// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=/html/cross-origin-embedder-policy/credentialless/resources/common.js
// META: script=./resources/common.js

// Origins under test, taken from the host-info helper: the page's own HTTPS
// origin and a remote HTTPS origin.
const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;

// One cookie name is used on both origins; the value records which origin
// the cookie was set for.
const cookie_key = "credentialless_iframe_load_cookie";
const cookie_same_origin = "same_origin";
const cookie_cross_origin = "cross_origin";

// Wait for the message published under `resource_token`, parse it as the JSON
// request headers, and return the value of the test cookie. The result is
// `undefined` when the request carried no such cookie.
const cookieFromResource = async (resource_token) => {
  const raw_headers = await receive(resource_token);
  const request_headers = JSON.parse(raw_headers);
  const request_cookies = parseCookies(request_headers);
  return request_cookies[cookie_key];
};

// Navigate a new credentialless iframe to a header-reporting URL on
// `iframe_origin` and return the test cookie seen in that navigation request.
const cookieFromCredentiallessIframeRequest = async (iframe_origin) => {
  const resource_token = token();
  // presumably this URL reports its request headers under `resource_token`;
  // the helper is defined in an included script, not in this file.
  const headers_url = showRequestHeaders(iframe_origin, resource_token);

  const frame = document.createElement("iframe");
  frame.src = `${headers_url}`;
  // Marked credentialless before the element is attached to the document.
  frame.credentialless = true;
  document.body.appendChild(frame);

  return cookieFromResource(resource_token);
};

// Load a resource `type` from the iframe with `document_token`,
// return the HTTP request cookies.
const cookieFromResourceInIframe = async (document_token, resource_origin,
                                          type = "img") => {
  // The element is created from inside the target document: a script is sent
  // to `document_token`, and the cookie is read from the request that the new
  // element triggers.
  const resource_token = token();
  const headers_url = showRequestHeaders(resource_origin, resource_token);

  // `type` and the URL are spliced into script source without escaping. The
  // callers in this file pass only fixed literals and helper-built URLs.
  const injected_script = ` let el = document.createElement("${type}"); el.src = "${headers_url}"; document.body.appendChild(el); `;
  send(document_token, injected_script);

  return cookieFromResource(resource_token);
};

promise_test_parallel(async (test) => {
  // Store a cookie on each origin before any credentialless load starts.
  //
  // NOTE(review): every assertion below expects `undefined`, so a setCookie()
  // that silently stored nothing would make them pass as well. No positive
  // control (a non-credentialless load that does see the cookie) is visible
  // in this file.
  const cookies_ready = [
    setCookie(same_origin, cookie_key, cookie_same_origin),
    setCookie(cross_origin, cookie_key, cookie_cross_origin),
  ];
  await Promise.all(cookies_ready);

  // 1. The navigation request of a credentialless iframe carries no cookie.
  const navigation_cases = [
    [same_origin,
     "Credentialless same-origin iframe is loaded without credentials"],
    [cross_origin,
     "Credentialless cross-origin iframe is loaded without credentials"],
  ];
  for (const [iframe_origin, description] of navigation_cases) {
    promise_test_parallel(async (t) => {
      const cookie = await cookieFromCredentiallessIframeRequest(iframe_origin);
      assert_equals(cookie, undefined);
    }, description);
  }

  // 2. Requests issued from inside a credentialless iframe carry no cookie,
  // for images and for nested iframes, whichever origin is targeted.
  const iframe_same_origin = newIframeCredentialless(same_origin);
  const iframe_cross_origin = newIframeCredentialless(cross_origin);

  const subresource_cases = [
    [iframe_same_origin, same_origin, "img",
     "same_origin credentialless iframe can't send same_origin credentials"],
    [iframe_same_origin, cross_origin, "img",
     "same_origin credentialless iframe can't send cross_origin credentials"],
    [iframe_cross_origin, cross_origin, "img",
     "cross_origin credentialless iframe can't send cross_origin credentials"],
    [iframe_cross_origin, same_origin, "img",
     "cross_origin credentialless iframe can't send same_origin credentials"],
    [iframe_same_origin, same_origin, "iframe",
     "same_origin credentialless iframe can't send same_origin credentials " +
     "on child iframe"],
    [iframe_same_origin, cross_origin, "iframe",
     "same_origin credentialless iframe can't send cross_origin credentials " +
     "on child iframe"],
    [iframe_cross_origin, cross_origin, "iframe",
     "cross_origin credentialless iframe can't send cross_origin credentials " +
     "on child iframe"],
    [iframe_cross_origin, same_origin, "iframe",
     "cross_origin credentialless iframe can't send same_origin credentials " +
     "on child iframe"],
  ];
  for (const [document_token, resource_origin, type, description] of
       subresource_cases) {
    promise_test_parallel(async (t) => {
      const cookie = await cookieFromResourceInIframe(
          document_token, resource_origin, type);
      assert_equals(cookie, undefined);
    }, description);
  }
}, "Setup");