From fad3b7b7a1acdd2abcf69371179f4df48e4ff749 Mon Sep 17 00:00:00 2001
From: Blink WPT Bot <blink-w3c-test-autoroller@chromium.org>
Date: Wed, 3 Nov 2021 11:47:44 -0700
Subject: [PATCH] WPT tests for COOP with Reporting-Endpoints header (#31099)

* Test the integration between new Reporting-Endpoints header
  with coop reporters
* Added new cases covering reports sent from redirects.

Bug: 1209057, 1062359
Change-Id: I2e061f2f9e235264d569032204c75df30cdb5220
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3202651
Commit-Queue: Rodney Ding <rodneyding@google.com>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/main@{#937859}

Co-authored-by: Rodney Ding <rodneyding@google.com>
---
 .../report-only-four-reports.https.html       |  86 ++++++++++
 ...t-only-four-reports.https.html.sub.headers |   6 +
 .../report-to-both_coop-ro.https.html         | 129 ++++++++++++++
 ...t-with-same-origin-allow-popups.https.html | 116 +++++++++++++
 ...rting-redirect-with-unsafe-none.https.html | 135 +++++++++++++++
 .../reporting-coop-navigated-popup.https.html |   4 +-
 ...t-with-same-origin-allow-popups.https.html |   2 +-
 .../reporting/resources/reporting-common.js   | 158 ++++++++++++++----
 8 files changed, 597 insertions(+), 39 deletions(-)
 create mode 100644 html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html
 create mode 100644 html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers
 create mode 100644 html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html
 create mode 100644 html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
 create mode 100644 html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html

diff --git a/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html b/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html
new file mode 100644
index 000000000000000..7bfdab133070e95
--- /dev/null
+++ b/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html
@@ -0,0 +1,86 @@
+
+<meta name=timeout content=long>
+<title>A test with both COOP and COOP report only setup using Reporting-Endpoints header</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script
+  src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js?pipe=sub&report_id=2aee31d2-cd11-43bd-b34d-5f081ca3b2b4&report_only_id=d18f1779-e2ab-4a7a-8b1c-44e3a6f440f5"></script>
+
+<script>
+let tests = [
+  // popup origin, popup COOP, popup COEP, popup COOP report-only, popup COEP report-only, expected reports
+
+  // Open a cross-origin popup with both normal and report-only COOP. Four
+  // reports are sent.
+  [
+    CROSS_ORIGIN,
+    `same-origin-allow-popups; report-to="${popupReportEndpoint.name}"`,
+    "require-corp",
+    `same-origin; report-to="${popupReportOnlyEndpoint.name}"`,
+    "require-corp",
+    [
+      {
+        "endpoint": reportEndpoint,
+        "report": {
+          "body": {
+            "disposition": "enforce",
+            "effectivePolicy": "same-origin-allow-popups",
+            "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+            "type": "navigation-from-response"
+          },
+          "url": `${location.href}`,
+          "type": "coop"
+        }
+      },
+      {
+        "endpoint": reportOnlyEndpoint,
+        "report": {
+          "body": {
+            "disposition": "reporting",
+            "effectivePolicy": "same-origin-plus-coep",
+            "nextResponseURL": /uuid=EXECUTOR_UUID$/, // next document URL
+            "type": "navigation-from-response"
+          },
+          "url": `${location.href}`,
+          "type": "coop"
+        }
+      },
+      {
+        "endpoint": popupReportEndpoint,
+        "report": {
+          "body": {
+            "disposition": "enforce",
+            "effectivePolicy": "same-origin-allow-popups",
