[shared storage] Support cross-origin worklet

For the sharedStorage.createWorklet() API, relax the same-origin restriction to additionally allow cross-origin script, in which case a cross-origin worklet will be created. How: - Rely on CORS for the worklet to be created/used by the embedder. - In general, we want to mimic the subframe's process allocation behavior (i.e. it should end up using a process as if an iframe is created with the script URL). It first checks to see whether we can reuse the worklet's creator frame's SiteInstance. If so, use it. Otherwise, leverage the process allocation and management logic from service workers and re-use SiteInstanceImpl::CreateForServiceWorker(). To keep this CL focused, the refactoring will occur in a separate CL, as it will involve refactoring other downstream components like 'UnmatchedServiceWorkerProcessTracker'. Explainer: WICG/shared-storage#130 Spec: WICG/shared-storage#131 Design doc: https://docs.google.com/document/d/1QTaaroCMeFVZVghI6JkUcDvmDQEacjvpyTfk6mpvQhA/edit?usp=sharing Bug: 325302836 Change-Id: I11c1fc87bc76f4400c54d9fa809349d1d1781247
web-platform-tests · Feb 15, 2024 · 3c782b8 · 3c782b8
1 parent efc2d1f
commit 3c782b8
Show file tree

Hide file tree

Showing 6 changed files with 178 additions and 0 deletions.
diff --git a/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html b/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
@@ -0,0 +1,39 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async () => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
+                         `?name=key0` +
+                         `&path=/shared-storage/`;
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&token=${ancestor_key}`;
+
+  await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
+
+  const worklet = await sharedStorage.createWorklet(
+    helper_url + `&action=store-cookie`,
+    { credentials: "include" });
+
+  const request_cookie_fetch_response =
+    await fetch(helper_url + `&action=get-cookie`);
+
+  const request_cookie_text = await request_cookie_fetch_response.text();
+
+  assert_equals(request_cookie_text, "key0=1");
+}, 'createWorklet() with cross-origin module script and credentials "include"');
+
+</script>
+</body>
diff --git a/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html b/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
@@ -0,0 +1,38 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async () => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
+                         `?name=key0` +
+                         `&path=/shared-storage/`;
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&token=${ancestor_key}`;
+
+  await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
+
+  const worklet = await sharedStorage.createWorklet(
+    helper_url + `&action=store-cookie`,
+    { credentials: "omit" });
+
+  const request_cookie_fetch_response =
+    await fetch(helper_url + `&action=get-cookie`);
+
+  const request_cookie_text = await request_cookie_fetch_response.text();
+
+  assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
+}, 'createWorklet() with cross-origin module script and credentials "omit"');
+
+</script>
+</body>
diff --git a/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html b/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
@@ -0,0 +1,38 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async () => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
+                         `?name=key0` +
+                         `&path=/shared-storage/`;
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&token=${ancestor_key}`;
+
+  await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
+
+  const worklet = await sharedStorage.createWorklet(
+    helper_url + `&action=store-cookie`,
+    { credentials: "same-origin" });
+
+  const request_cookie_fetch_response =
+    await fetch(helper_url + `&action=get-cookie`);
+
+  const request_cookie_text = await request_cookie_fetch_response.text();
+
+  assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
+}, 'createWorklet() with cross-origin module script and credentials "same-origin"');
+
+</script>
+</body>
diff --git a/...-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html b/...-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
@@ -0,0 +1,29 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" }));
+}, 'createWorklet() with cross-origin module script and credentials ' +
+   '"include", and without the Access-Control-Allow-Credentials response ' +
+   'header');
+
+</script>
+</body>
diff --git a/...rigin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html b/...rigin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html
@@ -0,0 +1,28 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" }));
+}, 'createWorklet() with cross-origin module script and credentials ' +
+   '"include", and without the Access-Control-Allow-Origin response header');
+
+</script>
+</body>
diff --git a/shared-storage/resources/credentials-test-helper.py b/shared-storage/resources/credentials-test-helper.py
@@ -13,6 +13,12 @@ def main(request, response):
     response.status = 200
     response.headers.append(b"Content-Type", b"text/javascript")
 
+    if b"access_control_allow_credentials_header" in request.GET:
+      response.headers.append(b"Access-Control-Allow-Credentials", request.GET[b"access_control_allow_credentials_header"])
+
+    if b"access_control_allow_origin_header" in request.GET:
+      response.headers.append(b"Access-Control-Allow-Origin", request.GET[b"access_control_allow_origin_header"])
+
     if action == b"store-cookie":
       cookie = request.headers.get(b"Cookie", b"NO_COOKIE_HEADER")
       request.server.stash.put(token, cookie)