Origin policy: update feature policy parsing to match the latest spec

This updates the parsing of the feature policy parts of the origin
policy manifest to mostly match the latest spec draft at
https://wicg.github.io/origin-policy/, in particular
https://wicg.github.io/origin-policy/#parsing. That is, it moves away
from "feature-policy": ["... FP string"] to
"features": { "policy": "... FP string" }. This changes the data model
from a list of FP strings to an optional FP string. Additionally, it
removes the failure on parsing errors, as those are no longer in the
spec.

This does not yet properly parse the FP string as a FP directive;
instead it still treats it as a header (so, commas are allowed inside).
A failing test is added for that case, which will be addressed in a
followup CL.

Bug: 751996
Change-Id: I51711ee9381ecfc705683ba0eb870e461fed434e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1965905
Commit-Queue: Domenic Denicola <[email protected]>
Reviewed-by: Kinuko Yasuda <[email protected]>
Reviewed-by: Daniel Vogelheim <[email protected]>
Cr-Commit-Position: refs/heads/master@{#726494}

.well-known/origin-policy/policy-features-comma-in-policy

@@ -0,0 +1,5 @@
+{
+  "features": {
+    "policy": "camera 'self' https://example.com/, geolocation 'self' https://example.com/"
+  }
+}

.well-known/origin-policy/policy-features-double-features

@@ -0,0 +1,8 @@
+{
+  "features": {
+    "policy": "camera 'self' https://example.com/"
+  },
+  "features": {
+    "policy": "geolocation 'self' https://example.com/"
+  }
+}

.well-known/origin-policy/policy-features-double-policy

@@ -0,0 +1,6 @@
+{
+  "features": {
+    "policy": "camera 'self' https://example.com/",
+    "policy": "geolocation 'self' https://example.com/"
+  }
+}

.well-known/origin-policy/policy-features-non-object

@@ -0,0 +1,3 @@
+{
+  "features": "camera 'self' https://example.com/"
+}

.well-known/origin-policy/policy-features-non-string

@@ -0,0 +1,5 @@
+{
+  "features": {
+    "policy": ["camera 'self' https://example.com/"]
+  }
+}

.well-known/origin-policy/policy-features-valid

@@ -0,0 +1,5 @@
+{
+  "features": {
+    "policy": "camera 'self' https://example.com/; geolocation 'self' https://example.com/"
+  }
+}

origin-policy/features/comma-in-policy.https.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Commas in "features/policy" cause parse errors and thus no feature policy</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js"></script>
+
+<script>
+"use strict";
+runFPTest({ camera: false, geolocation: false });
+</script>

origin-policy/features/comma-in-policy.https.html.headers

@@ -0,0 +1 @@
+Sec-Origin-Policy: policy=policy-features-comma-in-policy

origin-policy/features/double-features.https.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Of two "features" items only the second counts</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js"></script>
+
+<script>
+"use strict";
+runFPTest({ camera: false, geolocation: true });
+</script>

origin-policy/features/double-features.https.html.headers

@@ -0,0 +1 @@
+Sec-Origin-Policy: policy=policy-features-double-features

origin-policy/features/double-policy.https.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Of two "features/policy" items only the second counts</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js"></script>
+
+<script>
+"use strict";
+runFPTest({ camera: false, geolocation: true });
+</script>

origin-policy/features/double-policy.https.html.headers

@@ -0,0 +1 @@
+Sec-Origin-Policy: policy=policy-features-double-policy

origin-policy/features/helper.js

@@ -0,0 +1,8 @@
+"use strict";
+
+window.runFPTest = ({ camera, geolocation }) => {
+  test(() => {
+    assert_equals(document.featurePolicy.allowsFeature('camera', 'https://example.com/'), camera, 'camera');
+    assert_equals(document.featurePolicy.allowsFeature('geolocation', 'https://example.com/'), geolocation, 'geolocation');
+  });
+};

origin-policy/features/non-object.https.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Non-object "features" member must be ignored</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js"></script>
+
+<script>
+"use strict";
+runFPTest({ camera: false, geolocation: false });
+</script>

origin-policy/features/non-object.https.html.headers

@@ -0,0 +1 @@
+Sec-Origin-Policy: policy=policy-features-non-object

origin-policy/features/non-string.https.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Non-string "features/policy" member must be ignored</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js"></script>
+
+<script>
+"use strict";
+runFPTest({ camera: false, geolocation: false });
+</script>

origin-policy/features/non-string.https.html.headers

@@ -0,0 +1 @@
+Sec-Origin-Policy: policy=policy-features-non-string

origin-policy/features/valid.https.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Valid "features" member</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js"></script>
+
+<script>
+"use strict";
+runFPTest({ camera: true, geolocation: true });
+</script>

origin-policy/features/valid.https.html.headers

@@ -0,0 +1 @@
+Sec-Origin-Policy: policy=policy-features-valid