diff options
Diffstat (limited to 'testing/web-platform/tests/cookies/third-party-cookies')
| -rw-r--r-- | testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js | 27 | ||||
| -rw-r--r-- | testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-embedder.html (renamed from testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-window.html) | 19 | ||||
| -rw-r--r-- | testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-opener.html | 53 | ||||
| -rw-r--r-- | testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-verify.html | 40 | ||||
| -rw-r--r-- | testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup.html | 32 | ||||
| -rw-r--r-- | testing/web-platform/tests/cookies/third-party-cookies/third-party-cookie-heuristics.tentative.https.html | 49 | ||||
| -rw-r--r-- | testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html | 2 |
7 files changed, 203 insertions, 19 deletions
diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js b/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js index 2ae2c46a37..c76ac71616 100644 --- a/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js +++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/test-helpers.js @@ -1,10 +1,10 @@ function testHttpCookies({desc, origin, cookieNames, expectsCookie}) { promise_test(async () => { - await assertOriginCanAccessCookies({origin, cookieNames, expectsCookie}); + await assertHttpOriginCanAccessCookies({ origin, cookieNames, expectsCookie }); }, getCookieTestName(expectsCookie, desc, "HTTP")); } -async function assertOriginCanAccessCookies({ +async function assertHttpOriginCanAccessCookies({ origin, cookieNames, expectsCookie, @@ -18,6 +18,29 @@ async function assertOriginCanAccessCookies({ } } +async function assertThirdPartyHttpCookies({ desc, origin, cookieNames, expectsCookie }) { + // Test that these cookies are not available on cross-site subresource requests to the + // origin that set them. + testHttpCookies({ + desc, + origin, + cookieNames, + expectsCookie, + }); + + promise_test(async () => { + const thirdPartyHttpCookie = "3P_http" + await credFetch( + `${origin}/cookies/resources/set.py?${thirdPartyHttpCookie}=foobar;` + + "Secure;Path=/;SameSite=None"); + await assertHttpOriginCanAccessCookies({ + origin, + cookieNames: [thirdPartyHttpCookie], + expectsCookie, + }); + }, desc + ": Cross site window setting HTTP cookies"); +} + function testDomCookies({desc, cookieNames, expectsCookie}) { test(() => { assertDomCanAccessCookie(cookieNames, expectsCookie); diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-window.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-embedder.html index 99418a6749..ec25902a91 100644 --- a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-window.html +++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-embedder.html @@ -1,7 +1,7 @@ <!DOCTYPE html> <meta charset="utf-8"/> <meta name="timeout" content="long"> -<title>Cross-site window</title> +<title>Window embedding a cross-site embed</title> <script src="/resources/testharness.js"></script> <script src="/common/get-host-info.sub.js"></script> <script src="/cookies/resources/cookie-helper.sub.js"></script> @@ -25,27 +25,14 @@ if (window.cookieStore) { cookieNames.push("1P_cs"); } -// Test theses cookies are not available on cross-site subresource requests -// to the origin that set them. -testHttpCookies({ +// Third-party cookies are blocked by default. +assertThirdPartyHttpCookies({ desc: "3P fetch", origin, cookieNames, expectsCookie: false, }); -promise_test(async () => { - const thirdPartyHttpCookie = "3P_http" - await credFetch( - `${origin}/cookies/resources/set.py?${thirdPartyHttpCookie}=foobar;` + - "Secure;Path=/;SameSite=None"); - await assertOriginCanAccessCookies({ - origin, - cookieNames: ["3P_http"], - expectsCookie: false, - }); -}, "Cross site window setting HTTP cookies"); - // Create a cross-site <iframe> which embeds the cookies' origin into this // page. const iframe = document.createElement("iframe"); diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-opener.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-opener.html new file mode 100644 index 0000000000..a09b07e5b7 --- /dev/null +++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-opener.html @@ -0,0 +1,53 @@ +<!DOCTYPE html> +<meta charset="utf-8" /> +<meta name="timeout" content="long"> +<title>Window that opens a popup in a cross-site context</title> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> +<script src="/resources/testharness.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/cookies/resources/cookie-helper.sub.js"></script> +<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script> + +<body> + <script> + + let origin; + + // Test that parent window passed its origin in the URL parameters correctly. + test(() => { + assert_true(window.location.search.startsWith("?origin=")); + origin = decodeURIComponent(window.location.search.slice( + window.location.search.indexOf("?origin=") + 8)); + }, "Cross-site window opened correctly"); + + // Cookies set by the parent window in a 1P context. + const cookieNames = ["1P_http", "1P_dom"]; + if (window.cookieStore) { + cookieNames.push("1P_cs"); + } + + // Verify whether third-party cookies are blocked by default. + if (navigator.userAgent.toLowerCase().indexOf('firefox') == -1) { + assertThirdPartyHttpCookies({ + desc: "3P fetch", + origin, + cookieNames, + expectsCookie: false, + }); + } else { + // Default behavior for third-party cookie blocking is flaky in Firefox. + throw new AssertionError("Testing default third-party cookie blocking is not implemented in Firefox."); + } + + // Open the cookies' origin in a popup to activate the heuristic. + const popupUrl = new URL( + "/cookies/third-party-cookies/resources/" + + "third-party-cookies-cross-site-popup.html", + origin); + const popup = window.open(popupUrl); + + fetch_tests_from_window(popup); + + </script> +</body> diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-verify.