Bug 1568091 [wpt PR 17986] - Add cookie SameSite features to experimental web platform features, a=testonly
authorLily Chen <chlily@chromium.org>
Wed, 14 Aug 2019 10:57:18 +0000
changeset 488121 e0a7d47faddb3ae446a4e81d51b515fa2a3ae3e8
parent 488120 6dadd5a887df764d0842af4ca9866a54317d6bff
child 488122 a2a802a992a07a69658c5e3daeab5ccdb1d40069
push id36435
push usercbrindusan@mozilla.com
push dateThu, 15 Aug 2019 09:46:49 +0000
treeherdermozilla-central@0db07ff50ab5 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1568091, 17986, 953306, 954551, 961439, 1691522, 686029
milestone70.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1568091 [wpt PR 17986] - Add cookie SameSite features to experimental web platform features, a=testonly Automatic update from web-platform-tests Add cookie SameSite features to experimental web platform features SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure, as well as CookieDeprecationMessages can now be turned on by running with command line flag --enable-experimental-web-platform-features. * SameSiteByDefaultCookies causes cookies that don't specify a SameSite attribute to be treated as Lax, and introduces SameSite=None to explicitly request cross-site use. * CookiesWithoutSameSiteMustBeSecure requires SameSite=None cookies to be Secure, otherwise they are rejected. * CookieDeprecationMessages shows console messages when cookies are not sent or saved due to either of the above SameSite features. The web tests and browser tests run with experimental web platform features enabled are also updated to reflect the new behavior, including running on https because of the CookiesWithoutSameSiteMustBeSecure restriction. This also adds SameSite=None test coverage to a couple places that didn't already have it. Bug: 953306, 954551, 961439 Change-Id: I50ea7a6fb73969acf9ba3088310d7d246bc11a05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1691522 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Rick Byers <rbyers@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Robert Ma <robertma@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Cr-Commit-Position: refs/heads/master@{#686029} -- wpt-commits: de517e33fddfc1ee979ae23ebb9ef954a766bcf2 wpt-pr: 17986
testing/web-platform/tests/cookies/resources/cookie-helper.sub.js
testing/web-platform/tests/cookies/resources/setSameSite.py
testing/web-platform/tests/cookies/samesite/fetch.html
testing/web-platform/tests/cookies/samesite/fetch.https.html
testing/web-platform/tests/cookies/samesite/form-get-blank-reload.html
testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html
testing/web-platform/tests/cookies/samesite/form-get-blank.html
testing/web-platform/tests/cookies/samesite/form-get-blank.https.html
testing/web-platform/tests/cookies/samesite/form-post-blank-reload.html
testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html
testing/web-platform/tests/cookies/samesite/form-post-blank.html
testing/web-platform/tests/cookies/samesite/form-post-blank.https.html
testing/web-platform/tests/cookies/samesite/iframe-reload.html
testing/web-platform/tests/cookies/samesite/iframe-reload.https.html
testing/web-platform/tests/cookies/samesite/iframe.html
testing/web-platform/tests/cookies/samesite/iframe.https.html
testing/web-platform/tests/cookies/samesite/img.html
testing/web-platform/tests/cookies/samesite/img.https.html
testing/web-platform/tests/cookies/samesite/resources/navigate.html
testing/web-platform/tests/cookies/samesite/resources/puppet.html
testing/web-platform/tests/cookies/samesite/setcookie-lax.html
testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html
testing/web-platform/tests/cookies/samesite/setcookie-navigation.html
testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html
testing/web-platform/tests/cookies/samesite/window-open-reload.html
testing/web-platform/tests/cookies/samesite/window-open-reload.https.html
testing/web-platform/tests/cookies/samesite/window-open.html
testing/web-platform/tests/cookies/samesite/window-open.https.html
--- a/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js
+++ b/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js
@@ -1,27 +1,21 @@
 // Set up exciting global variables for cookie tests.
 (_ => {
   var HOST = "{{host}}";
   var SECURE_PORT = ":{{ports[https][0]}}";
-  var PORT = ":{{ports[http][0]}}";
   var CROSS_ORIGIN_HOST = "{{hosts[alt][]}}";
-  var SECURE_CROSS_ORIGIN_HOST = "{{hosts[alt][]}}";
 
   //For secure cookie verification
   window.SECURE_ORIGIN = "https://" + HOST + SECURE_PORT;
-  window.INSECURE_ORIGIN = "http://" + HOST + PORT;
 
   //standard references
-  window.ORIGIN = "http://" + HOST + PORT;
-  window.WWW_ORIGIN = "http://{{domains[www]}}" + PORT;
-  window.SUBDOMAIN_ORIGIN = "http://{{domains[www1]}}" + PORT;
-  window.CROSS_SITE_ORIGIN = "http://" + CROSS_ORIGIN_HOST + PORT;
-  window.SECURE_CROSS_SITE_ORIGIN = "https://" + SECURE_CROSS_ORIGIN_HOST + SECURE_PORT;
-  window.CROSS_SITE_HOST = SECURE_CROSS_ORIGIN_HOST;
+  window.SECURE_SUBDOMAIN_ORIGIN = "https://{{domains[www1]}}" + SECURE_PORT;
+  window.SECURE_CROSS_SITE_ORIGIN = "https://" + CROSS_ORIGIN_HOST + SECURE_PORT;
+  window.CROSS_SITE_HOST = CROSS_ORIGIN_HOST;
 
