Google Git
Sign in
chromium / external / w3c / web-platform-tests / refs/tags/merge_pr_43125
commit458d51295af838f04608bda0dc912aaf88bc1de3[log] [tgz]
authorLiam Brady <lbrady@google.com>Wed Dec 06 20:04:14 2023
committerBlink WPT Bot <blink-w3c-test-autoroller@chromium.org>Wed Dec 06 21:20:51 2023
treee674dc2c6fed3609decf78a1cae6280b6243aaf6
parent8b2ff8f91555ee3cda84ad9bca665d960c4769e7 [diff]
Allow cross-origin subframes to send automatic beacons.

Fenced frames can send out reporting beacons if an event occurs.
However, only same-origin documents are allowed to send automatic
beacons. This restriction is problematic when a subframe from a
third-party ad server is embedded in an ad loaded with a script from
that server. One such use case is when an ad frame embeds a subframe
that loads the actual contents of an ad. This is known as Third-party ad
serving, or 3PAS.

The solution to allow cross-origin subframes to send automatic beacons
involves four parts: subframes will opt in through a header, the main ad
frame will opt in to allow cross-origin subframes to use its automatic
beacon data when sending automatic beacons, the subframe will then be
able to use the automatic beacon data that is stored in its frame tree's
FencedFrameConfig, and the automatic beacon data will be stored
per-document rather than per-fenced frame config.

The opt-in mechanism for the main ad frame's data is a new
"crossOriginExposed" parameter in
`setReportEventDataForAutomaticBeacons()`, which defaults to false.

The opt-in mechanism for the cross-origin subframe is done through a new
"Allow-Fenced-Frame-Automatic-Beacons" response header.

The reason for storing the beacon data per-document is a security one.
With the current setup, a same-origin subframe of an ad frame could set
automatic beacon data, and a different cross-origin subframe could then
use that data. Since those two frames are not direct descendants of each
other, we want to prevent that behavior, and instead only allow
documents to use opted in data set by direct ancestors.

This CL also modifies the automatic beacon web platform tests to
properly handle multiple beacons being sent with the same data. The
automatic beacon store endpoint now accepts a "beacon type" parameter
that is added to the hash when storing/retrieving a beacon. This will
prevent collisions if two beacons with different types are sent with
the same data.

