Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 181 insertions, 0 deletions

diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html b/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
new file mode 100644
index 0000000000..b81b722bf6
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+      window.location = INSECURE_ORIGIN + "/cookies/resources/postToParent.py";
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
new file mode 100644
index 0000000000..13397d241a
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/cookies/resources/cookie-helper.sub.js"></script>
+</head>
+<body onload="doTests()">
+  <iframe id="if">
+  </iframe>
+  <script>
+  function doTests() {
+    promise_test(async function(t) {
+      var value = "" + Math.random();
+      await resetSameSiteCookies(SECURE_ORIGIN, value);
+      var child = document.getElementById("if");
+      child.src = SECURE_ORIGIN + "/cookies/samesite/resources/iframe-subresource-report.html";
+
+      // the iframe nested inside if should post COOKIES to here.
+      var e = await wait_for_message("COOKIES");
+      // Cross-scheme iframes should be cross-site and thus the subresources
+      // shouldn't get Lax or Strict cookies.
+      assert_cookie(SECURE_ORIGIN, e.data, "samesite_lax", value, false);
+      assert_cookie(SECURE_ORIGIN, e.data, "samesite_strict", value, false);
+      assert_cookie(SECURE_ORIGIN, e.data, "samesite_none", value, true);
+    }, "SameSite cookies with intervening cross-scheme iframe and subresources");
+  }
+  </script>
+</body>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html
new file mode 100644
index 0000000000..c1a86690dc
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function schemeful_navigation_test(target, expectedSameSiteStatus, title) {
+    promise_test(async function(t) {
+      let value = "" + Math.random();
+      document.cookie = `samesite_strict=${value}; sameSite=strict; path=/`;
+      document.cookie = `samesite_lax=${value}; sameSite=lax; path=/`;
+
+      let url = target + "/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html";
+
+      await new Promise((resolve, reject) => {
+          window.onmessage = t.step_func(e => {
+            if (e.source == window.open("", "testwindow" + value)) {
+              e.source.close();
+              const cookies = e.data;
+
+              assert_equals(cookies["samesite_lax"], value, "SameSite=lax cookies can be sent in both cases");
+              if (expectedSameSiteStatus === SameSiteStatus.STRICT) {
+                assert_equals(cookies["samesite_strict"], value, "SameSite=strict cookies can be sent to same-scheme navigations");
+              } else if (expectedSameSiteStatus === SameSiteStatus.LAX) {
+                assert_not_equals(cookies["samesite_strict"], value, "SameSite=strict cookies cannot be sent to cross-scheme navigations");
+              }
+
+              resolve();
+            }
+            else {reject();}
+          });
+
+          var w = window.open(url, "testwindow" + value);
+        });
+
+    },title);}
+
+  schemeful_navigation_test(INSECURE_ORIGIN, SameSiteStatus.STRICT, "Navigate same-scheme");
+  schemeful_navigation_test(SECURE_ORIGIN, SameSiteStatus.LAX, "Navigate cross-scheme");
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html
new file mode 100644
index 0000000000..4ba9286c25
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
+<body>
+<script>
+  function create_test(target, expectedDomStatus, title) {
+    promise_test(async t => {
+      var cookieValue = "" + Math.random();
+      document.cookie = `dc_samesite_strict=${cookieValue}; sameSite=strict; path=/`;
+      document.cookie = `dc_samesite_lax=${cookieValue}; sameSite=lax; path=/`;
+      // SameSite=None requires `Secure` which complicates the test and we don't
+      // need it, so don't add it.
+
+      await new Promise((resolve, reject) => {
+        var iframe = document.createElement("iframe");
+
+        window.onmessage = t.step_func(e => {
+          if (e.source == iframe.contentWindow) {
+            // Cleanup, then verify cookie state:
+            document.body.removeChild(iframe);
+
+            const cookies = e.data;
+
+            if (expectedDomStatus === DomSameSiteStatus.SAME_SITE) {
+              assert_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies can be sent to same-scheme subresources");
+              assert_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies can be sent to same-scheme subresources");
+            } else if (expectedDomStatus === DomSameSiteStatus.CROSS_SITE) {
+              assert_not_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies cannot be sent to cross-scheme subresources");
+              assert_not_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies cannot be sent to cross-scheme subresources");
+            }
+
+            resolve();
+          }
+        });
+
+        iframe.src = target + "/cookies/resources/postToParent.py";
+        document.body.appendChild(iframe);
+      });
+    }, title);
+  }
+
+  // Test that cross-scheme subresources (iframes in this case) are cross-site.
+  create_test(INSECURE_ORIGIN, DomSameSiteStatus.SAME_SITE, "Same-scheme subresources can send lax/strict cookies");
+  create_test(SECURE_ORIGIN, DomSameSiteStatus.CROSS_SITE, "Cross-scheme subresources cannot sent lax/strict cookies");
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
new file mode 100644
index 0000000000..7095eee21e
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
@@ -0,0 +1,57 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset=utf-8>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/cookies/resources/testharness-helpers.js"></script>
+  <script src="/cookies/resources/cookie-helper.sub.js"></script>
+</head>
+<body>
+<div id=log></div>
+<script>
+  promise_test(async function (t) {
+    var value = "" + Math.random();
+    document.cookie = `schemeful_same_site_websockets_strict=${value}; sameSite=strict; path=/`;
+    document.cookie = `schemeful_same_site_websockets_lax=${value}; sameSite=lax; path=/`;
+    await credFetch(SECURE_ORIGIN + "/cookies/resources/setSameSiteNone.py?" + value)
+    t.add_cleanup(async function() {
+      await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_strict");
+      await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_lax");
+      await credFetch(SECURE_ORIGIN + "/cookies/resources/dropSameSiteNone.py");
+    });
+
+    var ws = new WebSocket("ws://{{host}}:{{ports[ws][0]}}/echo-cookie");
+    return new Promise((resolve, reject) => {
+      ws.onclose = t.step_func_done(function () {
+        assert_unreached("'close' should not fire before 'open'.");
+      });
+      ws.onmessage = t.step_func(function (e) {
+        ws.onclose = null;
+        ws.close();
+        // Same-scheme WebSockets should get Lax and Strict cookies.
+        var strictRegex = new RegExp("schemeful_same_site_websockets_strict=" + value);
+        var laxRegex = new RegExp("schemeful_same_site_websockets_lax=" + value);
+        assert_regexp_match(e.data, strictRegex, "Same-scheme strict");
+        assert_regexp_match(e.data, laxRegex, "Same-scheme strict");
+
+        var ws2 = new WebSocket("wss://{{host}}:{{ports[wss][0]}}/echo-cookie");
+        ws2.onclose = t.step_func_done(function () {
+          assert_unreached("'close' should not fire before 'open'.");
+        });
+        ws2.onmessage = t.step_func(function (e2) {
+          ws2.onclose = null;
+          ws2.close();
+          // Cross-scheme WebSockets should only get samesite_none.
+          var noneRegex = new RegExp("samesite_none_secure=" + value);
+          assert_regexp_match(e2.data, noneRegex, "Cross-scheme none");
+          assert_false(strictRegex.test(e2.data), "Cross-scheme strict");
+          assert_false(laxRegex.test(e2.data), "Cross-scheme lax");
+          resolve();
+        });
+      });
+    });
+  }, "Cross-scheme WebSockets are cross-site");
+</script>
+</body>
+</html>