   // Set the global cookie name.
   window.HTTP_COOKIE = "cookie_via_http";
 })();
 
 // A tiny helper which returns the result of fetching |url| with credentials.
 function credFetch(url) {
   return fetch(url, {"credentials": "include"})
@@ -154,18 +148,19 @@ async function resetSameSiteCookies(orig
       assert_dom_cookie("samesite_unspecified", value, true);
     }
   } finally {
     w.close();
   }
 }
 
 // Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains the
-// proper set of cookie names and values.
-function verifySameSiteCookieState(expectedStatus, expectedValue, cookies) {
+// proper set of cookie names and values, according to the legacy behavior where
+// unspecified SameSite attribute defaults to SameSite=None behavior.
+function verifySameSiteCookieStateLegacy(expectedStatus, expectedValue, cookies) {
     assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
     assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always sent.");
     if (expectedStatus == SameSiteStatus.CROSS_SITE) {
       assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
       assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not sent with cross-site requests.");
     } else if (expectedStatus == SameSiteStatus.LAX) {
       assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with lax requests.");
       assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with lax requests.");
@@ -190,20 +185,24 @@ function verifySameSiteCookieStateWithSa
       assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are are sent with lax requests.")
     } else if (expectedStatus == SameSiteStatus.STRICT) {
       assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are sent with strict requests.");
       assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with strict requests.");
       assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are are sent with strict requests.")
     }
 }
 
+function isLegacySameSite() {
+  return location.search === "?legacy-samesite";
+}
+
 // Get the proper verifier based on the test's variant type.
 function getSameSiteVerifier() {
-  return (location.search && location.search === "?samesite-by-default-cookies.tentative") ?
-      verifySameSiteCookieStateWithSameSiteByDefault : verifySameSiteCookieState;
+  return isLegacySameSite() ?
+      verifySameSiteCookieStateLegacy : verifySameSiteCookieStateWithSameSiteByDefault;
 }
 
 //
 // LeaveSecureCookiesAlone-specific test helpers:
 //
 
 window.SecureStatus = {
   INSECURE_COOKIE_ONLY: "1",
--- a/testing/web-platform/tests/cookies/resources/setSameSite.py
+++ b/testing/web-platform/tests/cookies/resources/setSameSite.py
@@ -8,17 +8,18 @@ def main(request, response):
     4. `samesite_unspecified={value};path=/`
     Then navigate to a page that will post a message back to the opener with the set cookies"""
     headers = setNoCacheAndCORSHeaders(request, response)
     value = request.url_parts.query
 
     headers.append(("Content-Type", "text/html; charset=utf-8"))
     headers.append(makeCookieHeader("samesite_strict", value, {"SameSite":"Strict","path":"/"}))
     headers.append(makeCookieHeader("samesite_lax", value, {"SameSite":"Lax","path":"/"}))
-    headers.append(makeCookieHeader("samesite_none", value, {"SameSite":"None", "path":"/"}))
+    # SameSite=None cookies must be Secure.
+    headers.append(makeCookieHeader("samesite_none", value, {"SameSite":"None", "path":"/", "Secure": ""}))
     headers.append(makeCookieHeader("samesite_unspecified", value, {"path":"/"}))
 
