Bug 1641459 - Do not expose sameSite=lax/strict cookies to cross-site documents - part 2 - tests, r=smaug,annevk
authorAndrea Marchesini <amarchesini@mozilla.com>
Fri, 29 May 2020 15:54:00 +0000
changeset 533010 44bcf1896d0f9e52daf26a3d60fa5b3e82867809
parent 533009 54961f7abe2cf945118d15db368dec26f48bb73e
child 533011 6af083ac4611717a193ef436d5dcbadd00ee1d97
push id37461
push userccoroiu@mozilla.com
push dateFri, 29 May 2020 21:46:31 +0000
treeherdermozilla-central@a58cc68b0c51 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssmaug, annevk
bugs1641459
milestone78.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1641459 - Do not expose sameSite=lax/strict cookies to cross-site documents - part 2 - tests, r=smaug,annevk Differential Revision: https://phabricator.services.mozilla.com/D77209
testing/web-platform/tests/cookies/resources/cookie-helper.sub.js
testing/web-platform/tests/cookies/samesite/fetch.https.html
testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html
testing/web-platform/tests/cookies/samesite/form-get-blank.https.html
testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html
testing/web-platform/tests/cookies/samesite/form-post-blank.https.html
testing/web-platform/tests/cookies/samesite/iframe-reload.https.html
testing/web-platform/tests/cookies/samesite/iframe.https.html
testing/web-platform/tests/cookies/samesite/window-open-reload.https.html
testing/web-platform/tests/cookies/samesite/window-open.https.html
--- a/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js
+++ b/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js
@@ -99,21 +99,27 @@ function set_prefixed_cookie_via_http_te
       .then(cookies => assert_equals(cookies[name], options.shouldExistViaHTTP ? value : undefined));
   }, options.title);
 }
 
 //
 // SameSite-specific test helpers:
 //
 
+// status for "network" cookies.
 window.SameSiteStatus = {
   CROSS_SITE: "cross-site",
   LAX: "lax",
   STRICT: "strict"
 };
+// status for "document.cookie".
+window.DomSameSiteStatus = {
+  CROSS_SITE: "cross-site",
+  SAME_SITE: "same-site",
+};
 
 const wait_for_message = (type, origin) => {
   return new Promise((resolve, reject) => {
     window.addEventListener('message', e => {
       if (origin && e.origin != origin) {
         reject("Message from unexpected origin in wait_for_message:" + e.origin);
         return;
       }
@@ -150,71 +156,99 @@ async function resetSameSiteCookies(orig
   } finally {
     w.close();
   }
 }
 
 // Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains the
 // proper set of cookie names and values, according to the legacy behavior where
 // unspecified SameSite attribute defaults to SameSite=None behavior.
-function verifySameSiteCookieStateLegacy(expectedStatus, expectedValue, cookies) {
+function verifySameSiteCookieStateLegacy(expectedStatus, expectedValue, cookies, domCookieStatus) {
     assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
     assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always sent.");
     if (expectedStatus == SameSiteStatus.CROSS_SITE) {
       assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
       assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not sent with cross-site requests.");
     } else if (expectedStatus == SameSiteStatus.LAX) {
       assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with lax requests.");
       assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with lax requests.");
     } else if (expectedStatus == SameSiteStatus.STRICT) {
       assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are sent with strict requests.");
       assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with strict requests.");
     }
 
     if (cookies["domcookies"]) {
-      verifyDocumentCookie(expectedStatus, expectedValue, cookies["domcookies"]);
+      verifyDocumentCookieLegacy(domCookieStatus, expectedValue, cookies["domcookies"]);
     }
 }
 
 // Same as above except this expects samesite_unspecified to act the same as
 // samesite_lax (which is the behavior expected when SameSiteByDefault is
 // enabled).
-function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expectedValue, cookies) {
+function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expectedValue, cookies, domCookieStatus) {
     assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
     if (expectedStatus == SameSiteStatus.CROSS_SITE) {
       assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
       assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not sent with cross-site requests.");
       assert_not_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are not sent with cross-site requests.");
     } else if (expectedStatus == SameSiteStatus.LAX) {
       assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with lax requests.");
       assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with lax requests.");
       assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are are sent with lax requests.")
     } else if (expectedStatus == SameSiteStatus.STRICT) {
       assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are sent with strict requests.");
       assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with strict requests.");
       assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are are sent with strict requests.")
     }
 
     if (cookies["domcookies"]) {
-      verifyDocumentCookie(expectedStatus, expectedValue, cookies["domcookies"]);
+      verifyDocumentCookieWithSameSiteByDefault(domCookieStatus, expectedValue, cookies["domcookies"]);
     }
 }
 
