Diffstat (limited to 'testing/web-platform/tests/cookies/schemeful-same-site')
5 files changed, 181 insertions, 0 deletions
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html b/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
new file mode 100644
index 0000000000..b81b722bf6
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+ window.location = INSECURE_ORIGIN + "/cookies/resources/postToParent.py";
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
new file mode 100644
index 0000000000..13397d241a
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/cookies/resources/cookie-helper.sub.js"></script>
+</head>
+<body onload="doTests()">
+ <iframe id="if">
+ </iframe>
+ <script>
+ function doTests() {
+ promise_test(async function(t) {
+ var value = "" + Math.random();
+ await resetSameSiteCookies(SECURE_ORIGIN, value);
+ var child = document.getElementById("if");
+ child.src = SECURE_ORIGIN + "/cookies/samesite/resources/iframe-subresource-report.html";
+
+ // the iframe nested inside if should post COOKIES to here.
+ var e = await wait_for_message("COOKIES");
+ // Cross-scheme iframes should be cross-site and thus the subresources
+ // shouldn't get Lax or Strict cookies.
+ assert_cookie(SECURE_ORIGIN, e.data, "samesite_lax", value, false);
+ assert_cookie(SECURE_ORIGIN, e.data, "samesite_strict", value, false);
+ assert_cookie(SECURE_ORIGIN, e.data, "samesite_none", value, true);
+ }, "SameSite cookies with intervening cross-scheme iframe and subresources");
+ }
+ </script>
+</body>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html
new file mode 100644
index 0000000000..c1a86690dc
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-navigation.tentative.html
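Review bot: In schemeful-iframe-subresource.tentative.html the premise that makes the iframe cross-scheme is never written down: the expectation that Lax and Strict cookies are withheld only holds if this page itself is loaded over http, which appears to follow from the file name lacking `.https` but cannot be confirmed from the hunk. I would add a comment above the `child.src = SECURE_ORIGIN + …` line, for example `// This page is served over http, so the https iframe below is cross-scheme and must be treated as cross-site.` The existing comment `// the iframe nested inside if should post COOKIES to here.` is also hard to parse because `if` is the element id; quoting it as `#if` would make that clear.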
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+ function schemeful_navigation_test(target, expectedSameSiteStatus, title) {
+ promise_test(async function(t) {
+ let value = "" + Math.random();
+ document.cookie = `samesite_strict=${value}; sameSite=strict; path=/`;
+ document.cookie = `samesite_lax=${value}; sameSite=lax; path=/`;
+
+ let url = target + "/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html";
+
+ await new Promise((resolve, reject) => {
+ window.onmessage = t.step_func(e => {
+ if (e.source == window.open("", "testwindow" + value)) {
+ e.source.close();
+ const cookies = e.data;
+
+ assert_equals(cookies["samesite_lax"], value, "SameSite=lax cookies can be sent in both cases");
+ if (expectedSameSiteStatus === SameSiteStatus.STRICT) {
+ assert_equals(cookies["samesite_strict"], value, "SameSite=strict cookies can be sent to same-scheme navigations");
+ } else if (expectedSameSiteStatus === SameSiteStatus.LAX) {
+ assert_not_equals(cookies["samesite_strict"], value, "SameSite=strict cookies cannot be sent to cross-scheme navigations");
+ }
+
+ resolve();
+ }
+ else {reject();}
+ });
+
+ var w = window.open(url, "testwindow" + value);
+ });
+
+ },title);}
+
+ schemeful_navigation_test(INSECURE_ORIGIN, SameSiteStatus.STRICT, "Navigate same-scheme");
+ schemeful_navigation_test(SECURE_ORIGIN, SameSiteStatus.LAX, "Navigate cross-scheme");
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html
new file mode 100644
index 0000000000..4ba9286c25
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-subresource.tentative.html
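Review bot: In schemeful-navigation.tentative.html the `else {reject();}` branch of the `window.onmessage` handler fails the test with an `undefined` rejection whenever any message arrives from a source other than the popup, which makes a failure impossible to diagnose from the result. I would give it a reason, `else { reject(new Error("message from unexpected source")); }`, and register `t.add_cleanup(() => w.close());` right after the `var w = window.open(…)` line so the popup does not outlive a run in which the message never arrives. The `if`/`else if` on `expectedSameSiteStatus` also has no final branch, so an unexpected status value would resolve after checking only the Lax cookie; an `else { assert_unreached("unexpected expectedSameSiteStatus"); }` would close that gap. The `samesite_strict` and `samesite_lax` cookies set through `document.cookie` are never removed, so they remain for later tests on the same origin.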
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
+<body>
+<script>
+ function create_test(target, expectedDomStatus, title) {
+ promise_test(async t => {
+ var cookieValue = "" + Math.random();
+ document.cookie = `dc_samesite_strict=${cookieValue}; sameSite=strict; path=/`;
+ document.cookie = `dc_samesite_lax=${cookieValue}; sameSite=lax; path=/`;
+ // SameSite=None requires `Secure` which complicates the test and we don't
+ // need it, so don't add it.
+
+ await new Promise((resolve, reject) => {
+ var iframe = document.createElement("iframe");
+
+ window.onmessage = t.step_func(e => {
+ if (e.source == iframe.contentWindow) {
+ // Cleanup, then verify cookie state:
+ document.body.removeChild(iframe);
+
+ const cookies = e.data;
+
+ if (expectedDomStatus === DomSameSiteStatus.SAME_SITE) {
+ assert_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies can be sent to same-scheme subresources");
+ assert_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies can be sent to same-scheme subresources");
+ } else if (expectedDomStatus === DomSameSiteStatus.CROSS_SITE) {
+ assert_not_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies cannot be sent to cross-scheme subresources");
+ assert_not_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies cannot be sent to cross-scheme subresources");
+ }
+
+ resolve();
+ }
+ });
+
+ iframe.src = target + "/cookies/resources/postToParent.py";
+ document.body.appendChild(iframe);
+ });
+ }, title);
+ }
+
+ // Test that cross-scheme subresources (iframes in this case) are cross-site.
+ create_test(INSECURE_ORIGIN, DomSameSiteStatus.SAME_SITE, "Same-scheme subresources can send lax/strict cookies");
+ create_test(SECURE_ORIGIN, DomSameSiteStatus.CROSS_SITE, "Cross-scheme subresources cannot sent lax/strict cookies");
+</script>
diff --git a/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
new file mode 100644
index 0000000000..7095eee21e
--- /dev/null
+++ b/testing/web-platform/tests/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
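Review bot: In schemeful-subresource.tentative.html the cross-scheme case has no positive control: both checks in the `DomSameSiteStatus.CROSS_SITE` branch are `assert_not_equals` against the random value, so they would also pass if the iframe's report came back empty or malformed (postToParent.py is not shown here, so its failure modes are an assumption). A cheap guard before the branch would be `assert_equals(typeof cookies, "object", "iframe reported a cookie map");`, and a final `else { assert_unreached("unexpected expectedDomStatus"); }` would stop an unknown status from resolving without any assertion. The second test title reads "cannot sent" and should be "cannot send"; titles identify results, so it is cheaper to correct before the test lands. The `dc_samesite_*` cookies are also never cleared after the test.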
@@ -0,0 +1,57 @@
+<!doctype html>
+<html>
+<head>
+ <meta charset=utf-8>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/cookies/resources/testharness-helpers.js"></script>
+ <script src="/cookies/resources/cookie-helper.sub.js"></script>
+</head>
+<body>
+<div id=log></div>
+<script>
+ promise_test(async function (t) {
+ var value = "" + Math.random();
+ document.cookie = `schemeful_same_site_websockets_strict=${value}; sameSite=strict; path=/`;
+ document.cookie = `schemeful_same_site_websockets_lax=${value}; sameSite=lax; path=/`;
+ await credFetch(SECURE_ORIGIN + "/cookies/resources/setSameSiteNone.py?" + value)
+ t.add_cleanup(async function() {
+ await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_strict");
+ await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_lax");
+ await credFetch(SECURE_ORIGIN + "/cookies/resources/dropSameSiteNone.py");
+ });
+
+ var ws = new WebSocket("ws://{{host}}:{{ports[ws][0]}}/echo-cookie");
+ return new Promise((resolve, reject) => {
+ ws.onclose = t.step_func_done(function () {
+ assert_unreached("'close' should not fire before 'open'.");
+ });
+ ws.onmessage = t.step_func(function (e) {
+ ws.onclose = null;
+ ws.close();
+ // Same-scheme WebSockets should get Lax and Strict cookies.
+ var strictRegex = new RegExp("schemeful_same_site_websockets_strict=" + value);
+ var laxRegex = new RegExp("schemeful_same_site_websockets_lax=" + value);
+ assert_regexp_match(e.data, strictRegex, "Same-scheme strict");
+ assert_regexp_match(e.data, laxRegex, "Same-scheme strict");
+
+ var ws2 = new WebSocket("wss://{{host}}:{{ports[wss][0]}}/echo-cookie");
+ ws2.onclose = t.step_func_done(function () {
+ assert_unreached("'close' should not fire before 'open'.");
+ });
+ ws2.onmessage = t.step_func(function (e2) {
+ ws2.onclose = null;
+ ws2.close();
+ // Cross-scheme WebSockets should only get samesite_none.
+ var noneRegex = new RegExp("samesite_none_secure=" + value);
+ assert_regexp_match(e2.data, noneRegex, "Cross-scheme none");
+ assert_false(strictRegex.test(e2.data), "Cross-scheme strict");
+ assert_false(laxRegex.test(e2.data), "Cross-scheme lax");
+ resolve();
+ });
+ });
+ });
+ }, "Cross-scheme WebSockets are cross-site");
+</script>
+</body>
+</html> |
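Review bot: In schemeful-websockets.sub.tentative.html the Lax assertion carries the wrong label: `assert_regexp_match(e.data, laxRegex, "Same-scheme strict");` should read `assert_regexp_match(e.data, laxRegex, "Same-scheme lax");`, otherwise a missing Lax cookie is reported as a Strict failure. The three patterns are built by concatenating `value` (a decimal string such as `0.123`) into `new RegExp(…)` without escaping, so the `.` matches any character; a plain `e.data.includes("schemeful_same_site_websockets_lax=" + value)` would make the check exact. The returned promise never calls `reject` and neither socket has an `onerror` handler, so a connection failure is only seen through the `onclose` path or the harness timeout. The `assert_unreached` message mentions 'open' although the handlers wait for 'message', which is worth rewording.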