2..50ddc9a160a637a457b16b0367cdb2b3cc4f7591 100644 >--- a/Source/WebCore/dom/Document.cpp 
>+++ b/Source/WebCore/dom/Document.cpp >@@ -3185,11 +3185,11 @@ bool Document::canNavigate(Frame* targetFrame) > return true; > > if (m_frame != targetFrame) { >- auto sourceCrossOriginOptions = m_frame->window() ? m_frame->window()->crossOriginOptions() : CrossOriginOptions::Allow; >- auto destinationCrossOriginOptions = targetFrame->window() ? targetFrame->window()->crossOriginOptions() : CrossOriginOptions::Allow; >- if (sourceCrossOriginOptions != CrossOriginOptions::Allow || destinationCrossOriginOptions != CrossOriginOptions::Allow) { >+ auto sourceCrossOriginWindowPolicy = m_frame->window() ? m_frame->window()->crossOriginWindowPolicy() : CrossOriginWindowPolicy::Allow; >+ auto destinationCrossOriginWindowPolicy = targetFrame->window() ? targetFrame->window()->crossOriginWindowPolicy() : CrossOriginWindowPolicy::Allow; >+ if (sourceCrossOriginWindowPolicy != CrossOriginWindowPolicy::Allow || destinationCrossOriginWindowPolicy != CrossOriginWindowPolicy::Allow) { > if (m_frame->document() && targetFrame->document() && !m_frame->document()->securityOrigin().canAccess(targetFrame->document()->securityOrigin())) { >- printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("Navigation was not allowed due to Cross-Origin-Options header.")); >+ printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("Navigation was not allowed due to Cross-Origin-Window-Policy header.")); > return false; > } > } >diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp >index 3f5690f09d85552c565bca326d02b6ebbbe73d4f..3fb4f280fa06e80c63d549478782c4357bb549b7 100644 >--- a/Source/WebCore/loader/FrameLoader.cpp >+++ b/Source/WebCore/loader/FrameLoader.cpp 
>@@ -747,11 +747,11 @@ void FrameLoader::didBeginDocument(bool dispatch) > m_frame.document()->setContentLanguage(headerContentLanguage); > } > >- if (m_frame.settings().crossOriginOptionsSupportEnabled()) { >- String crossOriginOptionsHeader = m_documentLoader->response().httpHeaderField(HTTPHeaderName::CrossOriginOptions); >- if (!crossOriginOptionsHeader.isNull()) { >+ if (m_frame.settings().crossOriginWindowPolicySupportEnabled()) { >+ String crossOriginWindowPolicyHeader = m_documentLoader->response().httpHeaderField(HTTPHeaderName::CrossOriginWindowPolicy); >+ if (!crossOriginWindowPolicyHeader.isNull()) { > ASSERT(m_frame.window()); >- m_frame.window()->setCrossOriginOptions(parseCrossOriginOptionsHeader(crossOriginOptionsHeader)); >+ m_frame.window()->setCrossOriginWindowPolicy(parseCrossOriginWindowPolicyHeader(crossOriginWindowPolicyHeader)); > } > } > } >diff --git a/Source/WebCore/page/AbstractDOMWindow.cpp b/Source/WebCore/page/AbstractDOMWindow.cpp >index 60118dd92062d0898f57849f715152aa52b31d87..6abe03157951f1f6b622dc3f244a23f1f66f37c0 100644 >--- a/Source/WebCore/page/AbstractDOMWindow.cpp >+++ b/Source/WebCore/page/AbstractDOMWindow.cpp >@@ -40,7 +40,7 @@ HashMap<GlobalWindowIdentifier, AbstractDOMWindow*>& AbstractDOMWindow::allWindo > > AbstractDOMWindow::AbstractDOMWindow(GlobalWindowIdentifier&& identifier) > : m_identifier(WTFMove(identifier)) >- , m_crossOriginOptions(CrossOriginOptions::Allow) >+ , m_crossOriginWindowPolicy(CrossOriginWindowPolicy::Allow) > { > ASSERT(!allWindows().contains(identifier)); > allWindows().add(identifier, this); >diff --git a/Source/WebCore/page/AbstractDOMWindow.h b/Source/WebCore/page/AbstractDOMWindow.h >index 64d45a8cacbc0ead0c71d6e404c4023be5d5f998..49917c83ae620d923ba768ed39f982b8a5b12152 100644 >--- a/Source/WebCore/page/AbstractDOMWindow.h >+++ b/Source/WebCore/page/AbstractDOMWindow.h 
>@@ -35,7 +35,7 @@ namespace WebCore { > > class AbstractFrame; > >-enum class CrossOriginOptions; >+enum class CrossOriginWindowPolicy; > > // FIXME: Rename DOMWindow to LocalWindow and AbstractDOMWindow to DOMWindow. > class AbstractDOMWindow : public RefCounted<AbstractDOMWindow>, public EventTargetWithInlineData { >@@ -54,8 +54,8 @@ public: > using RefCounted::ref; > using RefCounted::deref; > >- CrossOriginOptions crossOriginOptions() { return m_crossOriginOptions; } >- void setCrossOriginOptions(CrossOriginOptions value) { m_crossOriginOptions = value; } >+ CrossOriginWindowPolicy crossOriginWindowPolicy() const { return m_crossOriginWindowPolicy; } >+ void setCrossOriginWindowPolicy(CrossOriginWindowPolicy value) { m_crossOriginWindowPolicy = value; } > > protected: > explicit AbstractDOMWindow(GlobalWindowIdentifier&&); >@@ -66,7 +66,7 @@ protected: > > private: > GlobalWindowIdentifier m_identifier; >- CrossOriginOptions m_crossOriginOptions; >+ CrossOriginWindowPolicy m_crossOriginWindowPolicy; > }; > > } // namespace WebCore >diff --git a/Source/WebCore/page/DOMWindow.idl b/Source/WebCore/page/DOMWindow.idl >index cd412e998c353967994966292a6e8f30abeba5ab..14c392d343ec6025da155d75509c31a84c0a68d7 100644 >--- a/Source/WebCore/page/DOMWindow.idl >+++ b/Source/WebCore/page/DOMWindow.idl 
>@@ -49,11 +49,11 @@ typedef USVString CSSOMString; > PrimaryGlobal, > ] interface DOMWindow : EventTarget { > // The current browsing context. >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, Unforgeable, ImplementedAs=self] readonly attribute WindowProxy window; >- [Replaceable, DoNotCheckSecurityIf=CrossOriginOptionsAllow] readonly attribute WindowProxy self; >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, Unforgeable, ImplementedAs=self] readonly attribute WindowProxy window; >+ [Replaceable, DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow] readonly attribute WindowProxy self; > [Unforgeable] readonly attribute Document document; > attribute DOMString name; >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, PutForwards=href, Unforgeable] readonly attribute Location? location; // FIXME: Should not be nullable. >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, PutForwards=href, Unforgeable] readonly attribute Location? location; // FIXME: Should not be nullable. > readonly attribute History history; > [EnabledAtRuntime=CustomElements, ImplementedAs=ensureCustomElementRegistry] readonly attribute CustomElementRegistry customElements; > [Replaceable] readonly attribute BarProp locationbar; 
>@@ -63,18 +63,18 @@ typedef USVString CSSOMString; > [Replaceable] readonly attribute BarProp statusbar; > [Replaceable] readonly attribute BarProp toolbar; > attribute DOMString status; >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, CallWith=IncumbentDocument, ForwardDeclareInHeader] void close(); >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, ForwardDeclareInHeader] readonly attribute boolean closed; >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, CallWith=IncumbentDocument, ForwardDeclareInHeader] void close(); >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, ForwardDeclareInHeader] readonly attribute boolean closed; > void stop(); >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, CallWith=IncumbentWindow, ForwardDeclareInHeader] void focus(); >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, ForwardDeclareInHeader] void blur(); >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, CallWith=IncumbentWindow, ForwardDeclareInHeader] void focus(); >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, ForwardDeclareInHeader] void blur(); > > // Other browsing contexts. >- [Replaceable, DoNotCheckSecurityIf=CrossOriginOptionsAllow, ImplementedAs=self] readonly attribute WindowProxy frames; >- [Replaceable, DoNotCheckSecurityIf=CrossOriginOptionsAllow] readonly attribute unsigned long length; >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, Unforgeable] readonly attribute WindowProxy? top; >- [DoNotCheckSecurityIf=CrossOriginOptionsAllow, CustomSetter] attribute WindowProxy? opener; >- [Replaceable, DoNotCheckSecurityIf=CrossOriginOptionsAllow] readonly attribute WindowProxy? parent; >+ [Replaceable, DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, ImplementedAs=self] readonly attribute WindowProxy frames; >+ [Replaceable, DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow] readonly attribute unsigned long length; >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, Unforgeable] readonly attribute WindowProxy? 
top; >+ [DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow, CustomSetter] attribute WindowProxy? opener; >+ [Replaceable, DoNotCheckSecurityIf=CrossOriginWindowPolicyAllow] readonly attribute WindowProxy? parent; > [CheckSecurityForNode] readonly attribute Element? frameElement; > [CallWith=ActiveWindow&FirstWindow] WindowProxy? open(optional USVString url = "about:blank", optional DOMString target = "_blank", optional [TreatNullAs=EmptyString] DOMString features = ""); > >@@ -92,7 +92,7 @@ typedef USVString CSSOMString; > long requestAnimationFrame(RequestAnimationFrameCallback callback); // FIXME: Should return an unsigned long. > void cancelAnimationFrame(long handle); // FIXME: handle should be an unsigned long. > >- [CallWith=ScriptState&IncumbentWindow, DoNotCheckSecurityIf=CrossOriginOptionsAllowPostMessage, ForwardDeclareInHeader, MayThrowException] void postMessage(any message, USVString targetOrigin, optional sequence<object> transfer = []); >+ [CallWith=ScriptState&IncumbentWindow, DoNotCheckSecurityIf=CrossOriginWindowPolicyAllowPostMessage, ForwardDeclareInHeader, MayThrowException] void postMessage(any message, USVString targetOrigin, optional sequence<object> transfer = []); > > // Obsolete members, still part of the HTML specification (https://html.spec.whatwg.org/#Window-partial). > void captureEvents(); // Not implemented. Also not in modern standards. Empty function may help compatibility with legacy content. >diff --git a/Source/WebCore/page/Settings.yaml b/Source/WebCore/page/Settings.yaml >index 4b7465fcd0b6172bb995320647cbdf4c3ed8f03e..dd9ed86fa1554cf7d76e49a1fe9667112ee6609a 100644 >--- a/Source/WebCore/page/Settings.yaml >+++ b/Source/WebCore/page/Settings.yaml >@@ -744,7 +744,7 @@ clientCoordinatesRelativeToLayoutViewport: > initial: false > onChange: setNeedsRecalcStyleInAllFrames > >-crossOriginOptionsSupportEnabled: >+crossOriginWindowPolicySupportEnabled: > initial: true > > accessibilityEventsEnabled: 
>diff --git a/Source/WebCore/platform/network/HTTPHeaderNames.in b/Source/WebCore/platform/network/HTTPHeaderNames.in >index 69a20e2f92d7baae9f570df2bccdfc580638dfb7..47f69040e81b92a2f03f2772436eaa4c62e82bf1 100644 >--- a/Source/WebCore/platform/network/HTTPHeaderNames.in >+++ b/Source/WebCore/platform/network/HTTPHeaderNames.in >@@ -50,8 +50,8 @@ Content-Type > Content-Range > Cookie > Cookie2 >-Cross-Origin-Options > Cross-Origin-Resource-Policy >+Cross-Origin-Window-Policy > Date > DNT > Default-Style >diff --git a/Source/WebCore/platform/network/HTTPParsers.cpp b/Source/WebCore/platform/network/HTTPParsers.cpp >index e376e6e32ce5e173698e67c0001904b129fde793..4c3ac52e06275da4086b78573705d703dc7956c4 100644 >--- a/Source/WebCore/platform/network/HTTPParsers.cpp >+++ b/Source/WebCore/platform/network/HTTPParsers.cpp >@@ -913,19 +913,19 @@ CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView header > return CrossOriginResourcePolicy::Invalid; > } > >-CrossOriginOptions parseCrossOriginOptionsHeader(StringView header) >+CrossOriginWindowPolicy parseCrossOriginWindowPolicyHeader(StringView header) > { > header = stripLeadingAndTrailingHTTPSpaces(header); > if (header.isEmpty()) >- return CrossOriginOptions::Allow; >+ return CrossOriginWindowPolicy::Allow; > > if (equalLettersIgnoringASCIICase(header, "deny")) >- return CrossOriginOptions::Deny; >+ return CrossOriginWindowPolicy::Deny; > > if (equalLettersIgnoringASCIICase(header, "allow-postmessage")) >- return CrossOriginOptions::AllowPostMessage; >+ return CrossOriginWindowPolicy::AllowPostMessage; > >- return CrossOriginOptions::Allow; >+ return CrossOriginWindowPolicy::Allow; > } > > } >diff --git a/Source/WebCore/platform/network/HTTPParsers.h b/Source/WebCore/platform/network/HTTPParsers.h >index 7452fdc8c0c79f1c818fdb176c231ec5fa5e5ec2..5d55551b174b39d0b9d1a49c847410e329ccf8e6 100644 >--- a/Source/WebCore/platform/network/HTTPParsers.h >+++ b/Source/WebCore/platform/network/HTTPParsers.h 
>@@ -72,7 +72,7 @@ enum class CrossOriginResourcePolicy { > }; > > // Should be sorted from most restrictive to most permissive. >-enum class CrossOriginOptions { >+enum class CrossOriginWindowPolicy { > Deny, > AllowPostMessage, > Allow, >@@ -118,7 +118,7 @@ bool isCrossOriginSafeRequestHeader(HTTPHeaderName, const String&); > String normalizeHTTPMethod(const String&); > > WEBCORE_EXPORT CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView); >-CrossOriginOptions parseCrossOriginOptionsHeader(StringView); >+CrossOriginWindowPolicy parseCrossOriginWindowPolicyHeader(StringView); > > inline bool isHTTPSpace(UChar character) > { >diff --git a/Source/WebKit/Shared/WebPreferences.yaml b/Source/WebKit/Shared/WebPreferences.yaml >index 4f75d3417d286784680ae553752333a498c4f5ca..be55d1a3ed1cb3ffbca1edc3345b25327896e795 100644 >--- a/Source/WebKit/Shared/WebPreferences.yaml >+++ b/Source/WebKit/Shared/WebPreferences.yaml >@@ -1097,11 +1097,11 @@ ConstantPropertiesEnabled: > humanReadableDescription: "Enable CSS constant() values" > category: experimental > >-CrossOriginOptionsSupportEnabled: >+CrossOriginWindowPolicySupportEnabled: > type: bool > defaultValue: true >- humanReadableName: "Cross-Origin-Options HTTP Header" >- humanReadableDescription: "Enable support for Cross-Origin-Options HTTP Header" >+ humanReadableName: "Cross-Origin-Window-Policy HTTP Header" >+ humanReadableDescription: "Enable support for Cross-Origin-Window-Policy HTTP Header" > category: experimental > > SpringTimingFunctionEnabled: >diff --git a/Source/WebKit/WebProcess/WebPage/WebPage.cpp b/Source/WebKit/WebProcess/WebPage/WebPage.cpp >index b57f66faadb949cbd5765bb380b35a3b9b5c24fe..9703d4976c1fc92548823e6e8bf5841ace5e59f7 100644 >--- a/Source/WebKit/WebProcess/WebPage/WebPage.cpp >+++ b/Source/WebKit/WebProcess/WebPage/WebPage.cpp 
>@@ -5951,7 +5951,7 @@ void WebPage::frameBecameRemote(uint64_t frameID, GlobalFrameIdentifier&& remote > > auto remoteFrame = RemoteFrame::create(WTFMove(remoteFrameIdentifier)); > auto remoteWindow = RemoteDOMWindow::create(remoteFrame.copyRef(), WTFMove(remoteWindowIdentifier)); >- remoteWindow->setCrossOriginOptions(previousWindow->crossOriginOptions()); >+ remoteWindow->setCrossOriginWindowPolicy(previousWindow->crossOriginWindowPolicy()); > > remoteFrame->setOpener(frame->coreFrame()->loader().opener()); > >diff --git a/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h b/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h >index a5893212103a9f688cb8dd8f98c96b6521470965..5b7b9ed69cccd9df9f764eefc1d63bc616c8f652 100644 >--- a/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h >+++ b/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h >@@ -173,7 +173,7 @@ > #define WebKitDataTransferItemsEnabledPreferenceKey @"WebKitDataTransferItemsEnabled" > #define WebKitCustomPasteboardDataEnabledPreferenceKey @"WebKitCustomPasteboardDataEnabled" > #define WebKitCacheAPIEnabledPreferenceKey @"WebKitCacheAPIEnabled" >-#define WebKitCrossOriginOptionsSupportEnabledPreferenceKey @"WebKitCrossOriginOptionsSupportEnabled" >+#define WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey @"WebKitCrossOriginWindowPolicySupportEnabled" > #define WebKitFetchAPIEnabledPreferenceKey @"WebKitFetchAPIEnabled" > #define WebKitWritableStreamAPIEnabledPreferenceKey @"WebKitWritableStreamAPIEnabled" > #define WebKitReadableByteStreamAPIEnabledPreferenceKey @"WebKitReadableByteStreamAPIEnabled" >diff --git a/Source/WebKitLegacy/mac/WebView/WebPreferences.mm b/Source/WebKitLegacy/mac/WebView/WebPreferences.mm >index 007e9b868c15157a480c43f77941a1b7b879193f..30c4098638ce632db3425abc80b63aa48d0b8696 100644 >--- a/Source/WebKitLegacy/mac/WebView/WebPreferences.mm >+++ b/Source/WebKitLegacy/mac/WebView/WebPreferences.mm 
>@@ -634,7 +634,7 @@ + (void)initialize > [NSNumber numberWithBool:NO], WebKitWebGPUEnabledPreferenceKey, > #endif > [NSNumber numberWithBool:NO], WebKitCacheAPIEnabledPreferenceKey, >- [NSNumber numberWithBool:NO], WebKitCrossOriginOptionsSupportEnabledPreferenceKey, >+ [NSNumber numberWithBool:YES], WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey, > [NSNumber numberWithBool:YES], WebKitFetchAPIEnabledPreferenceKey, > > #if ENABLE(STREAMS_API) >@@ -3011,14 +3011,14 @@ - (void)setCacheAPIEnabled:(BOOL)flag > [self _setBoolValue:flag forKey:WebKitCacheAPIEnabledPreferenceKey]; > } > >-- (BOOL)crossOriginOptionsSupportEnabled >+- (BOOL)crossOriginWindowPolicySupportEnabled > { >- return [self _boolValueForKey:WebKitCrossOriginOptionsSupportEnabledPreferenceKey]; >+ return [self _boolValueForKey:WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey]; > } > >-- (void)setCrossOriginOptionsSupportEnabled:(BOOL)flag >+- (void)setCrossOriginWindowPolicySupportEnabled:(BOOL)flag > { >- [self _setBoolValue:flag forKey:WebKitCrossOriginOptionsSupportEnabledPreferenceKey]; >+ [self _setBoolValue:flag forKey:WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey]; > } > > - (BOOL)fetchAPIEnabled >diff --git a/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h b/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h >index 19ac76df250103c5e046c206dd077cd29c8521ab..6fa5a843b4a342021c426b493f3225b5966df684 100644 >--- a/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h >+++ b/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h 
>@@ -543,8 +543,8 @@ extern NSString *WebPreferencesCacheModelChangedInternalNotification WEBKIT_DEPR > - (BOOL)cacheAPIEnabled; > - (void)setCacheAPIEnabled:(BOOL)enabled; > >-- (BOOL)crossOriginOptionsSupportEnabled; >-- (void)setCrossOriginOptionsSupportEnabled:(BOOL)enabled; >+- (BOOL)crossOriginWindowPolicySupportEnabled; >+- (void)setCrossOriginWindowPolicySupportEnabled:(BOOL)enabled; > > - (void)setFetchAPIEnabled:(BOOL)flag; > - (BOOL)fetchAPIEnabled; >diff --git a/Source/WebKitLegacy/mac/WebView/WebView.mm b/Source/WebKitLegacy/mac/WebView/WebView.mm >index 3b60a0b4c50ae8936692040183b29371886ef0fb..7875a7ea4164fe67249dc9d499ffc98a17533f9a 100644 >--- a/Source/WebKitLegacy/mac/WebView/WebView.mm >+++ b/Source/WebKitLegacy/mac/WebView/WebView.mm >@@ -3070,7 +3070,7 @@ - (void)_preferencesChanged:(WebPreferences *)preferences > > settings.setViewportFitEnabled([preferences viewportFitEnabled]); > settings.setConstantPropertiesEnabled([preferences constantPropertiesEnabled]); >- settings.setCrossOriginOptionsSupportEnabled([preferences crossOriginOptionsSupportEnabled]); >+ settings.setCrossOriginWindowPolicySupportEnabled([preferences crossOriginWindowPolicySupportEnabled]); > > #if ENABLE(GAMEPAD) > RuntimeEnabledFeatures::sharedFeatures().setGamepadsEnabled([preferences gamepadsEnabled]); >diff --git a/Source/WebKitLegacy/win/Interfaces/IWebPreferencesPrivate.idl b/Source/WebKitLegacy/win/Interfaces/IWebPreferencesPrivate.idl >index 4b40c59d26297b3f5f93bf52792762c003ae5046..d1643f3facd336bbe50f4d83f5a2f0c74805a49b 100644 >--- a/Source/WebKitLegacy/win/Interfaces/IWebPreferencesPrivate.idl >+++ b/Source/WebKitLegacy/win/Interfaces/IWebPreferencesPrivate.idl 
>@@ -234,6 +234,6 @@ interface IWebPreferencesPrivate6 : IWebPreferencesPrivate5 > [uuid(9A49D1DE-53DD-11E8-95E6-003EE1C28AB6)] > interface IWebPreferencesPrivate7 : IWebPreferencesPrivate6 > { >- HRESULT crossOriginOptionsSupportEnabled([out, retval] BOOL* enabled); >- HRESULT setCrossOriginOptionsSupportEnabled([in] BOOL enabled); >+ HRESULT crossOriginWindowPolicySupportEnabled([out, retval] BOOL* enabled); >+ HRESULT setCrossOriginWindowPolicySupportEnabled([in] BOOL enabled); > } >diff --git a/Source/WebKitLegacy/win/WebPreferenceKeysPrivate.h b/Source/WebKitLegacy/win/WebPreferenceKeysPrivate.h >index 60693783c44ccb42ec5d5c5bfe52ae60c08f00dd..3c48fb078dc92d7b947d17695a1640039751be29 100644 >--- a/Source/WebKitLegacy/win/WebPreferenceKeysPrivate.h >+++ b/Source/WebKitLegacy/win/WebPreferenceKeysPrivate.h >@@ -180,7 +180,7 @@ > > #define WebKitMenuItemElementEnabledPreferenceKey "WebKitMenuItemElementEnabled" > >-#define WebKitCrossOriginOptionsSupportEnabledPreferenceKey "WebKitCrossOriginOptionsSupportEnabled" >+#define WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey "WebKitCrossOriginWindowPolicySupportEnabled" > > #define WebKitModernMediaControlsEnabledPreferenceKey "WebKitModernMediaControlsEnabled" > >diff --git a/Source/WebKitLegacy/win/WebPreferences.cpp b/Source/WebKitLegacy/win/WebPreferences.cpp >index 2b8c651d85792153b7ff0f53cd308fb194b96836..e3806fd0bc9d0392fdde71eaecfdbc71cc55b562 100644 >--- a/Source/WebKitLegacy/win/WebPreferences.cpp >+++ b/Source/WebKitLegacy/win/WebPreferences.cpp 
>@@ -249,7 +249,7 @@ void WebPreferences::initializeDefaultSettings() > CFDictionaryAddValue(defaults, CFSTR(WebKitShouldDisplaySubtitlesPreferenceKey), kCFBooleanFalse); > CFDictionaryAddValue(defaults, CFSTR(WebKitShouldDisplayCaptionsPreferenceKey), kCFBooleanFalse); > CFDictionaryAddValue(defaults, CFSTR(WebKitShouldDisplayTextDescriptionsPreferenceKey), kCFBooleanFalse); >- CFDictionaryAddValue(defaults, CFSTR(WebKitCrossOriginOptionsSupportEnabledPreferenceKey), kCFBooleanFalse); >+ CFDictionaryAddValue(defaults, CFSTR(WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey), kCFBooleanTrue); > > RetainPtr<CFStringRef> linkBehaviorStringRef = adoptCF(CFStringCreateWithFormat(0, 0, CFSTR("%d"), WebKitEditableLinkDefaultBehavior)); > CFDictionaryAddValue(defaults, CFSTR(WebKitEditableLinkBehaviorPreferenceKey), linkBehaviorStringRef.get()); >@@ -2034,17 +2034,17 @@ HRESULT WebPreferences::setMenuItemElementEnabled(BOOL enabled) > return S_OK; > } > >-HRESULT WebPreferences::crossOriginOptionsSupportEnabled(_Out_ BOOL* enabled) >+HRESULT WebPreferences::crossOriginWindowPolicySupportEnabled(_Out_ BOOL* enabled) > { > if (!enabled) > return E_POINTER; >- *enabled = boolValueForKey(WebKitCrossOriginOptionsSupportEnabledPreferenceKey); >+ *enabled = boolValueForKey(WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey); > return S_OK; > } > >-HRESULT WebPreferences::setCrossOriginOptionsSupportEnabled(BOOL enabled) >+HRESULT WebPreferences::setCrossOriginWindowPolicySupportEnabled(BOOL enabled) > { >- setBoolValue(WebKitCrossOriginOptionsSupportEnabledPreferenceKey, enabled); >+ setBoolValue(WebKitCrossOriginWindowPolicySupportEnabledPreferenceKey, enabled); > return S_OK; > } > >diff --git a/Source/WebKitLegacy/win/WebPreferences.h b/Source/WebKitLegacy/win/WebPreferences.h >index 9b78c0062a21c269f23bd7e97b847eb07c90e127..ae76f99bbe348f56864318e4f796ac65f769b217 100644 >--- a/Source/WebKitLegacy/win/WebPreferences.h 
>+++ b/Source/WebKitLegacy/win/WebPreferences.h >@@ -279,8 +279,8 @@ public: > virtual HRESULT STDMETHODCALLTYPE setServerTimingEnabled(BOOL); > > // IWebPreferencesPrivate7 >- virtual HRESULT STDMETHODCALLTYPE crossOriginOptionsSupportEnabled(_Out_ BOOL*); >- virtual HRESULT STDMETHODCALLTYPE setCrossOriginOptionsSupportEnabled(BOOL); >+ virtual HRESULT STDMETHODCALLTYPE crossOriginWindowPolicySupportEnabled(_Out_ BOOL*); >+ virtual HRESULT STDMETHODCALLTYPE setCrossOriginWindowPolicySupportEnabled(BOOL); > > // WebPreferences > >diff --git a/Source/WebKitLegacy/win/WebView.cpp b/Source/WebKitLegacy/win/WebView.cpp >index 64b7b88dda70a6c6f541de200a71365a8e747be1..34366ea264a5df0e63fcf21702b5578dc51999bf 100644 >--- a/Source/WebKitLegacy/win/WebView.cpp >+++ b/Source/WebKitLegacy/win/WebView.cpp >@@ -5279,10 +5279,10 @@ HRESULT WebView::notifyPreferencesChanged(IWebNotification* notification) > return hr; > settings.setVisualViewportAPIEnabled(!!enabled); > >- hr = prefsPrivate->crossOriginOptionsSupportEnabled(&enabled); >+ hr = prefsPrivate->crossOriginWindowPolicySupportEnabled(&enabled); > if (FAILED(hr)) > return hr; >- settings.setCrossOriginOptionsSupportEnabled(!!enabled); >+ settings.setCrossOriginWindowPolicySupportEnabled(!!enabled); > > hr = preferences->privateBrowsingEnabled(&enabled); > if (FAILED(hr)) >diff --git a/Tools/ChangeLog b/Tools/ChangeLog >index 2fc4f37a91338e4b7c17e0efe577f8c68e37a94b..93b1427b85080357f08daa3aeb4726ac5ec8c84d 100644 >--- a/Tools/ChangeLog >+++ b/Tools/ChangeLog 
>@@ -1,3 +1,16 @@ >+2018-06-04 Chris Dumez <cdumez@apple.com> >+ >+ Rename "Cross-Origin-Options" HTTP header to "Cross-Origin-Window-Policy" >+ https://bugs.webkit.org/show_bug.cgi?id=186287 >+ <rdar://problem/40783352> >+ >+ Reviewed by Youenn Fablet. >+ >+ * DumpRenderTree/mac/DumpRenderTree.mm: >+ (enableExperimentalFeatures): >+ * DumpRenderTree/win/DumpRenderTree.cpp: >+ (enableExperimentalFeatures): >+ > 2018-06-04 Alexey Proskuryakov <ap@apple.com> > > Add Mojave support to WebKit tools >diff --git a/Tools/DumpRenderTree/mac/DumpRenderTree.mm b/Tools/DumpRenderTree/mac/DumpRenderTree.mm >index c1da7dcadbc78b08cccf5463e06c4558051f4762..e3384b109a6e849a196cad268d404364c1af4e10 100644 >--- a/Tools/DumpRenderTree/mac/DumpRenderTree.mm >+++ b/Tools/DumpRenderTree/mac/DumpRenderTree.mm >@@ -862,7 +862,7 @@ static void enableExperimentalFeatures(WebPreferences* preferences) > [preferences setAccessibilityObjectModelEnabled:YES]; > [preferences setVisualViewportAPIEnabled:YES]; > [preferences setColorFilterEnabled:YES]; >- [preferences setCrossOriginOptionsSupportEnabled:YES]; >+ [preferences setCrossOriginWindowPolicySupportEnabled:YES]; > [preferences setServerTimingEnabled:YES]; > } > >diff --git a/Tools/DumpRenderTree/win/DumpRenderTree.cpp b/Tools/DumpRenderTree/win/DumpRenderTree.cpp >index 9bf7264336db799599a2a49595d5e147953b76eb..a70675280138d73d45285274e871d1e31608f638 100644 >--- a/Tools/DumpRenderTree/win/DumpRenderTree.cpp >+++ b/Tools/DumpRenderTree/win/DumpRenderTree.cpp >@@ -789,7 +789,7 @@ static void enableExperimentalFeatures(IWebPreferences* preferences) > prefsPrivate->setServerTimingEnabled(TRUE); > // FIXME: WebGL2 > // FIXME: WebRTC >- prefsPrivate->setCrossOriginOptionsSupportEnabled(TRUE); >+ prefsPrivate->setCrossOriginWindowPolicySupportEnabled(TRUE); > } > > static void resetWebPreferencesToConsistentValues(IWebPreferences* preferences) 
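Review bot: In Source/WebCore/platform/network/HTTPParsers.cpp, the final `return CrossOriginWindowPolicy::Allow;` in parseCrossOriginWindowPolicyHeader() makes every unrecognized value fall back to the most permissive policy, and nothing at that line says this is deliberate. The function just above it ends in `return CrossOriginResourcePolicy::Invalid;`, so the two parsers in the same file now differ in how they treat bad input. The layout tests in this patch expect 'deny,allow' and 'invalid' to behave as allow, so the fail-open result looks intended. Please add a comment on the last return saying so, since a misspelled `deny` then leaves the window with no restriction and no diagnostic. The enum comment in HTTPParsers.h ("sorted from most restrictive to most permissive") is a good place to note that Allow is also the fallback for invalid input.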
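Review bot: In Source/WebKitLegacy/mac/WebView/WebPreferences.mm (+initialize) and Source/WebKitLegacy/win/WebPreferences.cpp (initializeDefaultSettings), the default value flips from `numberWithBool:NO` / `kCFBooleanFalse` to `numberWithBool:YES` / `kCFBooleanTrue` on the same lines that rename the key, which is a behaviour change inside a patch whose title and ChangeLog text describe only a rename. The new default matches the unchanged `defaultValue: true` in Source/WebKit/Shared/WebPreferences.yaml, so it may be intentional, but it should either be called out in the ChangeLog or land separately so it can be reverted on its own. Note also that the stored preference key string changes to "WebKitCrossOriginWindowPolicySupportEnabled", so a value previously saved under "WebKitCrossOriginOptionsSupportEnabled" is no longer read by these accessors.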
>diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index a66b52c1f9c089530af7b79717e52113ede971ca..613e2d6a9f80da4714491a9c4ef1af97b670ca6c 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,39 @@ >+2018-06-04 Chris Dumez <cdumez@apple.com> >+ >+ Rename "Cross-Origin-Options" HTTP header to "Cross-Origin-Window-Policy" >+ https://bugs.webkit.org/show_bug.cgi?id=186287 >+ <rdar://problem/40783352> >+ >+ Reviewed by Youenn Fablet. >+ >+ * http/wpt/cross-origin-options/allow-postmessage-expected.txt: Removed. >+ * http/wpt/cross-origin-options/allow-postmessage-from-deny-expected.txt: Removed. >+ * http/wpt/cross-origin-options/allow-postmessage-from-deny.html.headers: Removed. >+ * http/wpt/cross-origin-options/cross-origin-options-header-expected.txt: Removed. >+ * http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt: Removed. >+ * http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt: Removed. >+ * http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html.headers: Removed. >+ * http/wpt/cross-origin-window-policy/allow-postmessage-expected.txt: Added. >+ * http/wpt/cross-origin-window-policy/allow-postmessage-from-deny-expected.txt: Added. >+ * http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html: Renamed from LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny.html. >+ * http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html.headers: Added. >+ * http/wpt/cross-origin-window-policy/allow-postmessage.html: Renamed from LayoutTests/http/wpt/cross-origin-options/allow-postmessage.html. >+ * http/wpt/cross-origin-window-policy/cross-origin-window-policy-header-expected.txt: Added. >+ * http/wpt/cross-origin-window-policy/cross-origin-window-policy-header.html: Renamed from LayoutTests/http/wpt/cross-origin-options/cross-origin-options-header.html. >+ * http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target-expected.txt: Added. 
>+ * http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target.html: Renamed from LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html. >+ * http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target-expected.txt: Added. >+ * http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target.html: Renamed from LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html. >+ * http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html: Renamed from LayoutTests/http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html. >+ * http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html.headers: Added. >+ * http/wpt/cross-origin-window-policy/resources/destination.html: Renamed from LayoutTests/http/wpt/cross-origin-options/resources/destination.html. >+ * http/wpt/cross-origin-window-policy/resources/navigate-parent-via-anchor.html: Renamed from LayoutTests/http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html. >+ * http/wpt/cross-origin-window-policy/resources/navigation-from-subframe-frame.py: Renamed from LayoutTests/http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py. >+ (main): >+ * http/wpt/cross-origin-window-policy/resources/serve-cross-origin-window-policy-header.py: Renamed from LayoutTests/http/wpt/cross-origin-options/resources/serve-cross-origin-options-header.py. >+ (main): >+ * http/wpt/cross-origin-window-policy/resources/utils.js: Renamed from LayoutTests/http/wpt/cross-origin-options/resources/utils.js. >+ > 2018-06-04 Ryosuke Niwa <rniwa@webkit.org> > > Moved the corresponding expected results for the tests moved in r232430. 
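Review bot: In the LayoutTests/ChangeLog entry, the two `(main):` lines under resources/navigation-from-subframe-frame.py and resources/serve-cross-origin-window-policy-header.py have no description, yet these are the handlers that emit the header the tests depend on. A short note after each `(main):` saying what changed in the function would let a reader confirm from the ChangeLog that the tests now exercise the new header name rather than the old one. The `-expected.txt` and `.headers` files are listed as Removed plus Added while the `.html` files are listed as Renamed; if the former are also renames with content edits, recording them the same way keeps the history consistent.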
>diff --git a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-expected.txt b/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-expected.txt >deleted file mode 100644 >index 0e9998789a63bac7981b9ab67f9a62af248593eb..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-expected.txt >+++ /dev/null >@@ -1,5 +0,0 @@ >- >- >-PASS postMessage() on Cross-origin iframe with 'Cross-Origin-Options: allow-postmessage' HTTP header >-PASS postMessage() on Cross-origin popup with 'Cross-Origin-Options: allow-postmessage' HTTP header >- >diff --git a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny-expected.txt b/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny-expected.txt >deleted file mode 100644 >index 49f6c93d1d47fa77ff99b5940605f56ac1527c8e..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny-expected.txt >+++ /dev/null >@@ -1,5 +0,0 @@ >- >- >-PASS postMessage() on Cross-origin iframe with 'Cross-Origin-Options: allow-postmessage' but current window has 'deny' option >-PASS postMessage() on Cross-origin popup with 'Cross-Origin-Options: allow-postmessage' but current window has 'deny' option >- >diff --git a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny.html b/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny.html >deleted file mode 100644 >index 3494f0a27d0687d6653a03a8d1a964db8fd2b926..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny.html >+++ /dev/null 
>@@ -1,31 +0,0 @@ >-<!DOCTYPE html> >-<html> >-<head> >-<meta charset="utf-8"> >-<title>Tests calling postMessage() on a window with 'Cross-Origin-Options: allow-postmessage' from a window with 'Cross-Origin-Options: deny'</title> >-<script src="/resources/testharness.js"></script> >-<script src="/resources/testharnessreport.js"></script> >-<script src="/common/utils.js"></script> >-<script src="/common/get-host-info.sub.js"></script> >-<script src="resources/utils.js"></script> >-</head> >-<body> >-<script> >- >-promise_test(function(test) { >- return withIframe("cross-origin-options-allow-postmessage-pong.html", true /* isCrossOrigin */).then((f) => { >- assert_throws("SecurityError", function() { f.contentWindow.length }, "length property access"); >- assert_throws("SecurityError", function() { f.contentWindow.postMessage("PING", "*"); }, "Calling postMessage() should throw"); >- }); >-}, "postMessage() on Cross-origin iframe with 'Cross-Origin-Options: allow-postmessage' but current window has 'deny' option"); >- >-promise_test(function(test) { >- return withPopup("cross-origin-options-allow-postmessage-pong.html", true /* isCrossOrigin */).then((result) => { >- assert_throws("SecurityError", function() { result.window.length }, "length property access"); >- assert_throws("SecurityError", function() { result.window.postMessage("PING", "*"); }, "Calling postMessage() should throw"); >- }); >-}, "postMessage() on Cross-origin popup with 'Cross-Origin-Options: allow-postmessage' but current window has 'deny' option"); >- >-</script> >-</body> >-</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny.html.headers b/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny.html.headers >deleted file mode 100644 >index bf59633200a5c1247116c058f54fe7f56359e146..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage-from-deny.html.headers >+++ /dev/null 
>@@ -1 +0,0 @@ >-Cross-Origin-Options: deny >diff --git a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage.html b/LayoutTests/http/wpt/cross-origin-options/allow-postmessage.html >deleted file mode 100644 >index b11e56296fdab81a2e1f5b129454e7f250e52b31..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/allow-postmessage.html >+++ /dev/null 
>@@ -1,47 +0,0 @@ >-<!DOCTYPE html> >-<html> >-<head> >-<meta charset="utf-8"> >-<title>Tests that postMessage() works when 'Cross-Origin-Options: allow-postmessage' HTTP header is served</title> >-<script src="/resources/testharness.js"></script> >-<script src="/resources/testharnessreport.js"></script> >-<script src="/common/utils.js"></script> >-<script src="/common/get-host-info.sub.js"></script> >-<script src="resources/utils.js"></script> >-</head> >-<body> >-<script> >- >-promise_test(function(test) { >- return withIframe("cross-origin-options-allow-postmessage-pong.html", true /* isCrossOrigin */).then((f) => { >- return new Promise((resolve) => { >- window.onmessage = (msg) => { >- window.onmessage = null; >- assert_equals(msg.data, "PONG"); >- assert_equals(msg.source, f.contentWindow); >- resolve(); >- }; >- assert_throws("SecurityError", function() { f.contentWindow.length }, "length property access"); >- f.contentWindow.postMessage("PING", "*"); >- }); >- }); >-}, "postMessage() on Cross-origin iframe with 'Cross-Origin-Options: allow-postmessage' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("cross-origin-options-allow-postmessage-pong.html", true /* isCrossOrigin */).then((result) => { >- return new Promise((resolve) => { >- window.onmessage = (msg) => { >- window.onmessage = null; >- assert_equals(msg.data, "PONG"); >- assert_equals(msg.source, result.window); >- resolve(); >- }; >- assert_throws("SecurityError", function() { result.window.length }, "length property access"); >- result.window.postMessage("PING", "*"); >- }); >- }); >-}, "postMessage() on Cross-origin popup with 'Cross-Origin-Options: allow-postmessage' HTTP header"); >- >-</script> >-</body> >-</html> 
>diff --git a/LayoutTests/http/wpt/cross-origin-options/cross-origin-options-header-expected.txt b/LayoutTests/http/wpt/cross-origin-options/cross-origin-options-header-expected.txt >deleted file mode 100644 >index a03b128eadfe3bc6bd998eb6133fe882a8af8e55..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/cross-origin-options-header-expected.txt >+++ /dev/null >@@ -1,22 +0,0 @@ >- >- >-PASS Cross-origin iframe with 'Cross-Origin-Options: deny' HTTP header >-PASS Cross-origin iframe with 'Cross-Origin-Options: allow-postmessage' HTTP header >-PASS Cross-origin iframe with 'Cross-Origin-Options: alLoW-postMessAgE' HTTP header (mixed case) >-PASS Cross-origin iframe with 'Cross-Origin-Options: deny,allow' HTTP header (multiple values is invalid) >-PASS Cross-origin iframe with 'Cross-Origin-Options:' HTTP header (empty value) >-PASS Cross-origin iframe with 'Cross-Origin-Options: allow' HTTP header >-PASS Cross-origin iframe with 'Cross-Origin-Options: invalid' HTTP header >-PASS Same-origin iframe with 'Cross-Origin-Options: deny' HTTP header >-PASS Same-origin iframe with 'Cross-Origin-Options: allow-postmessage' HTTP header >-PASS Same-origin iframe with 'Cross-Origin-Options: allow' HTTP header >-PASS Same-origin iframe with 'Cross-Origin-Options: invalid' HTTP header >-PASS Cross-origin popup with 'Cross-Origin-Options: deny' HTTP header >-PASS Cross-origin popup with 'Cross-Origin-Options: allow-postmessage' HTTP header >-PASS Cross-origin popup with 'Cross-Origin-Options: allow' HTTP header >-PASS Cross-origin popup with 'Cross-Origin-Options: invalid' HTTP header >-PASS Same-origin popup with 'Cross-Origin-Options: deny' HTTP header >-PASS Same-origin popup with 'Cross-Origin-Options: allow-postmessage' HTTP header >-PASS Same-origin popup with 'Cross-Origin-Options: allow' HTTP header >-PASS Same-origin popup with 'Cross-Origin-Options: invalid' HTTP header >- 
>diff --git a/LayoutTests/http/wpt/cross-origin-options/cross-origin-options-header.html b/LayoutTests/http/wpt/cross-origin-options/cross-origin-options-header.html >deleted file mode 100644 >index ffad3b341fb72bd4ea9500f7bd4604f89080496b..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/cross-origin-options-header.html >+++ /dev/null 
>@@ -1,198 +0,0 @@ >-<!DOCTYPE html> >-<html> >-<head> >-<meta charset="utf-8"> >-<title>Basic testing for Cross-Origin-Options HTTP header</title> >-<script src="/resources/testharness.js"></script> >-<script src="/resources/testharnessreport.js"></script> >-<script src="/common/utils.js"></script> >-<script src="/common/get-host-info.sub.js"></script> >-<script src="resources/utils.js"></script> >-</head> >-<body> >-<script> >- >-// Test frame has a subframe so we expect an indexed property with index 0. >-crossOriginPropertyNames.push('0'); >- >-function checkIframePropertyValues(w) >-{ >- assert_equals(w.parent, window, "'parent' property value"); >- assert_equals(w.top, window, "'top' property value"); >- assert_equals(w.opener, null, "'opener' property value"); >- assert_equals(w.length, 1, "'length' property value"); >- assert_not_throwing(function() { w[0]; }, "Subframe access via index"); >- assert_equals(w['subframe'], w[0], "Subframe access by name"); >-} >- >-function checkPopupPropertyValues(w) >-{ >- assert_equals(w.parent, w, "'parent' property value"); >- assert_equals(w.top, w, "'top' property value"); >- assert_equals(w.opener, window, "'opener' property value"); >- assert_equals(w.length, 1, "'length' property value"); >- assert_not_throwing(function() { w[0]; }, "Subframe access via index"); >- assert_equals(w['subframe'], w[0], "Subframe access by name"); >-} >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=deny", true /* isCrossOrigin */).then((f) => { >- testCrossOriginOption(f.contentWindow, "deny", true /* isCrossOrigin */); >- }); >-}, "Cross-origin iframe with 'Cross-Origin-Options: deny' HTTP header"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=allow-postmessage", true /* isCrossOrigin */).then((f) => { >- testCrossOriginOption(f.contentWindow, "allow-postmessage", true /* isCrossOrigin */); >- }); >-}, "Cross-origin iframe with 
'Cross-Origin-Options: allow-postmessage' HTTP header"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=alLoW-postMessAgE", true /* isCrossOrigin */).then((f) => { >- testCrossOriginOption(f.contentWindow, "allow-postmessage", true /* isCrossOrigin */); >- }); >-}, "Cross-origin iframe with 'Cross-Origin-Options: alLoW-postMessAgE' HTTP header (mixed case)"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=deny,allow", true /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- // Invalid input: should be treated as "allow". >- testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Cross-origin iframe with 'Cross-Origin-Options: deny,allow' HTTP header (multiple values is invalid)"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=", true /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- // Empty value: should be treated as "allow". 
>- testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Cross-origin iframe with 'Cross-Origin-Options:' HTTP header (empty value)"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=allow", true /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Cross-origin iframe with 'Cross-Origin-Options: allow' HTTP header"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=invalid", true /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Cross-origin iframe with 'Cross-Origin-Options: invalid' HTTP header"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=deny", false /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- testCrossOriginOption(w, "deny", false /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Same-origin iframe with 'Cross-Origin-Options: deny' HTTP header"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=allow-postmessage", false /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- testCrossOriginOption(w, "allow-postmessage", false /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Same-origin iframe with 'Cross-Origin-Options: allow-postmessage' HTTP header"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=allow", false /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Same-origin iframe with 
'Cross-Origin-Options: allow' HTTP header"); >- >-promise_test(function(test) { >- return withIframe("serve-cross-origin-options-header.py?value=invalid", false /* isCrossOrigin */).then((f) => { >- const w = f.contentWindow; >- testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >- >- checkIframePropertyValues(w); >- }); >-}, "Same-origin iframe with 'Cross-Origin-Options: invalid' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=deny", true /* isCrossOrigin */).then((result) => { >- testCrossOriginOption(result.window, "deny", true /* isCrossOrigin */); >- }); >-}, "Cross-origin popup with 'Cross-Origin-Options: deny' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=allow-postmessage", true /* isCrossOrigin */).then((result) => { >- testCrossOriginOption(result.window, "allow-postmessage", true /* isCrossOrigin */); >- }); >-}, "Cross-origin popup with 'Cross-Origin-Options: allow-postmessage' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=allow", true /* isCrossOrigin */).then((result) => { >- const w = result.window; >- testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >- >- checkPopupPropertyValues(w); >- }); >-}, "Cross-origin popup with 'Cross-Origin-Options: allow' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=invalid", true /* isCrossOrigin */).then((result) => { >- const w = result.window; >- testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >- >- checkPopupPropertyValues(w); >- }); >-}, "Cross-origin popup with 'Cross-Origin-Options: invalid' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=deny", false /* isCrossOrigin */).then((result) => { >- const w = result.window; >- testCrossOriginOption(w, 
"deny", false /* isCrossOrigin */); >- >- checkPopupPropertyValues(w); >- }); >-}, "Same-origin popup with 'Cross-Origin-Options: deny' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=allow-postmessage", false /* isCrossOrigin */).then((result) => { >- const w = result.window; >- testCrossOriginOption(w, "allow-postmessage", false /* isCrossOrigin */); >- >- checkPopupPropertyValues(w); >- }); >-}, "Same-origin popup with 'Cross-Origin-Options: allow-postmessage' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=allow", false /* isCrossOrigin */).then((result) => { >- const w = result.window; >- testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >- >- checkPopupPropertyValues(w); >- }); >-}, "Same-origin popup with 'Cross-Origin-Options: allow' HTTP header"); >- >-promise_test(function(test) { >- return withPopup("serve-cross-origin-options-header.py?value=invalid", false /* isCrossOrigin */).then((result) => { >- const w = result.window; >- testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >- >- checkPopupPropertyValues(w); >- }); >-}, "Same-origin popup with 'Cross-Origin-Options: invalid' HTTP header"); >- >-</script> >-</body> >-</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt b/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt >deleted file mode 100644 >index b38f90007ae400e6f4e739aa7ef30fb1b2213909..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt >+++ /dev/null 
>@@ -1,9 +0,0 @@ >-CONSOLE MESSAGE: line 23: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/serve-cross-origin-options-header.py?value=deny' from frame with URL 'http://localhost:8800/WebKit/cross-origin-options/navigation-from-opener-via-open-target.html'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 44: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/serve-cross-origin-options-header.py?value=allow-postmessage' from frame with URL 'http://localhost:8800/WebKit/cross-origin-options/navigation-from-opener-via-open-target.html'. Navigation was not allowed due to Cross-Origin-Options header. >- >- >-PASS 'Cross-Origin-Options: deny' prevents navigation from opener via open() target >-PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from opener via open() target >-PASS 'Cross-Origin-Options: allow' does not prevent navigation from opener via open() target >- >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html b/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html >deleted file mode 100644 >index 4e83bd74f75a024e9b013a5855ed9fc9293c21c0..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html >+++ /dev/null 
>@@ -1,73 +0,0 @@ >-<!DOCTYPE html> >-<html> >-<head> >-<meta charset="utf-8"> >-<title>Tests that 'Cross-Origin-Options: deny / allow-postmessage' prevents a cross-origin opener from navigating us</title> >-<script src="/resources/testharness.js"></script> >-<script src="/resources/testharnessreport.js"></script> >-<script src="/common/utils.js"></script> >-<script src="/common/get-host-info.sub.js"></script> >-<script src="resources/utils.js"></script> >-</head> >-<body> >-<script> >- >-promise_test(t => { >- return withPopup("serve-cross-origin-options-header.py?value=deny", true /* isCrossOrigin */, "foo1").then((result) => { >- return new Promise((resolve) => { >- window.onmessage = (msg) => { >- assert_not_equals(msg.source, result.window, "Existing window should not navigate"); >- } >- >- let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-options/resources/destination.html"; >- w = open(destinationURL, "foo1"); >- // If a window with the given name is found but cannot be navigated, a new one is created, as if we could >- // not find the given window. >- assert_not_equals(w, result.window, "open() should a new window"); >- >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, "'Cross-Origin-Options: deny' prevents navigation from opener via open() target"); >- >-promise_test(t => { >- return withPopup("serve-cross-origin-options-header.py?value=allow-postmessage", true /* isCrossOrigin */, "foo2").then((result) => { >- return new Promise((resolve) => { >- window.onmessage = (msg) => { >- assert_not_equals(msg.source, result.window, "Existing window should not navigate"); >- } >- >- let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-options/resources/destination.html"; >- w = open(destinationURL, "foo2"); >- // If a window with the given name is found but cannot be navigated, a new one is created, as if we could >- // not find the given window. 
>- assert_not_equals(w, result.window, "open() should a new window"); >- >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, "'Cross-Origin-Options: allow-postmessage' prevents navigation from opener via open() target"); >- >-promise_test(t => { >- return withPopup("serve-cross-origin-options-header.py?value=allow", true /* isCrossOrigin */, "foo3").then((result) => { >- return new Promise((resolve) => { >- window.onmessage = () => { >- window.onmessage = null; >- resolve(); >- } >- >- let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-options/resources/destination.html"; >- w = open(destinationURL, "foo3"); >- assert_equals(w, result.window, "open() should return the same window"); >- }); >- }); >-}, "'Cross-Origin-Options: allow' does not prevent navigation from opener via open() target"); >-</script> >-</body> >-</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt b/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt >deleted file mode 100644 >index 79b49043b737ea1ef72b63507782dc09398bba93..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt >+++ /dev/null 
>@@ -1,35 +0,0 @@ >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. 
>- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. 
>- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. 
>- >- >-PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>) >-PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>) >-PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>) >-PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >-PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >-PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>) >-PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName) >-PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName) >-PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>) >- >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html b/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html >deleted file mode 100644 >index 23ce5605ba154236ecb9607dd665358a3a31851f..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html >+++ /dev/null 
>@@ -1,119 +0,0 @@ >-<!DOCTYPE html> >-<html> >-<head> >-<meta charset="utf-8"> >-<title>Tests that 'Cross-Origin-Options: deny / allow-postmessage' prevents a cross-origin iframe from navigating us</title> >-<script src="/resources/testharness.js"></script> >-<script src="/resources/testharnessreport.js"></script> >-<script src="/common/utils.js"></script> >-<script src="/common/get-host-info.sub.js"></script> >-<script src="resources/utils.js"></script> >-</head> >-<body> >-<script> >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=deny&target=_top", false /* isCrossOrigin */).then((result) => { >- return new Promise((resolve) => { >- window.onmessage = t.unreached_func("Should not have navigated"); >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, "'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=_top", false /* isCrossOrigin */).then((result) => { >- return new Promise((resolve) => { >- window.onmessage = t.unreached_func("Should not have navigated"); >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, "'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=allow&target=_top", false /* isCrossOrigin */).then((result) => { >- return new Promise((resolve) => { >- window.onmessage = () => { >- resolve(); >- }; >- }); >- }); >-}, "'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=deny&target=_parent", false /* isCrossOrigin */).then((result) => { >- return new Promise((resolve) => 
{ >- window.onmessage = t.unreached_func("Should not have navigated"); >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, "'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent", false /* isCrossOrigin */).then((result) => { >- return new Promise((resolve) => { >- window.onmessage = t.unreached_func("Should not have navigated"); >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, "'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=allow&target=_parent", false /* isCrossOrigin */).then((result) => { >- return new Promise((resolve) => { >- window.onmessage = () => { >- resolve(); >- }; >- }); >- }); >-}, "'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=deny&target=foo1", false /* isCrossOrigin */, "foo1").then((result) => { >- return new Promise((resolve) => { >- window.onmessage = t.unreached_func("Should not have navigated"); >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, "'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2", false /* isCrossOrigin */, "foo2").then((result) => { >- return new Promise((resolve) => { >- window.onmessage = t.unreached_func("Should not have navigated"); >- t.step_timeout(() => { >- window.onmessage = null; >- resolve(); >- }, 200); >- }); >- }); >-}, 
"'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName)"); >- >-promise_test(t => { >- return withPopup("navigation-from-subframe-frame.py?value=allow&target=foo3", false /* isCrossOrigin */, "foo3").then((result) => { >- return new Promise((resolve) => { >- window.onmessage = () => { >- resolve(); >- }; >- }); >- }); >-}, "'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>)"); >- >-</script> >-</body> >-</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html b/LayoutTests/http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html >deleted file mode 100644 >index 9a67dd7f60c14d62fcd15a6cacea687b4d0f5836..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html >+++ /dev/null >@@ -1,17 +0,0 @@ >-<!DOCTYPE html> >-<html> >-<body> >-<script> >-addEventListener('message', (msg) => { >- if (event.data === "PING") >- event.source.postMessage("PONG", "*"); >- }); >- window.addEventListener('load', () => { >- const ownerWindow = window.opener ? window.opener : window.top; >- try { >- ownerWindow.postMessage("READY", "*"); >- } catch (e) { } >- }); >-</script> >-</body> >-</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html.headers b/LayoutTests/http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html.headers >deleted file mode 100644 >index cfb12bb1061bd5a091450ebf113ccede967a9397..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/cross-origin-options-allow-postmessage-pong.html.headers >+++ /dev/null >@@ -1 +0,0 @@ >-Cross-Origin-Options: allow-postmessage 
>diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/destination.html b/LayoutTests/http/wpt/cross-origin-options/resources/destination.html >deleted file mode 100644 >index 1516877b449aecabe5f80f1c4bbb68602bba31e4..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/destination.html >+++ /dev/null >@@ -1,7 +0,0 @@ >-<body> >-DESTINATION >-<script> >-if (window.opener) >- window.opener.postMessage("navigated", "*"); >-</script> >-</body> >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html b/LayoutTests/http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html >deleted file mode 100644 >index 940399bf868efe455151cb79c0c819f5c001bfb3..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html >+++ /dev/null >@@ -1,18 +0,0 @@ >-<!DOCTYPE html> >-<html> >-<head> >-<script src="/common/get-host-info.sub.js"></script> >-</head> >-<body> >-<a id="testAnchor">Click me</a> >-<script> >-const RESOURCES_DIR = "/WebKit/cross-origin-options/resources/"; >-onload = () => { >- let params = new URLSearchParams(location.search); >- testAnchor.target= params.get('target') >- testAnchor.href = get_host_info().HTTP_ORIGIN + RESOURCES_DIR + "destination.html"; >- testAnchor.click(); >-} >-</script> >-</body> >-</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py b/LayoutTests/http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py >deleted file mode 100644 >index 5854c5900df04ec8d9aa9d6b1322e832bcc8b832..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py >+++ /dev/null 
>@@ -1,17 +0,0 @@ >-def main(request, response): >- headers = [("Content-Type", "text/html"), >- ("Cross-Origin-Options", request.GET['value']),] >- return 200, headers, """<!DOCTYPE html> >-<html> >-<head> >-<script src="/common/get-host-info.sub.js"></script> >-</head> >-<body> >-<script> >-const RESOURCES_DIR = "/WebKit/cross-origin-options/resources/"; >-let f = document.createElement("iframe"); >-f.src = get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR + "navigate-parent-via-anchor.html?target=%s"; >-document.body.prepend(f); >-</script> >-</body> >-</html>""" % request.GET['target'] >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/serve-cross-origin-options-header.py b/LayoutTests/http/wpt/cross-origin-options/resources/serve-cross-origin-options-header.py >deleted file mode 100644 >index ea90655adc31b53bdce62aa824536bc997126235..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/serve-cross-origin-options-header.py >+++ /dev/null >@@ -1,14 +0,0 @@ >-def main(request, response): >- headers = [("Content-Type", "text/html"), >- ("Cross-Origin-Options", request.GET['value']),] >- return 200, headers, """TEST >- <iframe name="subframe"></iframe> >- <script> >- window.addEventListener('load', () => { >- const ownerWindow = window.opener ? window.opener : window.top; >- try { >- ownerWindow.postMessage("READY", "*"); >- } catch (e) { } >- }); >- </script> >- """ >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/utils.js b/LayoutTests/http/wpt/cross-origin-options/resources/utils.js >deleted file mode 100644 >index bdfd66e75dac143224db979b1392efd69861cb57..0000000000000000000000000000000000000000 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/utils.js >+++ /dev/null 
>@@ -1,150 +0,0 @@ >-const RESOURCES_DIR = "/WebKit/cross-origin-options/resources/"; >- >-function isCrossOriginWindow(w) >-{ >- try { >- w.name; >- } catch (e) { >- return true; >- } >- return false; >-} >- >-async function waitForCrossOriginLoad(w) >-{ >- return new Promise((resolve) => { >- window.addEventListener('message', (msg) => { >- if (msg.source != w || msg.data != "READY") >- return; >- resolve(); >- }); >- >- let handle = setInterval(() => { >- if (isCrossOriginWindow(w)) { >- clearInterval(handle); >- try { >- w.postMessage; >- } catch (e) { >- // No point in waiting for "READY" message from window since postMessage is >- // not available. >- resolve(); >- } >- } >- }, 5); >- }); >-} >- >-async function withIframe(resourceFile, crossOrigin) >-{ >- return new Promise((resolve) => { >- let resourceURL = crossOrigin ? get_host_info().HTTP_REMOTE_ORIGIN : get_host_info().HTTP_ORIGIN; >- resourceURL += RESOURCES_DIR; >- resourceURL += resourceFile; >- let frame = document.createElement("iframe"); >- frame.src = resourceURL; >- if (crossOrigin) { >- document.body.appendChild(frame); >- waitForCrossOriginLoad(frame.contentWindow).then(() => { >- resolve(frame); >- }); >- } else { >- frame.onload = function() { resolve(frame); }; >- document.body.appendChild(frame); >- } >- }); >-} >- >-async function withPopup(resourceFile, crossOrigin, windowName) >-{ >- return new Promise((resolve) => { >- let resourceURL = crossOrigin ? 
get_host_info().HTTP_REMOTE_ORIGIN : get_host_info().HTTP_ORIGIN; >- resourceURL += RESOURCES_DIR; >- resourceURL += resourceFile; >- >- let w = open(resourceURL, windowName); >- if (crossOrigin) { >- waitForCrossOriginLoad(w).then(() => { >- resolve({ 'window': w }); >- }); >- } else { >- w.onload = function() { resolve({ 'window': w }); }; >- } >- }); >-} >- >-const crossOriginPropertyNames = [ 'blur', 'close', 'closed', 'focus', 'frames', 'length', 'location', 'opener', 'parent', 'postMessage', 'self', 'top', 'window' ]; >-const forbiddenPropertiesCrossOrigin = ["name", "document", "history", "locationbar", "status", "frameElement", "navigator", "alert", "localStorage", "sessionStorage", "event", "foo", "bar"]; >- >-function assert_not_throwing(f, message) >-{ >- try { >- f(); >- } catch (e) { >- assert_unreached(message); >- } >-} >- >-function checkCrossOriginPropertiesAccess(w) >-{ >- for (let crossOriginPropertyName of crossOriginPropertyNames) >- assert_not_throwing(function() { w[crossOriginPropertyName]; }, "Accessing property '" + crossOriginPropertyName +"' on Window should not throw"); >- >- assert_false(w.closed, "'closed' property value"); >- assert_equals(w.frames, w, "'frames' property value"); >- assert_equals(w.self, w, "'self' property value"); >- assert_equals(w.window, w, "'window' property value"); >- >- assert_not_throwing(function() { w.blur(); }, "Calling blur() on Window should should throw"); >- assert_not_throwing(function() { w.focus(); }, "Calling focus() on Window should should throw"); >- assert_not_throwing(function() { w.postMessage('test', '*'); }, "Calling postMessage() on Window should should throw"); >-} >- >-function testCrossOriginOption(w, headerValue, isCrossOrigin) >-{ >- if (!isCrossOrigin) { >- checkCrossOriginPropertiesAccess(w); >- for (let forbiddenPropertyCrossOrigin of forbiddenPropertiesCrossOrigin) >- assert_not_throwing(function() { eval("w." 
+ forbiddenPropertyCrossOrigin); }, "Accessing property '" + forbiddenPropertyCrossOrigin + "' on Window should not throw"); >- assert_not_throwing(function() { w.foo = 1; }, "Setting expando property should not throw"); >- assert_equals(w.foo, 1, "expando property value"); >- return; >- } >- >- // Cross-origin case. >- for (let forbiddenPropertyCrossOrigin of forbiddenPropertiesCrossOrigin) { >- assert_throws("SecurityError", function() { eval("w." + forbiddenPropertyCrossOrigin); }, "Accessing property '" + forbiddenPropertyCrossOrigin + "' on Window should throw"); >- let desc = Object.getOwnPropertyDescriptor(window, forbiddenPropertyCrossOrigin); >- if (desc && desc.value) >- assert_throws("SecurityError", function() { desc.value.call(w); }, "Calling function '" + forbiddenPropertyCrossOrigin + "' on Window should throw (using getter from other window)"); >- else if (desc && desc.get) >- assert_throws("SecurityError", function() { desc.get.call(w); }, "Accessing property '" + forbiddenPropertyCrossOrigin + "' on Window should throw (using getter from other window)"); >- } >- assert_throws("SecurityError", function() { w.foo = 1; }, "Setting an expando property should throw"); >- >- if (headerValue == "deny" || headerValue == "allow-postmessage") { >- for (let crossOriginPropertyName of crossOriginPropertyNames) { >- if (headerValue == "allow-postmessage" && crossOriginPropertyName == "postMessage") { >- assert_not_throwing(function() { w[crossOriginPropertyName]; }, "Accessing property '" + crossOriginPropertyName +"' on Window should not throw"); >- } else { >- assert_throws("SecurityError", function() { w[crossOriginPropertyName]; }, "Accessing '" + crossOriginPropertyName + "' property"); >- >- let desc = Object.getOwnPropertyDescriptor(window, crossOriginPropertyName); >- if (desc && desc.value) >- assert_throws("SecurityError", function() { desc.value.call(w); }, "Calling function '" + crossOriginPropertyName + "' on Window should throw (using getter from 
other window)"); >- else if (desc && desc.get) >- assert_throws("SecurityError", function() { desc.get.call(w); }, "Accessing property '" + crossOriginPropertyName + "' on Window should throw (using getter from other window)"); >- } >- } >- if (headerValue == "allow-postmessage") { >- assert_not_throwing(function() { w.postMessage('test', '*'); }, "Calling postMessage() on Window should not throw"); >- assert_not_throwing(function() { Object.getOwnPropertyDescriptor(window, 'postMessage').value.call(w, 'test', '*'); }, "Calling postMessage() on Window should not throw (using getter from other window)"); >- } >- >- assert_array_equals(Object.getOwnPropertyNames(w).sort(), headerValue == "allow-postmessage" ? ['postMessage'] : [], "Object.getOwnPropertyNames()"); >- >- return; >- } >- >- assert_array_equals(Object.getOwnPropertyNames(w).sort(), crossOriginPropertyNames.sort(), "Object.getOwnPropertyNames()"); >- checkCrossOriginPropertiesAccess(w); >-} >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-expected.txt b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..13c6be7fcab1099bd82a5a0858333faec6dfd83d >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+PASS postMessage() on Cross-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header >+PASS postMessage() on Cross-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header >+ >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny-expected.txt b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..412c968a6977b9c133a4907e073fc1ff03b1131b >--- /dev/null 
>+++ b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+PASS postMessage() on Cross-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' but current window has 'deny' option >+PASS postMessage() on Cross-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' but current window has 'deny' option >+ >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bf5fb4b520560c7538436bb0dadc880bc0a1a518 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html 
>@@ -0,0 +1,31 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta charset="utf-8"> >+<title>Tests calling postMessage() on a window with 'Cross-Origin-Window-Policy: allow-postmessage' from a window with 'Cross-Origin-Window-Policy: deny'</title> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/common/utils.js"></script> >+<script src="/common/get-host-info.sub.js"></script> >+<script src="resources/utils.js"></script> >+</head> >+<body> >+<script> >+ >+promise_test(function(test) { >+ return withIframe("cross-origin-window-policy-allow-postmessage-pong.html", true /* isCrossOrigin */).then((f) => { >+ assert_throws("SecurityError", function() { f.contentWindow.length }, "length property access"); >+ assert_throws("SecurityError", function() { f.contentWindow.postMessage("PING", "*"); }, "Calling postMessage() should throw"); >+ }); >+}, "postMessage() on Cross-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' but current window has 'deny' option"); >+ >+promise_test(function(test) { >+ return withPopup("cross-origin-window-policy-allow-postmessage-pong.html", true /* isCrossOrigin */).then((result) => { >+ assert_throws("SecurityError", function() { result.window.length }, "length property access"); >+ assert_throws("SecurityError", function() { result.window.postMessage("PING", "*"); }, "Calling postMessage() should throw"); >+ }); >+}, "postMessage() on Cross-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' but current window has 'deny' option"); >+ >+</script> >+</body> >+</html> >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html.headers b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..6a2d256e26baae1f0de09eabf4202f57ae2a5073 >--- /dev/null 
>+++ b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage-from-deny.html.headers >@@ -0,0 +1 @@ >+Cross-Origin-Window-Policy: deny >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage.html b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cc5a56876b0ae4ef7427e073646d53a7ba8125b1 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/allow-postmessage.html 
>@@ -0,0 +1,47 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta charset="utf-8"> >+<title>Tests that postMessage() works when 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header is served</title> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/common/utils.js"></script> >+<script src="/common/get-host-info.sub.js"></script> >+<script src="resources/utils.js"></script> >+</head> >+<body> >+<script> >+ >+promise_test(function(test) { >+ return withIframe("cross-origin-window-policy-allow-postmessage-pong.html", true /* isCrossOrigin */).then((f) => { >+ return new Promise((resolve) => { >+ window.onmessage = (msg) => { >+ window.onmessage = null; >+ assert_equals(msg.data, "PONG"); >+ assert_equals(msg.source, f.contentWindow); >+ resolve(); >+ }; >+ assert_throws("SecurityError", function() { f.contentWindow.length }, "length property access"); >+ f.contentWindow.postMessage("PING", "*"); >+ }); >+ }); >+}, "postMessage() on Cross-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("cross-origin-window-policy-allow-postmessage-pong.html", true /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = (msg) => { >+ window.onmessage = null; >+ assert_equals(msg.data, "PONG"); >+ assert_equals(msg.source, result.window); >+ resolve(); >+ }; >+ assert_throws("SecurityError", function() { result.window.length }, "length property access"); >+ result.window.postMessage("PING", "*"); >+ }); >+ }); >+}, "postMessage() on Cross-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header"); >+ >+</script> >+</body> >+</html> 
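Review bot: in allow-postmessage.html, both window.onmessage handlers call assert_equals(msg.data, "PONG") and assert_equals(msg.source, ...) outside any test step, so a failed assertion throws inside the event handler instead of failing the promise_test. If the pong page answers with the wrong data or the message comes from another source, resolve() is never reached and the run ends as a timeout or an uncaught error, not as a FAIL on the named subtest. Wrap each handler in test.step_func(...), using the test argument that is already passed to both callbacks and is otherwise unused, or catch the failure and reject the promise. It would also be more robust to check msg.source before msg.data and ignore messages from other windows, because the handler currently clears window.onmessage on the first message it receives, whatever the sender.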
>diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/cross-origin-window-policy-header-expected.txt b/LayoutTests/http/wpt/cross-origin-window-policy/cross-origin-window-policy-header-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e4a8d11d3754893f6cdce0ad8216bc1ace691870 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/cross-origin-window-policy-header-expected.txt 
>@@ -0,0 +1,22 @@ >+ >+ >+PASS Cross-origin iframe with 'Cross-Origin-Window-Policy: deny' HTTP header >+PASS Cross-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header >+PASS Cross-origin iframe with 'Cross-Origin-Window-Policy: alLoW-postMessAgE' HTTP header (mixed case) >+PASS Cross-origin iframe with 'Cross-Origin-Window-Policy: deny,allow' HTTP header (multiple values is invalid) >+PASS Cross-origin iframe with 'Cross-Origin-Window-Policy:' HTTP header (empty value) >+PASS Cross-origin iframe with 'Cross-Origin-Window-Policy: allow' HTTP header >+PASS Cross-origin iframe with 'Cross-Origin-Window-Policy: invalid' HTTP header >+PASS Same-origin iframe with 'Cross-Origin-Window-Policy: deny' HTTP header >+PASS Same-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header >+PASS Same-origin iframe with 'Cross-Origin-Window-Policy: allow' HTTP header >+PASS Same-origin iframe with 'Cross-Origin-Window-Policy: invalid' HTTP header >+PASS Cross-origin popup with 'Cross-Origin-Window-Policy: deny' HTTP header >+PASS Cross-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header >+PASS Cross-origin popup with 'Cross-Origin-Window-Policy: allow' HTTP header >+PASS Cross-origin popup with 'Cross-Origin-Window-Policy: invalid' HTTP header >+PASS Same-origin popup with 'Cross-Origin-Window-Policy: deny' HTTP header >+PASS Same-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header >+PASS Same-origin popup with 'Cross-Origin-Window-Policy: allow' HTTP header >+PASS Same-origin popup with 'Cross-Origin-Window-Policy: invalid' HTTP header >+ >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/cross-origin-window-policy-header.html b/LayoutTests/http/wpt/cross-origin-window-policy/cross-origin-window-policy-header.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b2b7a37f396d542db391d69a91076f86658dc009 >--- /dev/null 
>+++ b/LayoutTests/http/wpt/cross-origin-window-policy/cross-origin-window-policy-header.html 
>@@ -0,0 +1,198 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta charset="utf-8"> >+<title>Basic testing for Cross-Origin-Window-Policy HTTP header</title> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/common/utils.js"></script> >+<script src="/common/get-host-info.sub.js"></script> >+<script src="resources/utils.js"></script> >+</head> >+<body> >+<script> >+ >+// Test frame has a subframe so we expect an indexed property with index 0. >+crossOriginPropertyNames.push('0'); >+ >+function checkIframePropertyValues(w) >+{ >+ assert_equals(w.parent, window, "'parent' property value"); >+ assert_equals(w.top, window, "'top' property value"); >+ assert_equals(w.opener, null, "'opener' property value"); >+ assert_equals(w.length, 1, "'length' property value"); >+ assert_not_throwing(function() { w[0]; }, "Subframe access via index"); >+ assert_equals(w['subframe'], w[0], "Subframe access by name"); >+} >+ >+function checkPopupPropertyValues(w) >+{ >+ assert_equals(w.parent, w, "'parent' property value"); >+ assert_equals(w.top, w, "'top' property value"); >+ assert_equals(w.opener, window, "'opener' property value"); >+ assert_equals(w.length, 1, "'length' property value"); >+ assert_not_throwing(function() { w[0]; }, "Subframe access via index"); >+ assert_equals(w['subframe'], w[0], "Subframe access by name"); >+} >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=deny", true /* isCrossOrigin */).then((f) => { >+ testCrossOriginOption(f.contentWindow, "deny", true /* isCrossOrigin */); >+ }); >+}, "Cross-origin iframe with 'Cross-Origin-Window-Policy: deny' HTTP header"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=allow-postmessage", true /* isCrossOrigin */).then((f) => { >+ testCrossOriginOption(f.contentWindow, "allow-postmessage", true /* isCrossOrigin */); >+ }); >+}, 
"Cross-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=alLoW-postMessAgE", true /* isCrossOrigin */).then((f) => { >+ testCrossOriginOption(f.contentWindow, "allow-postmessage", true /* isCrossOrigin */); >+ }); >+}, "Cross-origin iframe with 'Cross-Origin-Window-Policy: alLoW-postMessAgE' HTTP header (mixed case)"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=deny,allow", true /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ // Invalid input: should be treated as "allow". >+ testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >+ >+ checkIframePropertyValues(w); >+ }); >+}, "Cross-origin iframe with 'Cross-Origin-Window-Policy: deny,allow' HTTP header (multiple values is invalid)"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=", true /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ // Empty value: should be treated as "allow". 
>+ testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >+ >+ checkIframePropertyValues(w); >+ }); >+}, "Cross-origin iframe with 'Cross-Origin-Window-Policy:' HTTP header (empty value)"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=allow", true /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >+ >+ checkIframePropertyValues(w); >+ }); >+}, "Cross-origin iframe with 'Cross-Origin-Window-Policy: allow' HTTP header"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=invalid", true /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >+ >+ checkIframePropertyValues(w); >+ }); >+}, "Cross-origin iframe with 'Cross-Origin-Window-Policy: invalid' HTTP header"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=deny", false /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ testCrossOriginOption(w, "deny", false /* isCrossOrigin */); >+ >+ checkIframePropertyValues(w); >+ }); >+}, "Same-origin iframe with 'Cross-Origin-Window-Policy: deny' HTTP header"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=allow-postmessage", false /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ testCrossOriginOption(w, "allow-postmessage", false /* isCrossOrigin */); >+ >+ checkIframePropertyValues(w); >+ }); >+}, "Same-origin iframe with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=allow", false /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >+ >+ 
checkIframePropertyValues(w); >+ }); >+}, "Same-origin iframe with 'Cross-Origin-Window-Policy: allow' HTTP header"); >+ >+promise_test(function(test) { >+ return withIframe("serve-cross-origin-window-policy-header.py?value=invalid", false /* isCrossOrigin */).then((f) => { >+ const w = f.contentWindow; >+ testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >+ >+ checkIframePropertyValues(w); >+ }); >+}, "Same-origin iframe with 'Cross-Origin-Window-Policy: invalid' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=deny", true /* isCrossOrigin */).then((result) => { >+ testCrossOriginOption(result.window, "deny", true /* isCrossOrigin */); >+ }); >+}, "Cross-origin popup with 'Cross-Origin-Window-Policy: deny' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=allow-postmessage", true /* isCrossOrigin */).then((result) => { >+ testCrossOriginOption(result.window, "allow-postmessage", true /* isCrossOrigin */); >+ }); >+}, "Cross-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=allow", true /* isCrossOrigin */).then((result) => { >+ const w = result.window; >+ testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >+ >+ checkPopupPropertyValues(w); >+ }); >+}, "Cross-origin popup with 'Cross-Origin-Window-Policy: allow' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=invalid", true /* isCrossOrigin */).then((result) => { >+ const w = result.window; >+ testCrossOriginOption(w, "allow", true /* isCrossOrigin */); >+ >+ checkPopupPropertyValues(w); >+ }); >+}, "Cross-origin popup with 'Cross-Origin-Window-Policy: invalid' HTTP header"); >+ >+promise_test(function(test) { >+ return 
withPopup("serve-cross-origin-window-policy-header.py?value=deny", false /* isCrossOrigin */).then((result) => { >+ const w = result.window; >+ testCrossOriginOption(w, "deny", false /* isCrossOrigin */); >+ >+ checkPopupPropertyValues(w); >+ }); >+}, "Same-origin popup with 'Cross-Origin-Window-Policy: deny' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=allow-postmessage", false /* isCrossOrigin */).then((result) => { >+ const w = result.window; >+ testCrossOriginOption(w, "allow-postmessage", false /* isCrossOrigin */); >+ >+ checkPopupPropertyValues(w); >+ }); >+}, "Same-origin popup with 'Cross-Origin-Window-Policy: allow-postmessage' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=allow", false /* isCrossOrigin */).then((result) => { >+ const w = result.window; >+ testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >+ >+ checkPopupPropertyValues(w); >+ }); >+}, "Same-origin popup with 'Cross-Origin-Window-Policy: allow' HTTP header"); >+ >+promise_test(function(test) { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=invalid", false /* isCrossOrigin */).then((result) => { >+ const w = result.window; >+ testCrossOriginOption(w, "allow", false /* isCrossOrigin */); >+ >+ checkPopupPropertyValues(w); >+ }); >+}, "Same-origin popup with 'Cross-Origin-Window-Policy: invalid' HTTP header"); >+ >+</script> >+</body> >+</html> >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target-expected.txt b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0e9c84f98ae8e30a3dd033636a12fe3f0c3df954 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: line 23: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/serve-cross-origin-window-policy-header.py?value=deny' from frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/navigation-from-opener-via-open-target.html'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 44: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/serve-cross-origin-window-policy-header.py?value=allow-postmessage' from frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/navigation-from-opener-via-open-target.html'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+ >+PASS 'Cross-Origin-Window-Policy: deny' prevents navigation from opener via open() target >+PASS 'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from opener via open() target >+PASS 'Cross-Origin-Window-Policy: allow' does not prevent navigation from opener via open() target >+ >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target.html b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2a7918b698685fe2c8529bbc8fde25338f6d9fa0 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-opener-via-open-target.html 
>@@ -0,0 +1,73 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta charset="utf-8"> >+<title>Tests that 'Cross-Origin-Window-Policy: deny / allow-postmessage' prevents a cross-origin opener from navigating us</title> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/common/utils.js"></script> >+<script src="/common/get-host-info.sub.js"></script> >+<script src="resources/utils.js"></script> >+</head> >+<body> >+<script> >+ >+promise_test(t => { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=deny", true /* isCrossOrigin */, "foo1").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = (msg) => { >+ assert_not_equals(msg.source, result.window, "Existing window should not navigate"); >+ } >+ >+ let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-window-policy/resources/destination.html"; >+ w = open(destinationURL, "foo1"); >+ // If a window with the given name is found but cannot be navigated, a new one is created, as if we could >+ // not find the given window. 
>+ assert_not_equals(w, result.window, "open() should a new window"); >+ >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: deny' prevents navigation from opener via open() target"); >+ >+promise_test(t => { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=allow-postmessage", true /* isCrossOrigin */, "foo2").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = (msg) => { >+ assert_not_equals(msg.source, result.window, "Existing window should not navigate"); >+ } >+ >+ let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-window-policy/resources/destination.html"; >+ w = open(destinationURL, "foo2"); >+ // If a window with the given name is found but cannot be navigated, a new one is created, as if we could >+ // not find the given window. >+ assert_not_equals(w, result.window, "open() should a new window"); >+ >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from opener via open() target"); >+ >+promise_test(t => { >+ return withPopup("serve-cross-origin-window-policy-header.py?value=allow", true /* isCrossOrigin */, "foo3").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ window.onmessage = null; >+ resolve(); >+ } >+ >+ let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-window-policy/resources/destination.html"; >+ w = open(destinationURL, "foo3"); >+ assert_equals(w, result.window, "open() should return the same window"); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow' does not prevent navigation from opener via open() target"); >+</script> >+</body> >+</html> 
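Review bot: `w = open(destinationURL, "foo1");` and its "foo2" and "foo3" copies assign to an undeclared `w`, which creates an implicit global shared by all three subtests; declare it with `let` or `const`, as `destinationURL` is on the line above. The assertion message "open() should a new window" is missing its verb ("should return a new window") in both the deny and the allow-postmessage case. The `assert_not_equals(msg.source, result.window, ...)` inside `window.onmessage` also runs outside a test step, so wrapping that handler in `t.step_func` would tie a failure to the subtest instead of leaving it as an uncaught exception.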
>diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target-expected.txt b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2699278e01d5e10a2273e0bba4418f7eda0a5f6a >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target-expected.txt 
>@@ -0,0 +1,35 @@ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Window-Policy header. 
>+ >+ >+PASS 'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>) >+ >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target.html b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3c9f01a8cbb09a380d2fc61891c27045da9797c8 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target.html 
>@@ -0,0 +1,119 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta charset="utf-8"> >+<title>Tests that 'Cross-Origin-Window-Policy: deny / allow-postmessage' prevents a cross-origin iframe from navigating us</title> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/common/utils.js"></script> >+<script src="/common/get-host-info.sub.js"></script> >+<script src="resources/utils.js"></script> >+</head> >+<body> >+<script> >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=deny&target=_top", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=_top", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow&target=_top", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ resolve(); >+ }; >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=deny&target=_parent", false /* isCrossOrigin */).then((result) => { >+ return 
new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow&target=_parent", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ resolve(); >+ }; >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=deny&target=foo1", false /* isCrossOrigin */, "foo1").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2", false /* isCrossOrigin */, "foo2").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = 
null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow&target=foo3", false /* isCrossOrigin */, "foo3").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ resolve(); >+ }; >+ }); >+ }); >+}, "'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>)"); >+ >+</script> >+</body> >+</html> >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html b/LayoutTests/http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9a67dd7f60c14d62fcd15a6cacea687b4d0f5836 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<script> >+addEventListener('message', (msg) => { >+ if (event.data === "PING") >+ event.source.postMessage("PONG", "*"); >+ }); >+ window.addEventListener('load', () => { >+ const ownerWindow = window.opener ? window.opener : window.top; >+ try { >+ ownerWindow.postMessage("READY", "*"); >+ } catch (e) { } >+ }); >+</script> >+</body> >+</html> >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html.headers b/LayoutTests/http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..f5e68b2b916fb0157437a2bbf75340e69d0900e5 >--- /dev/null 
>+++ b/LayoutTests/http/wpt/cross-origin-window-policy/resources/cross-origin-window-policy-allow-postmessage-pong.html.headers >@@ -0,0 +1 @@ >+Cross-Origin-Window-Policy: allow-postmessage >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/resources/destination.html b/LayoutTests/http/wpt/cross-origin-window-policy/resources/destination.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1516877b449aecabe5f80f1c4bbb68602bba31e4 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/resources/destination.html >@@ -0,0 +1,7 @@ >+<body> >+DESTINATION >+<script> >+if (window.opener) >+ window.opener.postMessage("navigated", "*"); >+</script> >+</body> >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/resources/navigate-parent-via-anchor.html b/LayoutTests/http/wpt/cross-origin-window-policy/resources/navigate-parent-via-anchor.html >new file mode 100644 >index 0000000000000000000000000000000000000000..68ba0a732ea1e090775615848ff7cfc15bf6111f >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/resources/navigate-parent-via-anchor.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<script src="/common/get-host-info.sub.js"></script> >+</head> >+<body> >+<a id="testAnchor">Click me</a> >+<script> >+const RESOURCES_DIR = "/WebKit/cross-origin-window-policy/resources/"; >+onload = () => { >+ let params = new URLSearchParams(location.search); >+ testAnchor.target= params.get('target') >+ testAnchor.href = get_host_info().HTTP_ORIGIN + RESOURCES_DIR + "destination.html"; >+ testAnchor.click(); >+} >+</script> >+</body> >+</html> >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/resources/navigation-from-subframe-frame.py b/LayoutTests/http/wpt/cross-origin-window-policy/resources/navigation-from-subframe-frame.py >new file mode 100644 >index 0000000000000000000000000000000000000000..f1210e06f4b0671308a1d0786f85a2c5f13bb3a1 >--- /dev/null 
>+++ b/LayoutTests/http/wpt/cross-origin-window-policy/resources/navigation-from-subframe-frame.py >@@ -0,0 +1,17 @@ >+def main(request, response): >+ headers = [("Content-Type", "text/html"), >+ ("Cross-Origin-Window-Policy", request.GET['value']),] >+ return 200, headers, """<!DOCTYPE html> >+<html> >+<head> >+<script src="/common/get-host-info.sub.js"></script> >+</head> >+<body> >+<script> >+const RESOURCES_DIR = "/WebKit/cross-origin-window-policy/resources/"; >+let f = document.createElement("iframe"); >+f.src = get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR + "navigate-parent-via-anchor.html?target=%s"; >+document.body.prepend(f); >+</script> >+</body> >+</html>""" % request.GET['target'] >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/resources/serve-cross-origin-window-policy-header.py b/LayoutTests/http/wpt/cross-origin-window-policy/resources/serve-cross-origin-window-policy-header.py >new file mode 100644 >index 0000000000000000000000000000000000000000..ffe7017ba295ee7abd84d78227b0c07208d0a72c >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/resources/serve-cross-origin-window-policy-header.py >@@ -0,0 +1,14 @@ >+def main(request, response): >+ headers = [("Content-Type", "text/html"), >+ ("Cross-Origin-Window-Policy", request.GET['value']),] >+ return 200, headers, """TEST >+ <iframe name="subframe"></iframe> >+ <script> >+ window.addEventListener('load', () => { >+ const ownerWindow = window.opener ? window.opener : window.top; >+ try { >+ ownerWindow.postMessage("READY", "*"); >+ } catch (e) { } >+ }); >+ </script> >+ """ >diff --git a/LayoutTests/http/wpt/cross-origin-window-policy/resources/utils.js b/LayoutTests/http/wpt/cross-origin-window-policy/resources/utils.js >new file mode 100644 >index 0000000000000000000000000000000000000000..82bd7be825cc0c481f136e4f94295ce374faafeb >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-window-policy/resources/utils.js 
>@@ -0,0 +1,150 @@ >+const RESOURCES_DIR = "/WebKit/cross-origin-window-policy/resources/"; >+ >+function isCrossOriginWindow(w) >+{ >+ try { >+ w.name; >+ } catch (e) { >+ return true; >+ } >+ return false; >+} >+ >+async function waitForCrossOriginLoad(w) >+{ >+ return new Promise((resolve) => { >+ window.addEventListener('message', (msg) => { >+ if (msg.source != w || msg.data != "READY") >+ return; >+ resolve(); >+ }); >+ >+ let handle = setInterval(() => { >+ if (isCrossOriginWindow(w)) { >+ clearInterval(handle); >+ try { >+ w.postMessage; >+ } catch (e) { >+ // No point in waiting for "READY" message from window since postMessage is >+ // not available. >+ resolve(); >+ } >+ } >+ }, 5); >+ }); >+} >+ >+async function withIframe(resourceFile, crossOrigin) >+{ >+ return new Promise((resolve) => { >+ let resourceURL = crossOrigin ? get_host_info().HTTP_REMOTE_ORIGIN : get_host_info().HTTP_ORIGIN; >+ resourceURL += RESOURCES_DIR; >+ resourceURL += resourceFile; >+ let frame = document.createElement("iframe"); >+ frame.src = resourceURL; >+ if (crossOrigin) { >+ document.body.appendChild(frame); >+ waitForCrossOriginLoad(frame.contentWindow).then(() => { >+ resolve(frame); >+ }); >+ } else { >+ frame.onload = function() { resolve(frame); }; >+ document.body.appendChild(frame); >+ } >+ }); >+} >+ >+async function withPopup(resourceFile, crossOrigin, windowName) >+{ >+ return new Promise((resolve) => { >+ let resourceURL = crossOrigin ? 
get_host_info().HTTP_REMOTE_ORIGIN : get_host_info().HTTP_ORIGIN; >+ resourceURL += RESOURCES_DIR; >+ resourceURL += resourceFile; >+ >+ let w = open(resourceURL, windowName); >+ if (crossOrigin) { >+ waitForCrossOriginLoad(w).then(() => { >+ resolve({ 'window': w }); >+ }); >+ } else { >+ w.onload = function() { resolve({ 'window': w }); }; >+ } >+ }); >+} >+ >+const crossOriginPropertyNames = [ 'blur', 'close', 'closed', 'focus', 'frames', 'length', 'location', 'opener', 'parent', 'postMessage', 'self', 'top', 'window' ]; >+const forbiddenPropertiesCrossOrigin = ["name", "document", "history", "locationbar", "status", "frameElement", "navigator", "alert", "localStorage", "sessionStorage", "event", "foo", "bar"]; >+ >+function assert_not_throwing(f, message) >+{ >+ try { >+ f(); >+ } catch (e) { >+ assert_unreached(message); >+ } >+} >+ >+function checkCrossOriginPropertiesAccess(w) >+{ >+ for (let crossOriginPropertyName of crossOriginPropertyNames) >+ assert_not_throwing(function() { w[crossOriginPropertyName]; }, "Accessing property '" + crossOriginPropertyName +"' on Window should not throw"); >+ >+ assert_false(w.closed, "'closed' property value"); >+ assert_equals(w.frames, w, "'frames' property value"); >+ assert_equals(w.self, w, "'self' property value"); >+ assert_equals(w.window, w, "'window' property value"); >+ >+ assert_not_throwing(function() { w.blur(); }, "Calling blur() on Window should should throw"); >+ assert_not_throwing(function() { w.focus(); }, "Calling focus() on Window should should throw"); >+ assert_not_throwing(function() { w.postMessage('test', '*'); }, "Calling postMessage() on Window should should throw"); >+} >+ >+function testCrossOriginOption(w, headerValue, isCrossOrigin) >+{ >+ if (!isCrossOrigin) { >+ checkCrossOriginPropertiesAccess(w); >+ for (let forbiddenPropertyCrossOrigin of forbiddenPropertiesCrossOrigin) >+ assert_not_throwing(function() { eval("w." 
+ forbiddenPropertyCrossOrigin); }, "Accessing property '" + forbiddenPropertyCrossOrigin + "' on Window should not throw"); >+ assert_not_throwing(function() { w.foo = 1; }, "Setting expando property should not throw"); >+ assert_equals(w.foo, 1, "expando property value"); >+ return; >+ } >+ >+ // Cross-origin case. >+ for (let forbiddenPropertyCrossOrigin of forbiddenPropertiesCrossOrigin) { >+ assert_throws("SecurityError", function() { eval("w." + forbiddenPropertyCrossOrigin); }, "Accessing property '" + forbiddenPropertyCrossOrigin + "' on Window should throw"); >+ let desc = Object.getOwnPropertyDescriptor(window, forbiddenPropertyCrossOrigin); >+ if (desc && desc.value) >+ assert_throws("SecurityError", function() { desc.value.call(w); }, "Calling function '" + forbiddenPropertyCrossOrigin + "' on Window should throw (using getter from other window)"); >+ else if (desc && desc.get) >+ assert_throws("SecurityError", function() { desc.get.call(w); }, "Accessing property '" + forbiddenPropertyCrossOrigin + "' on Window should throw (using getter from other window)"); >+ } >+ assert_throws("SecurityError", function() { w.foo = 1; }, "Setting an expando property should throw"); >+ >+ if (headerValue == "deny" || headerValue == "allow-postmessage") { >+ for (let crossOriginPropertyName of crossOriginPropertyNames) { >+ if (headerValue == "allow-postmessage" && crossOriginPropertyName == "postMessage") { >+ assert_not_throwing(function() { w[crossOriginPropertyName]; }, "Accessing property '" + crossOriginPropertyName +"' on Window should not throw"); >+ } else { >+ assert_throws("SecurityError", function() { w[crossOriginPropertyName]; }, "Accessing '" + crossOriginPropertyName + "' property"); >+ >+ let desc = Object.getOwnPropertyDescriptor(window, crossOriginPropertyName); >+ if (desc && desc.value) >+ assert_throws("SecurityError", function() { desc.value.call(w); }, "Calling function '" + crossOriginPropertyName + "' on Window should throw (using getter from 
other window)"); >+ else if (desc && desc.get) >+ assert_throws("SecurityError", function() { desc.get.call(w); }, "Accessing property '" + crossOriginPropertyName + "' on Window should throw (using getter from other window)"); >+ } >+ } >+ if (headerValue == "allow-postmessage") { >+ assert_not_throwing(function() { w.postMessage('test', '*'); }, "Calling postMessage() on Window should not throw"); >+ assert_not_throwing(function() { Object.getOwnPropertyDescriptor(window, 'postMessage').value.call(w, 'test', '*'); }, "Calling postMessage() on Window should not throw (using getter from other window)"); >+ } >+ >+ assert_array_equals(Object.getOwnPropertyNames(w).sort(), headerValue == "allow-postmessage" ? ['postMessage'] : [], "Object.getOwnPropertyNames()"); >+ >+ return; >+ } >+ >+ assert_array_equals(Object.getOwnPropertyNames(w).sort(), crossOriginPropertyNames.sort(), "Object.getOwnPropertyNames()"); >+ checkCrossOriginPropertiesAccess(w); >+} >diff --git a/LayoutTests/platform/wk2/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt b/LayoutTests/platform/wk2/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt >deleted file mode 100644 >index df4ff4ef44d67d2ddca5a3314755bfadb892b2bf..0000000000000000000000000000000000000000 >--- a/LayoutTests/platform/wk2/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt >+++ /dev/null 
>@@ -1,35 +0,0 @@ >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. 
>- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. 
>- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. >- >-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. 
>- >- >-PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>) >-PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>) >-PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>) >-PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >-PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >-PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>) >-PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName) >-PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName) >-PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>) >- >diff --git a/LayoutTests/platform/wk2/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target-expected.txt b/LayoutTests/platform/wk2/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bbb2a907e75a6f4a0ebbf227cdafa12664fffaca >--- /dev/null >+++ b/LayoutTests/platform/wk2/http/wpt/cross-origin-window-policy/navigation-from-subframe-via-anchor-target-expected.txt 
>@@ -0,0 +1,35 @@ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Window-Policy header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Window-Policy header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Window-Policy header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-window-policy/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-window-policy/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Window-Policy header. 
>+ >+ >+PASS 'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Window-Policy: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Window-Policy: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Window-Policy: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>) >+
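Review bot: In resources/navigate-parent-via-anchor.html, the onload handler line `testAnchor.target= params.get('target')` lacks the terminating semicolon and the space before `=` that the neighbouring lines have, and it reaches the anchor through the implicit `testAnchor` named-element global. Suggest resolving the element once with `document.getElementById("testAnchor")` and ending the statement properly. `params.get('target')` returns null when the query parameter is missing, so a short check there would make a mis-built test URL fail visibly instead of navigating to an unintended target.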
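Review bot: In resources/navigation-from-subframe-frame.py, `request.GET['target']` is substituted through `%s` directly into a JavaScript string literal in the response body, and `request.GET['value']` is copied unchanged into the Cross-Origin-Window-Policy response header, with neither value checked. The expected output in this patch only exercises `deny`, `allow-postmessage` and `allow` with targets `_top`, `_parent`, `foo1` and `foo2`, so the handler could validate against those sets, or at least carry a comment stating that it reflects its parameters on purpose and is a test-only resource. The trailing `,]` at the end of the headers list is also worth tidying.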
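Review bot: In resources/serve-cross-origin-window-policy-header.py, the load handler wraps `ownerWindow.postMessage("READY", "*")` in `catch (e) { }` with no comment, so any exception is silently discarded. Please document which case is expected to throw here, since a swallowed failure leaves the opener waiting for a "READY" message that never arrives and the test would then fail as a timeout rather than with a useful message. The handler also copies `request.GET['value']` into the response header without checking it, the same pattern as in navigation-from-subframe-frame.py.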
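Review bot: In resources/utils.js, checkCrossOriginPropertiesAccess passes failure messages that contradict the assertion they belong to: the three assert_not_throwing calls for `w.blur()`, `w.focus()` and `w.postMessage('test', '*')` all say "... on Window should should throw", with a doubled "should" and the wrong polarity. These strings are what appears when the check fails, so they should read "should not throw". Two smaller points in the same file: testCrossOriginOption still carries the old header's name after the rename, and `eval("w." + forbiddenPropertyCrossOrigin)` can be written as `w[forbiddenPropertyCrossOrigin]`, which is how the loop over crossOriginPropertyNames already accesses properties.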
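Review bot: In the new platform/wk2 navigation-from-subframe-via-anchor-target-expected.txt, the `deny` and `allow-postmessage` windowName cases end with "(using <a target=windowName)" while the `allow` case ends with "(using <a target=windowName>)". The deleted cross-origin-options expectation has the same mismatch, so it was carried over from the test's description strings. Since every expectation is being regenerated for the rename anyway, this is a good moment to add the missing `>` in the test and rebaseline, so the three windowName subtests are named consistently.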