[Origin Policy] Implement error reporting via Reporting API

Bug: 751996
Change-Id: I44dfc36dcec55efd2c68d02c06824fcbb94c879d
Reviewed-on: https://chromium-review.googlesource.com/c/1464301
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#635961}
diff --git a/origin-policy/origin-policy-features.https.tentative.html.headers b/origin-policy/origin-policy-features.https.tentative.html.headers
index 3e5ab40..9864518 100644
--- a/origin-policy/origin-policy-features.https.tentative.html.headers
+++ b/origin-policy/origin-policy-features.https.tentative.html.headers
@@ -1 +1 @@
-Sec-Origin-Policy: policy-features
+Sec-Origin-Policy: policy=policy-features
diff --git a/origin-policy/origin-policy-report-to.https.tentative.sub.html b/origin-policy/origin-policy-report-to.https.tentative.sub.html
new file mode 100644
index 0000000..dfef7a1
--- /dev/null
+++ b/origin-policy/origin-policy-report-to.https.tentative.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that Origin Policy report-to are deliverd to the declared reporting group</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <iframe id="frame" src="about:blank"></iframe>
+  <script>
+    // Navigate the frame to a URL that declares an (invalid) origin policy with
+    // a report-to directive.
+    document.getElementById("frame").src =
+        "https://{{hosts[alt][]}}:{{ports[https][0]}}/origin-policy/sec-origin-policy-subframe.html";
+  </script>
+  <script async defer src='/content-security-policy/support/checkReport.sub.js?reportField=policy&reportValue=nonexistingpolicy'>
+    // This re-uses CSP reporting test infrastructure, and contains the actual
+    // test. In addition to sanity checks, it will check whether the report body
+    // contains a key/value pair as indicated by reportField and reportValue.
+  </script>
+</body>
+</html>
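Review bot: The `<title>` has a typo and a number mismatch ("report-to are deliverd"); `<title>Test that Origin Policy reports are delivered to the declared report-to group</title>` reads correctly. The comment in the last `<script>` explains what checkReport.sub.js checks, but not how the report is located. Presumably it uses the cookie set by the sibling `.sub.headers` file, though that script is not visible here. A line such as `// The report ID comes from the cookie in this test's .sub.headers file and must match the reportID in sec-origin-policy-subframe.html.sub.headers.` would make that wiring explicit.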
diff --git a/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers b/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers
new file mode 100644
index 0000000..92a90c3
--- /dev/null
+++ b/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers
@@ -0,0 +1 @@
+Set-Cookie: origin-policy-report-to=5b4d35b6-0771-46fe-8700-ed2bb59ed4be; Path=/origin-policy/
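Review bot: The report ID in this cookie is a hard-coded UUID that is repeated verbatim in the `Report-To` endpoint URL in sec-origin-policy-subframe.html.sub.headers, and nothing ties the two copies together. If one is edited without the other, the test would most likely fail by timing out rather than with a clear message. Because the ID is fixed, a report left over from an earlier run against the same server could also satisfy the check, unless the report endpoint clears entries when they are read, which is not visible here. The coupling is worth stating in a comment in the test HTML.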
diff --git a/origin-policy/origin-policy-single-report.https.tentative.html.headers b/origin-policy/origin-policy-single-report.https.tentative.html.headers
index cb596cf..9456832 100644
--- a/origin-policy/origin-policy-single-report.https.tentative.html.headers
+++ b/origin-policy/origin-policy-single-report.https.tentative.html.headers
@@ -1 +1 @@
-Sec-Origin-Policy: policy-noimg
+Sec-Origin-Policy: policy=policy-noimg
diff --git a/origin-policy/sec-origin-policy-header.html.py b/origin-policy/sec-origin-policy-header.html.py
index 8e62b6c..7754e04 100644
--- a/origin-policy/sec-origin-policy-header.html.py
+++ b/origin-policy/sec-origin-policy-header.html.py
@@ -11,7 +11,7 @@
   response_policy = request.GET.first("policy", default="")
 
   if request_policy and response_policy:
-    response.headers.set(origin_policy_header, response_policy)
+    response.headers.set(origin_policy_header, "policy=%s" % response_policy)
     response.headers.set("Vary", "sec-origin-policy")
 
   response.headers.set("Content-Type", "text/html");
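Review bot: `response_policy` comes straight from the query string (`request.GET.first("policy", default="")`) and is now interpolated into a header that has a comma-separated parameter syntax (`policy=..., report-to=...`, as used elsewhere in this commit). A value containing `,`, `=` or whitespace would therefore add or alter parameters instead of naming a policy, which makes test results depend on unvalidated input. Restricting the value before the `if` would keep the header well-formed, for example `if not re.match(r"^[A-Za-z0-9._-]+$", response_policy): response_policy = ""`. The handler's start and end are outside this hunk, so whether `re` is already imported cannot be seen from here.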
diff --git a/origin-policy/sec-origin-policy-subframe.html b/origin-policy/sec-origin-policy-subframe.html
new file mode 100644
index 0000000..d716ba1
--- /dev/null
+++ b/origin-policy/sec-origin-policy-subframe.html
@@ -0,0 +1,3 @@
+The forbidden frame.
+Content shouldn't matter, because this frame shouldn't be loaded.
+So there.
diff --git a/origin-policy/sec-origin-policy-subframe.html.sub.headers b/origin-policy/sec-origin-policy-subframe.html.sub.headers
new file mode 100644
index 0000000..a046f00
--- /dev/null
+++ b/origin-policy/sec-origin-policy-subframe.html.sub.headers
@@ -0,0 +1,3 @@
+Report-To: { "group": "report-to-group", "max_age": 1000, "endpoints": [{ "url": "https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID=5b4d35b6-0771-46fe-8700-ed2bb59ed4be" }] }
+Sec-Origin-Policy: policy=nonexistingpolicy, report-to=report-to-group
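Review bot: The `report-to-group` endpoint is declared by `Report-To` on the same response whose `Sec-Origin-Policy` names a nonexistent policy, so the test only passes if the reporting configuration from that response is honored even though the navigation itself is rejected. That dependency is not stated anywhere in the change. A sentence in the test HTML comment would make the intent reviewable, for example `// The subframe response both declares the reporting group and triggers the policy error; the report must still be delivered.`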
+