From cb06cee910e1807ceec5ed392888952b21fc30c9 Mon Sep 17 00:00:00 2001
From: Kunihiko Sakamoto
Date: Thu, 25 May 2023 17:43:55 -0700
Subject: [PATCH] Remove uuid-in-package navigation with Web Bundles

This removes the support for the opaque origin iframes with WebBundles using uuid-in-package: URL resources (https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading-opaque-origin-iframes.md).

Intent to Deprecate and Remove: https://groups.google.com/a/chromium.org/g/blink-dev/c/iyhes6tMz2Y

Bug: 1447452
Change-Id: I484594209b216cfe2427a8ca9a3f87cc134af161
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4428820
Reviewed-by: Hayato Ito
Commit-Queue: Kunihiko Sakamoto
Reviewed-by: Reilly Grant
Reviewed-by: Dominick Ng
Reviewed-by: Rakina Zata Amni
Cr-Commit-Position: refs/heads/main@{#1149461}
---
 .../coep.https.tentative.html | 45 +-----
 .../corp.https.tentative.html | 22 +--
 .../csp-allowed.https.tentative.html | 33 +----
 .../csp-blocked.https.tentative.html | 45 +-----
 .../resource-timing.https.tentative.html | 12 +-
 ...ice-worker-controlled.https.tentative.html | 31 +---
 ...frame-from-web-bundle.https.tentative.html | 134 ------------------
 7 files changed, 14 insertions(+), 308 deletions(-)
 delete mode 100644 web-bundle/subresource-loading/subframe-from-web-bundle.https.tentative.html

diff --git a/web-bundle/subresource-loading/coep.https.tentative.html b/web-bundle/subresource-loading/coep.https.tentative.html
index 4029fc6f815eb9..5e48cb73524aac 100644
--- a/web-bundle/subresource-loading/coep.https.tentative.html
+++ b/web-bundle/subresource-loading/coep.https.tentative.html
@@ -32,10 +32,7 @@
 "resources": [
 "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
 "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
- "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
- "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
- "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
- "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js"
 ]
 }
@@ -64,11 +61,6 @@
 const prefix = "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/";
- const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
- const corp_same_origin_url =
- "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
- const corp_cross_origin_url =
- "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";
 promise_test(async () => {
 const report = await expectCOEPReport(async () => {
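Review bot: The three `uuid-in-package:` ids leave the `resources` scope list in the first hunk, but the diffstat touches only the seven HTML files, so the bundle these tests load presumably still packs the frame resources and they are now simply unreferenced. I would record that next to `const prefix` in the second hunk with a comment such as `// The bundle still contains uuid-in-package: frame resources; they are left out of scope on purpose because iframe navigation to them was removed.`, or regenerate the fixture without them in a follow-up. The same applies to the `resources` list in corp.https.tentative.html and to the `[script_id]` arguments in resource-timing and service-worker-controlled, where `uuid-in-package.wbn` is still loaded. The script block around `const prefix` starts and ends outside the hunk.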
@@ -88,40 +80,5 @@
 await addScriptAndWaitForExecution(prefix + "corp-cross-origin.js");
 }, "Cross-origin subresource with Cross-Origin-Resource-Policy: cross-origin should be loaded.");
- promise_test(async () => {
- const report = await expectCOEPReport(async () => {
- const iframe = document.createElement("iframe");
- iframe.src = no_corp_url;
- document.body.appendChild(iframe);
- });
-
- assert_equals(report.body.blockedURL, no_corp_url);
- assert_equals(report.body.type, "corp");
- assert_equals(report.body.disposition, "enforce");
- assert_equals(report.body.destination, "iframe");
- }, "uuid-in-package iframe without Cross-Origin-Resource-Policy: header should be blocked and generate a report.");
-
- promise_test(async () => {
- const report = await expectCOEPReport(async () => {
- const iframe = document.createElement("iframe");
- iframe.src = corp_same_origin_url;
- document.body.appendChild(iframe);
- });
-
- assert_equals(report.body.blockedURL, corp_same_origin_url);
- assert_equals(report.body.type, "corp");
- assert_equals(report.body.disposition, "enforce");
- assert_equals(report.body.destination, "iframe");
- }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: same-origin should be blocked and generate a report.");
-
- promise_test(async () => {
- const iframe = document.createElement("iframe");
- iframe.src = corp_cross_origin_url;
- await addElementAndWaitForLoad(iframe);
- assert_equals(
- await evalInIframe(iframe, "location.href"),
- corp_cross_origin_url
- );
- }, "uuid-in-package iframe with Cross-Origin-Resource-Policy: cross-origin should not be blocked.");
diff --git a/web-bundle/subresource-loading/corp.https.tentative.html b/web-bundle/subresource-loading/corp.https.tentative.html
index ce18544b0bd8ee..3c46de6c76890a 100644
--- a/web-bundle/subresource-loading/corp.https.tentative.html
+++ b/web-bundle/subresource-loading/corp.https.tentative.html
@@ -32,10 +32,7 @@
 "resources": [
 "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/no-corp.js",
 "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-same-origin.js",
- "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js",
- "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93",
- "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34",
- "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7"
+ "https://www1.web-platform.test:8444/web-bundle/resources/wbn/cors/corp-cross-origin.js"
 ]
 }
@@ -52,22 +49,5 @@
 await addScriptAndWaitForExecution(prefix + "corp-cross-origin.js");
 }, "Subresource loading from WebBundles should respect Cross-Origin-Resource-Policy header.");
- promise_test(async () => {
- const no_corp_url = "uuid-in-package:5eafff38-e0a0-4661-bde0-434255aa9d93";
- const corp_same_origin_url =
- "uuid-in-package:7e13b47a-8b91-4a0e-997c-993a5e2f3a34";
- const corp_cross_origin_url =
- "uuid-in-package:86d5b696-8867-4454-8b07-51239a0817f7";
- await iframeLocationTest(no_corp_url);
- await iframeLocationTest(corp_same_origin_url);
- await iframeLocationTest(corp_cross_origin_url);
- }, "uuid-in-package iframes should not be blocked regardless of the Cross-Origin-Resource-Policy header, if Cross-Origin-Embedder-Policy is not set.");
-
- async function iframeLocationTest(url) {
- const iframe = document.createElement("iframe");
- iframe.src = url;
- await addElementAndWaitForLoad(iframe);
- assert_equals(await evalInIframe(iframe, "location.href"), url);
- }
diff --git a/web-bundle/subresource-loading/csp-allowed.https.tentative.html b/web-bundle/subresource-loading/csp-allowed.https.tentative.html
index 55498eaa4e50fd..890a5ba5bc999d 100644
--- a/web-bundle/subresource-loading/csp-allowed.https.tentative.html
+++ b/web-bundle/subresource-loading/csp-allowed.https.tentative.html
@@ -13,9 +13,7 @@
 https://web-platform.test:8444/resources/testharnessreport.js
 'unsafe-inline';
 img-src
- https://web-platform.test:8444/web-bundle/resources/wbn/pass.png;
- frame-src
- https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn"
+ https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"
 />
@@ -29,8 +27,7 @@
@@ -59,31 +56,5 @@
 }, "URL matching of script-src CSP should be done based on the bundle URL " +
 "when the subresource URL is uuid-in-package: URL.");
- promise_test(async () => {
- const frame_url = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae";
- const iframe = document.createElement("iframe");
- iframe.src = frame_url;
- const load_promise = new Promise((resolve) => {
- iframe.addEventListener("load", resolve);
- });
- document.body.appendChild(iframe);
- await load_promise;
- assert_equals(await evalInIframe(iframe, "location.href"), frame_url);
- }, "URL matching of frame-src CSP should be done based on the bundle URL " +
- "when the frame URL is uuid-in-package: URL.");
-
- async function evalInIframe(iframe, code) {
- const message_promise = new Promise((resolve) => {
- window.addEventListener(
- "message",
- (e) => {
- resolve(e.data);
- },
- { once: true }
- );
- });
- iframe.contentWindow.postMessage(code, "*");
- return message_promise;
- }
diff --git a/web-bundle/subresource-loading/csp-blocked.https.tentative.html b/web-bundle/subresource-loading/csp-blocked.https.tentative.html
index 6700533b58cad6..6e5e82d5399cf1 100644
--- a/web-bundle/subresource-loading/csp-blocked.https.tentative.html
+++ b/web-bundle/subresource-loading/csp-blocked.https.tentative.html
@@ -14,8 +14,6 @@
 'unsafe-inline';
 img-src
 https://web-platform.test:8444/web-bundle/resources/wbn/subresource.wbn;
- frame-src
- urn:;
 report-to csp-group"
 />
@@ -31,8 +29,7 @@
diff --git a/web-bundle/subresource-loading/resource-timing.https.tentative.html b/web-bundle/subresource-loading/resource-timing.https.tentative.html
index a2fe38de0f6206..c486cf1711fcf2 100644
--- a/web-bundle/subresource-loading/resource-timing.https.tentative.html
+++ b/web-bundle/subresource-loading/resource-timing.https.tentative.html
@@ -11,14 +11,12 @@
 });
 promise_test(async (t) => {
- const frame_id = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae";
 const script_id = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
 const element = createWebBundleElement(
 "../resources/wbn/uuid-in-package.wbn",
- /*resources=*/ [frame_id, script_id]
+ /*resources=*/ [script_id]
 );
 document.body.appendChild(element);
- let iframe_entries = 0;
 let script_entries = 0;
 // Declare the report_result function as outputting into stderr
 // because it is used in the WebBundle script to report the script load.
@@ -33,19 +31,15 @@
 continue;
 }
- if (entries[i].name === frame_id) ++iframe_entries;
 if (entries[i].name === script_id) ++script_entries;
 }
- if (iframe_entries == 1 && script_entries == 1) {
+ if (script_entries == 1) {
 resolve();
 }
 })
 ).observe({ entryTypes: ["resource"] });
 });
- // Add iframe and the script so we get the ResourceTiming
- const iframe = document.createElement("iframe");
- iframe.src = frame_id;
- document.body.appendChild(iframe);
+ // Add the script so we get the ResourceTiming
 const script = document.createElement("script");
 script.src = script_id;
 document.body.appendChild(script);
diff --git a/web-bundle/subresource-loading/service-worker-controlled.https.tentative.html b/web-bundle/subresource-loading/service-worker-controlled.https.tentative.html
index d5c2a06837163d..b2e9abe5be3491 100644
--- a/web-bundle/subresource-loading/service-worker-controlled.https.tentative.html
+++ b/web-bundle/subresource-loading/service-worker-controlled.https.tentative.html
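Review bot: The rewritten completion check in the second resource-timing hunk, `if (script_entries == 1) {`, keeps loose equality although the counting line just above it compares with `===`; since the line is being rewritten anyway I would make it `if (script_entries === 1) {`. The comparison is also exact, so if one observer batch ever carried two entries for `script_id` the counter would skip past 1 and the promise would not resolve, which would surface as a harness timeout rather than a readable failure. That behaviour predates this change, but a short comment such as `// Exactly one entry is expected; a duplicate shows up as a timeout.` would document it. The observer callback begins outside the hunk, so how `entries` is gathered is not visible here.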
@@ -73,12 +73,11 @@
 assert_array_equals(await getRequestedUrls(worker), [iframe_url]);
 // Add a web bundle element in the service worker controlled iframe.
- const frame_id = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae";
 const script_id = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
 const element = createWebBundleElement(
 "../../resources/wbn/uuid-in-package.wbn",
- /*resources=*/ [frame_id, script_id]
+ /*resources=*/ [script_id]
 );
 const element_load_promise = new Promise((resolve) => {
@@ -105,34 +104,6 @@
 // service worker.
 assert_array_equals(await getRequestedUrls(worker), []);
- // Add a uuid-in-package URL iframe element in the service worker controlled
- // iframe.
- const inner_iframe = iframe.contentDocument.createElement("iframe");
- inner_iframe.src = frame_id;
- const load_promise = new Promise((resolve) => {
- inner_iframe.addEventListener("load", () => {
- resolve();
- });
- });
- iframe.contentDocument.body.appendChild(inner_iframe);
- await load_promise;
- // The urn uuld URL iframe request should not intercepted by the service
- // worker.
- assert_array_equals(await getRequestedUrls(worker), []);
-
- // Check if the uuid-in-package URL iframe element is loaded correctly.
- const message_promise = new Promise((resolve) => {
- window.addEventListener(
- "message",
- (e) => {
- resolve(e.data);
- },
- { once: true }
- );
- });
- // location.href is evaluated in the uuid-in-package URL iframe element.
- inner_iframe.contentWindow.postMessage("location.href", "*");
- assert_equals(await message_promise, frame_id);
 }, "Both Web Bundle request and Subresource fetch requests inside the Web " +
 "Bundle should skip the service worker.");
diff --git a/web-bundle/subresource-loading/subframe-from-web-bundle.https.tentative.html b/web-bundle/subresource-loading/subframe-from-web-bundle.https.tentative.html
deleted file mode 100644
index 9e08ccdd29c43a..00000000000000
--- a/web-bundle/subresource-loading/subframe-from-web-bundle.https.tentative.html
+++ /dev/null
@@ -1,134 +0,0 @@
-
-Subframe loading from Web Bundles
-
-
-
-
-
-
-