From 0a499ef779b92a4f28e21d1410f70e56979a7403 Mon Sep 17 00:00:00 2001
From: Liam Brady <lbrady@google.com>
Date: Tue, 7 Jan 2025 13:02:30 -0800
Subject: [PATCH] Allow setting automatic beacon data from cross-origin
 subframes.

Cross-origin fenced frames/URN iframes can send automatic reporting
beacons, but currently require data included in these beacons to be
pre-registered via an API call accessible only to a document that is
same-origin to the fenced frame config's mapped URL. This poses a
problem for cross-origin subframes within the same entity (e.g., an ad
frame and a payment subframe from the same company) that need to include
dynamic data, like click information, in the beacon. The current
workaround involves cumbersome postMessage communication and introduces
potential timing issues, highlighting the need for a more practical
solution for cross-origin subframes to set their own beacon data.

This CL relaxes that restriction and lets cross-origin documents set
automatic beacon data as well as use it. This is subject to the same
kinds of opt ins as other cross-origin FFAR features. Namely, the root
frame must opt in via the "Allow-Fenced-Frame-Automatic-Beacons" header,
and the cross-origin subframe setting the data must opt in via the
'crossOriginExposed' parameter in the call to setReportEvent...().

See: https://github.com/WICG/fenced-frame/issues/185

Change-Id: Iea922e737fa870f2edf0c24aa81927535f779d8b
Bug: 382500834
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6074470
Reviewed-by: Andrew Verge <averge@chromium.org>
Reviewed-by: Dominic Farolino <dom@chromium.org>
Commit-Queue: Liam Brady <lbrady@google.com>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1403202}
---
 ...-data-cross-origin-ancestor.sub.https.html | 53 ++++++++++++++++
 ...acon-data-cross-origin-subframe.https.html | 26 +++++---
 ...-beacon-data-multiple-ancestors.https.html | 62 +++++++++++++++++++
 ...atic-beacon-data-set-by-sibling.https.html | 59 ++++++++++++++++++
 .../resources/automatic-beacon-helper.js      |  3 +-
 5 files changed, 191 insertions(+), 12 deletions(-)
 create mode 100644 fenced-frame/automatic-beacon-data-cross-origin-ancestor.sub.https.html
 create mode 100644 fenced-frame/automatic-beacon-data-multiple-ancestors.https.html
 create mode 100644 fenced-frame/automatic-beacon-data-set-by-sibling.https.html

