Remove uuid-in-package navigation with Web Bundles

This removes the support for the opaque origin iframes with WebBundles
using uuid-in-package: URL resources
(https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading-opaque-origin-iframes.md).

Intent to Deprecate and Remove:
https://groups.google.com/a/chromium.org/g/blink-dev/c/iyhes6tMz2Y

Bug: 1447452
Change-Id: I484594209b216cfe2427a8ca9a3f87cc134af161
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4428820
Reviewed-by: Hayato Ito <[email protected]>
Commit-Queue: Kunihiko Sakamoto <[email protected]>
Reviewed-by: Reilly Grant <[email protected]>
Reviewed-by: Dominick Ng <[email protected]>
Reviewed-by: Rakina Zata Amni <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1149461}

web-bundle/subresource-loading/coep.https.tentative.html

@@ -32,10 +32,7 @@
       "resources": [
         "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
         "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
-        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
-        "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
-        "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
-        "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
+        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js"
       ]
     }
   </script>
@@ -64,11 +61,6 @@
 
     const prefix =
       "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/";
-    const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
-    const corp_same_origin_url =
-      "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
-    const corp_cross_origin_url =
-      "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";
 
     promise_test(async () => {
       const report = await expectCOEPReport(async () => {
@@ -88,40 +80,5 @@
       await addScriptAndWaitForExecution(prefix + "corp-cross-origin.js");
     }, "Cross-origin subresource with Cross-Origin-Resource-Policy: cross-origin should be loaded.");
 
-    promise_test(async () => {
-      const report = await expectCOEPReport(async () => {
-        const iframe = document.createElement("iframe");
-        iframe.src = no_corp_url;
-        document.body.appendChild(iframe);
-      });
-
-      assert_equals(report.body.blockedURL, no_corp_url);
-      assert_equals(report.body.type, "corp");
-      assert_equals(report.body.disposition, "enforce");
-      assert_equals(report.body.destination, "iframe");
-    }, "uuid-in-package iframe without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");
-
-    promise_test(async () => {
-      const report = await expectCOEPReport(async () => {
-        const iframe = document.createElement("iframe");
-        iframe.src = corp_same_origin_url;
-        document.body.appendChild(iframe);
-      });
-
-      assert_equals(report.body.blockedURL, corp_same_origin_url);
-      assert_equals(report.body.type, "corp");
-      assert_equals(report.body.disposition, "enforce");
-      assert_equals(report.body.destination, "iframe");
-    }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: same-origin should be blocked and generate a report.");
-
-    promise_test(async () => {
-      const iframe = document.createElement("iframe");
-      iframe.src = corp_cross_origin_url;
-      await addElementAndWaitForLoad(iframe);
-      assert_equals(
-        await evalInIframe(iframe, "location.href"),
-        corp_cross_origin_url
-      );
-    }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: cross-origin should not be blocked.");
   </script>
 </body>

web-bundle/subresource-loading/corp.https.tentative.html

@@ -32,10 +32,7 @@
       "resources": [
         "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
         "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
-        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
-        "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
-        "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
-        "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
+        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js"
       ]
     }
   </script>
@@ -52,22 +49,5 @@
       await addScriptAndWaitForExecution(prefix + "corp-cross-origin.js");
     }, "Subresource loading from WebBundles should respect Cross-Origin-Resource-Policy header.");
 
-    promise_test(async () => {
-      const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
-      const corp_same_origin_url =
-        "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
-      const corp_cross_origin_url =
-        "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";
-      await iframeLocationTest(no_corp_url);
-      await iframeLocationTest(corp_same_origin_url);
-      await iframeLocationTest(corp_cross_origin_url);
-    }, "uuid-in-package iframes should not be blocked regardless of the Cross-Origin-Resource-Policy header, if Cross-Origin-Embedder-Policy is not set.");
-
-    async function iframeLocationTest(url) {
-      const iframe = document.createElement("iframe");
-      iframe.src = url;
-      await addElementAndWaitForLoad(iframe);
-      assert_equals(await evalInIframe(iframe, "location.href"), url);
-    }
   </script>
 </body>