+            "previousResponseURL": "",
+            "referrer": `${location.origin}/`, // referrer
+            "type": "navigation-to-response"
+          },
+          "url": /uuid=EXECUTOR_UUID$/,
+          "type": "coop"
+        }
+      },
+      {
+        "endpoint": popupReportOnlyEndpoint,
+        "report": {
+          "body": {
+            "disposition": "reporting",
+            "effectivePolicy": "same-origin-plus-coep",
+            "previousResponseURL": "",
+            "referrer": `${location.origin}/`, // referrer
+            "type": "navigation-to-response"
+          },
+          "url": /uuid=EXECUTOR_UUID$/,
+          "type": "coop"
+        }
+      }
+    ]
+  ]
+];
+
+runNavigationDocumentReportingTests(document.title, tests);
+
+</script>
diff --git a/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers b/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers
new file mode 100644
index 000000000000000..de48445f38fafc0
--- /dev/null
+++ b/html/cross-origin-opener-policy/reporting/document-reporting/report-only-four-reports.https.html.sub.headers
@@ -0,0 +1,6 @@
+Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop-report-endpoint"
+Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-report-only-endpoint"
+Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Embedder-Policy-Report-Only: require-corp
+Referrer-Policy: origin
+Reporting-Endpoints: coop-report-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=2aee31d2-cd11-43bd-b34d-5f081ca3b2b4", coop-report-only-endpoint="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?reportID=d18f1779-e2ab-4a7a-8b1c-44e3a6f440f5"
diff --git a/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html b/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html
new file mode 100644
index 000000000000000..43da4b79b30243b
--- /dev/null
+++ b/html/cross-origin-opener-policy/reporting/document-reporting/report-to-both_coop-ro.https.html
@@ -0,0 +1,129 @@
+<title>
+  Both the openee and the opener have a COOP reporter. The report are sent to
+  both side.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/try-access.js"></script>
+<script>
+
+const directory = "/html/cross-origin-opener-policy";
+const origin_opener = get_host_info().HTTPS_ORIGIN;
+const origin_openee = get_host_info().HTTPS_REMOTE_ORIGIN;
+
+function reportToken() {
+  // Report endpoint name must start with lower case alphabet.
+  return token().replace(/./, 'a');
+}
+
+let escapeComma = url => url.replace(/,/g, '\\,');
+
+let genericSetup = async function(test) {
+  // The test window.
+  const this_window_token = token();
+
+  // The "opener" window. This has COOP and a reporter.
+  const opener_token = token();
+  const opener_report_token = reportToken();
+  const opener_reporting = reportingEndpointsHeaders(opener_report_token);
+  const opener_url = origin_opener+ executor_path + opener_reporting.header +
+    opener_reporting.coopReportOnlySameOriginHeader + coep_header +
+    `&uuid=${opener_token}`;
+
+  // The "openee" window. This has COOP and a reporter.
+  const openee_token = token();
+  const openee_report_token = reportToken();
+  const openee_reporting = reportingEndpointsHeaders(openee_report_token);
+  const openee_url = origin_openee + executor_path + openee_reporting.header +
+    openee_reporting.coopReportOnlySameOriginHeader + coep_header +
+    `&uuid=${openee_token}`;
+
+  // Cleanup at the end of the test.
+  test.add_cleanup(() => {
+    send(openee_token, 'window.close()');
+    send(opener_token, 'window.close()');
+  });
+
+  // 1. Spawn the opener and the openee windows.
+  window.open(opener_url);
+  send(opener_token, `
+    openee = window.open('${escapeComma(openee_url)}');
+  `);
+
+  // 2. Wait for both to be loaded.