Change-Id: I4af9d7ef34732dcd56c4f6bcf677f48956f7968c
Bug: 1504306
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5018876
Reviewed-by: Dominic Farolino <dom@chromium.org>
Reviewed-by: Garrett Tanzer <gtanzer@chromium.org>
Commit-Queue: Liam Brady <lbrady@google.com>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Alexander Timin <altimin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1234109}
18 files changed
tree: e674dc2c6fed3609decf78a1cae6280b6243aaf6
  1. .github/
  2. .well-known/
  3. accelerometer/
  4. accessibility/
  5. accname/
  6. acid/
  7. ambient-light/
  8. animation-worklet/
  9. annotation-model/
  10. annotation-protocol/
  11. annotation-vocab/
  12. apng/
  13. appmanifest/
  14. attribution-reporting/
  15. audio-output/
  16. autoplay-policy-detection/
  17. avif/
  18. background-fetch/
  19. background-sync/
  20. badging/
  21. battery-status/
  22. beacon/
  23. bluetooth/
  24. browsing-topics/
  25. captured-mouse-events/
  26. clear-site-data/
  27. client-hints/
  28. clipboard-apis/
  29. close-watcher/
  30. common/
  31. compat/
  32. compression/
  33. compute-pressure/
  34. conformance-checkers/
  35. console/
  36. contacts/
  37. content-dpr/
  38. content-index/
  39. content-security-policy/
  40. contenteditable/
  41. cookie-deprecation-label/
  42. cookie-store/
  43. cookies/
  44. core-aam/
  45. cors/
  46. credential-management/
  47. css/
  48. custom-elements/
  49. custom-state-pseudo-class/
  50. delegated-ink/
  51. density-size-correction/
  52. deprecation-reporting/
  53. device-memory/
  54. direct-sockets/
  55. docs/
  56. document-picture-in-picture/
  57. document-policy/
  58. dom/
  59. domparsing/
  60. domxpath/
  61. dpub-aam/
  62. dpub-aria/
  63. ecmascript/
  64. editing/
  65. element-timing/
  66. encoding/
  67. encoding-detection/
  68. encrypted-media/
  69. entries-api/
  70. event-timing/
  71. eventsource/
  72. eyedropper/
  73. feature-policy/
  74. fenced-frame/
  75. fetch/
  76. file-system-access/
  77. FileAPI/
  78. fledge/
  79. focus/
  80. font-access/
  81. fonts/
  82. forced-colors-mode/
  83. fs/
  84. fullscreen/
  85. gamepad/
  86. generic-sensor/
  87. geolocation-API/
  88. geolocation-sensor/
  89. graphics-aam/
  90. graphics-aria/
  91. gyroscope/
  92. hr-time/
  93. html/
  94. html-aam/
  95. html-longdesc/
  96. html-media-capture/
  97. https-upgrades/
  98. idle-detection/
  99. imagebitmap-renderingcontext/
  100. images/
  101. import-maps/
  102. IndexedDB/
  103. inert/
  104. infrastructure/
  105. input-device-capabilities/
  106. input-events/
  107. installedapp/
  108. interfaces/
  109. intersection-observer/
  110. intervention-reporting/
  111. is-input-pending/
  112. jpegxl/
  113. js/
  114. js-self-profiling/
  115. keyboard-lock/
  116. keyboard-map/
  117. largest-contentful-paint/
  118. layout-instability/
  119. lifecycle/
  120. loading/
  121. long-animation-frame/
  122. longtask-timing/
  123. magnetometer/
  124. managed/
  125. mathml/
  126. measure-memory/
  127. media/
  128. media-capabilities/
  129. media-playback-quality/
  130. media-source/
  131. mediacapture-extensions/
  132. mediacapture-fromelement/
  133. mediacapture-handle/
  134. mediacapture-image/
  135. mediacapture-insertable-streams/
  136. mediacapture-record/
  137. mediacapture-region/
  138. mediacapture-streams/
  139. mediasession/
  140. merchant-validation/
  141. mimesniff/
  142. mixed-content/
  143. mst-content-hint/
  144. navigation-api/
  145. navigation-timing/
  146. netinfo/
  147. network-error-logging/
  148. notifications/
  149. old-tests/
  150. orientation-event/
  151. orientation-sensor/
  152. page-lifecycle/
  153. page-visibility/
  154. paint-timing/
  155. parakeet/
  156. payment-handler/
  157. payment-method-basic-card/
  158. payment-method-id/
  159. payment-request/
  160. pending-beacon/
  161. performance-timeline/
  162. periodic-background-sync/
  163. permissions/
  164. permissions-policy/
  165. permissions-request/
  166. permissions-revoke/
  167. picture-in-picture/
  168. png/
  169. pointerevents/
  170. pointerlock/
  171. preload/
  172. presentation-api/
  173. print/
  174. private-aggregation/
  175. private-click-measurement/
  176. proximity/
  177. push-api/
  178. quirks/
  179. referrer-policy/
  180. remote-playback/
  181. reporting/
  182. requestidlecallback/
  183. resize-observer/
  184. resource-timing/
  185. resources/
  186. sanitizer-api/
  187. savedata/
  188. scheduler/
  189. screen-capture/
  190. screen-details/
  191. screen-orientation/
  192. screen-wake-lock/
  193. scroll-animations/
  194. scroll-to-text-fragment/
  195. secure-contexts/
  196. secure-payment-confirmation/
  197. selection/
  198. serial/
  199. server-timing/
  200. service-workers/
  201. shadow-dom/
  202. shape-detection/
  203. shared-storage/
  204. shared-storage-selecturl-limit/
  205. signed-exchange/
  206. soft-navigation-heuristics/
  207. speculation-rules/
  208. speech-api/
  209. storage/
  210. storage-access-api/
  211. streams/
  212. subapps/
  213. subresource-integrity/
  214. svg/
  215. svg-aam/
  216. timing-entrytypes-registry/
  217. tools/
  218. top-level-storage-access-api/
  219. touch-events/
  220. trust-tokens/
  221. trusted-types/
  222. ua-client-hints/
  223. uievents/
  224. upgrade-insecure-requests/
  225. url/
  226. urlpattern/
  227. user-timing/
  228. vibration/
  229. video-rvfc/
  230. virtual-keyboard/
  231. visual-viewport/
  232. wai-aria/
  233. wasm/
  234. web-animations/
  235. web-bundle/
  236. web-locks/
  237. web-nfc/
  238. web-otp/
  239. web-share/
  240. webaudio/
  241. webauthn/
  242. webcodecs/
  243. WebCryptoAPI/
  244. webdriver/
  245. webgl/
  246. webgpu/
  247. webhid/
  248. webidl/
  249. webmessaging/
  250. webmidi/
  251. webnn/
  252. webrtc/
  253. webrtc-encoded-transform/
  254. webrtc-extensions/
  255. webrtc-ice/
  256. webrtc-identity/
  257. webrtc-priority/
  258. webrtc-stats/
  259. webrtc-svc/
  260. websockets/
  261. webstorage/
  262. webtransport/
  263. webusb/
  264. webvr/
  265. webvtt/
  266. webxr/
  267. window-management/
  268. workers/
  269. worklets/
  270. x-frame-options/
  271. xhr/
  272. .azure-pipelines.yml
  273. .gitattributes
  274. .gitignore
  275. .mailmap
  276. .taskcluster.yml
  277. CODE_OF_CONDUCT.md
  278. CODEOWNERS
  279. CONTRIBUTING.md
  280. LICENSE.md
  281. lint.ignore
  282. README.md
  283. wpt
  284. wpt.py
README.md

