Origin isolation: implement window.originIsolationRestricted

See https://github.com/WICG/origin-isolation/issues/24 and
https://github.com/WICG/origin-isolation/pull/30 for background,
and https://github.com/whatwg/html/pull/5545 for the specification.

Failing test expectations include:

- We implement (3) from
  https://github.com/WICG/origin-isolation/issues/24
  instead of (2) for now, so we fail getter-sandboxed-iframe. Tracking
  at https://crbug.com/1095653.
- The initial about:blank, as well as removed iframes, are not properly
  returning true, so about-blank and removing-iframes are failing. Also
  tracking at https://crbug.com/1095653.
- data: URLs are not [SecureContext] in Chromium
  (https://crbug.com/1095656) so getter-data-url fails.

Note that per ongoing discussion in
https://github.com/WICG/origin-isolation/issues/31 the naming of this
API, as well as its edge-case behavior (e.g. for sandboxed iframes) will
likely change.

Bug: 1042415
Change-Id: I20c2d3e3fec7a5c0f1d12c386999c32fe27b6a34
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2243994
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: James MacLean <wjmaclean@chromium.org>
Commit-Queue: Domenic Denicola <domenic@chromium.org>
Cr-Commit-Position: refs/heads/master@{#782672}
diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc
index ca15b62..d6c77f0 100644
--- a/content/browser/frame_host/navigation_controller_impl.cc
+++ b/content/browser/frame_host/navigation_controller_impl.cc
@@ -3304,7 +3304,8 @@
           GURL() /* web_bundle_physical_url */,
           GURL() /* base_url_override_for_web_bundle */,
           node->pending_frame_policy(),
-          std::vector<std::string>() /* force_enabled_origin_trials */);
+          std::vector<std::string>() /* force_enabled_origin_trials */,
+          false /* origin_isolation_restricted */);
 #if defined(OS_ANDROID)
   if (ValidateDataURLAsString(params.data_url_as_string)) {
     commit_params->data_url_as_string = params.data_url_as_string->data();
diff --git a/content/browser/frame_host/navigation_entry_impl.cc b/content/browser/frame_host/navigation_entry_impl.cc
index a4ccab7..0c43acd 100644
--- a/content/browser/frame_host/navigation_entry_impl.cc
+++ b/content/browser/frame_host/navigation_entry_impl.cc
@@ -829,7 +829,8 @@
           false, network::mojom::IPAddressSpace::kUnknown,
           GURL() /* web_bundle_physical_url */,
           GURL() /* base_url_override_for_web_bundle */, frame_policy,
-          std::vector<std::string>() /* force_enabled_origin_trials */);
+          std::vector<std::string>() /* force_enabled_origin_trials */,
+          false /* origin_isolation_restricted */);
 #if defined(OS_ANDROID)
   if (NavigationControllerImpl::ValidateDataURLAsString(GetDataURLAsString())) {
     commit_params->data_url_as_string = GetDataURLAsString()->data();
diff --git a/content/browser/frame_host/navigation_request.cc b/content/browser/frame_host/navigation_request.cc
index 6c3252a..1938d370 100644
--- a/content/browser/frame_host/navigation_request.cc
+++ b/content/browser/frame_host/navigation_request.cc
@@ -911,7 +911,8 @@
           GURL() /* web_bundle_physical_url */,
           GURL() /* base_url_override_for_web_bundle */,
           frame_tree_node->pending_frame_policy(),
-          std::vector<std::string>() /* force_enabled_origin_trials */);
+          std::vector<std::string>() /* force_enabled_origin_trials */,
+          false /* origin_isolation_restricted */);
 
   // CreateRendererInitiated() should only be triggered when the navigation is
   // initiated by a frame in the same process.
@@ -998,7 +999,8 @@
           GURL() /* web_bundle_physical_url */,
           GURL() /* base_url_override_for_web_bundle */,
           frame_tree_node->pending_frame_policy(),
-          std::vector<std::string>() /* force_enabled_origin_trials */
+          std::vector<std::string>() /* force_enabled_origin_trials */,
+          false /* origin_isolation_restricted */
       );
   mojom::BeginNavigationParamsPtr begin_params =
       mojom::BeginNavigationParams::New();
@@ -2017,6 +2019,14 @@
                     kRequestedViaHeaderButNotIsolated;
       break;
   }
+
+  commit_params_->origin_isolation_restricted =
+      origin_isolation_end_result_ ==
+          OptInOriginIsolationEndResult::kRequestedViaOriginPolicyAndIsolated ||
+      origin_isolation_end_result_ ==
+          OptInOriginIsolationEndResult::kRequestedViaHeaderAndIsolated ||
+      origin_isolation_end_result_ ==
+          OptInOriginIsolationEndResult::kNotRequestedButIsolated;
 }
 
 void NavigationRequest::ProcessOriginIsolationEndResult() {
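Review bot: The three-way `||` added after the switch repeats, in a second place, which `OptInOriginIsolationEndResult` values count as "isolated". A value added to the enum later would leave `origin_isolation_restricted` false with no compiler diagnostic. Consider setting the flag in the switch arms that assign the isolated results, or moving the test into a small named predicate beside the enum; the switch and the start of this function are outside the hunk, so this assumes the switch is exhaustive. The `kNotRequestedButIsolated` case is the non-obvious one and deserves a comment, for example `// Also true when this response did not opt in but the origin is already isolated.` Every `CommitNavigationParams::New(...)` call site changed in this commit passes a literal `false`, so this assignment appears to be the only place the flag can become true.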
diff --git a/content/common/navigation_params.mojom b/content/common/navigation_params.mojom
index 529999ba..872d11d 100644
--- a/content/common/navigation_params.mojom
+++ b/content/common/navigation_params.mojom
@@ -414,4 +414,7 @@
 
   // The names of origin trials to be force enabled for this navigation.
   array<string> force_enabled_origin_trials;
+
+  // Whether origin isolation is restricting certain cross-origin web APIs.
+  bool origin_isolation_restricted = false;
 };
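Review bot: The field comment does not say which side computes the flag or what is allowed to consume it. In this change the value is assigned browser-side in NavigationRequest, and in the renderer it only backs the `window.originIsolationRestricted` getter. Saying so would keep later code from treating the renderer's copy as an enforcement input. Suggested wording: `// Computed by the browser at commit; informational in the renderer (backs window.originIsolationRestricted).` The same one-line comment is repeated in web_navigation_params.h and would benefit from the same change.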
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index 8bac6a6..4c89b04 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -1010,6 +1010,9 @@
     navigation_params->force_fetch_cache_mode =
         blink::mojom::FetchCacheMode::kDefault;
   }
+
+  navigation_params->origin_isolation_restricted =
+      commit_params.origin_isolation_restricted;
 }
 
 // Fills in the origin policy associated with this response, if any is present.
diff --git a/third_party/blink/public/web/web_navigation_params.h b/third_party/blink/public/web/web_navigation_params.h
index e2faca5..62d8c3d 100644
--- a/third_party/blink/public/web/web_navigation_params.h
+++ b/third_party/blink/public/web/web_navigation_params.h
@@ -390,6 +390,9 @@
 
   // A list of origin trial names to enable for the document being loaded.
   WebVector<WebString> force_enabled_origin_trials;
+
+  // Whether origin isolation is restricting certain cross-origin web APIs.
+  bool origin_isolation_restricted = false;
 };
 
 }  // namespace blink
diff --git a/third_party/blink/renderer/core/frame/local_dom_window.cc b/third_party/blink/renderer/core/frame/local_dom_window.cc
index 3bb7fbf..314bc6c 100644
--- a/third_party/blink/renderer/core/frame/local_dom_window.cc
+++ b/third_party/blink/renderer/core/frame/local_dom_window.cc
@@ -1770,6 +1770,14 @@
   origin_policy_ids_ = ids;
 }
 
+bool LocalDOMWindow::originIsolationRestricted() const {
+  return origin_isolation_restricted_;
+}
+
+void LocalDOMWindow::SetOriginIsolationRestricted(bool value) {
+  origin_isolation_restricted_ = value;
+}
+
 int LocalDOMWindow::requestIdleCallback(V8IdleRequestCallback* callback,
                                         const IdleRequestOptions* options) {
   if (!GetFrame())
diff --git a/third_party/blink/renderer/core/frame/local_dom_window.h b/third_party/blink/renderer/core/frame/local_dom_window.h
index 3d1691a..6e4ebdb 100644
--- a/third_party/blink/renderer/core/frame/local_dom_window.h
+++ b/third_party/blink/renderer/core/frame/local_dom_window.h
@@ -283,6 +283,10 @@
   const Vector<String>& originPolicyIds() const;
   void SetOriginPolicyIds(const Vector<String>&);
 
+  // https://github.com/whatwg/html/pull/5545
+  bool originIsolationRestricted() const;
+  void SetOriginIsolationRestricted(bool);
+
   // Idle callback extensions
   int requestIdleCallback(V8IdleRequestCallback*, const IdleRequestOptions*);
   void cancelIdleCallback(int id);
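Review bot: The only documentation on the new pair is a pull-request URL. It does not tell a reader that `originIsolationRestricted()` is the web-exposed getter declared in window.idl, while `SetOriginIsolationRestricted(bool)` is an internal setter. Within this commit the setter is called once, from DocumentLoader during commit; if that is the intended contract, state it, e.g. `// Set by DocumentLoader at commit; not expected to change afterwards.` Because the setter is public, nothing visible here stops a later caller from changing the value after script has already read it.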
@@ -445,6 +449,8 @@
 
   Vector<String> origin_policy_ids_;
 
+  bool origin_isolation_restricted_ = false;
+
   mutable Member<ApplicationCache> application_cache_;
 
   scoped_refptr<SerializedScriptValue> pending_state_object_;
diff --git a/third_party/blink/renderer/core/frame/window.idl b/third_party/blink/renderer/core/frame/window.idl
index ba57f303..f162439 100644
--- a/third_party/blink/renderer/core/frame/window.idl
+++ b/third_party/blink/renderer/core/frame/window.idl
@@ -73,8 +73,10 @@
     [Custom, NotEnumerable, CrossOrigin] getter object (DOMString name);
 
     // the user agent
+    // includes https://github.com/whatwg/html/pull/5545 (originIsolationRestricted)
     [Affects=Nothing, LogActivity=GetterOnly] readonly attribute Navigator navigator;
     [LogActivity=GetterOnly, SecureContext=RestrictAppCacheToSecureContexts, RuntimeEnabled=AppCache] readonly attribute ApplicationCache applicationCache;
+    [RuntimeEnabled=OriginIsolationHeader, SecureContext] readonly attribute boolean originIsolationRestricted;
 
     // user prompts
     [Measure, CallWith=ScriptState] void alert();
diff --git a/third_party/blink/renderer/core/loader/document_loader.cc b/third_party/blink/renderer/core/loader/document_loader.cc
index d818ef37..f68b1835 100644
--- a/third_party/blink/renderer/core/loader/document_loader.cc
+++ b/third_party/blink/renderer/core/loader/document_loader.cc
@@ -236,7 +236,8 @@
       initiator_origin_trial_features_(
           CopyInitiatorOriginTrials(params_->initiator_origin_trial_features)),
       force_enabled_origin_trials_(
-          CopyForceEnabledOriginTrials(params_->force_enabled_origin_trials)) {
+          CopyForceEnabledOriginTrials(params_->force_enabled_origin_trials)),
+      origin_isolation_restricted_(params_->origin_isolation_restricted) {
   DCHECK(frame_);
 
   // TODO(nasko): How should this work with OOPIF?
@@ -1671,6 +1672,9 @@
     }
   }
 
+  frame_->DomWindow()->SetOriginIsolationRestricted(
+      origin_isolation_restricted_);
+
   WillCommitNavigation();
 
   Document* document = frame_->DomWindow()->InstallNewDocument(init);
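Review bot: The flag is written to `frame_->DomWindow()` before `InstallNewDocument(init)`, so it reaches the right object only if the window for the new document has already been created or deliberately reused by this point. That code is above the hunk and not visible here. A short comment would protect the ordering, for example `// Must run once the LocalDOMWindow for this commit is in place.` When a window is reused, this assignment also overwrites the value left by the previous document, which looks intended but is worth stating.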
diff --git a/third_party/blink/renderer/core/loader/document_loader.h b/third_party/blink/renderer/core/loader/document_loader.h
index b5a06f7..10aaaca 100644
--- a/third_party/blink/renderer/core/loader/document_loader.h
+++ b/third_party/blink/renderer/core/loader/document_loader.h
@@ -566,6 +566,8 @@
 
   // Whether the document can be scrolled on load
   bool navigation_scroll_allowed_ = true;
+
+  bool origin_isolation_restricted_ = false;
 };
 
 DECLARE_WEAK_IDENTIFIER_MAP(DocumentLoader);
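Review bot: `origin_isolation_restricted_` is added without a comment, although the member directly above it is documented. In this commit it is initialised from `params_->origin_isolation_restricted` in the constructor and only read when the navigation commits. A comment such as `// Copied from WebNavigationParams; applied to the LocalDOMWindow at commit.` would record that. If no other code path assigns it, declaring it `const bool` would let the compiler enforce the same thing.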
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/about-blank.https.sub.html b/third_party/blink/web_tests/external/wpt/origin-isolation/about-blank.https.sub.html
index ec24853..50a07ff 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/about-blank.https.sub.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/about-blank.https.sub.html
@@ -11,7 +11,8 @@
   insertIframe,
   setBothDocumentDomains,
   testSameAgentCluster,
-  testDifferentAgentClusters
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -25,6 +26,10 @@
 testDifferentAgentClusters([0, 1], "about:blank to child2");
 testDifferentAgentClusters([1, 0], "child2 to about:blank");
 
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "about:blank");
+testOriginIsolationRestricted(1, false, "child2");
+
 async function insertAboutBlankIframe() {
   const iframe = document.createElement("iframe");
   document.body.append(iframe);
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/getter-data-url.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-data-url.https.html
new file mode 100644
index 0000000..da2c87b
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-data-url.https.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.originIsolationRestricted for a data: URL</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import {
+  waitForIframe,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
+
+promise_setup(() => {
+  const iframe = document.createElement("iframe");
+
+  // This copies parts of resources/send-origin-isolation-header.py that allow
+  // us to reuse testOriginIsolationRestricted.
+  iframe.src = `data:text/html,<script>
+    window.onmessage = () => {
+      parent.postMessage(self.originIsolationRestricted, "*");
+    };
+    </` + `script>
+  `;
+
+  const waitPromise = waitForIframe(iframe);
+  document.body.append(iframe);
+  return waitPromise;
+});
+
+// The data: URL iframe has an opaque origin, so it definitely should return
+// false. It's pretty unlikely that it would return true anyway, since we can't
+// set the header on the iframe, but we should test it to make sure there isn't
+// some strange main page -> data: URL iframe inheritance going on.
+
+testOriginIsolationRestricted(0, false);
+</script>
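Review bot: The inline responder in the data: URL answers every `message` event and replies with targetOrigin `"*"`, without checking `event.source`. That is harmless for a boolean in a test fixture, but the comment above says the snippet is copied from resources/send-origin-isolation-header.py, so the pattern now lives in two places. A line such as `// "*" is acceptable here: the payload is a non-sensitive boolean and this is a test fixture.` would mark it as deliberate and test-only.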
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/getter-data-url.https.html.headers b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-data-url.https.html.headers
new file mode 100644
index 0000000..ea3f6b33
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-data-url.https.html.headers
@@ -0,0 +1 @@
+Origin-Isolation: ?1
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/getter-removed-iframe.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-removed-iframe.sub.https.html
new file mode 100644
index 0000000..a137346
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-removed-iframe.sub.https.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.crossOriginIsolated for a removed frame</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import { navigateIframe } from "./resources/helpers.mjs";
+
+promise_test(async () => {
+  // We cannot use insertIframe because it sets both `document.domain`s. That
+  // shouldn't matter, but Chrome has a bug (https://crbug.com/1095145), so
+  // let's avoid making the test needlessly fail because of that bug.
+  const iframe = document.createElement("iframe");
+  const navigatePromise = navigateIframe(iframe, "{{hosts[][]}}", "?1");
+  document.body.append(iframe);
+  await navigatePromise;
+
+  const frameWindow = iframe.contentWindow;
+
+  assert_equals(frameWindow.originIsolationRestricted, true, "before");
+  iframe.remove();
+  assert_equals(frameWindow.originIsolationRestricted, true, "after");
+}, "Removing the iframe does not change originIsolationRestricted");
+</script>
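Review bot: The `<title>` reads `window.crossOriginIsolated for a removed frame`, but both assertions are on `originIsolationRestricted`. `crossOriginIsolated` is a different API, so results for this file will be listed under a misleading name. It should be `<title>window.originIsolationRestricted for a removed frame</title>`, matching the other getter-* tests added in this commit.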
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/getter-removed-iframe.sub.https.html.headers b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-removed-iframe.sub.https.html.headers
new file mode 100644
index 0000000..ea3f6b33
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-removed-iframe.sub.https.html.headers
@@ -0,0 +1 @@
+Origin-Isolation: ?1
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https.html
new file mode 100644
index 0000000..366fae6
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>window.originIsolationRestricted for a sandboxed frame</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<div id="log"></div>
+
+<script type="module">
+import {
+  navigateIframe,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
+
+// We do this manually instead of using insertIframe because we want to add a
+// sandbox="" attribute and we don't want to set both document.domains.
+promise_setup(() => {
+  const iframe = document.createElement("iframe");
+  iframe.sandbox = "allow-scripts";
+  const navigatePromise = navigateIframe(iframe, "{{hosts[][]}}", "?1");
+  document.body.append(iframe);
+  return navigatePromise;
+});
+
+// Because sandboxed iframes have an opaque origin, their agent cluster key is
+// always an origin, so there are no additional restrictions imposed by origin
+// isolation. Thus the getter returns false.
+
+testOriginIsolationRestricted(0, false);
+</script>
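Review bot: The comment above `promise_setup` says the test adds a `sandbox=""` attribute, but the code sets `iframe.sandbox = "allow-scripts"`. An empty sandbox would also disable script in the frame, so the comment describes a different configuration from the one being tested. Suggested rewording: `// ... because we want to add a sandbox="allow-scripts" attribute (no allow-same-origin, so the origin is opaque) and we don't want to set both document.domains.`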
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https.html.headers b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https.html.headers
new file mode 100644
index 0000000..ea3f6b33
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https.html.headers
@@ -0,0 +1 @@
+Origin-Isolation: ?1
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/insecure-http.sub.html b/third_party/blink/web_tests/external/wpt/origin-isolation/insecure-http.sub.html
index 1e78b133..83df16af 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/insecure-http.sub.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/insecure-http.sub.html
@@ -16,4 +16,9 @@
 // All isolation requests are ignored, since this is over insecure HTTP.
 // So both end up in the site-keyed agent cluster.
 testSameAgentCluster([self, 0]);
+
+// Has to be promise_test because we used promise_setup().
+promise_test(async () => {
+  assert_false("originIsolationRestricted" in window);
+}, "The getter must not exist");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-bad-subdomain.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-bad-subdomain.sub.https.html
index ae55f5d..cfa39aa 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-bad-subdomain.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-bad-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 let frameIndex = 0;
 for (const badValue of ["", "?0", "true", "\"?1\"", "1", "?2", "(?1)"]) {
@@ -17,6 +21,7 @@
 
   // Since the header values are bad there should be no isolation
   testSameAgentCluster([self, frameIndex], `"${badValue}"`);
+  testOriginIsolationRestricted(frameIndex, false, `"${badValue}"`);
   ++frameIndex;
 }
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-same.sub.https.html
index 8e32649..ece3b973 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}", "?1");
@@ -16,4 +20,6 @@
 // Since they're same-origin, and the parent loaded without isolation, the
 // child's request for isolation gets ignored, and both end up site-keyed.
 testSameAgentCluster([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-subdomain.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-subdomain.sub.https.html
index 7f4a941..ab060e2 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-subdomain.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1");
@@ -17,4 +21,6 @@
 // so the parent ends up in the site-keyed agent cluster and the child in the
 // origin-keyed one.
 testDifferentAgentClusters([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html
index 0208ac3..e1459b9 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child-yes-with-params-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1;param1;param2=value2");
@@ -17,4 +21,6 @@
 // so the parent ends up in the site-keyed agent cluster and the child in the
 // origin-keyed one.
 testDifferentAgentClusters([self, 0]);
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-different.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-different.sub.https.html
index c019ef2..17ee8a6 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-different.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-different.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testDifferentAgentClusters([0, 1], "child1 to child2");
 testDifferentAgentClusters([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-same.sub.https.html
index 9ca18f8..17b82bc09 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-no-child2-yes-children-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   // Must be sequential, not parallel: the non-isolated frame must load first.
@@ -25,4 +29,8 @@
 testSameAgentCluster([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-yes-child2-no-children-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-yes-child2-no-children-same.sub.https.html
index 2947e629..f6955c5 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-yes-child2-no-children-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-no-child1-yes-child2-no-children-same.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, false, "parent");
+testOriginIsolationRestricted(0, true, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-same.sub.https.html
index aa1dd94..7edebe9b 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}");
@@ -16,4 +20,7 @@
 // Since they're same-origin, and the parent loaded with isolation, the
 // child's non-request for isolation gets ignored, and both end up origin-keyed.
 testSameAgentCluster([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-subdomain.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-subdomain.sub.https.html
index 5055d29..f0cd3c48 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-subdomain.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-no-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}");
@@ -17,4 +21,7 @@
 // as is the child's non-request. So the parent ends up in the origin-keyed
 // agent cluster and the child ends up in the site-keyed one.
 testDifferentAgentClusters([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-same.sub.https.html
index 3d99486..c491781 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-same.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testSameAgentCluster } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testSameAgentCluster,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][]}}", "?1");
@@ -16,4 +20,7 @@
 // Both request isolation, and they're same-origin, so they both end up in the
 // same origin-keyed agent cluster.
 testSameAgentCluster([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-subdomain.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-subdomain.sub.https.html
index afc8f5b..fc5b1984 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-subdomain.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child-yes-subdomain.sub.https.html
@@ -7,7 +7,11 @@
 <div id="log"></div>
 
 <script type="module">
-import { insertIframe, testDifferentAgentClusters } from "./resources/helpers.mjs";
+import {
+  insertIframe,
+  testDifferentAgentClusters,
+  testOriginIsolationRestricted
+} from "./resources/helpers.mjs";
 
 promise_setup(async () => {
   await insertIframe("{{hosts[][www]}}", "?1");
@@ -17,4 +21,7 @@
 // cluster (the base domain's origin), and the child ends up in a different
 // origin-keyed agent cluster (the www subdomain's origin).
 testDifferentAgentClusters([self, 0]);
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-different.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-different.sub.https.html
index 77a77d5..1635bd6 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-different.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-different.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-same.sub.https.html
index b3f18e8..0f2f2902 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-no-children-same.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-different.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-different.sub.https.html
index 8e7b4d3e..c830e15 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-different.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-different.sub.https.html
@@ -9,8 +9,8 @@
 <script type="module">
 import {
   insertIframe,
-  testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -31,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testDifferentAgentClusters([0, 1], "child1 to child2");
 testDifferentAgentClusters([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-same.sub.https.html
index 260ac80..dc157a9e 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-no-child2-yes-children-same.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
+testOriginIsolationRestricted(1, false, "child2");
 </script>
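Review bot: The expectation `testOriginIsolationRestricted(1, false, "child2")` has no comment explaining why a frame that, going by the file name, requested isolation still reports `false`. The context lines show child2 sharing an agent cluster with child1 (`testSameAgentCluster([0, 1], ...)`), so it presumably stays site-keyed because child1 at the same origin was loaded without isolation first. A one-line comment such as `// child2 asked for isolation but joins child1's existing site-keyed agent cluster, so the getter reports false` would make clear that the getter reflects the outcome, not the request. The mirror case, where child2 did not ask yet is expected to report `true`, is in parent-yes-child1-yes-child2-no-children-same.sub.https.html. The script body starts outside the hunk, so an explanation may already exist above.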
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-no-children-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-no-children-same.sub.https.html
index ae54fcd0..033fdd2 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-no-children-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-no-children-same.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -30,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-different.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-different.sub.https.html
index 775f7535..2c1f134 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-different.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-different.sub.https.html
@@ -9,8 +9,8 @@
 <script type="module">
 import {
   insertIframe,
-  testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -31,4 +31,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testDifferentAgentClusters([0, 1], "child1 to child2");
 testDifferentAgentClusters([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-same.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-same.sub.https.html
index a3b0939..2de08307 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-same.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/parent-yes-child1-yes-child2-yes-children-same.sub.https.html
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 promise_setup(async () => {
@@ -31,4 +32,8 @@
 testDifferentAgentClusters([self, 1], "Parent to child2");
 testSameAgentCluster([0, 1], "child1 to child2");
 testSameAgentCluster([1, 0], "child2 to child1");
+
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, true, "child1");
+testOriginIsolationRestricted(1, true, "child2");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/removing-iframes.sub.https.html b/third_party/blink/web_tests/external/wpt/origin-isolation/removing-iframes.sub.https.html
index 2f01562..3a6d91c4 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/removing-iframes.sub.https.html
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/removing-iframes.sub.https.html
@@ -1,6 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8">
-<title>Parent is isolated, child1 is not isolated, child1 navigates to a different site, child2 gets inserted and is isolated, child1 navigates back</title>
+<title>A non-isolated child at a given origin causes future children to also be non-isolated even after the iframe is removed</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 
@@ -11,6 +11,7 @@
   insertIframe,
   testSameAgentCluster,
   testDifferentAgentClusters,
+  testOriginIsolationRestricted
 } from "./resources/helpers.mjs";
 
 let frame1;
@@ -22,6 +23,8 @@
 // as is the child's non-request. So the parent ends up in the origin-keyed
 // agent cluster and the child ends up in the site-keyed one.
 testDifferentAgentClusters([self, 0], "Before");
+testOriginIsolationRestricted(self, true, "parent");
+testOriginIsolationRestricted(0, false, "child1");
 
 promise_test(async () => {
   frame1.remove();
@@ -37,4 +40,7 @@
 testDifferentAgentClusters([self, 1], "Parent to child3");
 testSameAgentCluster([0, 1], "child2 to child3");
 testSameAgentCluster([1, 0], "child3 to child2");
+
+testOriginIsolationRestricted(0, false, "child2");
+testOriginIsolationRestricted(1, false, "child3");
 </script>
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/README.md b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/README.md
new file mode 100644
index 0000000..dd5e192b
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/README.md
@@ -0,0 +1,6 @@
+Why are there `.headers` files here for the `.mjs` scripts?
+
+Because `../getter-sandboxed-iframe.sub.https.html` is testing an opaque origin,
+which is cross-origin with these scripts. Since `<script type="module">`
+respects the same-origin policy, we need CORS headers to allow them to be
+accessed.
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/child-frame-script.mjs b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/child-frame-script.mjs
index 038c0f3..2c6760a3 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/child-frame-script.mjs
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/child-frame-script.mjs
@@ -30,6 +30,8 @@
     } catch (e) {
       parent.postMessage(e.name, "*");
     }
+  } else if (e.data.command === "get originIsolationRestricted") {
+    parent.postMessage(self.originIsolationRestricted, "*");
   }
 
   // We could also receive e.data === "WebAssembly.Module message received",
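Review bot: The new branch replies with `parent.postMessage(self.originIsolationRestricted, "*")`, and the wildcard target origin is not explained; the request side in `getOriginIsolationRestricted` in helpers.mjs does the same. That is acceptable for a test resource returning a non-sensitive boolean, but a comment such as `// "*" is deliberate: the embedding test page may be cross-origin or opaque-origin, and the value is not sensitive` would stop the pattern being copied into code where the payload matters. The message handler starts outside the hunk, so whether it checks `e.source` or `e.origin` before acting is not visible here.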
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/child-frame-script.mjs.headers b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/child-frame-script.mjs.headers
new file mode 100644
index 0000000..cb762eff
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/child-frame-script.mjs.headers
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: *
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs
index 8943707..50ca1ab4 100644
--- a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs
@@ -159,6 +159,32 @@
 }
 
 /**
+ * Creates a promise_test() to check the value of the originIsolationRestricted
+ * getter in the given testFrame.
+ * @param {Window|number} testFrame - Either self, or a frame index to test.
+ * @param {boolean} expected - The expected value for originIsolationRestricted.
+ * @param {string=} testLabelPrefix - A prefix used in the test names. This can
+ *   be omitted if the function is only used once in a test file.
+ */
+export function testOriginIsolationRestricted(testFrame, expected, testLabelPrefix) {
+  const prefix = testLabelPrefix === undefined ? "" : `${testLabelPrefix}: `;
+
+  if (testFrame === self) {
+    // Need to use promise_test() even though it's sync because we use
+    // promise_setup() in many tests.
+    promise_test(async () => {
+      assert_equals(self.originIsolationRestricted, expected);
+    }, `${prefix}originIsolationRestricted must equal ${expected}`);
+  } else {
+    promise_test(async () => {
+      const frameWindow = frames[testFrame];
+      const result = await getOriginIsolationRestricted(frameWindow);
+      assert_equals(result, expected);
+    }, `${prefix}originIsolationRestricted must equal ${expected}`);
+  }
+}
+
+/**
  * Sends a WebAssembly.Module instance to the given Window, and waits for it to
  * send back a message indicating whether it got the module or got a
  * messageerror event. (This relies on the given Window being derived from
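Review bot: Both branches of `testOriginIsolationRestricted` spell out the same test-name template, so the two copies can drift apart. Hoist it next to `prefix` into a `testName` constant and pass that to both `promise_test()` calls. In the frame branch `frames[testFrame]` is used unchecked, so a wrong index would likely surface as a TypeError from `postMessage` rather than a readable assertion; `assert_not_equals(frameWindow, undefined, "frame index must exist");` before the call would make that failure clearer.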
@@ -197,6 +223,13 @@
   assert_equals(whatHappened, "document.domain is set");
 }
 
+async function getOriginIsolationRestricted(frameWindow) {
+  // This function is coupled to ./send-origin-isolation-header.py, which ensures
+  // that sending such a message will result in a message back.
+  frameWindow.postMessage({ command: "get originIsolationRestricted" }, "*");
+  return waitForMessage(frameWindow);
+}
+
 function getIframeURL(hostname, header) {
   const url = new URL("send-origin-isolation-header.py", import.meta.url);
   url.hostname = hostname;
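Review bot: The comment in `getOriginIsolationRestricted` names `./send-origin-isolation-header.py` as the counterpart, but the code that answers the `"get originIsolationRestricted"` command in this commit is the new branch in `child-frame-script.mjs`. Presumably the Python handler serves a page that loads that script; if so, the comment could read `// Answered by ./child-frame-script.mjs, which pages served by ./send-origin-isolation-header.py load.` The reply is also a bare value with no command tag, so pairing it with this request depends entirely on `waitForMessage`, which is defined outside the hunk. `getIframeURL` continues past the end of the hunk.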
diff --git a/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs.headers b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs.headers
new file mode 100644
index 0000000..cb762eff
--- /dev/null
+++ b/third_party/blink/web_tests/external/wpt/origin-isolation/resources/helpers.mjs.headers
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: *
diff --git a/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-navigated-expected.txt b/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-navigated-expected.txt
index b19a808..fe27a995 100644
--- a/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-navigated-expected.txt
+++ b/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-navigated-expected.txt
@@ -185,6 +185,7 @@
 PASS oldChildWindow.onwheel is newChildWindow.onwheel
 PASS oldChildWindow.opener is newChildWindow.opener
 PASS oldChildWindow.origin is newChildWindow.origin
+PASS oldChildWindow.originIsolationRestricted is newChildWindow.originIsolationRestricted
 PASS oldChildWindow.outerHeight is newChildWindow.outerHeight
 PASS oldChildWindow.outerWidth is newChildWindow.outerWidth
 PASS oldChildWindow.pageXOffset is newChildWindow.pageXOffset
diff --git a/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-and-gced-expected.txt b/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-and-gced-expected.txt
index e376b69..9d8cd87 100644
--- a/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-and-gced-expected.txt
+++ b/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-and-gced-expected.txt
@@ -152,6 +152,7 @@
 PASS childWindow.onwheel is null
 PASS childWindow.opener is null
 PASS childWindow.origin is 'file://'
+PASS childWindow.originIsolationRestricted is false
 PASS childWindow.outerHeight is 0
 PASS childWindow.outerWidth is 0
 PASS childWindow.pageXOffset is 0
diff --git a/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt b/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt
index d1302b5..0fdddbd 100644
--- a/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt
+++ b/third_party/blink/web_tests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt
@@ -152,6 +152,7 @@
 PASS childWindow.onwheel is null
 PASS childWindow.opener is null
 PASS childWindow.origin is 'file://'
+PASS childWindow.originIsolationRestricted is false
 PASS childWindow.outerHeight is 0
 PASS childWindow.outerWidth is 0
 PASS childWindow.pageXOffset is 0
diff --git a/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/about-blank.https.sub-expected.txt b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/about-blank.https.sub-expected.txt
new file mode 100644
index 0000000..909286f
--- /dev/null
+++ b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/about-blank.https.sub-expected.txt
@@ -0,0 +1,12 @@
+This is a testharness.js-based test.
+PASS parent to about:blank: message event must occur
+PASS parent to about:blank: setting document.domain must give sync access
+PASS about:blank to child2: messageerror event must occur
+PASS about:blank to child2: setting document.domain must not give sync access
+PASS child2 to about:blank: messageerror event must occur
+PASS child2 to about:blank: setting document.domain must not give sync access
+PASS parent: originIsolationRestricted must equal true
+FAIL about:blank: originIsolationRestricted must equal true assert_equals: expected true but got false
+PASS child2: originIsolationRestricted must equal false
+Harness: the test ran to completion.
+
diff --git a/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/getter-data-url.https-expected.txt b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/getter-data-url.https-expected.txt
new file mode 100644
index 0000000..1005bf868
--- /dev/null
+++ b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/getter-data-url.https-expected.txt
@@ -0,0 +1,4 @@
+This is a testharness.js-based test.
+FAIL originIsolationRestricted must equal false assert_equals: expected (boolean) false but got (undefined) undefined
+Harness: the test ran to completion.
+
diff --git a/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https-expected.txt b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https-expected.txt
new file mode 100644
index 0000000..27bb46f
--- /dev/null
+++ b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/getter-sandboxed-iframe.sub.https-expected.txt
@@ -0,0 +1,4 @@
+This is a testharness.js-based test.
+FAIL originIsolationRestricted must equal false assert_equals: expected false but got true
+Harness: the test ran to completion.
+
diff --git a/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/removing-iframes.sub.https-expected.txt b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/removing-iframes.sub.https-expected.txt
index 5c0fe8e..d0e97142 100644
--- a/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/removing-iframes.sub.https-expected.txt
+++ b/third_party/blink/web_tests/virtual/no-auto-wpt-origin-isolation/external/wpt/origin-isolation/removing-iframes.sub.https-expected.txt
@@ -1,6 +1,8 @@
 This is a testharness.js-based test.
 PASS Before: messageerror event must occur
 PASS Before: setting document.domain must not give sync access
+PASS parent: originIsolationRestricted must equal true
+PASS child1: originIsolationRestricted must equal false
 PASS Remove the iframe and insert new ones
 PASS Parent to child2: messageerror event must occur
 PASS Parent to child2: setting document.domain must not give sync access
@@ -10,5 +12,7 @@
 FAIL child2 to child3: setting document.domain must give sync access assert_equals: expected "accessed document successfully" but got "SecurityError"
 FAIL child3 to child2: message event must occur assert_equals: expected "WebAssembly.Module message received" but got "messageerror"
 FAIL child3 to child2: setting document.domain must give sync access assert_equals: expected "accessed document successfully" but got "SecurityError"
+FAIL child2: originIsolationRestricted must equal false assert_equals: expected false but got true
+PASS child3: originIsolationRestricted must equal false
 Harness: the test ran to completion.
 
diff --git a/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt b/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt
index 07e84854..011c315 100644
--- a/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt
+++ b/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt
@@ -11853,6 +11853,7 @@
     getter onwebkittransitionend
     getter onwheel
     getter origin
+    getter originIsolationRestricted
     getter originPolicyIds
     getter outerHeight
     getter outerWidth