+  send(openee_token, `send('${this_window_token}', 'ACK');`);
+  assert_equals(await receive(this_window_token), 'ACK');
+
+  return [
+    this_window_token,
+    opener_token, opener_report_token, opener_url,
+    openee_token, openee_report_token, openee_url,
+  ];
+}
+
+let assert_generic_coop_report = function(report) {
+  assert_equals(report.type, "coop");
+  assert_equals(report.body.disposition, "reporting");
+  assert_equals(report.body.effectivePolicy, "same-origin-plus-coep");
+  assert_equals(report.body.property, "blur");
+}
+
+promise_test(async test => {
+  let [
+    this_window_token,
+    opener_token, opener_report_token, opener_url,
+    openee_token, openee_report_token, openee_url,
+  ] = await genericSetup(test);
+
+  send(opener_token, addScriptAndTriggerOnload(
+    directory + "/reporting/resources/try-access.js",
+    "tryAccess(openee);")
+  );
+
+  let report_opener =
+    await receiveReport(opener_report_token, "access-from-coop-page-to-openee")
+  let report_openee =
+    await receiveReport(openee_report_token, "access-to-coop-page-from-opener")
+
+  assert_generic_coop_report(report_openee);
+  assert_generic_coop_report(report_opener);
+
+  assert_equals(report_opener.url, opener_url.replace(/"/g, '%22'));
+  assert_equals(report_openee.url, openee_url.replace(/"/g, '%22'));
+  assert_source_location_found(report_opener);
+  assert_source_location_missing(report_openee);
+}, "Access from opener")
+
+promise_test(async test => {
+  let [
+    this_window_token,
+    opener_token, opener_report_token, opener_url,
+    openee_token, openee_report_token, openee_url,
+  ] = await genericSetup(test);
+
+  send(openee_token, addScriptAndTriggerOnload(
+    directory + "/reporting/resources/try-access.js",
+    "tryAccess(opener);")
+  );
+
+  let report_opener =
+    await receiveReport(opener_report_token, "access-to-coop-page-from-openee")
+  let report_openee =
+    await receiveReport(openee_report_token, "access-from-coop-page-to-opener")
+
+  assert_generic_coop_report(report_openee);
+  assert_generic_coop_report(report_opener);
+
+  assert_equals(report_opener.url, opener_url.replace(/"/g, '%22'));
+  assert_equals(report_openee.url, openee_url.replace(/"/g, '%22'));
+  assert_source_location_missing(report_opener);
+  assert_source_location_found(report_openee);
+}, "Access from openee")
+
+</script>
diff --git a/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
new file mode 100644
index 000000000000000..764b4128ff773ce
--- /dev/null
+++ b/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
@@ -0,0 +1,116 @@
+<title>
+  Tests the redirect interaction with COOP same-origin-allow-popups.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script>
+
+const same_origin = {
+  host: get_host_info().HTTPS_ORIGIN,
+  name: "Same origin"
+};
+const cross_origin = {
+  host: get_host_info().HTTPS_REMOTE_ORIGIN,
+  name: "Cross origin"
+};
+
+function reportToken() {
+  // Report endpoint name must start with lower case alphabet.
+  return token().replace(/./, 'a');
+}
+
+// Tests the redirect interaction with COOP same-origin-allow-popups and
+// reporting:
+// 1 - open the opener document on origin same_origin wit COOP
+// same-origin-allow-popups.
+// 2 - opener opens popup with document on origin popup_origin, no COOP and a
+// redirect header (HTTP 302, location).
+// 3 - redirection to a document with origin same_origin and COOP
+// same-origin-allow-popups.
+//
+// The navigation (2) to the first document of the popup stays in the same
+// browsing context group due to the same-origin-allow-popups COOP of the
+// opener.
+// The redirect (3) to the final document does since it compares the
+// popup_origin/unsafe-none document with the
+// same-origin/same-origin-allow-popups document.
+//
+// A opens B, B redirects to C.
+//
+// Document  Origin        COOP
+// --------  ------------  ------------------------
+// A         same-origin   same-origin-allow-popups
+// B         popup-origin  unsafe-none
+// C         same-origin   same-origin-allow-popups
+function redirect_test(popup_origin) {
+  promise_test(async t => {
+    // The test window.
+    const this_window_token = token();
+
+    // The "opener" window. This has COOP same-origin-allow-popups and a
+    // reporter.
