// META: variant=?request_origin=same_origin&worker_dip=none&window_dip=none
// META: variant=?request_origin=same_origin&worker_dip=none&window_dip=credentialless
// META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=none
// META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=credentialless
// META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=none
// META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=credentialless
// META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=none
// META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=credentialless
// META: timeout=long
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js
// Test description:
// Request a resource from a SharedWorker. Check the request's cookies.
//
// Variant:
// - The Window DIP policy: none or credentialless.
// - The SharedWorker DIP policy: none or credentialless.
// - The SharedWorker's request URL origin: same-origin or cross-origin.
// The two origins under test, taken from /common/get-host-info.sub.js.
const { HTTPS_ORIGIN: same_origin, HTTPS_REMOTE_ORIGIN: cross_origin } =
  get_host_info();

// Cookie name for this run: a fresh token so the value observed on the
// worker's request can only come from cookies this test set itself.
const cookie_key = token();

// One distinct value per origin, so the server-side observation tells which
// origin's cookie jar (if any) was attached to the request.
const cookie_same_origin = "same_origin";
const cookie_cross_origin = "cross_origin";
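// Resolve the variant from the query string; the accepted values are exactly
// the ones spelled out in the `META: variant` lines at the top of this file.
const variants = new URLSearchParams(window.location.search);

// `dip_none` / `dip_credentialless` are not defined in this file; presumably
// they are the DIP executor-URL suffixes provided by ./resources/common.js.
const window_dip = variants.get('window_dip') === 'none'
  ? dip_none
  : dip_credentialless;
const worker_dip = variants.get('worker_dip') === 'none'
  ? dip_none
  : dip_credentialless;

// The variant value is `same_origin` (underscore), exactly as written in the
// META lines. Comparing against a hyphenated `same-origin` never matched, so
// every variant silently exercised the cross-origin request path and the
// same-origin expectations were never checked.
const request_origin = variants.get('request_origin') === 'same_origin'
  ? same_origin
  : cross_origin;

// Cookie the server should observe on the worker's no-cors request:
// - same-origin request: always the same-origin cookie;
// - cross-origin request from a DIP:credentialless worker: no cookie, because
//   credentialless strips credentials from cross-origin no-cors requests;
// - cross-origin request from a DIP:none worker: the cross-origin cookie.
// Note: this must depend only on the worker's DIP policy, never the window's.
const worker_expected_cookie = (() => {
  if (request_origin === same_origin) {
    return cookie_same_origin;
  }
  return worker_dip === dip_credentialless ? undefined : cookie_cross_origin;
})();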
// Given `response`, the JSON-encoded request headers reported back through
// `receive(request_token)`, return the value of the cookie named `cookie_key`.
// Yields undefined when that cookie is absent (assuming parseCookies returns a
// plain object keyed by cookie name — see ./resources/common.js).
const get_cookie = (response) => {
  const request_headers = JSON.parse(response);
  const { [cookie_key]: cookie } = parseCookies(request_headers);
  return cookie;
};
// End-to-end check of one variant: set a cookie on both origins, open a popup
// with `window_dip`, start a SharedWorker with `worker_dip` inside it, fetch
// `request_origin` from the worker, then compare the cookie the server saw
// with `worker_expected_cookie`. The security property under test is that a
// DIP:credentialless worker sends no cookie on cross-origin no-cors requests,
// regardless of the embedding window's policy.
promise_test(async test => {
// 0. Populate cookies for the two origins.
// `cookie_same_site_none` is appended so the cookie is eligible for cross-site
// requests; otherwise an absent cookie could not be attributed to DIP.
// (Assumes it expands to a SameSite=None attribute — see ./resources/common.js.)
await Promise.all([
setCookie(same_origin, cookie_key, cookie_same_origin +
cookie_same_site_none),
setCookie(cross_origin, cookie_key, cookie_cross_origin +
cookie_same_site_none),
]);

// 1. Create the popup with the `window_dip` DIP policy:
const popup = environments.document(window_dip)[0];

// 2. Create the worker with the `worker_dip` DIP policy:
// The worker script itself is always loaded from `same_origin`; only the
// resource fetched in step 3 varies with `request_origin`.
const worker_token = token();
const worker_error = token();
const worker_src = same_origin + executor_worker_path + worker_dip +
`&uuid=${worker_token}`;
// Not awaited: the worker executor is addressed below via `worker_token`, and
// a failure to start the worker is reported out-of-band on `worker_error`.
send(popup, `
let worker = new SharedWorker("${worker_src}", {});
worker.onerror = () => {
send("${worker_error}", "Worker blocked");
}
`);

// 3. Request the resource from the worker, with the `request_origin` origin.
const request_token = token();
const request_url = showRequestHeaders(request_origin, request_token);
// `credentials: 'include'` is requested explicitly, so a missing cookie in the
// credentialless case is attributable to the policy rather than to the
// default credentials mode of the fetch.
send(worker_token, `fetch("${request_url}", {
mode: 'no-cors',
credentials: 'include',
})`);
// Either the request reaches the server and its cookie is reported, or the
// worker failed to start, in which case the race resolves with the
// "Worker blocked" string and the assertion below fails with that value.
const request_cookie = await Promise.race([
receive(worker_error),
receive(request_token).then(get_cookie)
]);

assert_equals(request_cookie, worker_expected_cookie);
})