summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/cookies/schemeful-same-site
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/cookies/schemeful-same-site')
-rw-r--r--testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html6
-rw-r--r--testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html28
-rw-r--r--testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html41
-rw-r--r--testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html49
-rw-r--r--testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html57
5 files changed, 181 insertions, 0 deletions
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html b/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
new file mode 100644
index 0000000000..b81b722bf6
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+ window.location = INSECURE_ORIGIN + "/cookies/resources/postToParent.py";
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
new file mode 100644
index 0000000000..13397d241a
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/cookies/resources/cookie-helper.sub.js"></script>
+</head>
+<body onload="doTests()">
+ <iframe id="if">
+ </iframe>
+ <script>
+ function doTests() {
+ promise_test(async function(t) {
+ var value = "" + Math.random();
+ await resetSameSiteCookies(SECURE_ORIGIN, value);
+ var child = document.getElementById("if");
+ child.src = SECURE_ORIGIN + "/cookies/samesite/resources/iframe-subresource-report.html";
+
+ // the iframe nested inside if should post COOKIES to here.
+ var e = await wait_for_message("COOKIES");
+ // Cross-scheme iframes should be cross-site and thus the subresources
+ // shouldn't get Lax or Strict cookies.
+ assert_cookie(SECURE_ORIGIN, e.data, "samesite_lax", value, false);
+ assert_cookie(SECURE_ORIGIN, e.data, "samesite_strict", value, false);
+ assert_cookie(SECURE_ORIGIN, e.data, "samesite_none", value, true);
+ }, "SameSite cookies with intervening cross-scheme iframe and subresources");
+ }
+ </script>
+</body>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html
new file mode 100644
index 0000000000..c1a86690dc
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+ function schemeful_navigation_test(target, expectedSameSiteStatus, title) {
+ promise_test(async function(t) {
+ let value = "" + Math.random();
+ document.cookie = `samesite_strict=${value}; sameSite=strict; path=/`;
+ document.cookie = `samesite_lax=${value}; sameSite=lax; path=/`;
+
+ let url = target + "/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html";
+
+ await new Promise((resolve, reject) => {
+ window.onmessage = t.step_func(e => {
+ if (e.source == window.open("", "testwindow" + value)) {
+ e.source.close();
+ const cookies = e.data;
+
+ assert_equals(cookies["samesite_lax"], value, "SameSite=lax cookies can be sent in both cases");
+ if (expectedSameSiteStatus === SameSiteStatus.STRICT) {
+ assert_equals(cookies["samesite_strict"], value, "SameSite=strict cookies can be sent to same-scheme navigations");
+ } else if (expectedSameSiteStatus === SameSiteStatus.LAX) {
+ assert_not_equals(cookies["samesite_strict"], value, "SameSite=strict cookies cannot be sent to cross-scheme navigations");
+ }
+
+ resolve();
+ }
+ else {reject();}
+ });
+
+ var w = window.open(url, "testwindow" + value);
+ });
+
+ },title);}
+
+ schemeful_navigation_test(INSECURE_ORIGIN, SameSiteStatus.STRICT, "Navigate same-scheme");
+ schemeful_navigation_test(SECURE_ORIGIN, SameSiteStatus.LAX, "Navigate cross-scheme");
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html
new file mode 100644
index 0000000000..4ba9286c25
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
+<body>
+<script>
+ function create_test(target, expectedDomStatus, title) {
+ promise_test(async t => {
+ var cookieValue = "" + Math.random();
+ document.cookie = `dc_samesite_strict=${cookieValue}; sameSite=strict; path=/`;
+ document.cookie = `dc_samesite_lax=${cookieValue}; sameSite=lax; path=/`;
+ // SameSite=None requires `Secure` which complicates the test and we don't
+ // need it, so don't add it.
