Diffstat (limited to 'testing/web-platform/tests/credential-management')
27 files changed, 310 insertions, 47 deletions
diff --git a/testing/web-platform/tests/credential-management/digital-identity.https.html b/testing/web-platform/tests/credential-management/digital-identity.https.html index 82630e2a5b..b2f36d21ee 100644 --- a/testing/web-platform/tests/credential-management/digital-identity.https.html +++ b/testing/web-platform/tests/credential-management/digital-identity.https.html @@ -1,14 +1,22 @@ <!DOCTYPE html> <title>Digital Identity Credential tests.</title> <link rel="help" href="https://wicg.github.io/digital-identities/"> +<script src="/common/get-host-info.sub.js"></script> <script src="/resources/testharness.js"></script> <script src="/resources/testharnessreport.js"></script> <script src="/resources/testdriver.js"></script> <script src="/resources/testdriver-vendor.js"></script> <body> +<script type="module"> +import { buildValidNavigatorIdentityRequest } from './support/digital-identity-helper.js'; + +// This regex removes the filename from the path so that we just get +// the directory. +const host = get_host_info(); +const basePath = window.location.pathname.replace(/\/[^\/]*$/, '/'); +const remoteBaseURL = host.HTTPS_REMOTE_ORIGIN + basePath; -<script> // Builds valid digital identity request for navigator.credentials.get() API. function buildValidNavigatorCredentialsRequest() { return { 
@@ -34,28 +42,13 @@ function buildValidNavigatorCredentialsRequest() { }; } -// Builds valid digital identity request for navigator.identity.get() API. -function buildValidNavigatorIdentityRequest() { - return { - digital: { - providers: [{ - protocol: "protocol", - selector: { - format: ['mdoc'], - doctype: 'org.iso.18013.5.1.mDL', - fields: [ - 'org.iso.18013.5.1.family_name', - 'org.iso.18013.5.1.portrait', - ] - }, - params: { - nonce: '1234', - readerPublicKey: 'test_reader_public_key', - extraParamAsNeededByDigitalCredentials: true, - }, - }], - }, - }; +async function createIframeAndWaitForMessage(test, iframeUrl) { + const messageWatcher = new EventWatcher(test, window, "message"); + var iframe = document.createElement("iframe"); + iframe.src = iframeUrl; + document.body.appendChild(iframe); + const message = await messageWatcher.wait_for("message"); + return message.data; } // Requires browser to have mode where OS-presented digital-identity-prompt is @@ -96,7 +89,7 @@ promise_test(async t => { promise_test(async t => { let request = buildValidNavigatorIdentityRequest(); let credential = await navigator.identity.get(request); - assert_equals("protocol", credential.protocol); + assert_equals("urn:openid.net:oid4vp", credential.protocol); assert_equals("fake_test_token", credential.data); }, "navigator.identity.get() API works in toplevel frame."); @@ -109,6 +102,12 @@ promise_test(async t => { promise_test(async t => { let request = buildValidNavigatorIdentityRequest(); + request.digital.providers = []; + await promise_rejects_js(t, TypeError, navigator.identity.get(request)); +}, "navigator.identity.get() API fails if there are no providers."); + +promise_test(async t => { + let request = buildValidNavigatorIdentityRequest(); let providerCopy = structuredClone(request.digital.providers[0]); request.digital.providers.push(providerCopy); await promise_rejects_js(t, TypeError, navigator.identity.get(request)); 
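Review bot: `createIframeAndWaitForMessage` resolves on the first `message` event delivered to the window, whoever sent it, so a stray message from another frame or popup would be reported as the iframe's result. Checking the sender before returning, e.g. `assert_equals(message.source, iframe.contentWindow);`, ties the result to the frame this helper created. The iframe is also never removed; `test.add_cleanup(() => iframe.remove());` would stop the same-origin and cross-origin tests from leaving frames behind for each other. `var iframe` could be `const`, like the other locals.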
@@ -122,4 +121,18 @@ promise_test(async t=> { abortController.abort(); await promise_rejects_dom(t, "AbortError", requestPromise); }, "navigator.identity.get() promise is rejected when the page aborts the request."); + +promise_test(async t=> { + const message = await createIframeAndWaitForMessage( + t, basePath + "support/digital-identity-iframe.html"); + assert_equals(message.result, "Pass"); + assert_equals(message.data, "fake_test_token"); +}, "navigator.identity.get() succeeds in same-origin iframe"); + +promise_test(async t=> { + const message = await createIframeAndWaitForMessage( + t, remoteBaseURL + "support/digital-identity-iframe.html"); + assert_equals(message.result, "Fail"); + assert_equals(message.errorType, "NotAllowedError"); +}, "navigator.identity.get() fails in cross-origin iframe"); </script> diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html new file mode 100644 index 0000000000..fcda3a3dd5 --- /dev/null +++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html 
@@ -0,0 +1,31 @@ +<!DOCTYPE html> +<title>Federated Credential Management API network request tests.</title> +<link rel="help" href="https://fedidcg.github.io/FedCM"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> + +<body> + +<script type="module"> +import {fedcm_test, + request_options_with_mediation_required, + select_manifest, + fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js'; + +fedcm_test(async t => { + // First, do a regular fedcm request so we that we can be considered + // a returning user below. + let options = request_options_with_mediation_required(); + await fedcm_get_and_select_first_account(t, options); + + // Now do a silent mediation request. + options = request_options_with_mediation_required('manifest_with_continue_on.json'); + options.mediation = 'silent'; + await select_manifest(t, options); + const cred_promise = fedcm_get_and_select_first_account(t, options); + return promise_rejects_dom(t, 'NetworkError', cred_promise); +}, "continue_on with mediation:silent should fail"); + +</script> diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html new file mode 100644 index 0000000000..5bd8ef34fe --- /dev/null +++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html 
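Review bot: The `<title>` reads "Federated Credential Management API network request tests.", which does not describe a test of `continue_on` under `mediation: 'silent'` and looks copied from another file. The file added next, fedcm-continue-on-with-account.https.html, reuses the same title and also repeats the test name "continue_on and IdentityProvider.resolve work correctly." already used in fedcm-continue-on.https.html, which makes the results hard to tell apart. The first comment has a typo, `so we that we can`. A one-line comment saying why `NetworkError` is the expected rejection for the silent request would also help.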
@@ -0,0 +1,37 @@ +<!DOCTYPE html> +<title>Federated Credential Management API network request tests.</title> +<link rel="help" href="https://fedidcg.github.io/FedCM"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> + +<body> + +<script type="module"> +import {fedcm_test, + request_options_with_mediation_required, + select_manifest, + fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js'; + +fedcm_test(async t => { + const options = request_options_with_mediation_required('manifest_with_continue_on.json'); + options.identity.providers[0].nonce = "accountId=jane_doe"; + await select_manifest(t, options); + const cred = await fedcm_get_and_select_first_account(t, options); + // This indicates the account that was selected in the dialog, + // not the account that was specified in IdentityProvider.resolve, + // hence we get 1234 instead of jane_doe. + assert_equals(cred.token, "account=1234"); + + // Now, jane_doe should be considered a returning user. Make sure + // auto reauthentication works. We have to use optional instead of + // silent so that we can open the continue_on popup. + options.mediation = "optional"; + return test_driver.bless('initiate FedCM request', async function() { + let cred2 = await navigator.credentials.get(options); + assert_equals(cred2.token, "account=jane_doe"); + }); +}, "continue_on and IdentityProvider.resolve work correctly."); + +</script> diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html index 3ce1f51e37..c7da5384af 100644 --- a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html 
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html @@ -18,7 +18,7 @@ fedcm_test(async t => { const options = request_options_with_mediation_required('manifest_with_continue_on.json'); await select_manifest(t, options); const cred = await fedcm_get_and_select_first_account(t, options); - assert_equals(cred.token, "resolved token"); + assert_equals(cred.token, "account=1234"); }, "continue_on and IdentityProvider.resolve work correctly."); </script> diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html index ef53ed4ffc..0521f4a2ab 100644 --- a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html +++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html @@ -29,7 +29,7 @@ fedcm_test(async t => { const options = alt_request_options_with_mediation_required('manifest_with_continue_on.json'); await select_manifest(t, options); const cred = await fedcm_get_and_select_first_account(t, options); - assert_equals(cred.token, "resolved token"); + assert_equals(cred.token, "account=1234"); const iframe_in_idp_scope = `${alt_manifest_origin}/\ credential-management/support/fedcm/userinfo-iframe.html`; diff --git a/testing/web-platform/tests/credential-management/fedcm-context.https.html b/testing/web-platform/tests/credential-management/fedcm-context.https.html index bc1f96eafa..7b3e1032af 100644 --- a/testing/web-platform/tests/credential-management/fedcm-context.https.html +++ b/testing/web-platform/tests/credential-management/fedcm-context.https.html 
@@ -16,32 +16,32 @@ import {request_options_with_mediation_required, fedcm_test(async t => { let p = navigator.credentials.get(request_options_with_mediation_required()); - const title = await fedcm_get_title_promise(t); - assert_true(title.toLowerCase().includes('sign in')); + const result = await fedcm_get_title_promise(t); + assert_true(result.title.toLowerCase().includes('sign in')); window.test_driver.select_fedcm_account(0); return p; }, "FedCM call defaults to 'signin' context."); fedcm_test(async t => { let p = navigator.credentials.get(request_options_with_context("manifest.py", "signup")); - const title = await fedcm_get_title_promise(t); - assert_true(title.toLowerCase().includes('sign up')); + const result = await fedcm_get_title_promise(t); + assert_true(result.title.toLowerCase().includes('sign up')); window.test_driver.select_fedcm_account(0); return p; }, "FedCM with 'signup' context."); fedcm_test(async t => { let p = navigator.credentials.get(request_options_with_context("manifest.py", "use")); - const title = await fedcm_get_title_promise(t); - assert_true(title.toLowerCase().includes('use')); + const result = await fedcm_get_title_promise(t); + assert_true(result.title.toLowerCase().includes('use')); window.test_driver.select_fedcm_account(0); return p; }, "FedCM with 'use' context."); fedcm_test(async t => { let p = navigator.credentials.get(request_options_with_context("manifest.py", "continue")); - const title = await fedcm_get_title_promise(t); - assert_true(title.toLowerCase().includes('continue')); + const result = await fedcm_get_title_promise(t); + assert_true(result.title.toLowerCase().includes('continue')); window.test_driver.select_fedcm_account(0); return p; }, "FedCM with 'continue' context."); diff --git a/testing/web-platform/tests/credential-management/fedcm-csp.https.html b/testing/web-platform/tests/credential-management/fedcm-csp.https.html index 5925741438..c9a2456e4d 100644 
--- a/testing/web-platform/tests/credential-management/fedcm-csp.https.html +++ b/testing/web-platform/tests/credential-management/fedcm-csp.https.html @@ -3,6 +3,8 @@ <link rel="help" href="https://fedidcg.github.io/FedCM"> <script src="/resources/testharness.js"></script> <script src="/resources/testharnessreport.js"></script> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> <body> diff --git a/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html b/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html index 3e07491d48..20b4569a05 100644 --- a/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html +++ b/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html @@ -22,7 +22,7 @@ fedcm_test(async t => { let options = request_options_with_domain_hint('manifest.py', 'nomatch'); - const cred = fedcm_get_and_select_first_account(t, options); + const cred = navigator.credentials.get(options); // We expect a mismatch dialog. const type = await fedcm_get_dialog_type_promise(t); assert_equals(type, 'ConfirmIdpLogin'); diff --git a/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html b/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html index cff5036f39..36a4de7900 100644 --- a/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html +++ b/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html @@ -20,7 +20,7 @@ fedcm_test(async t => { let test_options = request_options_with_mediation_required("manifest_redirect_accounts.json"); await select_manifest(t, test_options); - const cred = fedcm_get_and_select_first_account(t, test_options); + const cred = navigator.credentials.get(test_options); // We expect a mismatch dialog. const type = await fedcm_get_dialog_type_promise(t); assert_equals(type, 'ConfirmIdpLogin'); 
diff --git a/testing/web-platform/tests/credential-management/fedcm-iframe.https.html b/testing/web-platform/tests/credential-management/fedcm-iframe.https.html index dc0c17dea6..6a9bec677c 100644 --- a/testing/web-platform/tests/credential-management/fedcm-iframe.https.html +++ b/testing/web-platform/tests/credential-management/fedcm-iframe.https.html @@ -2,6 +2,8 @@ <link rel="help" href="https://wicg.github.io/FedCM"> <script src="/resources/testharness.js"></script> <script src="/resources/testharnessreport.js"></script> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> <script src="/common/get-host-info.sub.js"></script> <div id=log> <script type="module"> diff --git a/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html b/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html index edae955a76..fe35007a87 100644 --- a/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html +++ b/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html @@ -19,7 +19,7 @@ fedcm_test(async t => { await mark_signed_in(); let options = request_options_with_login_hint('manifest.py', 'nomatch'); - const cred = fedcm_get_and_select_first_account(t, options); + const cred = navigator.credentials.get(options); // We expect a mismatch dialog. const type = await fedcm_get_dialog_type_promise(t); assert_equals(type, 'ConfirmIdpLogin'); diff --git a/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html b/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html new file mode 100644 index 0000000000..77ecdaff9f --- /dev/null +++ b/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html 
@@ -0,0 +1,25 @@ +<!DOCTYPE html> +<title>Federated Credential Management API SameSite=None tests.</title> +<link rel="help" href="https://fedidcg.github.io/FedCM"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> + +<body> + +<script type="module"> +import {fedcm_test, + alt_request_options_with_mediation_required, + select_manifest, + fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js'; + +fedcm_test(async t => { + const options = alt_request_options_with_mediation_required('manifest_check_same_site_strict.json'); + await select_manifest(t, options); + const cred = await fedcm_get_and_select_first_account(t, options); + assert_equals(cred.token, "token"); + assert_equals(cred.isAutoSelected, false); +}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies."); + +</script> diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-helper.js b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js new file mode 100644 index 0000000000..2020d6cda7 --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js @@ -0,0 +1,19 @@ +// Builds valid digital identity request for navigator.identity.get() API. +export function buildValidNavigatorIdentityRequest() { + return { + digital: { + providers: [{ + protocol: "urn:openid.net:oid4vp", + request: JSON.stringify({ + // Based on https://github.com/openid/OpenID4VP/issues/125 + client_id: "client.example.org", + client_id_scheme: "web-origin", + nonce: "n-0S6_WzA2Mj", + presentation_definition: { + // Presentation Exchange request, omitted for brevity + } + }), + }], + }, + }; +} 
diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html new file mode 100644 index 0000000000..8e193ff09f --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html @@ -0,0 +1,27 @@ +<!doctype html> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> +<script type="module"> +import { buildValidNavigatorIdentityRequest } from './digital-identity-helper.js'; + +// Loading digital-identity-iframe.html in the test will make a digital credential call on load, and +// trigger a postMessage upon completion. +// +// message { +// string result: "Pass" | "Fail" +// string data: credential.token +// string errorType: error.data +// } + +window.onload = async () => { + try { + let request = buildValidNavigatorIdentityRequest(); + let credential = await navigator.identity.get(request); + + window.top.postMessage({result: "Pass", data: credential.data}, '*'); + } catch (error) { + window.top.postMessage({result: "Fail", errorType: error.name}, '*'); + } +}; + +</script> diff --git a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js index 765b3cc48a..f0031fa531 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js +++ b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js 
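Review bot: Both `postMessage` calls use `'*'` as the target origin, so `credential.data` is delivered to whatever document is `window.top` when the call runs. The token is a fixture value here, but the page is a template others will copy; the parent could pass its own origin in the iframe URL so the call becomes `window.top.postMessage(msg, parentOrigin)`, which works for both the same-origin and the cross-origin test. The message-shape comment also disagrees with the code: it documents `data: credential.token` and `errorType: error.data`, while the handler sends `credential.data` and `error.name`; the comment lines should read `// string data: credential.data` and `// string errorType: error.name`.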
@@ -8,7 +8,9 @@ export function open_and_wait_for_popup(origin, path) { // We rely on the popup page to send us a message when done. const popup_message_handler = (event) => { - if (event.origin == origin) { + // We use new URL() to ensure the two origins are normalized the same + // way (especially so that default ports are handled identically). + if (new URL(event.origin).toString() == new URL(origin).toString()) { popup_window.close(); window.removeEventListener('message', popup_message_handler); resolve(); @@ -22,7 +24,7 @@ export function open_and_wait_for_popup(origin, path) { // Set the identity provider cookie. export function set_fedcm_cookie(host) { if (host == undefined) { - document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure'; + document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure'; return Promise.resolve(); } else { return open_and_wait_for_popup(host, '/credential-management/support/set_cookie'); @@ -102,6 +104,15 @@ credential-management/support/fedcm/${manifest_filename}`; // Test wrapper which does FedCM-specific setup. export function fedcm_test(test_func, test_name) { promise_test(async t => { + // Ensure we start from a clean slate. + await test_driver.delete_all_cookies(); + // Turn off delays that are not useful in tests. + try { + await test_driver.set_fedcm_delay_enabled(false); + } catch (e) { + // Failure is not critical; it just might slow down tests. + } + await set_fedcm_cookie(); await set_alt_fedcm_cookie(); await test_func(t); diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py new file mode 100644 index 0000000000..a6f385feac --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py 
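Review bot: In `popup_message_handler`, `new URL(event.origin)` throws a TypeError when the sender has an opaque origin, because `event.origin` is then the string `"null"`; the exception is raised inside the listener instead of the message simply being ignored. `event.origin` is already a serialized origin, so only the caller-supplied value needs normalizing: `if (event.origin === new URL(origin).origin) {`. That also avoids comparing full serialized URLs, which would stop matching if a caller ever passed `origin` with a path. The function starts and ends outside the hunk.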
@@ -0,0 +1,28 @@ +import importlib +error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check") + +def main(request, response): + request_error = error_checker.accountsCheck(request) + if (request_error): + return request_error + if request.cookies.get(b"same_site_strict") == b"1": + return (546, [], "Should not send SameSite=Strict cookies") + if request.headers.get(b"Sec-Fetch-Site") != b"cross-site": + return (538, [], "Wrong Sec-Fetch-Site header") + + response.headers.set(b"Content-Type", b"application/json") + + return """ +{ + "accounts": [{ + "id": "1234", + "given_name": "John", + "name": "John Doe", + "email": "john_doe@idp.example", + "picture": "https://idp.example/profile/123", + "approved_clients": ["123", "456", "789"], + "login_hints": ["john_doe"], + "domain_hints": ["idp.example", "example"] + }] +} +""" diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py new file mode 100644 index 0000000000..faea06edc3 --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py 
@@ -0,0 +1,30 @@ +import importlib +error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check") + +def main(request, response): + request_error = error_checker.accountsCheck(request) + if (request_error): + return request_error + + response.headers.set(b"Content-Type", b"application/json") + + return """ +{ + "accounts": [{ + "id": "1234", + "given_name": "John", + "name": "John Doe", + "email": "john_doe@idp.example", + "picture": "https://idp.example/profile/123", + "login_hints": ["john_doe"], + "domain_hints": ["idp.example", "example"] + }, + { + "id": "jane_doe", + "given_name": "Jane", + "name": "Jane Doe", + "email": "jane_doe@idp.example", + "picture": "https://idp.example/profile/5678" + }] +} +""" diff --git a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py index 42b4f3f8fd..1b4831b51d 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py +++ b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py @@ -8,5 +8,7 @@ def main(request, response): response.headers.set(b"Content-Type", b"application/json") - return "{\"continue_on\": \"resolve.html\"}" + account = request.POST.get(b"account_id").decode("utf-8") + nonce = request.POST.get(b"nonce").decode("utf-8") + return "{\"continue_on\": \"resolve.html?selected=%s&%s\"}" % (account, nonce) diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json new file mode 100644 index 0000000000..d730415983 --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json 
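Review bot: In continue_on.py, `account` and `nonce` come from the POST body and are interpolated unescaped into a hand-built JSON string, so a value containing `"` or `\` produces invalid JSON, and `account` can add query parameters of its own to the `continue_on` URL. If either field is absent and `get` returns None, `.decode` raises instead of returning one of the numbered error tuples this directory uses. Building the body with the serializer and encoding the account closes both gaps: `return json.dumps({"continue_on": "resolve.html?selected=%s&%s" % (quote(account, safe=""), nonce)})`, with `json` and `urllib.parse.quote` imported at the top of the file, which is outside the hunk. Since `nonce` is deliberately used verbatim as extra query parameters, a comment such as `# nonce carries raw query parameters for resolve.html, e.g. "accountId=jane_doe"` should say so.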
@@ -0,0 +1,7 @@ +{ + "accounts_endpoint": "accounts_check_same_site_strict.py", + "client_metadata_endpoint": "client_metadata.py", + "id_assertion_endpoint": "token_check_same_site_strict.py", + "login_url": "login.html" +} + diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json index 3f5a954b87..d7673c7e1b 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json +++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json @@ -1,5 +1,5 @@ { - "accounts_endpoint": "accounts.py", + "accounts_endpoint": "accounts_no_approved_clients.py", "client_metadata_endpoint": "client_metadata.py", "id_assertion_endpoint": "continue_on.py", "disconnect_endpoint": "disconnect.py", diff --git a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py index b774496d5d..6c610e6e20 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py +++ b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py @@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request): def commonCredentialedRequestCheck(request): if request.cookies.get(b"cookie") != b"1": return (537, [], "Missing cookie") - if request.headers.get(b"Sec-Fetch-Site") != b"none": - return (538, [], "Wrong Sec-Fetch-Site header") def commonPostCheck(request): if not request.headers.get(b"Origin"): diff --git a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html index 87f5112cfd..dbdc28c324 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html 
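Review bot: Removing the `Sec-Fetch-Site` check from `commonCredentialedRequestCheck` in request-params-check.py leaves that header unverified for every credentialed endpoint except accounts_check_same_site_strict.py, the only place in this diff that re-adds it (expecting `cross-site`). If credentialed FedCM requests are now expected to be cross-site everywhere, changing the expected value keeps the coverage: `if request.headers.get(b"Sec-Fetch-Site") != b"cross-site": return (538, [], "Wrong Sec-Fetch-Site header")`. If the value legitimately varies per endpoint, a comment in the function should say why nothing is asserted here. The rest of the file is outside the hunk, so other checks may already cover part of this.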
+++ b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html @@ -1,7 +1,16 @@ <!DOCTYPE html> <script> async function doResolve() { - IdentityProvider.resolve("resolved token"); + let params = new URLSearchParams(document.location.search); + let options = {}; + if (params.get("accountId")) { + options.accountId = params.get("accountId"); + } + let token = "resolved token"; + if (params.get("selected")) { + token = "account=" + params.get("selected"); + } + IdentityProvider.resolve(token, options); } window.onload = doResolve; </script> diff --git a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py index ab34992210..15adf11324 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py +++ b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py @@ -15,6 +15,7 @@ def main(request, response): // If this page was opened as a popup, notify the opener. if (window.opener) { window.opener.postMessage("done_loading", "*"); + window.close(); } </script> Sent header value: {}".format(header_value) diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py new file mode 100644 index 0000000000..8a4b3a234b --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py 
@@ -0,0 +1,15 @@ +import importlib +error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check") + +def main(request, response): + request_error = error_checker.tokenCheck(request) + if (request_error): + return request_error + if request.cookies.get(b"same_site_strict") == b"1": + return (546, [], "Should not send SameSite=Strict cookies") + + response.headers.set(b"Content-Type", b"application/json") + response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin")) + response.headers.set(b"Access-Control-Allow-Credentials", "true") + + return "{\"token\": \"token\"}" diff --git a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html index 532db7047a..681fcd6787 100644 --- a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html +++ b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html @@ -3,13 +3,17 @@ <fencedframe></fencedframe> <script> -const url = new URL("mark_signedin", location.href); -document.querySelector("fencedframe").config = new FencedFrameConfig(url); - // If this page was opened as a popup, notify the opener when we are done loading. if (window.opener) { window.onload = function() { window.opener.postMessage("done_loading", "*"); }; } + +// This code is intentionally after the onload listener registration +// because it can throw if FencedFrameConfig is not defined. In that +// case, we still want to notify the opener to avoid a test timeout. +const url = new URL("mark_signedin", location.href); +document.querySelector("fencedframe").config = new FencedFrameConfig(url); + </script> diff --git a/testing/web-platform/tests/credential-management/support/set_cookie b/testing/web-platform/tests/credential-management/support/set_cookie index 1080b366e4..2c3196058a 100644 
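Review bot: token_check_same_site_strict.py copies the request's `Origin` header straight into `Access-Control-Allow-Origin` and also sets `Access-Control-Allow-Credentials`, which allows a credentialed read from any caller. `tokenCheck` is defined outside this diff, so whether it constrains the origin cannot be seen here. A comment such as `# Test fixture: reflects Origin so the RP under test can read the credentialed response` would make the intent explicit and discourage copying the pattern into non-test handlers. The credentials header value is the str `"true"` while every other header name and value in the handler is bytes; `b"true"` would be consistent.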
--- a/testing/web-platform/tests/credential-management/support/set_cookie +++ b/testing/web-platform/tests/credential-management/support/set_cookie @@ -6,6 +6,7 @@ // If this page was opened as a popup, notify the opener. if (window.opener) { window.opener.postMessage("done_loading", "*"); + window.close(); } </script> </body> diff --git a/testing/web-platform/tests/credential-management/support/set_cookie.headers b/testing/web-platform/tests/credential-management/support/set_cookie.headers index b19ff933a6..4226ff4c99 100644 --- a/testing/web-platform/tests/credential-management/support/set_cookie.headers +++ b/testing/web-platform/tests/credential-management/support/set_cookie.headers @@ -1,2 +1,3 @@ Content-Type: text/html Set-Cookie: cookie=1; SameSite=None; Secure +Set-Cookie: same_site_strict=1; SameSite=Strict; Secure |