+    const opener_token = token();
+    const opener_report_token = reportToken();
+    const opener_reporting = reportingEndpointsHeaders(opener_report_token);
+    const opener_url = same_origin.host + executor_path +
+      opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader +
+      `&uuid=${opener_token}`;
+
+    // The "openee" window.
+    // The initial document does not have COOP and is on popup_origin, it
+    // redirects to a same-origin (with the opener) document with COOP
+    // same-origin-allow-popups.
+    const openee_token = token();
+    const openee_redirect_url = same_origin.host + executor_path +
+      opener_reporting.header + opener_reporting.coopSameOriginAllowPopupsHeader +
+      `&uuid=${openee_token}`;
+    const redirect_header = 'status(302)' +
+      `|header(Location,${encodeURIComponent(
+        openee_redirect_url
+          .replace(/,/g, "\\,")
+          .replace(/\\\\,/g, "\\\\\\,")
+          .replace(/\(/g, "%28")
+          .replace(/\)/g, "%29"))})`;
+    const openee_url = popup_origin.host + executor_path + redirect_header +
+      `&uuid=${openee_token}`;
+    // 1. Create the opener window.
+    let opener_window_proxy = window.open(opener_url);
+    t.add_cleanup(() => send(opener_token, "window.close()"));
+
+    // 2. The opener opens its openee.
+    send(opener_token, `
+      openee = window.open("${openee_url}");
+    `);
+    t.add_cleanup(() => send(openee_token, "window.close()"));
+
+    // 3. Check the opener status on the openee.
+    send(openee_token, `
+      send("${this_window_token}", opener !== null);
+    `);
+    assert_equals(await receive(this_window_token), "false", "opener");
+
+    // 4. Check the openee status on the opener.
+    send(opener_token, `
+      send("${this_window_token}", openee.closed);
+    `);
+    assert_equals(await receive(this_window_token), "true", "openee.closed");
+
+    // 5. Check a report sent to the openee.
+    let report = await receiveReport(
+      opener_report_token,
+      "navigation-to-response");
+    assert_equals(report.type, "coop");
+    assert_equals(report.body.disposition, "enforce");
+    assert_equals(report.body.effectivePolicy, "same-origin-allow-popups");
+  }, `${popup_origin.name} openee redirected to same-origin with same-origin-allow-popups`);
+}
+
+redirect_test(same_origin);
+redirect_test(cross_origin);
+</script>
diff --git a/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html b/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html
new file mode 100644
index 000000000000000..ae94d6871a77c63
--- /dev/null
+++ b/html/cross-origin-opener-policy/reporting/document-reporting/reporting-redirect-with-unsafe-none.https.html
@@ -0,0 +1,135 @@
+<title>
+  Tests the redirect interaction with COOP unsafe-none.
+</title>
+<meta name=timeout content=long>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/get-host-info.sub.js></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/html/cross-origin-opener-policy/resources/common.js"></script>
+<script src="/html/cross-origin-opener-policy/reporting/resources/reporting-common.js"></script>
+<script>
+
+const same_origin = {
+  host: get_host_info().HTTPS_ORIGIN,
+  name: "Same origin"
+};
+const cross_origin = {
+  host: get_host_info().HTTPS_REMOTE_ORIGIN,
+  name: "Cross origin"
+};
+
+function reportToken() {
+  // Report endpoint name must start with lower case alphabet.
+  return token().replace(/./, 'a');
+}
+
+// Repeated call receive() to fetch all reports received within 1 second.
+async function fetchReportsByID(uuid){
+  let timeStart = new Date().getTime();
+  const reports = [];
+  while(new Date().getTime() - timeStart < 1000) {
+    // Promise.race is used to timeout since receive() has no timeout mechanism.
+    reports.push(...await Promise.race([
+      receive(uuid).then(JSON.parse),
+      new Promise(resolve => step_timeout(resolve, 1000, []))
+    ]));
+  }
+  return reports;
+}
+
+function fetchReportByType(reports, type){
+  return reports.filter((report)=> (report.body.type === type));
+}
+
+  // Tests the redirect interaction with COOP unsafe-none and reporting:
+  // 1 - open the opener document on origin same_origin with COOP
+  // unsafe-none.
