From cc0dfe900bdc5cd4af74f940d32c6c57b9820777 Mon Sep 17 00:00:00 2001
From: Chris Fredrickson <cfredric@chromium.org>
Date: Fri, 7 Feb 2025 11:33:11 -0800
Subject: [PATCH] [SAA] Add tentative WPTs for stricter Same Origin Policy
 adherence

Spec issue: https://github.com/privacycg/storage-access/issues/210

These tests currently fail in Chrome (due to inability to properly set
storage-access permission state [https://crbug.com/384959114]). But I
hacked around that while developing and ensured that apart from that
issue, these tests work and behave as expected.

Bug: 379030052
Change-Id: Ic97b4af46bdcb5b92f60a724bc7fe2eef3f40598
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6241903
Commit-Queue: Dylan Cutler <dylancutler@google.com>
Auto-Submit: Chris Fredrickson <cfredric@chromium.org>
Reviewed-by: Dylan Cutler <dylancutler@google.com>
Cr-Commit-Position: refs/heads/main@{#1417468}
---
 ...origin-fetch.sub.https.tentative.window.js | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 storage-access-api/requestStorageAccess-cross-origin-fetch.sub.https.tentative.window.js

diff --git a/storage-access-api/requestStorageAccess-cross-origin-fetch.sub.https.tentative.window.js b/storage-access-api/requestStorageAccess-cross-origin-fetch.sub.https.tentative.window.js
new file mode 100644
index 00000000000000..21592a9225f646
--- /dev/null
+++ b/storage-access-api/requestStorageAccess-cross-origin-fetch.sub.https.tentative.window.js
@@ -0,0 +1,79 @@
+// META: script=helpers.js
+// META: script=/cookies/resources/cookie-helper.sub.js
+// META: script=/resources/testdriver.js
+// META: script=/resources/testdriver-vendor.js
+'use strict';
+
+(async function() {
+  // These are cross-site from the current document.
+  const altWww = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+  const altRoot = "https://{{hosts[alt][]}}:{{ports[https][0]}}";
+  const responderPath = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
+
+  const altRootResponder = `${altRoot}${responderPath}`;
+  const domainCookieString = "cookie=unpartitioned;Secure;SameSite=None;Path=/;Domain={{hosts[alt][]}}";
+
+  async function SetUpResponderFrame(t, url) {
+    const frame = await CreateFrame(url);
+
+    await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'granted']);
+    t.add_cleanup(async () => {
+      await test_driver.delete_all_cookies();
+      await SetPermissionInFrame(frame, [{ name: 'storage-access' }, 'prompt']);
+    });
+
+    return frame;
+  }
+
+  promise_test(async (t) => {
+    const frame = await SetUpResponderFrame(t, altRootResponder);
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+
+    const initiallyHasCookieAccess =
+      cookieStringHasCookie("cookie", "unpartitioned",
+        await FetchSubresourceCookiesFromFrame(frame, altWww));
+    if (initiallyHasCookieAccess) {
+      // Nothing to test here; third-party cookies are already accessible.
+      return;
+    }
+
+    assert_true(await RequestStorageAccessInFrame(frame), "requestStorageAccess resolves without requiring a gesture.");
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after request.");
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+    assert_true(await HasUnpartitionedCookie(frame), "frame has access to cookies after request.");
+
+    // The frame's origin is hosts[alt][], so hosts[alt][www] is same-site but
+    // cross-origin to it.
+    assert_false(
+        cookieStringHasCookie("cookie", "unpartitioned",
+          await FetchSubresourceCookiesFromFrame(frame, altWww)),
+        "same-site cross-origin fetch is not credentialed");
+  }, "Cross-origin fetches from a frame with storage-access are not credentialed by default");
+
+  promise_test(async (t) => {
+    const frame = await SetUpResponderFrame(t, altRootResponder);
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+
+    const initiallyHasCookieAccess =
+      cookieStringHasCookie("cookie", "unpartitioned",
+        await FetchSubresourceCookiesFromFrame(frame, altWww));
+    if (initiallyHasCookieAccess) {
+      // Nothing to test here; third-party cookies are already accessible.
+      return;
+    }
+
+    assert_true(await RequestStorageAccessInFrame(frame), "requestStorageAccess resolves without requiring a gesture.");
+    assert_true(await FrameHasStorageAccess(frame), "frame has storage access after request.");
+    await SetDocumentCookieFromFrame(frame, domainCookieString);
+    assert_true(await HasUnpartitionedCookie(frame), "frame has access to cookies after request.");
+
+    // The frame's origin is hosts[alt][], so hosts[alt][www] is same-site but
+    // cross-origin to it.
+    const cross_origin_redirect = `${altRoot}/common/redirect.py?location=${altWww}/storage-access-api/resources/echo-cookie-header.py`;
+    assert_false(
+        cookieStringHasCookie("cookie", "unpartitioned",
+          await FetchFromFrame(frame, cross_origin_redirect)),
+        "fetch is not credentialed after a cross-origin redirect");
+  }, "Cross-origin HTTP redirects from a frame with storage-access are not credentialed by default");
+
+})();