path: root/testing/web-platform/tests/credential-management
Diffstat (limited to 'testing/web-platform/tests/credential-management')
-rw-r--r--testing/web-platform/tests/credential-management/digital-identity.https.html61
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html31
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html37
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html2
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html2
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-context.https.html16
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-csp.https.html2
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-domainhint.https.html2
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html2
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-iframe.https.html2
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-loginhint.https.html2
-rw-r--r--testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html25
-rw-r--r--testing/web-platform/tests/credential-management/support/digital-identity-helper.js19
-rw-r--r--testing/web-platform/tests/credential-management/support/digital-identity-iframe.html27
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js15
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py28
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py30
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/continue_on.py4
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json7
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json2
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py2
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/resolve.html11
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py1
-rw-r--r--testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py15
-rw-r--r--testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html10
-rw-r--r--testing/web-platform/tests/credential-management/support/set_cookie1
-rw-r--r--testing/web-platform/tests/credential-management/support/set_cookie.headers1
27 files changed, 310 insertions, 47 deletions
diff --git a/testing/web-platform/tests/credential-management/digital-identity.https.html b/testing/web-platform/tests/credential-management/digital-identity.https.html
index 82630e2a5b..b2f36d21ee 100644
--- a/testing/web-platform/tests/credential-management/digital-identity.https.html
+++ b/testing/web-platform/tests/credential-management/digital-identity.https.html
@@ -1,14 +1,22 @@
<!DOCTYPE html>
<title>Digital Identity Credential tests.</title>
<link rel="help" href="https://wicg.github.io/digital-identities/">
+<script src="/common/get-host-info.sub.js"></script>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<body>
+<script type="module">
+import { buildValidNavigatorIdentityRequest } from './support/digital-identity-helper.js';
+
+// This regex removes the filename from the path so that we just get
+// the directory.
+const host = get_host_info();
+const basePath = window.location.pathname.replace(/\/[^\/]*$/, '/');
+const remoteBaseURL = host.HTTPS_REMOTE_ORIGIN + basePath;
-<script>
// Builds valid digital identity request for navigator.credentials.get() API.
function buildValidNavigatorCredentialsRequest() {
return {
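Review bot: The comment `// This regex removes the filename from the path so that we just get the directory.` sits above `const host = get_host_info();`, two lines before the `basePath` statement it describes. Moving it directly above `const basePath = ...` keeps the explanation attached to the regex. Inside a character class the slash needs no escape, so `/\/[^/]*$/` is equivalent and slightly easier to read.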
@@ -34,28 +42,13 @@ function buildValidNavigatorCredentialsRequest() {
};
}
-// Builds valid digital identity request for navigator.identity.get() API.
-function buildValidNavigatorIdentityRequest() {
- return {
- digital: {
- providers: [{
- protocol: "protocol",
- selector: {
- format: ['mdoc'],
- doctype: 'org.iso.18013.5.1.mDL',
- fields: [
- 'org.iso.18013.5.1.family_name',
- 'org.iso.18013.5.1.portrait',
- ]
- },
- params: {
- nonce: '1234',
- readerPublicKey: 'test_reader_public_key',
- extraParamAsNeededByDigitalCredentials: true,
- },
- }],
- },
- };
+async function createIframeAndWaitForMessage(test, iframeUrl) {
+ const messageWatcher = new EventWatcher(test, window, "message");
+ var iframe = document.createElement("iframe");
+ iframe.src = iframeUrl;
+ document.body.appendChild(iframe);
+ const message = await messageWatcher.wait_for("message");
+ return message.data;
}
// Requires browser to have mode where OS-presented digital-identity-prompt is
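Review bot: `createIframeAndWaitForMessage` resolves on the first `message` event that reaches `window`, without checking that it came from the iframe it just created. Any other frame or popup that posts to the test window, including one left over from an earlier subtest, would be taken as the result, and the cross-origin case further down relies on the returned `result`/`errorType`. Consider comparing `message.source` with `iframe.contentWindow` before returning, and removing the iframe via `test.add_cleanup`. `var iframe` could be `const iframe` to match the surrounding declarations.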
@@ -96,7 +89,7 @@ promise_test(async t => {
promise_test(async t => {
let request = buildValidNavigatorIdentityRequest();
let credential = await navigator.identity.get(request);
- assert_equals("protocol", credential.protocol);
+ assert_equals("urn:openid.net:oid4vp", credential.protocol);
assert_equals("fake_test_token", credential.data);
}, "navigator.identity.get() API works in toplevel frame.");
@@ -109,6 +102,12 @@ promise_test(async t => {
promise_test(async t => {
let request = buildValidNavigatorIdentityRequest();
+ request.digital.providers = [];
+ await promise_rejects_js(t, TypeError, navigator.identity.get(request));
+}, "navigator.identity.get() API fails if there are no providers.");
+
+promise_test(async t => {
+ let request = buildValidNavigatorIdentityRequest();
let providerCopy = structuredClone(request.digital.providers[0]);
request.digital.providers.push(providerCopy);
await promise_rejects_js(t, TypeError, navigator.identity.get(request));
@@ -122,4 +121,18 @@ promise_test(async t=> {
abortController.abort();
await promise_rejects_dom(t, "AbortError", requestPromise);
}, "navigator.identity.get() promise is rejected when the page aborts the request.");
+
+promise_test(async t=> {
+ const message = await createIframeAndWaitForMessage(
+ t, basePath + "support/digital-identity-iframe.html");
+ assert_equals(message.result, "Pass");
+ assert_equals(message.data, "fake_test_token");
+}, "navigator.identity.get() succeeds in same-origin iframe");
+
+promise_test(async t=> {
+ const message = await createIframeAndWaitForMessage(
+ t, remoteBaseURL + "support/digital-identity-iframe.html");
+ assert_equals(message.result, "Fail");
+ assert_equals(message.errorType, "NotAllowedError");
+}, "navigator.identity.get() fails in cross-origin iframe");
</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html
new file mode 100644
index 0000000000..fcda3a3dd5
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API network request tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+ request_options_with_mediation_required,
+ select_manifest,
+ fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+ // First, do a regular fedcm request so we that we can be considered
+ // a returning user below.
+ let options = request_options_with_mediation_required();
+ await fedcm_get_and_select_first_account(t, options);
+
+ // Now do a silent mediation request.
+ options = request_options_with_mediation_required('manifest_with_continue_on.json');
+ options.mediation = 'silent';
+ await select_manifest(t, options);
+ const cred_promise = fedcm_get_and_select_first_account(t, options);
+ return promise_rejects_dom(t, 'NetworkError', cred_promise);
+}, "continue_on with mediation:silent should fail");
+
+</script>
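Review bot: The silent-mediation request is issued through `fedcm_get_and_select_first_account`, while the mismatch-dialog tests in this same commit (fedcm-domainhint, fedcm-endpoint-redirects, fedcm-loginhint) switch to a bare `navigator.credentials.get(options)` when no account chooser is expected. The helper's body is not visible here, but if it waits for or selects an account, the rejection asserted by `promise_rejects_dom(t, 'NetworkError', cred_promise)` may come from a different path than the one the test is meant to cover; `const cred_promise = navigator.credentials.get(options);` would make the intent explicit. The comment `so we that we can be considered` should read `so that we can be considered`, and the `<title>` could name continue_on rather than the generic network request tests.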
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html
new file mode 100644
index 0000000000..5bd8ef34fe
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API network request tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+ request_options_with_mediation_required,
+ select_manifest,
+ fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+ const options = request_options_with_mediation_required('manifest_with_continue_on.json');
+ options.identity.providers[0].nonce = "accountId=jane_doe";
+ await select_manifest(t, options);
+ const cred = await fedcm_get_and_select_first_account(t, options);
+ // This indicates the account that was selected in the dialog,
+ // not the account that was specified in IdentityProvider.resolve,
+ // hence we get 1234 instead of jane_doe.
+ assert_equals(cred.token, "account=1234");
+
+ // Now, jane_doe should be considered a returning user. Make sure
+ // auto reauthentication works. We have to use optional instead of
+ // silent so that we can open the continue_on popup.
+ options.mediation = "optional";
+ return test_driver.bless('initiate FedCM request', async function() {
+ let cred2 = await navigator.credentials.get(options);
+ assert_equals(cred2.token, "account=jane_doe");
+ });
+}, "continue_on and IdentityProvider.resolve work correctly.");
+
+</script>
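Review bot: The test name `continue_on and IdentityProvider.resolve work correctly.` is identical to the one in fedcm-continue-on.https.html, so a failure report does not say that this file covers the `accountId` option and auto re-authentication. A name such as `"IdentityProvider.resolve with accountId marks that account as returning."` would distinguish the two. The line `options.identity.providers[0].nonce = "accountId=jane_doe";` passes a query parameter through the nonce; a comment saying that continue_on.py appends the nonce verbatim to the resolve.html URL would explain why a nonce looks like a key/value pair.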
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html
index 3ce1f51e37..c7da5384af 100644
--- a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html
@@ -18,7 +18,7 @@ fedcm_test(async t => {
const options = request_options_with_mediation_required('manifest_with_continue_on.json');
await select_manifest(t, options);
const cred = await fedcm_get_and_select_first_account(t, options);
- assert_equals(cred.token, "resolved token");
+ assert_equals(cred.token, "account=1234");
}, "continue_on and IdentityProvider.resolve work correctly.");
</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html
index ef53ed4ffc..0521f4a2ab 100644
--- a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html
@@ -29,7 +29,7 @@ fedcm_test(async t => {
const options = alt_request_options_with_mediation_required('manifest_with_continue_on.json');
await select_manifest(t, options);
const cred = await fedcm_get_and_select_first_account(t, options);
- assert_equals(cred.token, "resolved token");
+ assert_equals(cred.token, "account=1234");
const iframe_in_idp_scope = `${alt_manifest_origin}/\
credential-management/support/fedcm/userinfo-iframe.html`;
diff --git a/testing/web-platform/tests/credential-management/fedcm-context.https.html b/testing/web-platform/tests/credential-management/fedcm-context.https.html
index bc1f96eafa..7b3e1032af 100644
--- a/testing/web-platform/tests/credential-management/fedcm-context.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-context.https.html
@@ -16,32 +16,32 @@ import {request_options_with_mediation_required,
fedcm_test(async t => {
let p = navigator.credentials.get(request_options_with_mediation_required());
- const title = await fedcm_get_title_promise(t);
- assert_true(title.toLowerCase().includes('sign in'));
+ const result = await fedcm_get_title_promise(t);
+ assert_true(result.title.toLowerCase().includes('sign in'));
window.test_driver.select_fedcm_account(0);
return p;
}, "FedCM call defaults to 'signin' context.");
fedcm_test(async t => {
let p = navigator.credentials.get(request_options_with_context("manifest.py", "signup"));
- const title = await fedcm_get_title_promise(t);
- assert_true(title.toLowerCase().includes('sign up'));
+ const result = await fedcm_get_title_promise(t);
+ assert_true(result.title.toLowerCase().includes('sign up'));
window.test_driver.select_fedcm_account(0);
return p;
}, "FedCM with 'signup' context.");
fedcm_test(async t => {
let p = navigator.credentials.get(request_options_with_context("manifest.py", "use"));
- const title = await fedcm_get_title_promise(t);
- assert_true(title.toLowerCase().includes('use'));
+ const result = await fedcm_get_title_promise(t);
+ assert_true(result.title.toLowerCase().includes('use'));
window.test_driver.select_fedcm_account(0);
return p;
}, "FedCM with 'use' context.");
fedcm_test(async t => {
let p = navigator.credentials.get(request_options_with_context("manifest.py", "continue"));
- const title = await fedcm_get_title_promise(t);
- assert_true(title.toLowerCase().includes('continue'));
+ const result = await fedcm_get_title_promise(t);
+ assert_true(result.title.toLowerCase().includes('continue'));
window.test_driver.select_fedcm_account(0);
return p;
}, "FedCM with 'continue' context.");
diff --git a/testing/web-platform/tests/credential-management/fedcm-csp.https.html b/testing/web-platform/tests/credential-management/fedcm-csp.https.html
index 5925741438..c9a2456e4d 100644
--- a/testing/web-platform/tests/credential-management/fedcm-csp.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-csp.https.html
@@ -3,6 +3,8 @@
<link rel="help" href="https://fedidcg.github.io/FedCM">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
<body>
diff --git a/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html b/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html
index 3e07491d48..20b4569a05 100644
--- a/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html
@@ -22,7 +22,7 @@ fedcm_test(async t => {
let options = request_options_with_domain_hint('manifest.py',
'nomatch');
- const cred = fedcm_get_and_select_first_account(t, options);
+ const cred = navigator.credentials.get(options);
// We expect a mismatch dialog.
const type = await fedcm_get_dialog_type_promise(t);
assert_equals(type, 'ConfirmIdpLogin');
diff --git a/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html b/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html
index cff5036f39..36a4de7900 100644
--- a/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html
@@ -20,7 +20,7 @@ fedcm_test(async t => {
let test_options = request_options_with_mediation_required("manifest_redirect_accounts.json");
await select_manifest(t, test_options);
- const cred = fedcm_get_and_select_first_account(t, test_options);
+ const cred = navigator.credentials.get(test_options);
// We expect a mismatch dialog.
const type = await fedcm_get_dialog_type_promise(t);
assert_equals(type, 'ConfirmIdpLogin');
diff --git a/testing/web-platform/tests/credential-management/fedcm-iframe.https.html b/testing/web-platform/tests/credential-management/fedcm-iframe.https.html
index dc0c17dea6..6a9bec677c 100644
--- a/testing/web-platform/tests/credential-management/fedcm-iframe.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-iframe.https.html
@@ -2,6 +2,8 @@
<link rel="help" href="https://wicg.github.io/FedCM">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<div id=log>
<script type="module">
diff --git a/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html b/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html
index edae955a76..fe35007a87 100644
--- a/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html
@@ -19,7 +19,7 @@ fedcm_test(async t => {
await mark_signed_in();
let options = request_options_with_login_hint('manifest.py', 'nomatch');
- const cred = fedcm_get_and_select_first_account(t, options);
+ const cred = navigator.credentials.get(options);
// We expect a mismatch dialog.
const type = await fedcm_get_dialog_type_promise(t);
assert_equals(type, 'ConfirmIdpLogin');
diff --git a/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html b/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
new file mode 100644
index 0000000000..77ecdaff9f
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API SameSite=None tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+ alt_request_options_with_mediation_required,
+ select_manifest,
+ fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+ const options = alt_request_options_with_mediation_required('manifest_check_same_site_strict.json');
+ await select_manifest(t, options);
+ const cred = await fedcm_get_and_select_first_account(t, options);
+ assert_equals(cred.token, "token");
+ assert_equals(cred.isAutoSelected, false);
+}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies.");
+
+</script>
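Review bot: This test can pass without exercising anything if the `same_site_strict` cookie was never stored: accounts_check_same_site_strict.py and token_check_same_site_strict.py only fail when the cookie equals `1`, so a missing cookie is indistinguishable from a correctly withheld one. The cookie comes from set_cookie.headers via the set_cookie popup, and as far as this file shows nothing verifies that it was actually set. A positive control before the FedCM call, for example a same-site request to a handler that requires `same_site_strict=1`, would show the cookie exists and is being withheld. A comment naming the step that sets the cookie would also help, since nothing in this file mentions it.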
diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-helper.js b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js
new file mode 100644
index 0000000000..2020d6cda7
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js
@@ -0,0 +1,19 @@
+// Builds valid digital identity request for navigator.identity.get() API.
+export function buildValidNavigatorIdentityRequest() {
+ return {
+ digital: {
+ providers: [{
+ protocol: "urn:openid.net:oid4vp",
+ request: JSON.stringify({
+ // Based on https://github.com/openid/OpenID4VP/issues/125
+ client_id: "client.example.org",
+ client_id_scheme: "web-origin",
+ nonce: "n-0S6_WzA2Mj",
+ presentation_definition: {
+ // Presentation Exchange request, omitted for brevity
+ }
+ }),
+ }],
+ },
+ };
+}
diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html
new file mode 100644
index 0000000000..8e193ff09f
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html
@@ -0,0 +1,27 @@
+<!doctype html>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script type="module">
+import { buildValidNavigatorIdentityRequest } from './digital-identity-helper.js';
+
+// Loading digital-identity-iframe.html in the test will make a digital credential call on load, and
+// trigger a postMessage upon completion.
+//
+// message {
+// string result: "Pass" | "Fail"
+// string data: credential.token
+// string errorType: error.data
+// }
+
+window.onload = async () => {
+ try {
+ let request = buildValidNavigatorIdentityRequest();
+ let credential = await navigator.identity.get(request);
+
+ window.top.postMessage({result: "Pass", data: credential.data}, '*');
+ } catch (error) {
+ window.top.postMessage({result: "Fail", errorType: error.name}, '*');
+ }
+};
+
+</script>
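Review bot: The message-shape comment does not match the code: it documents `data` as `credential.token` and `errorType` as `error.data`, but the handler posts `credential.data` and `error.name`. The two lines should read `// string data: credential.data` and `// string errorType: error.name`. Both `postMessage` calls use `'*'` as the target origin, so whatever page is at `window.top` receives the credential data; that is harmless with `fake_test_token`, but a comment saying the wildcard is test-only would stop the pattern being copied into real relying-party code.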
diff --git a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
index 765b3cc48a..f0031fa531 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
+++ b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
@@ -8,7 +8,9 @@ export function open_and_wait_for_popup(origin, path) {
// We rely on the popup page to send us a message when done.
const popup_message_handler = (event) => {
- if (event.origin == origin) {
+ // We use new URL() to ensure the two origins are normalized the same
+ // way (especially so that default ports are handled identically).
+ if (new URL(event.origin).toString() == new URL(origin).toString()) {
popup_window.close();
window.removeEventListener('message', popup_message_handler);
resolve();
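Review bot: `new URL(event.origin).toString() == new URL(origin).toString()` compares whole serialized URLs rather than origins, and `new URL(event.origin)` throws inside the handler when the sender has an opaque origin (`event.origin` is then the string `null`). Comparing `event.origin === new URL(origin).origin` gives the same default-port normalization, ignores any path on the `origin` argument, and simply evaluates to false for an opaque sender. The function body continues outside the hunk.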
@@ -22,7 +24,7 @@ export function open_and_wait_for_popup(origin, path) {
// Set the identity provider cookie.
export function set_fedcm_cookie(host) {
if (host == undefined) {
- document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
+ document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
return Promise.resolve();
} else {
return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');
@@ -102,6 +104,15 @@ credential-management/support/fedcm/${manifest_filename}`;
// Test wrapper which does FedCM-specific setup.
export function fedcm_test(test_func, test_name) {
promise_test(async t => {
+ // Ensure we start from a clean slate.
+ await test_driver.delete_all_cookies();
+ // Turn off delays that are not useful in tests.
+ try {
+ await test_driver.set_fedcm_delay_enabled(false);
+ } catch (e) {
+ // Failure is not critical; it just might slow down tests.
+ }
+
await set_fedcm_cookie();
await set_alt_fedcm_cookie();
await test_func(t);
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py
new file mode 100644
index 0000000000..a6f385feac
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py
@@ -0,0 +1,28 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.accountsCheck(request)
+ if (request_error):
+ return request_error
+ if request.cookies.get(b"same_site_strict") == b"1":
+ return (546, [], "Should not send SameSite=Strict cookies")
+ if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
+ return (538, [], "Wrong Sec-Fetch-Site header")
+
+ response.headers.set(b"Content-Type", b"application/json")
+
+ return """
+{
+ "accounts": [{
+ "id": "1234",
+ "given_name": "John",
+ "name": "John Doe",
+ "email": "john_doe@idp.example",
+ "picture": "https://idp.example/profile/123",
+ "approved_clients": ["123", "456", "789"],
+ "login_hints": ["john_doe"],
+ "domain_hints": ["idp.example", "example"]
+ }]
+}
+"""
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py
new file mode 100644
index 0000000000..faea06edc3
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py
@@ -0,0 +1,30 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.accountsCheck(request)
+ if (request_error):
+ return request_error
+
+ response.headers.set(b"Content-Type", b"application/json")
+
+ return """
+{
+ "accounts": [{
+ "id": "1234",
+ "given_name": "John",
+ "name": "John Doe",
+ "email": "john_doe@idp.example",
+ "picture": "https://idp.example/profile/123",
+ "login_hints": ["john_doe"],
+ "domain_hints": ["idp.example", "example"]
+ },
+ {
+ "id": "jane_doe",
+ "given_name": "Jane",
+ "name": "Jane Doe",
+ "email": "jane_doe@idp.example",
+ "picture": "https://idp.example/profile/5678"
+ }]
+}
+"""
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py
index 42b4f3f8fd..1b4831b51d 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py
@@ -8,5 +8,7 @@ def main(request, response):
response.headers.set(b"Content-Type", b"application/json")
- return "{\"continue_on\": \"resolve.html\"}"
+ account = request.POST.get(b"account_id").decode("utf-8")
+ nonce = request.POST.get(b"nonce").decode("utf-8")
+ return "{\"continue_on\": \"resolve.html?selected=%s&%s\"}" % (account, nonce)
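Review bot: `account` and `nonce` are taken from the POST body and interpolated unescaped into both a URL and a hand-built JSON string, so a value containing `"`, `\`, `&` or `#` yields malformed JSON or a different query string than intended, and a missing field raises `AttributeError` on `None.decode`. Building the response with `json.dumps` and percent-encoding the account id keeps the fixture well-formed for any input; the nonce is left verbatim because fedcm-continue-on-with-account.https.html relies on it carrying `accountId=jane_doe`. This needs `json` and `urllib.parse` imported at the top of the file, which is outside the hunk, and the 400 status below is illustrative. The body of `main` starts outside the hunk.

```python
    # … unchanged: request checks and Content-Type header …
    account = request.POST.get(b"account_id")
    nonce = request.POST.get(b"nonce")
    if account is None or nonce is None:
        return (400, [], "Missing account_id or nonce")
    selected = urllib.parse.quote(account.decode("utf-8"), safe="")
    # The nonce is appended verbatim: tests use it to pass extra query parameters.
    url = "resolve.html?selected=%s&%s" % (selected, nonce.decode("utf-8"))
    return json.dumps({"continue_on": url})
```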
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json
new file mode 100644
index 0000000000..d730415983
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json
@@ -0,0 +1,7 @@
+{
+ "accounts_endpoint": "accounts_check_same_site_strict.py",
+ "client_metadata_endpoint": "client_metadata.py",
+ "id_assertion_endpoint": "token_check_same_site_strict.py",
+ "login_url": "login.html"
+}
+
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json
index 3f5a954b87..d7673c7e1b 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json
@@ -1,5 +1,5 @@
{
- "accounts_endpoint": "accounts.py",
+ "accounts_endpoint": "accounts_no_approved_clients.py",
"client_metadata_endpoint": "client_metadata.py",
"id_assertion_endpoint": "continue_on.py",
"disconnect_endpoint": "disconnect.py",
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
index b774496d5d..6c610e6e20 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
@@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request):
def commonCredentialedRequestCheck(request):
if request.cookies.get(b"cookie") != b"1":
return (537, [], "Missing cookie")
- if request.headers.get(b"Sec-Fetch-Site") != b"none":
- return (538, [], "Wrong Sec-Fetch-Site header")
def commonPostCheck(request):
if not request.headers.get(b"Origin"):
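Review bot: Removing the `Sec-Fetch-Site` comparison from `commonCredentialedRequestCheck` leaves, among the handlers visible in this commit, only accounts_check_same_site_strict.py asserting that header; token_check_same_site_strict.py and the other credentialed endpoints appear to no longer check it at all. If the expected value is now `cross-site` for every credentialed FedCM request, changing the check here to `if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":` would keep the coverage for all handlers instead of one. If the value legitimately varies between requests, a comment in this function saying why the header is no longer checked would record that decision.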
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html
index 87f5112cfd..dbdc28c324 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html
+++ b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html
@@ -1,7 +1,16 @@
<!DOCTYPE html>
<script>
async function doResolve() {
- IdentityProvider.resolve("resolved token");
+ let params = new URLSearchParams(document.location.search);
+ let options = {};
+ if (params.get("accountId")) {
+ options.accountId = params.get("accountId");
+ }
+ let token = "resolved token";
+ if (params.get("selected")) {
+ token = "account=" + params.get("selected");
+ }
+ IdentityProvider.resolve(token, options);
}
window.onload = doResolve;
</script>
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
index ab34992210..15adf11324 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
@@ -15,6 +15,7 @@ def main(request, response):
// If this page was opened as a popup, notify the opener.
if (window.opener) {
window.opener.postMessage("done_loading", "*");
+ window.close();
}
</script>
Sent header value: {}".format(header_value)
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py
new file mode 100644
index 0000000000..8a4b3a234b
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py
@@ -0,0 +1,15 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.tokenCheck(request)
+ if (request_error):
+ return request_error
+ if request.cookies.get(b"same_site_strict") == b"1":
+ return (546, [], "Should not send SameSite=Strict cookies")
+
+ response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
+
+ return "{\"token\": \"token\"}"
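Review bot: `Access-Control-Allow-Credentials` is set with the str `"true"` while every other header name and value in this handler is bytes; `response.headers.set(b"Access-Control-Allow-Credentials", b"true")` would be consistent. The handler also echoes the request's `Origin` into `Access-Control-Allow-Origin` together with credentials, which is fine for a fixture but deserves a comment such as `# Test-only: reflects any Origin; a real IdP must check it against the registered client.` Unlike accounts_check_same_site_strict.py, this endpoint does not assert `Sec-Fetch-Site`, so the token request's header goes unchecked unless `tokenCheck` (not visible here) does it.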
diff --git a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html
index 532db7047a..681fcd6787 100644
--- a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html
+++ b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html
@@ -3,13 +3,17 @@
<fencedframe></fencedframe>
<script>
-const url = new URL("mark_signedin", location.href);
-document.querySelector("fencedframe").config = new FencedFrameConfig(url);
-
// If this page was opened as a popup, notify the opener when we are done loading.
if (window.opener) {
window.onload = function() {
window.opener.postMessage("done_loading", "*");
};
}
+
+// This code is intentionally after the onload listener registration
+// because it can throw if FencedFrameConfig is not defined. In that
+// case, we still want to notify the opener to avoid a test timeout.
+const url = new URL("mark_signedin", location.href);
+document.querySelector("fencedframe").config = new FencedFrameConfig(url);
+
</script>
diff --git a/testing/web-platform/tests/credential-management/support/set_cookie b/testing/web-platform/tests/credential-management/support/set_cookie
index 1080b366e4..2c3196058a 100644
--- a/testing/web-platform/tests/credential-management/support/set_cookie
+++ b/testing/web-platform/tests/credential-management/support/set_cookie
@@ -6,6 +6,7 @@
// If this page was opened as a popup, notify the opener.
if (window.opener) {
window.opener.postMessage("done_loading", "*");
+ window.close();
}
</script>
</body>
diff --git a/testing/web-platform/tests/credential-management/support/set_cookie.headers b/testing/web-platform/tests/credential-management/support/set_cookie.headers
index b19ff933a6..4226ff4c99 100644
--- a/testing/web-platform/tests/credential-management/support/set_cookie.headers
+++ b/testing/web-platform/tests/credential-management/support/set_cookie.headers
@@ -1,2 +1,3 @@
Content-Type: text/html
Set-Cookie: cookie=1; SameSite=None; Secure
+Set-Cookie: same_site_strict=1; SameSite=Strict; Secure