+  // 2 - opener opens popup with document on origin popup_origin, with COOP
+  // same-origin, Reporting-Endpoints header and a redirect header
+  // (HTTP 302, location).
+  // 3 - redirection to a document with origin same-origin and COOP
+  // unsafe-none.
+  //
+  // Navigation 2) should generate a report sent to B's reporter(navigation-to).
+  // Navigation 3) should generate a report sent to B's reporter(navigation-from).
+  //
+  // A opens B, B redirects to C.
+  //
+  // Document  Origin        COOP
+  // --------  ------------  ------------------------
+  // A         same-origin   unsafe-none
+  // B         popup-origin  same-origin
+  // C         same-origin   unsafe-none
+function redirect_test(popup_origin) {
+  promise_test(async t => {
+    // The test window.
+    const this_window_token = token();
+
+    // The "opener" window. This has COOP unsafe-none and no reporter.
+    const opener_token = token();
+    const opener_url = same_origin.host + executor_path +
+      `&uuid=${opener_token}`;
+
+    // The "openee" window.
+    // The initial document have COOP, reporter and is on popup_origin, it
+    // redirects to a same-origin (with the opener) document with no COOP.
+    const openee_token = token();
+    const openee_report_token = reportToken();
+    const openee_reporting = reportingEndpointsHeaders(openee_report_token);
+    const openee_redirect_url = same_origin.host + executor_path +
+      `&uuid=${openee_token}`;
+    const redirect_header = '|status(302)' +
+      `|header(Location,${encodeURIComponent(
+        openee_redirect_url)})`;
+    const openee_url = (popup_origin.host + executor_path
+      + openee_reporting.header + openee_reporting.coopSameOriginHeader
+      + redirect_header + `&uuid=${openee_token}`)
+      .replace(/,/g, "\\,")
+      .replace(/\\\\,/g, "\\\\\\,")
+      .replace(/\(/g, "%28")
+      .replace(/\)/g, "%29");
+    // 1. Create the opener window.
+    let opener_window_proxy = window.open(opener_url);
+    t.add_cleanup(() => send(opener_token, "window.close()"));
+
+    // 2. The opener opens its openee.
+    send(opener_token, `
+      openee = window.open(\`${openee_url}\`);
+    `);
+    t.add_cleanup(() => send(openee_token, "window.close()"));
+
+    // 3. Check the opener status on the openee.
+    send(openee_token, `
+      send("${this_window_token}", opener !== null);
+    `);
+    assert_equals(await receive(this_window_token), "false", "opener");
+
+    // 4. Check the openee status on the opener.
+    send(opener_token, `
+      send("${this_window_token}", openee.closed);
+    `);
+    assert_equals(await receive(this_window_token), "true", "openee.closed");
+
+    // 5. Check a report sent to B's reporting endpoint when A opens B.
+    const reports = await fetchReportsByID(openee_report_token);
+    const navigationToReport = fetchReportByType(
+      reports, "navigation-to-response");
+    assert_equals(navigationToReport.length, 1);
+    assert_equals(navigationToReport[0].type, "coop");
+    assert_equals(navigationToReport[0].body.disposition, "enforce");
+    assert_equals(navigationToReport[0].body.effectivePolicy, "same-origin");
+    // 6. Check a report sent to B's reporting endpoint when B redirects to C.
