1 files changed, 128 insertions, 0 deletions

diff --git a/testing/web-platform/tests/html/anonymous-iframe/cookie.tentative.https.window.js b/testing/web-platform/tests/html/anonymous-iframe/cookie.tentative.https.window.js
new file mode 100644
index 0000000000..d6889ae52d
--- /dev/null
+++ b/testing/web-platform/tests/html/anonymous-iframe/cookie.tentative.https.window.js
@@ -0,0 +1,128 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=/common/dispatcher/dispatcher.js
+// META: script=/html/cross-origin-embedder-policy/credentialless/resources/common.js
+// META: script=./resources/common.js
+
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const cookie_key = "credentialless_iframe_load_cookie";
+const cookie_same_origin = "same_origin";
+const cookie_cross_origin = "cross_origin";
+
+const cookieFromResource = async resource_token => {
+  let headers = JSON.parse(await receive(resource_token));
+  return parseCookies(headers)[cookie_key];
+};
+
+// Load a credentialless iframe, return the HTTP request cookies.
+const cookieFromCredentiallessIframeRequest = async (iframe_origin) => {
+  const resource_token = token();
+  let iframe = document.createElement("iframe");
+  iframe.src = `${showRequestHeaders(iframe_origin, resource_token)}`;
+  iframe.credentialless = true;
+  document.body.appendChild(iframe);
+  return await cookieFromResource(resource_token);
+};
+
+// Load a resource `type` from the iframe with `document_token`,
+// return the HTTP request cookies.
+const cookieFromResourceInIframe =
+    async (document_token, resource_origin, type = "img") => {
+  const resource_token = token();
+  send(document_token, `
+    let el = document.createElement("${type}");
+    el.src = "${showRequestHeaders(resource_origin, resource_token)}";
+    document.body.appendChild(el);
+  `);
+  return await cookieFromResource(resource_token);
+};
+
+promise_test_parallel(async test => {
+  await Promise.all([
+    setCookie(same_origin, cookie_key, cookie_same_origin),
+    setCookie(cross_origin, cookie_key, cookie_cross_origin),
+  ]);
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromCredentiallessIframeRequest(same_origin),
+      undefined
+    );
+  }, "Credentialless same-origin iframe is loaded without credentials");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromCredentiallessIframeRequest(cross_origin),
+      undefined
+    );
+  }, "Credentialless cross-origin iframe is loaded without credentials");
+
+  const iframe_same_origin = newIframeCredentialless(same_origin);
+  const iframe_cross_origin = newIframeCredentialless(cross_origin);
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_same_origin, same_origin),
+      undefined
+    );
+  }, "same_origin credentialless iframe can't send same_origin credentials");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_same_origin, cross_origin),
+      undefined
+    );
+  }, "same_origin credentialless iframe can't send cross_origin credentials");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_cross_origin, cross_origin),
+      undefined
+    );
+  }, "cross_origin credentialless iframe can't send cross_origin credentials");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_cross_origin, same_origin),
+      undefined
+    );
+  }, "cross_origin credentialless iframe can't send same_origin credentials");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_same_origin, same_origin,
+                                       "iframe"),
+      undefined
+    );
+  }, "same_origin credentialless iframe can't send same_origin credentials "
+                        + "on child iframe");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_same_origin, cross_origin,
+                                       "iframe"),
+      undefined
+    );
+  }, "same_origin credentialless iframe can't send cross_origin credentials "
+    + "on child iframe");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_cross_origin, cross_origin,
+                                       "iframe"),
+      undefined
+    );
+  }, "cross_origin credentialless iframe can't send cross_origin credentials "
+    + "on child iframe");
+
+  promise_test_parallel(async test => {
+    assert_equals(
+      await cookieFromResourceInIframe(iframe_cross_origin, same_origin,
+                                       "iframe"),
+      undefined
+    );
+  }, "cross_origin credentialless iframe can't send same_origin credentials "
+    + "on child iframe");
+
+}, "Setup")