Use (site, site) for SAA grants

This updates storage-access permissions to apply on an (embedded site, top-level site) scope as detailed in privacycg/storage-access#159. For adding WPT tests, I patched up the web_test_permission_manager to special-case the storage-access permission to (site, site) scope. I kept things intentionally simple for now but we could consider abstracting out the scope into a "permission key" concept in that file, as it is done in the permissions spec now. There's follow-up work here to make this (and the existing top-level site scope) sync up with the scope that is defined in content settings, see https://crbug.com/1422971 Bug: 1418470 Change-Id: I316f682d24d962f79fcac332365790bca383c6ee
web-platform-tests · Mar 21, 2023 · d126995 · d126995
1 parent 3f91ec4
commit d126995
Showing 1 changed file with 23 additions and 4 deletions.
diff --git a/storage-access-api/storage-access-permission.sub.https.window.js b/storage-access-api/storage-access-permission.sub.https.window.js
@@ -4,16 +4,17 @@
 'use strict';
 
 (async function() {
-  // This is cross-domain from the current document.
+  // These are cross-domain from the current document.
   const wwwAlt = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+  const www1Alt = "https://{{hosts[alt][www1]}}:{{ports[https][0]}}";
+  const responder_html = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
 
   if (window === window.top) {
     // Test the interaction between two (same-origin) iframes.
     promise_test(async (t) => {
-      const responder_html = `${wwwAlt}/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js`;
       const [frame1, frame2] = await Promise.all([
-        CreateFrame(responder_html),
-        CreateFrame(responder_html),
+        CreateFrame(wwwAlt + responder_html),
+        CreateFrame(wwwAlt + responder_html),
       ]);
 
       t.add_cleanup(async () => {
@@ -27,6 +28,24 @@
       assert_equals(state, "granted");
     }, "Permissions grants are observable across same-origin iframes");
 
+    // Test the interaction between two cross-origin but same-site iframes.
+    promise_test(async (t) => {
+      const [frame1, frame2] = await Promise.all([
+        CreateFrame(wwwAlt + responder_html),
+        CreateFrame(www1Alt + responder_html),
+      ]);
+
+      t.add_cleanup(async () => {
+        await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'prompt']);
+      });
+
+      const observed = ObservePermissionChange(frame2);
+      await SetPermissionInFrame(frame1, [{ name: 'storage-access' }, 'granted']);
+
+      const state = await observed;
+      assert_equals(state, "granted");
+    }, "Permissions grants are observable across same-site iframes");
+
     promise_test(async (t) => {
       // Finally run the simple tests below in a separate cross-origin iframe.
       await RunTestsInIFrame('https://{{domains[www]}}:{{ports[https][0]}}/storage-access-api/resources/permissions-iframe.https.html');