author Lily Chen <chlily@chromium.org>
Wed, 14 Aug 2019 10:57:18 +0000
changeset 488121 e0a7d47faddb3ae446a4e81d51b515fa2a3ae3e8
permissions -rw-r--r--
Bug 1568091 [wpt PR 17986] - Add cookie SameSite features to experimental web platform features, a=testonly Automatic update from web-platform-tests Add cookie SameSite features to experimental web platform features SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure, as well as CookieDeprecationMessages can now be turned on by running with command line flag --enable-experimental-web-platform-features. * SameSiteByDefaultCookies causes cookies that don't specify a SameSite attribute to be treated as Lax, and introduces SameSite=None to explicitly request cross-site use. * CookiesWithoutSameSiteMustBeSecure requires SameSite=None cookies to be Secure, otherwise they are rejected. * CookieDeprecationMessages shows console messages when cookies are not sent or saved due to either of the above SameSite features. The web tests and browser tests run with experimental web platform features enabled are also updated to reflect the new behavior, including running on https because of the CookiesWithoutSameSiteMustBeSecure restriction. This also adds SameSite=None test coverage to a couple places that didn't already have it. Bug: 953306, 954551, 961439 Change-Id: I50ea7a6fb73969acf9ba3088310d7d246bc11a05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1691522 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Rick Byers <rbyers@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Robert Ma <robertma@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Cr-Commit-Position: refs/heads/master@{#686029} -- wpt-commits: de517e33fddfc1ee979ae23ebb9ef954a766bcf2 wpt-pr: 17986

<!DOCTYPE html>
<meta charset="utf-8">
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
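  // Assert that every SameSite variant cookie written by setSameSite.py
  // ("samesite_strict", "samesite_lax", "samesite_none", "samesite_unspecified")
  // is present in |cookies| with the given |value|.
  //
  // |cookies|: a "name=value; name=value" cookie string as reported by the
  //            navigated-to document.
  // |value|:   the expected value of each cookie. It is matched literally:
  //            regex metacharacters in it (e.g. the "." of a Math.random()
  //            string) are escaped rather than acting as wildcards.
  //
  // Fails the current test (via assert_true) for the first cookie that is
  // missing or carries a different value.
  function assert_samesite_cookies_present(cookies, value) {
    const samesite_cookie_names = ["samesite_strict", "samesite_lax", "samesite_none", "samesite_unspecified"];
    // Escape regex metacharacters so that name and value match literally.
    const escape_re = (s) => String(s).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    const expected_value = escape_re(value);
    // `const` is required here: an undeclared `name` in a browser resolves to
    // window.name, so a bare `for (name of ...)` would overwrite it.
    for (const name of samesite_cookie_names) {
      const re = new RegExp("(?:^|; )" + escape_re(name) + "=" + expected_value + "(?:$|;)");
      assert_true(re.test(cookies), "`" + name + "=" + value + "` in cookies");
    }
  }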

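  // Navigate from ORIGIN to |origin_to|, expecting the navigation to set SameSite
  // cookies on |origin_to|.
  //
  // |method|:    "GET" for a plain navigation, anything else (the callers use
  //              "POST") for a form submission via the helper page.
  // |origin_to|: origin whose /cookies/resources/setSameSite.py sets the cookies
  //              and reports them back with a COOKIES_SET message.
  // |title|:     test name passed to promise_test.
  function navigate_test(method, origin_to, title) {
    promise_test(async function(t) {
      // The cookies don't need to be cleared on each run because |value| is
      // a new random value on each run, so on each run we are overwriting and
      // checking for a cookie with a different random value.
      const value = `${Math.random()}`;
      const url_from = `${SECURE_ORIGIN}/cookies/samesite/resources/navigate.html`;
      const url_to = `${origin_to}/cookies/resources/setSameSite.py?${value}`;
      const w = window.open(url_from);
      // A blocked popup yields null; fail here rather than on a later access.
      assert_not_equals(w, null, "window.open should return a window");
      // Close the helper window when this test finishes, pass or fail, so
      // each case doesn't leave a popup behind for the rest of the file.
      t.add_cleanup(() => w.close());
      await wait_for_message('READY', SECURE_ORIGIN);
      assert_equals(window.origin, SECURE_ORIGIN, "test page origin");
      assert_equals(w.origin, SECURE_ORIGIN, "helper window origin");
      const command = (method === "POST") ? "post-form" : "navigate";
      // The helper window was just verified to be SECURE_ORIGIN, so target it
      // explicitly instead of "*".
      w.postMessage({ type: command, url: url_to }, SECURE_ORIGIN);
      const message = await wait_for_message('COOKIES_SET', origin_to);
      assert_samesite_cookies_present(message.data.cookies, value);
    }, title);
  }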

  // Each case is [method, origin_to, title]; tests are registered in this order.
  const navigation_cases = [
    ["GET", SECURE_ORIGIN, "Same-site top-level navigation should be able to set SameSite=* cookies."],
    ["GET", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level navigation should be able to set SameSite=* cookies."],
    ["POST", SECURE_ORIGIN, "Same-site top-level POST should be able to set SameSite=* cookies."],
    ["POST", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level POST should be able to set SameSite=* cookies."],
  ];
  for (const [method, origin_to, title] of navigation_cases) {
    navigate_test(method, origin_to, title);
  }