Merging upstream version 125.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

7 files changed, 203 insertions, 19 deletions

diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js b/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js
index 2ae2c46a37..c76ac71616 100644
--- a/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js
+++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js
@@ -1,10 +1,10 @@
 function testHttpCookies({desc, origin, cookieNames, expectsCookie}) {
   promise_test(async () => {
-    await assertOriginCanAccessCookies({origin, cookieNames, expectsCookie});
+    await assertHttpOriginCanAccessCookies({ origin, cookieNames, expectsCookie });
   }, getCookieTestName(expectsCookie, desc, "HTTP"));
 }
 
-async function assertOriginCanAccessCookies({
+async function assertHttpOriginCanAccessCookies({
   origin,
   cookieNames,
   expectsCookie,
@@ -18,6 +18,29 @@ async function assertOriginCanAccessCookies({
   }
 }
 
+async function assertThirdPartyHttpCookies({ desc, origin, cookieNames, expectsCookie }) {
+  // Test that these cookies are not available on cross-site subresource requests to the
+  // origin that set them.
+  testHttpCookies({
+    desc,
+    origin,
+    cookieNames,
+    expectsCookie,
+  });
+
+  promise_test(async () => {
+    const thirdPartyHttpCookie = "3P_http"
+    await credFetch(
+      `${origin}/cookies/resources/set.py?${thirdPartyHttpCookie}=foobar;` +
+      "Secure;Path=/;SameSite=None");
+    await assertHttpOriginCanAccessCookies({
+      origin,
+      cookieNames: [thirdPartyHttpCookie],
+      expectsCookie,
+    });
+  }, desc + ": Cross site window setting HTTP cookies");
+}
+
 function testDomCookies({desc, cookieNames, expectsCookie}) {
   test(() => {
     assertDomCanAccessCookie(cookieNames, expectsCookie);
diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-window.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-embedder.html
index 99418a6749..ec25902a91 100644
--- a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-window.html
+++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-embedder.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<title>Cross-site window</title>
+<title>Window embedding a cross-site embed</title>
 <script src="/resources/testharness.js"></script>
 <script src="/common/get-host-info.sub.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -25,27 +25,14 @@ if (window.cookieStore) {
   cookieNames.push("1P_cs");
 }
 
-// Test theses cookies are not available on cross-site subresource requests
-// to the origin that set them.
-testHttpCookies({
+// Third-party cookies are blocked by default.
+assertThirdPartyHttpCookies({
   desc: "3P fetch",
   origin,
   cookieNames,
   expectsCookie: false,
 });
 
