diff options
Diffstat (limited to 'testing/web-platform/tests/cookies/samesite/form-post-blank.https.html')
| -rw-r--r-- | testing/web-platform/tests/cookies/samesite/form-post-blank.https.html | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html b/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html new file mode 100644 index 0000000000..947853893d --- /dev/null +++ b/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html @@ -0,0 +1,57 @@ +<!DOCTYPE html> +<meta charset="utf-8"/> +<meta name="timeout" content="long"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/cookies/resources/cookie-helper.sub.js"></script> +<script> + function create_test(origin, target, expectedStatus, title) { + promise_test(t => { + var value = "" + Math.random(); + return resetSameSiteCookies(origin, value) + .then(_ => { + return new Promise((resolve, reject) => { + var f = document.createElement('form'); + f.action = target + "/cookies/resources/postToParent.py"; + f.target = "_blank"; + f.method = "POST"; + f.rel = "opener"; + + var msgHandler = e => { + window.removeEventListener("message", msgHandler); + e.source.close(); + try { + verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); + resolve("Popup received the cookie."); + } catch (e) { + reject(e); + } + }; + window.addEventListener("message", msgHandler); + document.body.appendChild(f); + f.submit(); + }); + }); + }, title); + } + + // No redirect: + create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host top-level form POSTs are strictly same-site"); + create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain top-level form POSTs are strictly same-site"); + create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site top-level form POSTs are cross-site"); + + // Redirect from {same-host,subdomain,cross-site} to same-host: + create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host top-level form POSTs are strictly same-site"); + create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host top-level form POSTs are strictly same-site"); + create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to same-host top-level form POSTs are cross-site"); + + // Redirect from {same-host,subdomain,cross-site} to same-host: + create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain top-level form POSTs are strictly same-site"); + create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain top-level form POSTs are strictly same-site"); + create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to subdomain top-level form POSTs are cross-site"); + + // Redirect from {same-host,subdomain,cross-site} to cross-site: + create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site top-level form POSTs are cross-site"); + create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site top-level form POSTs are cross-site"); + create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site top-level form POSTs are cross-site"); +</script> |