[Connection-Allowlist] Enforce for cross-origin document prefetch

Enforce by passing the network restriction id to
URLLoaderFactoryParamsHelper::CreateForPrefetch.

The param is used by CrossOriginPrefetchLoaderFactory, which is for
<link> prefetch that:
- is cross-origin
- having attribute `as="document"`

Note: Browser test is not added for header triggered prefetch because
crbug.com/40752428 makes the test flaky. The WPT that also uses header
triggered prefetch somehow does not flake in try bots.

Bug: 447954811, 507078585
Change-Id: I31b41b063c75026b52c28a1dbfb04f58deb10a90
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7832782
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Xiaochen Zhou <xiaochenzh@chromium.org>
Reviewed-by: Andrew Verge <averge@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1631576}

Author: xiaochen-z

connection-allowlist/tentative/link_header_prefetch_as_document_allow.sub.window.js

@@ -0,0 +1,13 @@
+// META: script=/common/utils.js
+// META: script=resources/utils.js
+//
+// The test assumes the policy `Connection-Allowlist:
+// "*://:subdomain.{{hosts[alt][]}}:*"` has been set in the response. The
+// response also contains a link header that triggers a prefetch to the
+// cross-origin KV server at http://{{hosts[alt][www]}}:{{ports[http][0]}}.
+
+promise_test(async () => {
+  const result =
+      await nextValueFromServer('d5c4b2a1-7e8d-4c60-91da-2a57191363c2');
+  assert_equals(result, 'hello');
+}, 'Link header prefetch (as=document) to an allow-listed url succeeds.');

connection-allowlist/tentative/link_header_prefetch_as_document_allow.sub.window.js.sub.headers

@@ -0,0 +1,2 @@
+Connection-Allowlist: (response-origin "*://:subdomain.{{hosts[alt][]}}:*" "*://*:*/*\\?*&ignore-allowlist=true*")
+Link: <http://{{hosts[alt][www]}}:{{ports[http][0]}}/connection-allowlist/tentative/resources/key-value-store.py?key=d5c4b2a1-7e8d-4c60-91da-2a57191363c2&value=hello>; rel=prefetch; as=document

connection-allowlist/tentative/link_header_prefetch_as_document_deny.sub.window.js

@@ -0,0 +1,16 @@
+// META: script=/common/utils.js
+// META: script=resources/utils.js
+// META: timeout=long
+//
+// The test assumes the policy `Connection-Allowlist: (response-origin)` has
+// been set in the response. The response also contains a link header that
+// triggers a prefetch to the cross-origin KV server at
+// http://{{hosts[][www]}}:{{ports[http][0]}}.
+
+promise_test(async (t) => {
+  const result = await Promise.race([
+    new Promise(r => t.step_timeout(r, 1000)),
+    nextValueFromServer('a9853747-3a23-4802-a907-327ce0a888f0')
+  ]);
+  assert_true(typeof result === 'undefined');
+}, 'Link header prefetch (as=document) to a not allow-listed url fails.');

connection-allowlist/tentative/link_header_prefetch_as_document_deny.sub.window.js.sub.headers

@@ -0,0 +1,2 @@
+Connection-Allowlist: (response-origin "*://*:*/*\\?*&ignore-allowlist=true*")
+Link: <http://{{hosts[][www]}}:{{ports[http][0]}}/connection-allowlist/tentative/resources/key-value-store.py?key=a9853747-3a23-4802-a907-327ce0a888f0&value=hello>; rel=prefetch; as=document

connection-allowlist/tentative/link_rel_prefetch_as_document.sub.window.js

@@ -0,0 +1,64 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=resources/utils.js
+// META: timeout=long
+
+const port = get_host_info().HTTP_PORT_ELIDED;
+const SUCCESS = true;
+const FAILURE = false;
+
+function prefetch_test(origin, expectation) {
+  promise_test(
+      async t => {
+        const key = token();
+        const value = 'hello';
+        const params = new URLSearchParams();
+        params.set('key', key);
+        params.set('value', value);
+
+        const link = document.createElement('link');
+        link.rel = 'prefetch';
+        link.as = 'document';
+        link.href = `${origin}${STORE_URL}?${params.toString()}`;
+        document.head.appendChild(link);
+        t.add_cleanup(() => link.remove());
+
+        if (expectation === SUCCESS) {
+          const result = await nextValueFromServer(key);
+          assert_equals(result, value);
+        } else {
+          const result = await Promise.race([
+            new Promise(r => t.step_timeout(r, 1000)), nextValueFromServer(key)
+          ]);
+          assert_true(typeof result === 'undefined');
+        }
+      },
+      `Prefetch (as=document) to ${origin} ${
+          expectation === SUCCESS ? 'succeeds' : 'fails'}.`);
+}
+
+const test_cases = [
+  // Page loads originate from `http://hosts[][]`; prefetching this origin
+  // succeeds, while subdomains fail as they are cross-origin but not
+  // allow-listed.
+  {origin: 'http://{{hosts[][]}}' + port, expectation: SUCCESS},
+  {origin: 'http://{{hosts[][www]}}' + port, expectation: FAILURE},
+  {origin: 'http://{{hosts[][www1]}}' + port, expectation: FAILURE},
+  {origin: 'http://{{hosts[][www2]}}' + port, expectation: FAILURE},
+  {origin: 'http://{{hosts[][天気の良い日]}}' + port, expectation: FAILURE},
+  {origin: 'http://{{hosts[][élève]}}' + port, expectation: FAILURE},
+
+  // The pattern we've specified in the header ("*://*.hosts[alt]:*/") will
+  // match any subdomain of `hosts[alt]` (though not, as it turns out,
+  // `hosts[alt]` itself.
+  {origin: 'http://{{hosts[alt][]}}' + port, expectation: FAILURE},
+  {origin: 'http://{{hosts[alt][www]}}' + port, expectation: SUCCESS},
+  {origin: 'http://{{hosts[alt][www1]}}' + port, expectation: SUCCESS},
+  {origin: 'http://{{hosts[alt][www2]}}' + port, expectation: SUCCESS},
+  {origin: 'http://{{hosts[alt][天気の良い日]}}' + port, expectation: SUCCESS},
+  {origin: 'http://{{hosts[alt][élève]}}' + port, expectation: SUCCESS},
+];
+
+for (let i = 0; i < test_cases.length; i++) {
+  prefetch_test(test_cases[i].origin, test_cases[i].expectation);
+}

connection-allowlist/tentative/link_rel_prefetch_as_document.sub.window.js.sub.headers

@@ -0,0 +1 @@
+Connection-Allowlist: (response-origin "*://:subdomain.{{hosts[alt][]}}:*" "*://*:*/*\\?*&ignore-allowlist=true*")