wpcom.js: Remove problematic "whitelist" langauge #43395

[sarayourfriend]

Changes proposed in this Pull Request

• Rename wpcom.js/test-whitelist to wpcom.js/test-allow-deny-lists`

Testing instructions

• Ensure wpcom.js unit tests pass

Addresses part of #43395

[matticbot]

Test live: https://calypso.live/?branch=update/remove-problematic-language-whitelist-blacklist-wpcomjs

[matticbot]

This PR does not affect the size of JS and CSS bundles shipped to the user's browser.

Generated by performance advisor bot at iscalypsofastyet.com.

[sarayourfriend]

Linting errors are pre-existing and out of scope for this PR.

[sarayourfriend]

@retrofox It looks like you were the original author of these files, so just pinging you for a quick review if you have a chance. Thanks!

@jsnajdr pinging you as you originally committed but I know you're pressed for time so no worries about reviewing or not.

[jsnajdr]

The test-whitelist name was not very self-explaining, and unfortunately this rename further obfuscates it.

Some sensitive API endpoints (e.g., /me/settings) can be called only from certain allowed domains which are controlled by a8c: wordpress.com, a8c.com, widgets.wp.com... The REST proxy frame and the server handlers check the Origin header and deny the request if doesn't come from a trusted one.

Not every random site can load the REST proxy iframe and send any kind of request, even authenticated. E.g., anyone can list posts on a public site, Jetpack sites (not controlled by a8c) can send a limited subset, Atomic and Simple sites are further limited, and only handful of origins have full access.

The tests in test-whitelist test these limited APIs and therefore need to be run from an allowed origin.

Good name would be test-need-complete-access-origin or something like that.

[sarayourfriend]

Okay, thank you! I was struggling to figure out an appropriate alternative. I'll make the updates 😊

[jsnajdr]

👍