1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
<!DOCTYPE html>
<meta charset="utf-8"/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
<script>
// This test opens a popup window to postToParent.py (on the specified
// origin). The popup sends a postMessage event back to its opener
// (i.e., here) with the cookies it received, which we verify against
// expectedStatus. Then, the test sends a message to the popup, telling it to
// reload itself via window.location.reload(). Again, the popup posts a
// message back here with the cookies it received. These cookies are verified
// against expectedStatusReload.
function create_test(origin, target, expectedStatus, expectedStatusReload, title) {
promise_test(t => {
var value = "" + Math.random();
return resetSameSiteCookies(origin, value)
.then(_ => {
return new Promise((resolve, reject) => {
var w = window.open(target + "/cookies/resources/postToParent.py");
var reloaded = false;
var msgHandler = e => {
try {
verifySameSiteCookieState(reloaded ? expectedStatusReload : expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
} catch (e) {
reject(e);
}
if (reloaded) {
window.removeEventListener("message", msgHandler);
w.close();
resolve("Popup received the cookie.");
} else {
reloaded = true;
w.postMessage("reload", "*");
}
};
window.addEventListener("message", msgHandler);
if (!w)
reject("Popup could not be opened (did you allow the test site in your popup blocker?).");
});
});
}, title);
}
// The reload status is always strictly same-site because this is a site-initiated reload, as opposed to a reload triggered by a user interface element.
create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, SameSiteStatus.STRICT, "Reloaded same-host auxiliary navigations are strictly same-site.");
create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, SameSiteStatus.STRICT, "Reloaded subdomain auxiliary navigations are strictly same-site.");
create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.LAX, SameSiteStatus.STRICT, "Reloaded cross-site auxiliary navigations are strictly same-site");
</script>
|