The web-platform-tests Project

Taskcluster CI Status documentation manifest Python 3

The web-platform-tests Project is a cross-browser test suite for the Web-platform stack. Writing tests in a way that allows them to be run in all browsers gives browser projects confidence that they are shipping software that is compatible with other implementations, and that later implementations will be compatible with their implementations. This in turn gives Web authors/developers confidence that they can actually rely on the Web platform to deliver on the promise of working across browsers and devices without needing extra layers of abstraction to paper over the gaps left by specification editors and implementors.

The most important sources of information and activity are:

  • github.com/web-platform-tests/wpt: the canonical location of the project's source code revision history and the discussion forum for changes to the code
  • web-platform-tests.org: the documentation website; details how to set up the project, how to write tests, how to give and receive peer review, how to serve as an administrator, and more
  • wpt.live: a public deployment of the test suite, allowing anyone to run the tests by visiting from an Internet-enabled browser of their choice
  • wpt.fyi: an archive of test results collected from an array of web browsers on a regular basis
  • Real-time chat room: the wpt:matrix.org matrix channel; includes participants located around the world, but busiest during the European working day.
  • Mailing list: a public and low-traffic discussion list
  • RFCs: a repo for requesting comments on substantial changes that would impact other stakeholders or users; people who work on WPT infra are encouraged to watch the repo.

If you'd like clarification about anything, don't hesitate to ask in the chat room or on the mailing list.

Setting Up the Repo

Clone or otherwise get https://github.com/web-platform-tests/wpt.

Note: because of the frequent creation and deletion of branches in this repo, it is recommended to “prune” stale branches when fetching updates, i.e. use git pull --prune (or git fetch -p && git merge).

Running the Tests

See the documentation website and in particular the system setup for running tests locally.

Command Line Tools

The wpt command provides a frontend to a variety of tools for working with and running web-platform-tests. Some of the most useful commands are:

  • wpt serve - For starting the wpt http server
  • wpt run - For running tests in a browser
  • wpt lint - For running the lint against all tests
  • wpt manifest - For updating or generating a MANIFEST.json test manifest
  • wpt install - For installing the latest release of a browser or webdriver server on the local machine.
  • wpt serve-wave - For starting the wpt http server and the WAVE test runner. For more details on how to use the WAVE test runner see the documentation.

Windows Notes

On Windows wpt commands must be prefixed with python or the path to the python binary (if python is not in your %PATH%).

python wpt [command]

Alternatively, you may also use Bash on Ubuntu on Windows in the Windows 10 Anniversary Update build, then access your windows partition from there to launch wpt commands.

Please make sure git and your text editor do not automatically convert line endings, as it will cause lint errors. For git, please set git config core.autocrlf false in your working tree.

Publication

The master branch is automatically synced to wpt.live and w3c-test.org.

Contributing

Save the Web, Write Some Tests!

Absolutely everyone is welcome to contribute to test development. No test is too small or too simple, especially if it corresponds to something for which you've noted an interoperability bug in a browser.

The way to contribute is just as usual:

  • Fork this repository (and make sure you're still relatively in sync with it if you forked a while ago).
  • Create a branch for your changes: git checkout -b topic.
  • Make your changes.
  • Run ./wpt lint as described above.
  • Commit locally and push that to your repo.
  • Create a pull request based on the above.

Issues with web-platform-tests

If you spot an issue with a test and are not comfortable providing a pull request per above to fix it, please file a new issue. Thank you!