diff options
Diffstat (limited to 'testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/fetch.https.window.js')
-rw-r--r-- | testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/fetch.https.window.js | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/fetch.https.window.js b/testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/fetch.https.window.js new file mode 100644 index 0000000000..6ea94d0a19 --- /dev/null +++ b/testing/web-platform/tests/html/cross-origin-embedder-policy/credentialless/fetch.https.window.js @@ -0,0 +1,127 @@ +// META: script=/common/get-host-info.sub.js +// META: script=/common/utils.js +// META: script=/common/dispatcher/dispatcher.js +// META: script=./resources/common.js + +promise_test(async test => { + const same_origin = get_host_info().HTTPS_ORIGIN; + const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; + const cookie_key = "coep_credentialless_fetch"; + const cookie_same_origin = "same_origin"; + const cookie_cross_origin = "cross_origin"; + + await Promise.all([ + setCookie(same_origin, cookie_key, cookie_same_origin + + cookie_same_site_none), + setCookie(cross_origin, cookie_key, cookie_cross_origin + + cookie_same_site_none), + ]); + + // One window with COEP:none. (control) + const w_control_token = token(); + const w_control_url = same_origin + executor_path + + coep_none + `&uuid=${w_control_token}` + const w_control = window.open(w_control_url); + add_completion_callback(() => w_control.close()); + + // One window with COEP:credentialless. (experiment) + const w_credentialless_token = token(); + const w_credentialless_url = same_origin + executor_path + + coep_credentialless + `&uuid=${w_credentialless_token}`; + const w_credentialless = window.open(w_credentialless_url); + add_completion_callback(() => w_credentialless.close()); + + const fetchTest = function( + description, origin, mode, credentials, + expected_cookies_control, + expected_cookies_credentialless) + { + promise_test_parallel(async test => { + const token_1 = token(); + const token_2 = token(); + + send(w_control_token, ` + fetch("${showRequestHeaders(origin, token_1)}", { + mode:"${mode}", + credentials: "${credentials}", + }); + `); + send(w_credentialless_token, ` + fetch("${showRequestHeaders(origin, token_2)}", { + mode:"${mode}", + credentials: "${credentials}", + }); + `); + + const headers_control = JSON.parse(await receive(token_1)); + const headers_credentialless = JSON.parse(await receive(token_2)); + + assert_equals(parseCookies(headers_control)[cookie_key], + expected_cookies_control, + "coep:none => "); + assert_equals(parseCookies(headers_credentialless)[cookie_key], + expected_cookies_credentialless, + "coep:credentialless => "); + }, `fetch ${description}`) + }; + + // Cookies are never sent with credentials='omit' + fetchTest("same-origin + no-cors + credentials:omit", + same_origin, 'no-cors', 'omit', + undefined, + undefined); + fetchTest("same-origin + cors + credentials:omit", + same_origin, 'cors', 'omit', + undefined, + undefined); + fetchTest("cross-origin + no-cors + credentials:omit", + cross_origin, 'no-cors', 'omit', + undefined, + undefined); + fetchTest("cross-origin + cors + credentials:omit", + cross_origin, 'cors', 'omit', + undefined, + undefined); + + // Same-origin request contains Cookies. + fetchTest("same-origin + no-cors + credentials:include", + same_origin, 'no-cors', 'include', + cookie_same_origin, + cookie_same_origin); + fetchTest("same-origin + cors + credentials:include", + same_origin, 'cors', 'include', + cookie_same_origin, + cookie_same_origin); + fetchTest("same-origin + no-cors + credentials:same-origin", + same_origin, 'no-cors', 'same-origin', + cookie_same_origin, + cookie_same_origin); + fetchTest("same-origin + cors + credentials:same-origin", + same_origin, 'cors', 'same-origin', + cookie_same_origin, + cookie_same_origin); + + // Cross-origin CORS requests contains Cookies, if credentials mode is set to + // 'include'. This does not depends on COEP. + fetchTest("cross-origin + cors + credentials:include", + cross_origin, 'cors', 'include', + cookie_cross_origin, + cookie_cross_origin); + fetchTest("cross-origin + cors + same-origin-credentials", + cross_origin, 'cors', 'same-origin', + undefined, + undefined); + + // Cross-origin no-CORS requests includes Cookies when: + // 1. credentials mode is 'include' + // 2. COEP: is not credentialless. + fetchTest("cross-origin + no-cors + credentials:include", + cross_origin, 'no-cors', 'include', + cookie_cross_origin, + undefined); + + fetchTest("cross-origin + no-cors + credentials:same-origin", + cross_origin, 'no-cors', 'same-origin', + undefined, + undefined); +}, ""); |