+    const navigationFromReport = fetchReportByType(
+      reports, "navigation-from-response");
+    assert_equals(navigationFromReport.length, 1);
+    assert_equals(navigationFromReport[0].type, "coop");
+    assert_equals(navigationFromReport[0].body.disposition, "enforce");
+    assert_equals(navigationFromReport[0].body.effectivePolicy, "same-origin");
+  }, `${popup_origin.name} openee redirected to same-origin with unsafe-none`);
+}
+
+redirect_test(same_origin);
+redirect_test(cross_origin);
+</script>
diff --git a/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html b/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html
index 68ecd913756fa25..ae91e7dc04b1cb6 100644
--- a/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html
+++ b/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-coop-navigated-popup.https.html
@@ -21,11 +21,11 @@
   const coopToken= token();
   await reportingTest(async resolve => {
     const noCOOPUrl = executor_path +
-      `|header(report-to,${encodeURIComponent(getReportEndpoints(location.origin))})` +
+      convertToWPTHeaderPipe(getReportToHeader(location.origin)) +
       `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(`unsafe-none; report-to="${popupReportEndpoint.name}"`)})` +
       `&uuid=${noCoopToken}`;
     const coopUrl = executor_path +
-      `|header(report-to,${encodeURIComponent(getReportEndpoints(location.origin))})` +
+      convertToWPTHeaderPipe(getReportToHeader(location.origin)) +
       `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(`same-origin; report-to="${redirectReportEndpoint.name}"`)})` +
       `&uuid=${coopToken}`;
 
diff --git a/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html b/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
index d337541dfff01e8..b19cdd5a9c1e131 100644
--- a/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
+++ b/html/cross-origin-opener-policy/reporting/navigation-reporting/reporting-redirect-with-same-origin-allow-popups.https.html
@@ -22,7 +22,7 @@
 
 // Tests the redirect interaction with COOP same-origin-allow-popups and
 // reporting:
-// 1 - open the opener document on origin same_origin wit COOP
+// 1 - open the opener document on origin same_origin with COOP
 // same-origin-allow-popups.
 // 2 - opener opens popup with document on origin popup_origin, no COOP and a
 // redirect header (HTTP 302, location).
diff --git a/html/cross-origin-opener-policy/reporting/resources/reporting-common.js b/html/cross-origin-opener-policy/reporting/resources/reporting-common.js
index 246c9224a3aed46..48d48aa3884710e 100644
--- a/html/cross-origin-opener-policy/reporting/resources/reporting-common.js
+++ b/html/cross-origin-opener-policy/reporting/resources/reporting-common.js
@@ -190,50 +190,68 @@ async function reportingTest(testFunction, executorToken, expectedReports) {
   await Promise.all(Array.from(expectedReports, checkForExpectedReport));
 }
 
-function getReportEndpoints(host) {
-  result = "";
-  reportEndpoints.forEach(
-    reportEndpoint => {
-      let reportToJSON = {
-        'group': `${reportEndpoint.name}`,
-        'max_age': 3600,
-        'endpoints': [
-          {
-            'url': `${host}/reporting/resources/report.py?reportID=${reportEndpoint.reportID}`
-          },
-        ]
-      };
-      result += JSON.stringify(reportToJSON)
-                        .replace(/,/g, '\\,')
-                        .replace(/\(/g, '\\\(')
-                        .replace(/\)/g, '\\\)=')
-                + "\\,";
-    }
-  );
-  return result.slice(0, -2);
+function convertToWPTHeaderPipe([name, value]) {
+  return `header(${name}, ${encodeURIComponent(value)})`;
+}
+
+function getReportToHeader(host) {
+  return [
+    "Report-To",
+    reportEndpoints.map(
+      reportEndpoint => {
+        const reportToJSON = {
+          'group': `${reportEndpoint.name}`,
+          'max_age': 3600,
+          'endpoints': [{
+            'url': `${host}${getReportEndpointURL(reportEndpoint.reportID)}`
+          }]
+        };
+        // Escape comma as required by wpt pipes.
