testing/web-platform/tests/cookies/samesite/img.https.html
author Lily Chen <chlily@chromium.org>
Wed, 14 Aug 2019 10:57:18 +0000
changeset 488121 e0a7d47faddb3ae446a4e81d51b515fa2a3ae3e8
permissions -rw-r--r--
Bug 1568091 [wpt PR 17986] - Add cookie SameSite features to experimental web platform features, a=testonly Automatic update from web-platform-tests Add cookie SameSite features to experimental web platform features SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure, as well as CookieDeprecationMessages can now be turned on by running with command line flag --enable-experimental-web-platform-features. * SameSiteByDefaultCookies causes cookies that don't specify a SameSite attribute to be treated as Lax, and introduces SameSite=None to explicitly request cross-site use. * CookiesWithoutSameSiteMustBeSecure requires SameSite=None cookies to be Secure, otherwise they are rejected. * CookieDeprecationMessages shows console messages when cookies are not sent or saved due to either of the above SameSite features. The web tests and browser tests run with experimental web platform features enabled are also updated to reflect the new behavior, including running on https because of the CookiesWithoutSameSiteMustBeSecure restriction. This also adds SameSite=None test coverage to a couple places that didn't already have it. Bug: 953306, 954551, 961439 Change-Id: I50ea7a6fb73969acf9ba3088310d7d246bc11a05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1691522 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Rick Byers <rbyers@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Robert Ma <robertma@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Cr-Commit-Position: refs/heads/master@{#686029} -- wpt-commits: de517e33fddfc1ee979ae23ebb9ef954a766bcf2 wpt-pr: 17986

<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
<script>
  function assert_cookie_present(origin, name, value) {
    // Probes whether the cookie |name|=|value| is attached to an <img> request
    // sent to |origin|: the server only serves the image when the cookie
    // matches, so onload means "present" and onerror means "not present".
    // Resolves/rejects with a human-readable message naming cookie and origin.
    //
    // |name| and |value| are spliced into the query string without encoding,
    // so callers must pass values free of URL-reserved characters.
    return new Promise((resolve, reject) => {
      const label = "'" + name + "=" + value + "'";
      const probe = document.createElement("img");
      probe.onload = () => resolve(label + " present on " + origin);
      probe.onerror = () => reject(label + " not present on " + origin);

      const query = "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
      // A redirecting origin carries the final path/query as a parameter, so
      // that part has to be URL-encoded once more.
      const isRedirect = /\/redir/.test(origin);
      probe.src = isRedirect ? origin + encodeURIComponent(query) : origin + query;
    });
  }

  function assert_cookie_absent(origin, name, value) {
    // Inverse of assert_cookie_present: the <img> request to |origin| is
    // expected to fail because the cookie |name|=|value| was not attached.
    // Resolves on onerror ("not present"), rejects on onload ("present").
    //
    // |name| and |value| are spliced into the query string without encoding,
    // so callers must pass values free of URL-reserved characters.
    return new Promise((resolve, reject) => {
      const label = "'" + name + "=" + value + "'";
      const probe = document.createElement("img");
      probe.onerror = () => resolve(label + " not present on " + origin);
      probe.onload = () => reject(label + " present on " + origin);

      const query = "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
      // A redirecting origin carries the final path/query as a parameter, so
      // that part has to be URL-encoded once more.
      const isRedirect = /\/redir/.test(origin);
      probe.src = isRedirect ? origin + encodeURIComponent(query) : origin + query;
    });
  }

  function create_test(origin, target, expectedStatus, title) {
    // Registers one promise_test titled |title|: the SameSite cookie set on
    // |origin| is reset to a fresh random value, then images are requested
    // from |target| and each cookie is checked for presence or absence
    // according to |expectedStatus| (a SameSiteStatus value).
    promise_test(t => {
      const value = "" + Math.random();
      const expectStrict = expectedStatus == SameSiteStatus.STRICT;
      const expectCrossSite = expectedStatus == SameSiteStatus.CROSS_SITE;
      const check = (cookie, shouldBePresent) =>
        shouldBePresent ? assert_cookie_present(target, cookie, value)
                        : assert_cookie_absent(target, cookie, value);

      return resetSameSiteCookies(origin, value)
        .then(_ => {
          // Probes are created in a fixed order so the image requests are
          // issued in the same sequence every run.
          const checks = [
            // SameSite=None is expected on every request in this file.
            check("samesite_none", true),
            check("samesite_strict", expectStrict),
            check("samesite_lax", !expectCrossSite),
            // Legacy behavior: unspecified SameSite acts like SameSite=None
            // (always present); otherwise it is checked exactly like
            // samesite_lax (absent only for cross-site requests).
            check("samesite_unspecified", isLegacySameSite() || !expectCrossSite),
          ];
          return Promise.all(checks);
        });
    }, title);
  }

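  // Each create_test call registers one case: the SameSite cookies are reset
  // on the first argument, then fetched via <img> from the second.
  // redirectTo(a, b) sends the image request to a, which redirects to b; the
  // expectations below depend only on the final destination b, which is also
  // the origin the cookies were set on.

  // No redirect:
  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host images are strictly same-site");
  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain images are strictly same-site");
  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site images are cross-site");

  // Redirect from {same-host,subdomain,cross-site} to same-host:
  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host images are strictly same-site");
  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host images are strictly same-site");
  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host images are strictly same-site");

  // Redirect from {same-host,subdomain,cross-site} to subdomain:
  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain images are strictly same-site");
  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain images are strictly same-site");
  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain images are strictly same-site");

  // Redirect from {same-host,subdomain,cross-site} to cross-site:
  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site images are cross-site");
  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site images are cross-site");
  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site images are cross-site");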
</script>