-function verifyDocumentCookie(expectedStatus, expectedValue, domcookies) {
+function verifyDocumentCookieLegacy(expectedStatus, expectedValue, domcookies) {
   const cookies = domcookies.split(";")
                             .map(cookie => cookie.trim().split("="))
                             .reduce((obj, cookie) => {
                               obj[cookie[0]] = cookie[1];
                               return obj;
                             }, {});
 
-  assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
-  assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
-  assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are always included in document.cookie.");
-  assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are always included in document.cookie.");
+  if (expectedStatus == DomSameSiteStatus.SAME_SITE) {
+    assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
+    assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
+    assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are always included in document.cookie.");
+    assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are always included in document.cookie.");
+  } else if (expectedStatus == DomSameSiteStatus.CROSS_SITE) {
+    assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
+    assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
+    assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not included in document.cookie when cross-site.");
+    assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not included in document.cookie when cross-site.");
+  }
+}
+
+function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue, domcookies) {
+  const cookies = domcookies.split(";")
+                            .map(cookie => cookie.trim().split("="))
+                            .reduce((obj, cookie) => {
+                              obj[cookie[0]] = cookie[1];
+                              return obj;
+                            }, {});
+
+  if (expectedStatus == DomSameSiteStatus.SAME_SITE) {
+    assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
+    assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
+    assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are always included in document.cookie.");
+    assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are always included in document.cookie.");
+  } else if (expectedStatus == DomSameSiteStatus.CROSS_SITE) {
+    assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
+    assert_not_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are not included in document.cookie when cross-site.");
+    assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not included in document.cookie when cross-site.");
+    assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not included in document.cookie when cross-site.");
+  }
 }
 
 function isLegacySameSite() {
   return location.search === "?legacy-samesite";
 }
 
 // Get the proper verifier based on the test's variant type.
 function getSameSiteVerifier() {
--- a/testing/web-platform/tests/cookies/samesite/fetch.https.html
+++ b/testing/web-platform/tests/cookies/samesite/fetch.https.html
@@ -10,17 +10,17 @@
   function create_test(origin, target, expectedStatus, title) {
     promise_test(t => {
       var value = "" + Math.random();
       return resetSameSiteCookies(origin, value)
         .then(_ => {
           return credFetch(target + "/cookies/resources/list.py")
 
             .then(r => r.json())
-            .then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies));
+            .then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE));
         });
     }, title);
   }
 
   // No redirect:
   create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host fetches are strictly same-site");
   create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain fetches are strictly same-site");
   create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site fetches are cross-site");
--- a/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html
+++ b/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html
@@ -25,17 +25,17 @@
               i.name = "location";
               i.value = url.searchParams.get("location");
               i.type = "hidden";
               f.appendChild(i);
             }
             var reloaded = false;
             var msgHandler = e => {
               try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
+                getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
               } catch (e) {
                 reject(e);
               }
 
               if (reloaded) {
                 window.removeEventListener("message", msgHandler);
                 e.source.close();
                 resolve("Popup received the cookie.");
--- a/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html
+++ b/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html
@@ -28,17 +28,17 @@
               i.value = url.searchParams.get("location");
               f.appendChild(i);
             }
 
             var msgHandler = e => {
               window.removeEventListener("message", msgHandler);
               e.source.close();
               try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
+                getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
                 resolve("Popup received the cookie.");
               } catch (e) {
                 reject(e);
               }
             };
             window.addEventListener("message", msgHandler);
             document.body.appendChild(f);
             f.submit();
--- a/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html
+++ b/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html
@@ -15,17 +15,17 @@
             var f = document.createElement('form');
             f.action = target + "/cookies/resources/postToParent.py";
             f.target = "_blank";
             f.method = "POST";
 
             var reloaded = false;
             var msgHandler = e => {
               try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
+                getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
               } catch (e) {
                 reject(e);
               }
 
               if (reloaded) {
                 window.removeEventListener("message", msgHandler);
                 e.source.close();
                 resolve("Popup received the cookie.");
--- a/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html
+++ b/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html
@@ -17,17 +17,17 @@
             f.action = target + "/cookies/resources/postToParent.py";
             f.target = "_blank";
             f.method = "POST";
 
             var msgHandler = e => {
               window.removeEventListener("message", msgHandler);
               e.source.close();
               try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
+                getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
                 resolve("Popup received the cookie.");
               } catch (e) {
                 reject(e);
               }
             };
             window.addEventListener("message", msgHandler);
             document.body.appendChild(f);
             f.submit();
--- a/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html
+++ b/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html
@@ -4,29 +4,29 @@
 <meta name="variant" content="">
 <meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
 <!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
 <body>
 <script>
-  function create_test(origin, target, expectedStatus, title) {
+  function create_test(origin, target, expectedStatus, expectedDomStatus, title) {
     promise_test(t => {
       var value = "" + Math.random();
       return resetSameSiteCookies(origin, value)
         .then(_ => {
           return new Promise((resolve, reject) => {
             var iframe = document.createElement("iframe");
             iframe.onerror = _ => reject("IFrame could not be loaded.");
 
