[fetch-later] Fix quota allocation for sandbox iframes. (web-platform-tests#54777)

chromium-wpt-export-bot · mingyc · web-flow · commit 7e701bc39454 · 2025-09-16T18:49:49.000-04:00
When the [`reserve deferred-fetch quota`][1] step for a iframe, i.e. `GetContainerDeferredFetchPolicyOnNavigation()`, is triggered, it requires a `originToNavigateTo` of the target url. If the iframe is sandboxed, its final url origin after navigation would be "null" in terms of parent's view. However, it is not avaiable at this step which is under `FrameLoader::StartNavigation()`. This CL manually provides such info using `sandbox_flags` from the owner (iframe)'s frame policy, and pass that into `GetContainerDeferredFetchPolicyOnNavigation()`. [1]: https://fetch.spec.whatwg.org/#reserve-deferred-fetch-quota Bug: 410528357 Change-Id: Ia1041e486f55e56b1cced64affd124de63a264a4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6905117 Commit-Queue: Ming-Ying Chung <mych@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Reviewed-by: Nate Chapin <japhet@chromium.org> Cr-Commit-Position: refs/heads/main@{#1513441} Co-authored-by: Ming-Ying Chung <mych@chromium.org>
diff --git a/fetch/fetch-later/quota/cross-origin-iframe/sandboxed-iframe.https.window.js b/fetch/fetch-later/quota/cross-origin-iframe/sandboxed-iframe.https.window.js
@@ -0,0 +1,67 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=/fetch/fetch-later/resources/fetch-later-helper.js
+// META: script=/fetch/fetch-later/quota/resources/helper.js
+'use strict';
+
+const {HTTPS_ORIGIN, HTTPS_NOTSAMESITE_ORIGIN} = get_host_info();
+
+// Skips FormData & URLSearchParams, as browser adds extra bytes to them
+// in addition to the user-provided content. It is difficult to test a
+// request right at the quota limit.
+// Skips File & Blob as it's difficult to estimate what additional data are
+// added into them.
+const dataType = BeaconDataType.String;
+
+// Request headers are counted into total request size.
+const headers = new Headers({'Content-Type': 'text/plain;charset=UTF-8'});
+
+const requestUrl = `${HTTPS_ORIGIN}/`;
+const quota = getRemainingQuota(QUOTA_PER_ORIGIN, requestUrl, headers);
+const SMALL_REQUEST_BODY_SIZE = 4 * 1024;  // 4KB, well within minimal quota.
+
+// This test validates the correct behavior for a sandboxed iframe without the
+// 'allow-same-origin' token.
+//
+// Such an iframe should be treated as cross-origin, even if its `src` attribute
+// points to a same-origin URL. Therefore, it should be allocated its own
+// separate "minimal quota" (8KB) for fetchLater() requests and should NOT share
+// the parent document's primary quota pool.
+//
+// The test works by first completely exhausting the parent document's quota.
+// Then, it creates the sandboxed iframe and attempts to send a small request
+// from it.
+//
+// The expected result is that the iframe's request SUCCEEDS, because it should
+// have its own independent 8KB quota to use.
+//
+// NOTE: This test will FAIL until the underlying bug is fixed. The bug causes
+// the sandboxed iframe to be incorrectly treated as same-origin, making it try
+// to use the parent's already-exhausted quota, which leads to a premature
+// QuotaExceededError.
+promise_test(async test => {
+  const controller = new AbortController();
+  test.add_cleanup(() => controller.abort());
+
+  // Step 1: Exhaust the parent frame's entire fetchLater() quota.
+  fetchLater(requestUrl, {
+    method: 'POST',
+    signal: controller.signal,
+    body: makeBeaconData(generatePayload(quota), dataType),
+    referrer: '',  // Referrer is part of the quota, so we control it.
+  });
+
+  // Step 2: Create a sandboxed iframe and attempt a small fetchLater()
+  // call from it. This should succeed as it should have its own 8KB quota.
+  await loadFetchLaterIframe(
+      HTTPS_ORIGIN,  // The iframe's src is same-origin.
+      {
+        targetUrl: requestUrl,
+        activateAfter: 0,
+        method: 'POST',
+        bodyType: dataType,
+        bodySize: SMALL_REQUEST_BODY_SIZE,