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-verify.html new file mode 100644 index 0000000000..6deb88b5d0 --- /dev/null +++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup-verify.html @@ -0,0 +1,40 @@ +<!DOCTYPE html> +<meta charset="utf-8" /> +<meta name="timeout" content="long"> +<title>Verifies heuristics enabled by popup</title> +<script src="/resources/testharness.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/cookies/resources/cookie-helper.sub.js"></script> +<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script> + +<body> + <script> + + // Test that parent window passed its parameters in the URL correctly. + test(() => { + assert_true(window.location.search.includes("?desc=")); + assert_true(window.location.search.includes("&origin=")); + + desc = decodeURIComponent(window.location.search.slice( + window.location.search.indexOf("?desc=") + 6, + window.location.search.indexOf("&origin="))); + origin = decodeURIComponent(window.location.search.slice( + window.location.search.indexOf("&origin=") + 8)); + }, "Cross-site verify opened correctly"); + + // Cookies set by the parent window in a 1P context. + const cookieNames = ["1P_http", "1P_dom"]; + if (window.cookieStore) { + cookieNames.push("1P_cs"); + } + + // Third-party cookies are allowed after the popup heuristic grant. + assertThirdPartyHttpCookies({ + desc, + origin, + cookieNames, + expectsCookie: true, + }); + + </script> +</body> diff --git a/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup.html b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup.html new file mode 100644 index 0000000000..7addc7943c --- /dev/null +++ b/testing/web-platform/tests/cookies/third-party-cookies/resources/third-party-cookies-cross-site-popup.html @@ -0,0 +1,32 @@ +<!DOCTYPE html> +<meta charset="utf-8" /> +<meta name="timeout" content="long"> +<title>Cross-site popup</title> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> +<script src="/resources/testharness.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/cookies/resources/cookie-helper.sub.js"></script> +<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script> + +<body> + <button id="button" onclick="userInteractionCallback()">Click for user interaction</button> + + <script> + const origin = window.origin; + const crossSiteOrigin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN + self.location.pathname; + + function userInteractionCallback() { + // Third-party cookies are now allowed. + const verify3pAllowedUrl = new URL( + `./third-party-cookies-cross-site-popup-verify.html?desc=3P_fetch_with_heuristics&origin=${encodeURIComponent(origin)}`, + crossSiteOrigin); + const verify3pAllowedPopup = window.open(verify3pAllowedUrl); + fetch_tests_from_window(verify3pAllowedPopup); + }; + + test_driver.set_test_context(window.opener.opener); + test_driver.click(document.getElementById("button")); + + </script> +</body> diff --git a/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookie-heuristics.tentative.https.html b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookie-heuristics.tentative.https.html new file mode 100644 index 0000000000..32e7ab6d9a --- /dev/null +++ b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookie-heuristics.tentative.https.html @@ -0,0 +1,49 @@ +<!DOCTYPE html> +<meta charset="utf-8" /> +<meta name="timeout" content="long"> +<title>Test third-party cookie heuristics</title> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/cookies/resources/cookie-helper.sub.js"></script> +<script src="/cookies/third-party-cookies/resources/test-helpers.js"></script> + +<body> + <script> + document.body.onload = async () => { + // Set SameSite=None cookie in a 1P context using HTTP. + const attributes = "Secure;Path=/;SameSite=None"; + const httpCookieName = "1P_http"; + await credFetch( + `${self.origin}/cookies/resources/set.py?${httpCookieName}=foobar;${attributes}`); + + // Set another cookie using document.cookie. + const domCookieName = "1P_dom"; + document.cookie = `${domCookieName}=foobar;${attributes}`; + + const cookieNames = [httpCookieName, domCookieName]; + + // Set another cookie using the CookieStore API, if supported. + if (window.cookieStore) { + const cookieStoreCookieName = "1P_cs"; + await cookieStore.set({ + name: cookieStoreCookieName, + value: "foobar", + path: "/", + sameSite: "none", + }); + cookieNames.push(cookieStoreCookieName); + } + + // Open a cross-site window which will open a popup with the current origin. + const crossSiteUrl = new URL( + `./resources/third-party-cookies-cross-site-popup-opener.html?origin=${encodeURIComponent(self.origin)}`, + get_host_info().HTTPS_NOTSAMESITE_ORIGIN + self.location.pathname); + const popup = window.open(crossSiteUrl); + fetch_tests_from_window(popup); + }; + + </script> +</body> diff --git a/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html index 184649ff5b..018849c827 100644 --- a/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html +++ b/testing/web-platform/tests/cookies/third-party-cookies/third-party-cookies.tentative.https.html @@ -61,7 +61,7 @@ document.body.onload = async () => { // Open a cross-site window which will embed the current origin in a // third-party context. const crossSiteUrl = new URL( - `./resources/third-party-cookies-cross-site-window.html?origin=${ + `./resources/third-party-cookies-cross-site-embedder.html?origin=${ encodeURIComponent(self.origin)}`, get_host_info().HTTPS_NOTSAMESITE_ORIGIN + self.location.pathname); const popup = window.open(crossSiteUrl); |