             var reloaded = false;
             var msgHandler = e => {
               try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
+                getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
               } catch (e) {
                 reject(e);
               }
 
               if (reloaded) {
                 window.removeEventListener("message", msgHandler);
                 document.body.removeChild(iframe);
                 resolve("IFrame received the cookie.");
@@ -39,12 +39,12 @@
 
             iframe.src = target + "/cookies/resources/postToParent.py";
             document.body.appendChild(iframe);
           });
         });
     }, title);
   }
 
-  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host fetches are strictly same-site");
-  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain fetches are strictly same-site");
-  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Reloaded cross-site fetches are cross-site");
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Reloaded same-host fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Reloaded subdomain fetches are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, DomSameSiteStatus.CROSS_SITE, "Reloaded cross-site fetches are cross-site");
 </script>
--- a/testing/web-platform/tests/cookies/samesite/iframe.https.html
+++ b/testing/web-platform/tests/cookies/samesite/iframe.https.html
@@ -4,59 +4,59 @@
 <meta name="variant" content="">
 <meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
 <!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
 <body>
 <script>
-  function create_test(origin, target, expectedStatus, title) {
+  function create_test(origin, target, expectedStatus, expectedDomStatus, title) {
     promise_test(t => {
       var value = "" + Math.random();
       return resetSameSiteCookies(origin, value)
         .then(_ => {
           return new Promise((resolve, reject) => {
             var iframe = document.createElement("iframe");
             iframe.onerror = _ => reject("IFrame could not be loaded.");
 
             var msgHandler = e => {
               if (e.source == iframe.contentWindow) {
                 // Cleanup, then verify cookie state:
                 document.body.removeChild(iframe);
                 window.removeEventListener("message", msgHandler);
                 try {
-                  getSameSiteVerifier()(expectedStatus, value, e.data);
+                  getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
                   resolve();
                 } catch(e) {
                   reject(e);
                 }
               }
             };
             window.addEventListener("message", msgHandler);
 
             iframe.src = target + "/cookies/resources/postToParent.py";
             document.body.appendChild(iframe);
           });
         });
     }, title);
   }
 
   // No redirect:
-  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host fetches are strictly same-site");
-  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain fetches are strictly same-site");
-  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site fetches are cross-site");
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Same-host fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Subdomain fetches are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, DomSameSiteStatus.CROSS_SITE, "Cross-site fetches are cross-site");
 
   // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host fetches are strictly same-site");
-  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host fetches are strictly same-site");
-  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host fetches are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Same-host redirecting to same-host fetches are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Subdomain redirecting to same-host fetches are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Cross-site redirecting to same-host fetches are strictly same-site");
 
   // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain fetches are strictly same-site");
-  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain fetches are strictly same-site");
-  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Same-host redirecting to subdomain fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Subdomain redirecting to subdomain fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, DomSameSiteStatus.SAME_SITE, "Cross-site redirecting to subdomain fetches are strictly same-site");
 
   // Redirect from {same-host,subdomain,cross-site} to cross-site:
-  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site fetches are cross-site");
-  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site fetches are cross-site");
-  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site fetches are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, DomSameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site fetches are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, DomSameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site fetches are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, DomSameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site fetches are cross-site");
 </script>
--- a/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html
+++ b/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html
@@ -12,17 +12,17 @@
       return resetSameSiteCookies(origin, value)
         .then(_ => {
           return new Promise((resolve, reject) => {
             var w = window.open(origin + "/cookies/resources/postToParent.py");
 
             var reloaded = false;
             var msgHandler = e => {
               try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
+                getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
               } catch (e) {
                 reject(e);
               }
 
               if (reloaded) {
                 window.removeEventListener("message", msgHandler);
                 w.close();
                 resolve("Popup received the cookie.");
--- a/testing/web-platform/tests/cookies/samesite/window-open.https.html
+++ b/testing/web-platform/tests/cookies/samesite/window-open.https.html
@@ -14,17 +14,17 @@
         .then(_ => {
           return new Promise((resolve, reject) => {
             var w = window.open(origin + "/cookies/resources/postToParent.py");
 
             var msgHandler = e => {
               window.removeEventListener("message", msgHandler);
               w.close();
               try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
+                getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
                 resolve("Popup received the cookie.");
               } catch (e) {
                 reject(e);
               }
             };
             window.addEventListener("message", msgHandler);
 
             if (!w)