web-bundle/subresource-loading/csp-allowed.https.tentative.html

@@ -13,9 +13,7 @@
       https://web-platform.test:8444/resources/testharnessreport.js
       'unsafe-inline';
     img-src
-      https://web-platform.test:8444/web-bundle/resources/wbn/pass.png;
-    frame-src
-      https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn"
+      https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"
 />
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
@@ -29,8 +27,7 @@
   <script type="webbundle">
     {
       "source": "../resources/wbn/uuid-in-package.wbn",
-      "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720",
-                    "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae"
+      "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"
       ]
     }
   </script>
@@ -59,31 +56,5 @@
     }, "URL matching of script-src CSP should be done based on the bundle URL " +
        "when the subresource URL is uuid-in-package: URL.");
 
-    promise_test(async () => {
-      const frame_url = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae";
-      const iframe = document.createElement("iframe");
-      iframe.src = frame_url;
-      const load_promise = new Promise((resolve) => {
-        iframe.addEventListener("load", resolve);
-      });
-      document.body.appendChild(iframe);
-      await load_promise;
-      assert_equals(await evalInIframe(iframe, "location.href"), frame_url);
-    }, "URL matching of frame-src CSP should be done based on the bundle URL " +
-       "when the frame URL is uuid-in-package: URL.");
-
-    async function evalInIframe(iframe, code) {
-      const message_promise = new Promise((resolve) => {
-        window.addEventListener(
-          "message",
-          (e) => {
-            resolve(e.data);
-          },
-          { once: true }
-        );
-      });
-      iframe.contentWindow.postMessage(code, "*");
-      return message_promise;
-    }
   </script>
 </body>

web-bundle/subresource-loading/csp-blocked.https.tentative.html

@@ -14,8 +14,6 @@
       'unsafe-inline';
     img-src
       https://web-platform.test:8444/web-bundle/resources/wbn/subresource.wbn;
-    frame-src
-      urn:;
     report-to
       csp-group"
 />
@@ -31,8 +29,7 @@
   <script type="webbundle">
     {
       "source": "../resources/wbn/uuid-in-package.wbn",
-      "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720",
-                    "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae"]
+      "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"]
     }
   </script>
   <script>
@@ -108,33 +105,6 @@
         assert_equals(e.violatedDirective, "script-src-elem");
       }, "URL matching of script-src CSP should be done based on the bundle URL " +
          `when the subresource URL is ${params.prefix} URL.`);
-
-      promise_test(async () => {
-        const urn_uuid = params.prefix + "429fcc4e-0696-4bad-b099-ee9175f023ae";
-        const p = expect_violation();
-        const iframe = document.createElement("iframe");
-        iframe.src = urn_uuid;
-        const load_promise = new Promise((resolve) => {
-          iframe.addEventListener("load", resolve);
-        });
-        document.body.appendChild(iframe);
-        const e = await p;
-        // Currently Chromium is reporting the bundle URL.
-        // TODO(crbug.com/1208659): Consider deeper integration with CSP for
-        // providing the both URLs.
-        assert_equals(e.blockedURI, params.bundle_url);
-        assert_equals(e.violatedDirective, "frame-src");
-
-        // Make sure that the blocked iframe load is finished.
-        await load_promise;
-
-        // The blocked iframe is cross-origin. So accessing
-        // iframe.contentWindow.location should throw a SecurityError.
-        assert_throws_dom("SecurityError", () => {
-          iframe.contentWindow.location.href;
-        });
-      }, "URL matching of frame-src CSP should be done based on the bundle URL " +
-         `when the frame URL is ${params.prefix} URL.`);
     }
 
     promise_test(async () => {
@@ -144,19 +114,16 @@
       const reports = await (await fetch(retrieve_report_url)).json();
       sortReportsByEffectiveDirective(reports);
 