+        referrer: '',
+        sandbox: 'allow-scripts',  // Sandboxed, but NOT allow-same-origin.
+      });
+}, `A sandboxed iframe (without allow-same-origin) should be treated as cross-origin and have its own minimal quota.`);
diff --git a/fetch/fetch-later/quota/same-origin-iframe/sandboxed-iframe.https.window.js b/fetch/fetch-later/quota/same-origin-iframe/sandboxed-iframe.https.window.js
@@ -0,0 +1,63 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=/fetch/fetch-later/resources/fetch-later-helper.js
+// META: script=/fetch/fetch-later/quota/resources/helper.js
+'use strict';
+
+const {HTTPS_ORIGIN} = get_host_info();
+
+// Skips FormData & URLSearchParams, as browser adds extra bytes to them
+// in addition to the user-provided content. It is difficult to test a
+// request right at the quota limit.
+// Skips File & Blob as it's difficult to estimate what additional data are
+// added into them.
+const dataType = BeaconDataType.String;
+
+// Request headers are counted into total request size.
+const headers = new Headers({'Content-Type': 'text/plain;charset=UTF-8'});
+
+const requestUrl = `${HTTPS_ORIGIN}/`;
+const quota = getRemainingQuota(QUOTA_PER_ORIGIN, requestUrl, headers);
+const SMALL_REQUEST_BODY_SIZE = 4 * 1024;  // 4KB.
+
+// This test validates the correct behavior for a sandboxed iframe that includes
+// the 'allow-same-origin' token.
+//
+// Such an iframe should be treated as same-origin. Therefore, it should share
+// the parent document's primary 64KB quota pool for fetchLater() requests.
+//
+// The test works by first having the parent document consume its entire quota.
+// Then, it creates the 'allow-same-origin' sandboxed iframe and attempts to
+// send a small request.
+//
+// The expected result is that the iframe's request is REJECTED with a
+// QuotaExceededError, proving that it is correctly sharing the parent's
+// (already exhausted) quota.
+promise_test(async test => {
+  const controller = new AbortController();
+  test.add_cleanup(() => controller.abort());
+
+  // Step 1: Exhaust the parent frame's entire fetchLater() quota.
+  fetchLater(requestUrl, {
+    method: 'POST',
+    signal: controller.signal,
+    body: makeBeaconData(generatePayload(quota), dataType),
+    referrer: '',  // Referrer is part of the quota, so we control it.
+  });
+
+  // Step 2: From a sandboxed 'allow-same-origin' iframe, attempt to send a
+  // small request. This should fail as the shared quota is already gone.
+  await loadFetchLaterIframe(
+      HTTPS_ORIGIN,  // The iframe's src is same-origin.
+      {
+        targetUrl: requestUrl,
+        activateAfter: 0,
+        method: 'POST',
+        bodyType: dataType,
+        bodySize: SMALL_REQUEST_BODY_SIZE,
+        referrer: '',
+        sandbox: 'allow-scripts allow-same-origin',
+        expect: new FetchLaterIframeExpectation(
+            FetchLaterExpectationType.ERROR_DOM, 'QuotaExceededError'),
+      });
+}, `A sandboxed iframe with 'allow-same-origin' should be treated as same-origin and share the parent's quota.`);
diff --git a/fetch/fetch-later/resources/fetch-later-helper.js b/fetch/fetch-later/resources/fetch-later-helper.js
@@ -305,6 +305,11 @@ class FetchLaterIframeOptions {
      */
     this.allowDeferredFetch;
 
+    /**
+     * @type {string=} The sandbox attribute to apply to the iframe.
+     */
+    this.sandbox;
+
     /**
      * @type {FetchLaterIframeExpectation=} The expectation on the iframe's
      * behavior.
@@ -460,6 +465,7 @@ async function loadFetchLaterIframe(origin, {
   bodyType = undefined,
   bodySize = undefined,
   allowDeferredFetch = false,
+  sandbox = undefined,
   expect = undefined
 } = {}) {
   if (uuid && targetUrl && !targetUrl.includes(uuid)) {
@@ -489,6 +495,9 @@ async function loadFetchLaterIframe(origin, {
   if (allowDeferredFetch) {
     iframe.allow = 'deferred-fetch';
   }
+  if (sandbox) {
+    iframe.sandbox = sandbox;
+  }
   iframe.src = url;
 
   const messageReceived = new Promise((resolve, reject) => {