diff --git a/fenced-frame/automatic-beacon-data-cross-origin-ancestor.sub.https.html b/fenced-frame/automatic-beacon-data-cross-origin-ancestor.sub.https.html
new file mode 100644
index 00000000000000..e66d2adddb01a8
--- /dev/null
+++ b/fenced-frame/automatic-beacon-data-cross-origin-ancestor.sub.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<title>Test window.fence.setReportEventDataForAutomaticBeacons</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="resources/utils.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-actions.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/automatic-beacon-helper.js"></script>
+
+<body>
+<script>
+promise_test(async(t) => {
+  // This test creates the following frame tree:
+  // Root Frame (A)
+  //  └─Fenced Frame (A)
+  //     └─IFrame (B) [sets data]
+  //        └─IFrame (C) [performs navigation]
+  // It then checks that C's navigation uses the data set in B, even if B is
+  // cross-origin to fencedframe A.
+  const fencedframe = await attachFencedFrameContext({
+    generator_api: 'fledge', register_beacon: true
+  });
+
+  const beacon = {
+    eventType: "reserved.top_navigation_start",
+    eventData: "This is the start data",
+    destination: ["buyer"],
+    crossOriginExposed: true
+  }
+
+  await fencedframe.execute(async (beacon) => {
+    const iframe = await attachIFrameContext({
+      origin: 'https://{{hosts[][www2]}}:{{ports[https][1]}}'
+    });
+    // IFrame (C) is created during this setupAutomaticBeacon() call. The data
+    // for IFrame (B) is also set during this call.
+    return setupAutomaticBeacon(iframe, [beacon],
+        "resources/close.html", NavigationTrigger.CrossOriginClick,
+        "_blank");
+  }, [beacon]);
+
+  await multiClick(10, 10, fencedframe.element)
+
+  await verifyBeaconData(beacon.eventType, beacon.eventData,
+      get_host_info().HTTPS_REMOTE_ORIGIN);
+}, 'An automatic beacon can use data set by a cross-origin ancestor.');
+
+</script>
+</body>
diff --git a/fenced-frame/automatic-beacon-data-cross-origin-subframe.https.html b/fenced-frame/automatic-beacon-data-cross-origin-subframe.https.html
index d97bf370dc9a76..2082de1b784fa0 100644
--- a/fenced-frame/automatic-beacon-data-cross-origin-subframe.https.html
+++ b/fenced-frame/automatic-beacon-data-cross-origin-subframe.https.html
@@ -30,22 +30,28 @@
       origin: get_host_info().HTTPS_REMOTE_ORIGIN,
       headers: [['Allow-Fenced-Frame-Automatic-Beacons', 'true']]
     });
-    return setupAutomaticBeacon(iframe, [beacon],
-        "resources/close.html", NavigationTrigger.Click,
+    await setupAutomaticBeacon(iframe, [beacon],
+        "resources/close.html", NavigationTrigger.ClickOnce,
         "_blank");
+    return iframe.execute(() => {
+      // Test that automatic beacon data is set correctly in the subframe. Data
+      // that is not cross-origin exposed should not be able to be set in a
+      // cross-origin subframe, even if the same frame that sets the data
+      // triggers the report.
+      window.fence.setReportEventDataForAutomaticBeacons({
+        eventType: "reserved.top_navigation_start",
+        eventData: "This should not be the data",
+        destination: ["buyer"],
+        crossOriginExposed: false
+      });
+    });
   }, [beacon]);
 
   await multiClick(10, 10, fencedframe.element)
 
-  // An automatic beacon should be sent, but no data should be attached to it,
-  // as it shouldn't have been able to be set from a cross-origin subframe.
-  await verifyBeaconData(beacon.eventType, "<No data>",
+  await verifyBeaconData(beacon.eventType, beacon.eventData,
       get_host_info().HTTPS_REMOTE_ORIGIN);
-
-  // Leaving this fenced frame around for subsequent tests can lead to
-  // flakiness.
-  document.body.removeChild(fencedframe.element);
-}, 'A cross origin subframe cannot set automatic beacon data.');
+}, 'A cross origin subframe can set automatic beacon data.');
 