-      assert_equals(reports.length, 3, "Report count.");
-
-      assert_equals(reports[0].body.blockedURL, uuid_bundle_url);
-      assert_equals(reports[0].body.effectiveDirective, "frame-src");
+      assert_equals(reports.length, 2, "Report count.");
 
       assert_equals(
-        reports[1].body.blockedURL,
+        reports[0].body.blockedURL,
         "https://web-platform.test:8444/web-bundle/resources/wbn/fail.png"
       );
-      assert_equals(reports[1].body.effectiveDirective, "img-src");
+      assert_equals(reports[0].body.effectiveDirective, "img-src");
 
-      assert_equals(reports[2].body.blockedURL, uuid_bundle_url);
-      assert_equals(reports[2].body.effectiveDirective, "script-src-elem");
+      assert_equals(reports[1].body.blockedURL, uuid_bundle_url);
+      assert_equals(reports[1].body.effectiveDirective, "script-src-elem");
     }, "Check the CSP violation reports.");
   </script>
 </body>

web-bundle/subresource-loading/resource-timing.https.tentative.html

@@ -11,14 +11,12 @@
     });
 
     promise_test(async (t) => {
-      const frame_id = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae";
       const script_id = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
       const element = createWebBundleElement(
         "../resources/wbn/uuid-in-package.wbn",
-        /*resources=*/ [frame_id, script_id]
+        /*resources=*/ [script_id]
       );
       document.body.appendChild(element);
-      let iframe_entries = 0;
       let script_entries = 0;
       // Declare the report_result function as outputting into stderr
       // because it is used in the WebBundle script to report the script load.
@@ -33,19 +31,15 @@
                 continue;
               }
 
-              if (entries[i].name === frame_id) ++iframe_entries;
               if (entries[i].name === script_id) ++script_entries;
             }
-            if (iframe_entries == 1 && script_entries == 1) {
+            if (script_entries == 1) {
               resolve();
             }
           })
         ).observe({ entryTypes: ["resource"] });
       });
-      // Add iframe and the script so we get the ResourceTiming
-      const iframe = document.createElement("iframe");
-      iframe.src = frame_id;
-      document.body.appendChild(iframe);
+      // Add the script so we get the ResourceTiming
       const script = document.createElement("script");
       script.src = script_id;
       document.body.appendChild(script);

web-bundle/subresource-loading/service-worker-controlled.https.tentative.html

@@ -73,12 +73,11 @@
       assert_array_equals(await getRequestedUrls(worker), [iframe_url]);
 
       // Add a web bundle element in the service worker controlled iframe.
-      const frame_id = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae";
       const script_id = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
 
       const element = createWebBundleElement(
         "../../resources/wbn/uuid-in-package.wbn",
-        /*resources=*/ [frame_id, script_id]
+        /*resources=*/ [script_id]
       );
 
       const element_load_promise = new Promise((resolve) => {
@@ -105,34 +104,6 @@
       // service worker.
       assert_array_equals(await getRequestedUrls(worker), []);
 
-      // Add a uuid-in-package URL iframe element in the service worker controlled
-      // iframe.
-      const inner_iframe = iframe.contentDocument.createElement("iframe");
-      inner_iframe.src = frame_id;
-      const load_promise = new Promise((resolve) => {
-        inner_iframe.addEventListener("load", () => {
-          resolve();
-        });
-      });
-      iframe.contentDocument.body.appendChild(inner_iframe);
-      await load_promise;
-      // The urn uuld URL iframe request should not intercepted by the service
-      // worker.
-      assert_array_equals(await getRequestedUrls(worker), []);
-
-      // Check if the uuid-in-package URL iframe element is loaded correctly.
-      const message_promise = new Promise((resolve) => {
-        window.addEventListener(
-          "message",
-          (e) => {
-            resolve(e.data);
-          },
-          { once: true }
-        );
-      });
-      // location.href is evaluated in the uuid-in-package URL iframe element.
-      inner_iframe.contentWindow.postMessage("location.href", "*");
-      assert_equals(await message_promise, frame_id);
     }, "Both Web Bundle request and Subresource fetch requests inside the Web " + "Bundle should skip the service worker.");
   </script>
 </body>