[Connection-Allowlist] Implement "redirects=" param for navigations.

Previously, we blocked all redirects for navigations when a Connection
Allowlist header was enforced. We decided to use a global header param
called `redirects=` instead. When the value of the param is "allow",
navigations for redirects will be allowed regardless of destination.
When the value is "block", redirects will be blocked regardless of the
destination.

A follow-up CL will implement this same logic for subresource fetch
redirects.

Bug: 492439215
Change-Id: I2f9de6c9a8f9746b2f7f5206e9476709145b77d5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7667118
Commit-Queue: Andrew Verge <averge@chromium.org>
Reviewed-by: Shivani Sharma <shivanisha@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1602209}

Author: VergeA

connection-allowlist/tentative/navigation-redirect-allow.sub.window.js

@@ -0,0 +1,27 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=resources/navigation_redirect_test.js
+
+// We're loading this page from `http://{{hosts[][]}}`.
+// The connection allowlist header is `Connection-Allowlist:
+// (response-origin);redirects=allow`. Thus, all redirects should succeed.
+
+// Redirect from an allowlisted origin (same-origin):
+// origin: http://{{hosts[][]}} (allowed by allowlist)
+// target: http://{{hosts[][]}} (also allowed)
+// This should SUCCEED, because of the redirects=allow portion of the header.
+navigation_redirect_test(
+    'http://{{hosts[][]}}' + port, 'http://{{hosts[][]}}' + port, SUCCESS);
+
+// Redirect from an allowlisted origin to a different origin:
+// origin: http://{{hosts[][]}} (allowed by allowlist)
+// target: http://{{hosts[alt][]}} (not allowed)
+// This should SUCCEED, because of the redirects=allow portion of the header,
+// regardless of what the target origin is.
+navigation_redirect_test(
+    'http://{{hosts[][]}}' + port, 'http://{{hosts[alt][]}}' + port, SUCCESS);
+
+// Initial navigation to a non-allowlisted origin:
+// origin: http://{{hosts[alt][]}} (not allowed)
+// This is blocked before the redirect even happens.
+navigation_redirect_test(
+    'http://{{hosts[alt][]}}' + port, 'http://{{hosts[][]}}' + port, FAILURE);

connection-allowlist/tentative/navigation-redirect-allow.sub.window.js.headers

@@ -0,0 +1 @@
+Connection-Allowlist: (response-origin);redirects=allow

connection-allowlist/tentative/navigation-redirect-block.sub.window.js

@@ -0,0 +1,26 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=resources/navigation_redirect_test.js
+
+// We're loading this page from `http://{{hosts[][]}}`.
+// The connection allowlist header is `Connection-Allowlist:
+// (response-origin);redirects=block`. Thus, all redirects should fail.
+
+// Redirect from an allowlisted origin (same-origin):
+// origin: http://{{hosts[][]}} (allowed by allowlist)
+// target: http://{{hosts[][]}} (also allowed)
+// This should FAIL, because of the redirects=block portion of the header.
+navigation_redirect_test(
+    'http://{{hosts[][]}}' + port, 'http://{{hosts[][]}}' + port, FAILURE);
+
+// Redirect from an allowlisted origin to a different origin:
+// origin: http://{{hosts[][]}} (allowed by allowlist)
+// target: http://{{hosts[alt][]}} (not allowed)
+// This should FAIL, because of the redirects=block portion of the header.
+navigation_redirect_test(
+    'http://{{hosts[][]}}' + port, 'http://{{hosts[alt][]}}' + port, FAILURE);
+
+// Initial navigation to a non-allowlisted origin:
+// origin: http://{{hosts[alt][]}} (not allowed)
+// This is blocked before the redirect even happens.
+navigation_redirect_test(
+    'http://{{hosts[alt][]}}' + port, 'http://{{hosts[][]}}' + port, FAILURE);