+        return JSON.stringify(reportToJSON)
+          .replace(/,/g, '\\,')
+          .replace(/\(/g, '\\\(')
+          .replace(/\)/g, '\\\)=');
+      }
+    ).join("\\, ")];
+}
+
+function getReportingEndpointsHeader(host) {
+  return [
+    "Reporting-Endpoints",
+    reportEndpoints.map(reportEndpoint => {
+      return `${reportEndpoint.name}="${host}${getReportEndpointURL(reportEndpoint.reportID)}"`;
+    }).join("\\, ")];
+}
+
+// Return Report and Report-Only policy headers.
+function getPolicyHeaders(coop, coep, coopRo, coepRo) {
+  return [
+    [`Cross-Origin-Opener-Policy`, coop],
+    [`Cross-Origin-Embedder-Policy`, coep],
+    [`Cross-Origin-Opener-Policy-Report-Only`, coopRo],
+    [`Cross-Origin-Embedder-Policy-Report-Only`, coepRo]];
 }
 
 function navigationReportingTest(testName, host, coop, coep, coopRo, coepRo,
-    expectedReports ){
+  expectedReports) {
   const executorToken = token();
   const callbackToken = token();
   promise_test(async t => {
-    await reportingTest( async resolve => {
+    await reportingTest(async resolve => {
+      const openee_headers = [
+        getReportToHeader(host.origin),
+        ...getPolicyHeaders(coop, coep, coopRo, coepRo)
+      ].map(convertToWPTHeaderPipe);
       const openee_url = host.origin + executor_path +
-      `|header(report-to,${encodeURIComponent(getReportEndpoints(host.origin))})` +
-      `|header(Cross-Origin-Opener-Policy,${encodeURIComponent(coop)})` +
-      `|header(Cross-Origin-Embedder-Policy,${encodeURIComponent(coep)})` +
-      `|header(Cross-Origin-Opener-Policy-Report-Only,${encodeURIComponent(coopRo)})` +
-      `|header(Cross-Origin-Embedder-Policy-Report-Only,${encodeURIComponent(coepRo)})`+
-      `&uuid=${executorToken}`;
+        openee_headers.join('|') + `&uuid=${executorToken}`;
       const openee = window.open(openee_url);
       const uuid = token();
       t.add_cleanup(() => send(uuid, "window.close()"));
 
       // 1. Make sure the new document is loaded.
       send(executorToken, `
-        send("${callbackToken}", "Ready");
-      `);
+      send("${callbackToken}", "Ready");
+    `);
       let reply = await receive(callbackToken);
       assert_equals(reply, "Ready");
       resolve();
@@ -241,6 +259,43 @@ function navigationReportingTest(testName, host, coop, coep, coopRo, coepRo,
   }, `coop reporting test ${testName} to ${host.name} with ${coop}, ${coep}, ${coopRo}, ${coepRo}`);
 }
 
+function navigationDocumentReportingTest(testName, host, coop, coep, coopRo,
+  coepRo, expectedReports) {
+  const executorToken = token();
+  const callbackToken = token();
+  promise_test(async t => {
+    const openee_headers = [
+      getReportingEndpointsHeader(host.origin),
+      ...getPolicyHeaders(coop, coep, coopRo, coepRo)
+    ].map(convertToWPTHeaderPipe);
+    const openee_url = host.origin + executor_path +
+      openee_headers.join('|') + `&uuid=${executorToken}`;
+    window.open(openee_url);
+    t.add_cleanup(() => send(executorToken, "window.close()"));
+    // Have openee window send a message through dispatcher, once we receive
+    // the Ready message from dispatcher it means the openee is fully loaded.