 </script>
 </body>
diff --git a/fenced-frame/automatic-beacon-data-multiple-ancestors.https.html b/fenced-frame/automatic-beacon-data-multiple-ancestors.https.html
new file mode 100644
index 00000000000000..5fd85805bbc527
--- /dev/null
+++ b/fenced-frame/automatic-beacon-data-multiple-ancestors.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<title>Test window.fence.setReportEventDataForAutomaticBeacons</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="resources/utils.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-actions.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/automatic-beacon-helper.js"></script>
+
+<body>
+<script>
+promise_test(async(t) => {
+  // This test creates the following frame tree:
+  // Root Frame (A)
+  //  └─Fenced Frame (A1) [sets valid data]
+  //     └─IFrame (A2) [sets invalid data]
+  //        └─IFrame (B) [performs navigation]
+  // It then checks that B's navigation uses the data set in A1 and not A2,
+  // since A1's data is valid for B to use.
+  const fencedframe = await attachFencedFrameContext({
+    generator_api: 'fledge', register_beacon: true
+  });
+
+  const valid_beacon = {
+    eventType: "reserved.top_navigation_start",
+    eventData: "This is the start data",
+    destination: ["buyer"],
+    crossOriginExposed: true
+  }
+
+  const invalid_beacon = {
+    eventType: "reserved.top_navigation_start",
+    eventData: "This data should not be used",
+    destination: ["buyer"],
+    crossOriginExposed: false
+  }
+
+  await fencedframe.execute(async (valid_beacon, invalid_beacon)=> {
+    window.fence.setReportEventDataForAutomaticBeacons(valid_beacon);
+
+    const iframe = await attachIFrameContext();
+    await iframe.execute((valid_beacon, invalid_beacon) => {
+      window.fence.setReportEventDataForAutomaticBeacons(invalid_beacon);
+    }, [valid_beacon, invalid_beacon]);
+
+    return setupAutomaticBeacon(iframe, [],
+        "resources/close.html", NavigationTrigger.CrossOriginClick,
+        "_blank");
+  }, [valid_beacon, invalid_beacon]);
+
+  await multiClick(10, 10, fencedframe.element)
+
+  await verifyBeaconData(valid_beacon.eventType, valid_beacon.eventData,
+      get_host_info().HTTPS_REMOTE_ORIGIN);
+}, 'An automatic beacon from uses the first valid ancestor-set data.');
+
+</script>
+</body>
diff --git a/fenced-frame/automatic-beacon-data-set-by-sibling.https.html b/fenced-frame/automatic-beacon-data-set-by-sibling.https.html
new file mode 100644
index 00000000000000..94e35577c9f4e5
--- /dev/null
+++ b/fenced-frame/automatic-beacon-data-set-by-sibling.https.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<title>Test window.fence.setReportEventDataForAutomaticBeacons</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="resources/utils.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-actions.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/automatic-beacon-helper.js"></script>
+
+<body>
+<script>
+promise_test(async(t) => {
+  // This test creates the following frame tree:
+  // Root Frame (A)
+  // └─Fenced Frame (A)
+  //    ├─IFrame (B) [performs navigation]
+  //    └─IFrame (B) [sets data]
+  // It then checks that B's navigation sends an automatic beacon without data,
+  // even if a different B sets automatic beacon data.
+  const fencedframe = await attachFencedFrameContext({
+    generator_api: 'fledge', register_beacon: true
+  });
+
+  const beacon = {
+    eventType: "reserved.top_navigation_start",
+    eventData: "This data should not be sent",
+    destination: ["buyer"],
+    crossOriginExposed: true
+  }
+
+  await fencedframe.execute(async (beacon) => {
+    const iframe_a = await attachIFrameContext({
+      origin: get_host_info().HTTPS_REMOTE_ORIGIN,
+      headers: [['Allow-Fenced-Frame-Automatic-Beacons', 'true']]
+    });
+    const iframe_b = await attachIFrameContext({
+      origin: get_host_info().HTTPS_REMOTE_ORIGIN,
+      headers: [['Allow-Fenced-Frame-Automatic-Beacons', 'true']]
+    });
+    iframe_b.execute((beacon) => {
+      window.fence.setReportEventDataForAutomaticBeacons(beacon);
+    }, [beacon]);
+    await setupAutomaticBeacon(iframe_a, [],
+        "resources/close.html", NavigationTrigger.ClickOnce,
+        "_blank");
+  }, [beacon]);
+
+  await multiClick(10, 10, fencedframe.element)
+
+  await verifyBeaconData(beacon.eventType, "<No data>",
+      get_host_info().HTTPS_REMOTE_ORIGIN);
+}, 'An automatic beacon does not use data set by a same-origin sibling.');
+
+</script>
+</body>
diff --git a/fenced-frame/resources/automatic-beacon-helper.js b/fenced-frame/resources/automatic-beacon-helper.js
index 36c10c904edf84..9b343db826e8a9 100644
--- a/fenced-frame/resources/automatic-beacon-helper.js
+++ b/fenced-frame/resources/automatic-beacon-helper.js
@@ -60,8 +60,7 @@ async function setupAutomaticBeacon(
               window.fence.setReportEventDataForAutomaticBeacons(beacon_event);
             });
             // Add a cross-origin iframe that will perform the top-level
-            // navigation. Do not set the 'Allow-Fenced-Frame-Automatic-Beacons'
-            // header to true.
+            // navigation.
             const iframe = await attachIFrameContext({
               origin: get_host_info().HTTPS_REMOTE_ORIGIN,
               headers: [[