+
+ await new Promise((resolve, reject) => {
+ var iframe = document.createElement("iframe");
+
+ window.onmessage = t.step_func(e => {
+ if (e.source == iframe.contentWindow) {
+ // Cleanup, then verify cookie state:
+ document.body.removeChild(iframe);
+
+ const cookies = e.data;
+
+ if (expectedDomStatus === DomSameSiteStatus.SAME_SITE) {
+ assert_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies can be sent to same-scheme subresources");
+ assert_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies can be sent to same-scheme subresources");
+ } else if (expectedDomStatus === DomSameSiteStatus.CROSS_SITE) {
+ assert_not_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies cannot be sent to cross-scheme subresources");
+ assert_not_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies cannot be sent to cross-scheme subresources");
+ }
+
+ resolve();
+ }
+ });
+
+ iframe.src = target + "/cookies/resources/postToParent.py";
+ document.body.appendChild(iframe);
+ });
+ }, title);
+ }
+
+ // Test that cross-scheme subresources (iframes in this case) are cross-site.
+ create_test(INSECURE_ORIGIN, DomSameSiteStatus.SAME_SITE, "Same-scheme subresources can send lax/strict cookies");
+ create_test(SECURE_ORIGIN, DomSameSiteStatus.CROSS_SITE, "Cross-scheme subresources cannot sent lax/strict cookies");
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
new file mode 100644
index 0000000000..7095eee21e
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
@@ -0,0 +1,57 @@
+<!doctype html>
+<html>
+<head>
+ <meta charset=utf-8>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/cookies/resources/testharness-helpers.js"></script>
+ <script src="/cookies/resources/cookie-helper.sub.js"></script>
+</head>
+<body>
+<div id=log></div>
+<script>
+ promise_test(async function (t) {
+ var value = "" + Math.random();
+ document.cookie = `schemeful_same_site_websockets_strict=${value}; sameSite=strict; path=/`;
+ document.cookie = `schemeful_same_site_websockets_lax=${value}; sameSite=lax; path=/`;
+ await credFetch(SECURE_ORIGIN + "/cookies/resources/setSameSiteNone.py?" + value)
+ t.add_cleanup(async function() {
+ await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_strict");
+ await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_lax");
+ await credFetch(SECURE_ORIGIN + "/cookies/resources/dropSameSiteNone.py");
+ });
+
+ var ws = new WebSocket("ws://{{host}}:{{ports[ws][0]}}/echo-cookie");
+ return new Promise((resolve, reject) => {
+ ws.onclose = t.step_func_done(function () {
+ assert_unreached("'close' should not fire before 'open'.");
+ });
+ ws.onmessage = t.step_func(function (e) {
+ ws.onclose = null;
+ ws.close();
+ // Same-scheme WebSockets should get Lax and Strict cookies.
+ var strictRegex = new RegExp("schemeful_same_site_websockets_strict=" + value);
+ var laxRegex = new RegExp("schemeful_same_site_websockets_lax=" + value);
+ assert_regexp_match(e.data, strictRegex, "Same-scheme strict");
+ assert_regexp_match(e.data, laxRegex, "Same-scheme strict");
+
+ var ws2 = new WebSocket("wss://{{host}}:{{ports[wss][0]}}/echo-cookie");
+ ws2.onclose = t.step_func_done(function () {
+ assert_unreached("'close' should not fire before 'open'.");
+ });
+ ws2.onmessage = t.step_func(function (e2) {
+ ws2.onclose = null;
+ ws2.close();
+ // Cross-scheme WebSockets should only get samesite_none.
+ var noneRegex = new RegExp("samesite_none_secure=" + value);
+ assert_regexp_match(e2.data, noneRegex, "Cross-scheme none");
+ assert_false(strictRegex.test(e2.data), "Cross-scheme strict");
+ assert_false(laxRegex.test(e2.data), "Cross-scheme lax");
+ resolve();
+ });
+ });
+ });
+ }, "Cross-scheme WebSockets are cross-site");
+</script>
+</body>
+</html>