firefox/testing/web-platform/tests/html/anonymous-iframe/worker-cookies.tentative.https.window.js

// META: timeout=long
// META: variant=?worker=dedicated_worker
// META: variant=?worker=shared_worker
// META: variant=?worker=service_worker
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=/html/cross-origin-embedder-policy/credentialless/resources/common.js
// META: script=./resources/common.js

// Execute the same set of tests for every type of worker.
// - DedicatedWorkers
// - SharedWorkers
// - ServiceWorkers.
const params = new URLSearchParams(document.location.search);
const worker_param = params.get("worker") || "dedicated_worker";

const cookie_key = token();
const cookie_value = "cookie_value";
const cookie_origin = get_host_info().HTTPS_REMOTE_ORIGIN;

// Create worker spawned from `context` and return its uuid.
const workerFrom = context => {
  const reply = token();
  send(context, `
    for(deps of [
      "/common/utils.js",
      "/resources/testharness.js",
      "/html/cross-origin-embedder-policy/credentialless/resources/common.js",
    ]) {
      await new Promise(resolve => {
        const script = document.createElement("script");
        script.src = deps;
        script.onload = resolve;
        document.body.appendChild(script);
      });
    }

    const worker_constructor = environments["${worker_param}"];
    const headers = "";
    const [worker, error] = worker_constructor(headers);
    send("${reply}", worker);
  `);
  return receive(reply);
};

// Set a cookie from a top-level document.
promise_test(async test => {
  await setCookie(cookie_origin, cookie_key, cookie_value);
}, "set cookies");

// Control: iframe is not credentialless. The worker can access cookies.
promise_test(async test => {
  const headers = token();
  send(await workerFrom(newIframe(cookie_origin)), `
    fetch("${showRequestHeaders(cookie_origin, headers)}");
  `);
  const cookie = parseCookies(JSON.parse(await receive(headers)));
  assert_equals(cookie[cookie_key], cookie_value)
}, "Worker spawned from normal iframe can access global cookies");

// Experiment: iframe is credentialless.
promise_test(async test => {
  const headers = token();
  send(await workerFrom(newIframeCredentialless(cookie_origin)), `
    fetch("${showRequestHeaders(cookie_origin, headers)}");
  `);
  const cookie = parseCookies(JSON.parse(await receive(headers)));
  assert_equals(cookie[cookie_key], undefined)
}, "Worker spawned from credentialless iframe can't access global cookies");