connection-allowlist/tentative/navigation-redirect-block.sub.window.js.headers

@@ -0,0 +1 @@
+Connection-Allowlist: (response-origin);redirects=block

connection-allowlist/tentative/navigation-redirect-default.sub.window.js

@@ -0,0 +1,31 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=resources/navigation_redirect_test.js
+// The following tests assume the policy `Connection-Allowlist:
+// (response-origin)` has been set. Redirects from a connection-allowlisted URL
+// should be blocked by default.
+
+// We're loading this page from `http://{{hosts[][]}}`.
+// The connection allowlist header is `Connection-Allowlist: (response-origin)`.
+// Thus, only `http://{{hosts[][]}}` is allowlisted for navigations, and no
+// redirects are allowed.
+
+// Redirect from an allowlisted origin (same-origin):
+// origin: http://{{hosts[][]}} (allowed by allowlist)
+// target: http://{{hosts[][]}} (also allowed)
+// This should FAIL because redirects are default-blocked for allowlisted
+// navigations.
+navigation_redirect_test(
+    'http://{{hosts[][]}}' + port, 'http://{{hosts[][]}}' + port, FAILURE);
+
+// Redirect from an allowlisted origin to a different origin:
+// origin: http://{{hosts[][]}} (allowed by allowlist)
+// target: http://{{hosts[alt][]}} (not allowed)
+// This should FAIL.
+navigation_redirect_test(
+    'http://{{hosts[][]}}' + port, 'http://{{hosts[alt][]}}' + port, FAILURE);
+
+// Initial navigation to a non-allowlisted origin:
+// origin: http://{{hosts[alt][]}} (not allowed)
+// This is blocked before the redirect even happens.
+navigation_redirect_test(
+    'http://{{hosts[alt][]}}' + port, 'http://{{hosts[][]}}' + port, FAILURE);

…avigation-redirect.sub.window.js.headers …n-redirect-default.sub.window.js.headersconnection-allowlist/tentative/navigation-redirect.sub.window.js.headers renamed to connection-allowlist/tentative/navigation-redirect-default.sub.window.js.headers connection-allowlist/tentative/navigation-redirect.sub.window.js.headers renamed to connection-allowlist/tentative/navigation-redirect-default.sub.window.js.headers

@@ -0,0 +1,51 @@
+// META: script=/common/get-host-info.sub.js
+
+const port = get_host_info().HTTP_PORT_ELIDED;
+const SUCCESS = true;
+const FAILURE = false;
+
+function navigation_redirect_test(origin, target_origin, expectation) {
+  promise_test(
+      async t => {
+        const iframe = document.createElement('iframe');
+        let received_message = false;
+        const handler = (e) => {
+          if (e.data === 'loaded') {
+            received_message = true;
+          }
+        };
+        window.addEventListener('message', handler);
+        t.add_cleanup(() => window.removeEventListener('message', handler));
+
+        const p = new Promise((resolve) => {
+          iframe.onload = () => {
+            // If onload fires, it might be the success page or an error page.
+            // We wait a short bit to ensure any postMessage has time to arrive.
+            step_timeout(() => resolve(), 50);
+          };
+          iframe.onerror = () => resolve();
+        });
+
+        const target_url = target_origin +
+            '/connection-allowlist/tentative/resources/post-message.html';
+        iframe.src = origin + '/common/redirect.py?status=302&location=' +
+            encodeURIComponent(target_url);
+        document.body.appendChild(iframe);
+        await p;
+        document.body.removeChild(iframe);
+
+        if (expectation === SUCCESS) {
+          assert_true(
+              received_message,
+              `Redirect from ${origin} to ${
+                  target_origin} should have succeeded.`);
+        } else {
+          assert_false(
+              received_message,
+              `Redirect from ${origin} to ${
+                  target_origin} should have failed.`);
+        }
+      },
+      `Redirect from ${origin} to ${target_origin} should ${
+          expectation === SUCCESS ? 'succeed' : 'fail'}.`);
+}