author Lily Chen <chlily@chromium.org>
Wed, 14 Aug 2019 10:57:18 +0000
changeset 488121 e0a7d47faddb3ae446a4e81d51b515fa2a3ae3e8
permissions -rw-r--r--
Bug 1568091 [wpt PR 17986] - Add cookie SameSite features to experimental web platform features, a=testonly Automatic update from web-platform-tests Add cookie SameSite features to experimental web platform features SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure, as well as CookieDeprecationMessages can now be turned on by running with command line flag --enable-experimental-web-platform-features. * SameSiteByDefaultCookies causes cookies that don't specify a SameSite attribute to be treated as Lax, and introduces SameSite=None to explicitly request cross-site use. * CookiesWithoutSameSiteMustBeSecure requires SameSite=None cookies to be Secure, otherwise they are rejected. * CookieDeprecationMessages shows console messages when cookies are not sent or saved due to either of the above SameSite features. The web tests and browser tests run with experimental web platform features enabled are also updated to reflect the new behavior, including running on https because of the CookiesWithoutSameSiteMustBeSecure restriction. This also adds SameSite=None test coverage to a couple places that didn't already have it. Bug: 953306, 954551, 961439 Change-Id: I50ea7a6fb73969acf9ba3088310d7d246bc11a05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1691522 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Rick Byers <rbyers@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Robert Ma <robertma@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Cr-Commit-Position: refs/heads/master@{#686029} -- wpt-commits: de517e33fddfc1ee979ae23ebb9ef954a766bcf2 wpt-pr: 17986

<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
  /**
   * Registers a promise_test that submits a top-level GET form into a popup
   * (`target="_blank"`), asks the popup to reload itself once, and runs the
   * SameSite verifier on every cookie report the popup posts back.
   *
   * @param {string} origin - Origin whose SameSite cookies are reset (to `value`) before the form is submitted.
   * @param {string} target - Origin the form is submitted to; the action is `target + "/cookies/resources/postToParent.py"`.
   * @param expectedStatus - SameSiteStatus value passed to getSameSiteVerifier() for each popup message.
   * @param {string} title - Title of the registered promise_test.
   *
   * NOTE(review): this listing appears to have lost lines (braces do not
   * balance; in the visible text the hidden input `i` is never appended to the
   * form, `reject` is never called, and the form is never submitted). Compare
   * with the original file before relying on the control flow shown here.
   */
  function create_test(origin, target, expectedStatus, title) {
    promise_test(t => {
      // Fresh random cookie value per test so a cookie left over from an
      // earlier test cannot satisfy the verifier.
      var value = "" + Math.random();
      return resetSameSiteCookies(origin, value)
        .then(_ => {
          return new Promise((resolve, reject) => {
            var f = document.createElement('form');
            f.action = target + "/cookies/resources/postToParent.py";
            f.target = "_blank";
            f.method = "GET";

            // If |target| contains a `redir` parameter, extract it, and add it
            // to the form so it doesn't get dropped in the submission.
            var url = new URL(f.action);
            // NOTE(review): `=` is an assignment, not a comparison. The
            // expression evaluates to the non-empty string and is therefore
            // always truthy, so the hidden input is created for every target
            // (with value null when no `location` param is present) and
            // url.pathname is clobbered. Presumably `===` was intended.
            if (url.pathname = "/cookies/rfc6265/resources/redirectWithCORSHeaders.py") {
              var i = document.createElement("input");
              i.name = "location";
              i.value = url.searchParams.get("location");
              i.type = "hidden";
            // The first message from the popup triggers a reload; the second
            // one (after the reload) resolves the test.
            var reloaded = false;
            var msgHandler = e => {
              // NOTE(review): the handler does not check e.origin or e.source,
              // so any window that can post to this page can feed data to the
              // verifier. The catch binding `e` below shadows the event
              // parameter inside the catch block only.
              try {
                getSameSiteVerifier()(expectedStatus, value, e.data);
              } catch (e) {

              if (reloaded) {
                window.removeEventListener("message", msgHandler);
                resolve("Popup received the cookie.");
              } else {
                reloaded = true;
                // "*" target origin: the popup is cross-site relative to this
                // page in at least one of the registered cases.
                e.source.postMessage("reload", "*");
            window.addEventListener("message", msgHandler);

    }, title);

  // Table of [origin, target, expected SameSite status, test title]; each row
  // registers one reload test in the order listed.
  const reloadCases = [
    [SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host top-level form GETs are strictly same-site"],
    [SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain top-level form GETs are strictly same-site"],
    [SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Reloaded cross-site top-level form GETs are laxly same-site"],
  ];
  for (const [origin, target, expectedStatus, title] of reloadCases) {
    create_test(origin, target, expectedStatus, title);
  }