-promise_test(async () => {
-  const thirdPartyHttpCookie = "3P_http"
-  await credFetch(
-    `${origin}/cookies/resources/set.py?${thirdPartyHttpCookie}=foobar;` +
-    "Secure;Path=/;SameSite=None");
-  await assertOriginCanAccessCookies({
-    origin,
-    cookieNames: ["3P_http"],
-    expectsCookie: false,
-  });
-}, "Cross site window setting HTTP cookies");
-
 // Create a cross-site <iframe> which embeds the cookies' origin into this
 // page.
 const iframe = document.createElement("iframe");
diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-opener.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-opener.html
new file mode 100644
index 0000000000..a09b07e5b7
--- /dev/null
+++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-opener.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<meta charset="utf-8" />
+<meta name="timeout" content="long">
+<title>Window that opens a popup in a cross-site context</title>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script>
+
+<body>
+  <script>
+
+    let origin;
+
+    // Test that parent window passed its origin in the URL parameters correctly.
+    test(() => {
+      assert_true(window.location.search.startsWith("?origin="));
+      origin = decodeURIComponent(window.location.search.slice(
+        window.location.search.indexOf("?origin=") + 8));
+    }, "Cross-site window opened correctly");
+
+    // Cookies set by the parent window in a 1P context.
+    const cookieNames = ["1P_http", "1P_dom"];
+    if (window.cookieStore) {
+      cookieNames.push("1P_cs");
+    }
+
+    // Verify whether third-party cookies are blocked by default.
+    if (navigator.userAgent.toLowerCase().indexOf('firefox') == -1) {
+      assertThirdPartyHttpCookies({
+        desc: "3P fetch",
+        origin,
+        cookieNames,
+        expectsCookie: false,
+      });
+    } else {
+      // Default behavior for third-party cookie blocking is flaky in Firefox.
+      throw new AssertionError("Testing default third-party cookie blocking is not implemented in Firefox.");
+    }
+
+    // Open the cookies' origin in a popup to activate the heuristic.
+    const popupUrl = new URL(
+      "/cookies/third-party-cookies/resources/" +
+      "third-party-cookies-cross-site-popup.html",
+      origin);
+    const popup = window.open(popupUrl);
+
+    fetch_tests_from_window(popup);
+
+  </script>
+</body>
diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-verify.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-verify.html
new file mode 100644
index 0000000000..6deb88b5d0
--- /dev/null
+++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-verify.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<meta charset="utf-8" />
+<meta name="timeout" content="long">
+<title>Verifies heuristics enabled by popup</title>
+<script src="/resources/testharness.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script>
+
+<body>
+  <script>
+
+    // Test that parent window passed its parameters in the URL correctly.
+    test(() => {
+      assert_true(window.location.search.includes("?desc="));
+      assert_true(window.location.search.includes("&origin="));
+
+      desc = decodeURIComponent(window.location.search.slice(
+        window.location.search.indexOf("?desc=") + 6,
+        window.location.search.indexOf("&origin=")));
+      origin = decodeURIComponent(window.location.search.slice(
+        window.location.search.indexOf("&origin=") + 8));
+    }, "Cross-site verify opened correctly");
+
+    // Cookies set by the parent window in a 1P context.
+    const cookieNames = ["1P_http", "1P_dom"];
+    if (window.cookieStore) {
+      cookieNames.push("1P_cs");
+    }
+
+    // Third-party cookies are allowed after the popup heuristic grant.
+    assertThirdPartyHttpCookies({
+      desc,
+      origin,
+      cookieNames,
+      expectsCookie: true,
+    });
+
+  </script>
+</body>
diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup.html
new file mode 100644
index 0000000000..7addc7943c
--- /dev/null
+++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<meta charset="utf-8" />
+<meta name="timeout" content="long">
+<title>Cross-site popup</title>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script>
+
+<body>
+  <button id="button" onclick="userInteractionCallback()">Click for user interaction</button>
+
+  <script>
+    const origin = window.origin;
+    const crossSiteOrigin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN + self.location.pathname;
+
+    function userInteractionCallback() {
+      // Third-party cookies are now allowed.
+      const verify3pAllowedUrl = new URL(
+        `./third-party-cookies-cross-site-popup-verify.html?desc=3P_fetch_with_heuristics&origin=${encodeURIComponent(origin)}`,
+        crossSiteOrigin);
+      const verify3pAllowedPopup = window.open(verify3pAllowedUrl);
+      fetch_tests_from_window(verify3pAllowedPopup);
+    };
+
+    test_driver.set_test_context(window.opener.opener);
+    test_driver.click(document.getElementById("button"));
+
+  </script>
+</body>
diff --git a/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookie-heuristics.tentative.https.html b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookie-heuristics.tentative.https.html
new file mode 100644
index 0000000000..32e7ab6d9a
--- /dev/null
+++ b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookie-heuristics.tentative.https.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<meta charset="utf-8" />
+<meta name="timeout" content="long">
+<title>Test third-party cookie heuristics</title>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script>
+
+<body>
+  <script>
+    document.body.onload = async () => {
+      // Set SameSite=None cookie in a 1P context using HTTP.
+      const attributes = "Secure;Path=/;SameSite=None";
+      const httpCookieName = "1P_http";
+      await credFetch(
+        `${self.origin}/cookies/resources/set.py?${httpCookieName}=foobar;${attributes}`);
+
+      // Set another cookie using document.cookie.
+      const domCookieName = "1P_dom";
+      document.cookie = `${domCookieName}=foobar;${attributes}`;
+
+      const cookieNames = [httpCookieName, domCookieName];
+
+      // Set another cookie using the CookieStore API, if supported.
+      if (window.cookieStore) {
+        const cookieStoreCookieName = "1P_cs";
+        await cookieStore.set({
+          name: cookieStoreCookieName,
+          value: "foobar",
+          path: "/",
+          sameSite: "none",
+        });
+        cookieNames.push(cookieStoreCookieName);
+      }
+
+      // Open a cross-site window which will open a popup with the current origin.
+      const crossSiteUrl = new URL(
+        `./resources/third-party-cookies-cross-site-popup-opener.html?origin=${encodeURIComponent(self.origin)}`,
+        get_host_info().HTTPS_NOTSAMESITE_ORIGIN + self.location.pathname);
+      const popup = window.open(crossSiteUrl);
+      fetch_tests_from_window(popup);
+    };
+
+  </script>
+</body>
diff --git a/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html
index 184649ff5b..018849c827 100644
--- a/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html
+++ b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html
@@ -61,7 +61,7 @@ document.body.onload = async () => {
   // Open a cross-site window which will embed the current origin in a
   // third-party context.
   const crossSiteUrl = new URL(
-      `./resources/third-party-cookies-cross-site-window.html?origin=${
+      `./resources/third-party-cookies-cross-site-embedder.html?origin=${
           encodeURIComponent(self.origin)}`,
       get_host_info().HTTPS_NOTSAMESITE_ORIGIN + self.location.pathname);
   const popup = window.open(crossSiteUrl);