+    send(executorToken, `
+      send("${callbackToken}", "Ready");
+    `);
+    let reply = await receive(callbackToken);
+    assert_equals(reply, "Ready");
+
+    await wait(1000);
+
+    expectedReports = expectedReports.map(
+      (report) => replaceValuesInExpectedReport(report, executorToken));
+    return Promise.all(expectedReports.map(
+      async ({ endpoint, report: expectedReport }) => {
+        await pollReports(endpoint);
+        for (let report of endpoint.reports) {
+          assert_true(isObjectAsExpected(report, expectedReport),
+            `report received for endpoint: ${endpoint.name} ${JSON.stringify(report)} should match ${JSON.stringify(expectedReport)}`);
+        }
+        assert_equals(endpoint.reports.length, 1, `has exactly one report for ${endpoint.name}`)
+      }));
+  }, `coop document reporting test ${testName} to ${host.name} with ${coop}, ${coep}, ${coopRo}, ${coepRo}`);
+}
+
 // Run an array of reporting tests then verify there's no reports that were not
 // expected.
 // Tests' elements contain: host, coop, coep, coop-report-only,
@@ -254,6 +309,17 @@ async function runNavigationReportingTests(testName, tests) {
   verifyRemainingReports();
 }
 
+// Run an array of reporting tests using Reporting-Endpoints header then
+// verify there's no reports that were not expected.
+// Tests' elements contain: host, coop, coep, coop-report-only,
+// coep-report-only, expectedReports.
+// See isObjectAsExpected for explanations regarding the matching behavior.
+function runNavigationDocumentReportingTests(testName, tests) {
+  clearReportsOnServer();
+  tests.forEach(test => {
+    navigationDocumentReportingTest(testName, ...test);
+  });
+}
 
 function verifyRemainingReports() {
   promise_test(t => {
@@ -275,7 +341,6 @@ const receiveReport = async function(uuid, type) {
     if (reports == "timeout")
       return "timeout";
     reports = JSON.parse(reports);
-
     for(report of reports) {
       if (report?.body?.type == type)
         return report;
@@ -283,6 +348,17 @@ const receiveReport = async function(uuid, type) {
   }
 }
 
+// Build a set of 'Cross-Origin-Opener-Policy' and
+// 'Cross-Origin-Opener-Policy-Report-Only' headers.
+const coopHeaders = function (uuid) {
+  return {
+    coopSameOriginHeader: `|header(Cross-Origin-Opener-Policy,same-origin%3Breport-to="${uuid}")`,
+    coopSameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy,same-origin-allow-popups%3Breport-to="${uuid}")`,
+    coopReportOnlySameOriginHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin%3Breport-to="${uuid}")`,
+    coopReportOnlySameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin-allow-popups%3Breport-to="${uuid}")`
+  };
+}
+
 // Build a set of headers to tests the reporting API. This defines a set of
 // matching 'Report-To', 'Cross-Origin-Opener-Policy' and
 // 'Cross-Origin-Opener-Policy-Report-Only' headers.
@@ -302,9 +378,19 @@ const reportToHeaders = function(uuid) {
 
   return {
     header: `|header(report-to,${reportToJSON})`,
-    coopSameOriginHeader: `|header(Cross-Origin-Opener-Policy,same-origin%3Breport-to="${uuid}")`,
-    coopSameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy,same-origin-allow-popups%3Breport-to="${uuid}")`,
-    coopReportOnlySameOriginHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin%3Breport-to="${uuid}")`,
-    coopReportOnlySameOriginAllowPopupsHeader: `|header(Cross-Origin-Opener-Policy-Report-Only,same-origin-allow-popups%3Breport-to="${uuid}")`,
+    ...coopHeaders(uuid)
+  };
+};
+
+// Build a set of headers to tests the reporting API. This defines a set of
+// matching 'Reporting-Endpoints', 'Cross-Origin-Opener-Policy' and
+// 'Cross-Origin-Opener-Policy-Report-Only' headers.
+const reportingEndpointsHeaders = function (uuid) {
+  const report_endpoint_url = dispatcher_path + `?uuid=${uuid}`;
+  const reporting_endpoints_header = `${uuid}="${report_endpoint_url}"`;
+
+  return {
+    header: `|header(Reporting-Endpoints,${reporting_endpoints_header})`,
+    ...coopHeaders(uuid)
   };
 };