     document = """
 <!DOCTYPE html>
 <script>
   // A same-site navigation, which should attach all cookies including SameSite ones.
   // This is necessary because this page may have been reached via a cross-site navigation, so
   // we might not have access to some SameSite cookies from here.
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/fetch.html
+++ /dev/null
@@ -1,42 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return credFetch(target + "/cookies/resources/list.py")
-
-            .then(r => r.json())
-            .then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies));
-        });
-    }, title);
-  }
-
-  // No redirect:
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Same-host fetches are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain fetches are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site fetches are cross-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(ORIGIN, redirectTo(ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host fetches are strictly same-site");
-  create_test(ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host fetches are strictly same-site");
-  create_test(ORIGIN, redirectTo(CROSS_SITE_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host fetches are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain fetches are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain fetches are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain fetches are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to cross-site:
-  create_test(CROSS_SITE_ORIGIN, redirectTo(ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site fetches are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site fetches are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site fetches are cross-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/fetch.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return credFetch(target + "/cookies/resources/list.py")
+
+            .then(r => r.json())
+            .then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies));
+        });
+    }, title);
+  }
+
+  // No redirect:
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain fetches are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site fetches are cross-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host fetches are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host fetches are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host fetches are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain fetches are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to cross-site:
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site fetches are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site fetches are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site fetches are cross-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.html
+++ /dev/null
@@ -1,59 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var f = document.createElement('form');
-            f.action = target + "/cookies/resources/postToParent.py";
-            f.target = "_blank";
-            f.method = "GET";
-
-            // If |target| contains a `redir` parameter, extract it, and add it
-            // to the form so it doesn't get dropped in the submission.
-            var url = new URL(f.action);
-            if (url.pathname = "/cookies/rfc6265/resources/redirectWithCORSHeaders.py") {
-              var i = document.createElement("input");
-              i.name = "location";
-              i.value = url.searchParams.get("location");
-              i.type = "hidden";
-              f.appendChild(i);
-            }
-            var reloaded = false;
-            var msgHandler = e => {
-              try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
-              } catch (e) {
-                reject(e);
-              }
-
-              if (reloaded) {
-                window.removeEventListener("message", msgHandler);
-                e.source.close();
-                resolve("Popup received the cookie.");
-              } else {
-                reloaded = true;
-                e.source.postMessage("reload", "*");
-              }
-            };
-            window.addEventListener("message", msgHandler);
-            document.body.appendChild(f);
-
-            f.submit();
-          });
-        });
-    }, title);
-  }
-
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host top-level form GETs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain top-level form GETs are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Reloaded cross-site top-level form GETs are laxly same-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var f = document.createElement('form');
+            f.action = target + "/cookies/resources/postToParent.py";
+            f.target = "_blank";
+            f.method = "GET";
+
+            // If |target| contains a `redir` parameter, extract it, and add it
+            // to the form so it doesn't get dropped in the submission.
+            var url = new URL(f.action);
+            if (url.pathname = "/cookies/rfc6265/resources/redirectWithCORSHeaders.py") {
+              var i = document.createElement("input");
+              i.name = "location";
+              i.value = url.searchParams.get("location");
+              i.type = "hidden";
+              f.appendChild(i);
+            }
+            var reloaded = false;
+            var msgHandler = e => {
+              try {
+                getSameSiteVerifier()(expectedStatus, value, e.data);
+              } catch (e) {
+                reject(e);
+              }
+
+              if (reloaded) {
+                window.removeEventListener("message", msgHandler);
+                e.source.close();
+                resolve("Popup received the cookie.");
+              } else {
+                reloaded = true;
+                e.source.postMessage("reload", "*");
+              }
+            };
+            window.addEventListener("message", msgHandler);
+            document.body.appendChild(f);
+
+            f.submit();
+          });
+        });
+    }, title);
+  }
+
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host top-level form GETs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain top-level form GETs are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Reloaded cross-site top-level form GETs are laxly same-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/form-get-blank.html
+++ /dev/null
@@ -1,69 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var f = document.createElement('form');
-            f.action = target + "/cookies/resources/postToParent.py";
-            f.target = "_blank";
-            f.method = "GET";
-
-            // If |target| contains a `redir` parameter, extract it, and add it
-            // to the form so it doesn't get dropped in the submission.
-            var url = new URL(f.action);
-            if (url.pathname == "/cookies/resources/redirectWithCORSHeaders.py") {
-              var i = document.createElement("input");
-              i.name = "location";
-              i.type="hidden";
-              i.value = url.searchParams.get("location");
-              f.appendChild(i);
-            }
-
-            var msgHandler = e => {
-              window.removeEventListener("message", msgHandler);
-              e.source.close();
-              try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
-                resolve("Popup received the cookie.");
-              } catch (e) {
-                reject(e);
-              }
-            };
-            window.addEventListener("message", msgHandler);
-            document.body.appendChild(f);
-            f.submit();
-          });
-        });
-    }, title);
-  }
-
-  // No redirect:
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Same-host top-level form GETs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain top-level form GETs are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Cross-site top-level form GETs are laxly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(ORIGIN, redirectTo(ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host top-level form GETs are strictly same-site");
-  create_test(ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host top-level form GETs are strictly same-site");
-  create_test(ORIGIN, redirectTo(CROSS_SITE_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host top-level form GETs are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain top-level form GETs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain top-level form GETs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain top-level form GETs are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to cross-site:
-  create_test(CROSS_SITE_ORIGIN, redirectTo(ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Same-host redirecting to cross-site top-level form GETs are laxly same-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Subdomain redirecting to cross-site top-level form GETs are laxly same-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Cross-site redirecting to cross-site top-level form GETs are laxly same-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var f = document.createElement('form');
+            f.action = target + "/cookies/resources/postToParent.py";
+            f.target = "_blank";
+            f.method = "GET";
+
+            // If |target| contains a `redir` parameter, extract it, and add it
+            // to the form so it doesn't get dropped in the submission.
+            var url = new URL(f.action);
+            if (url.pathname == "/cookies/resources/redirectWithCORSHeaders.py") {
+              var i = document.createElement("input");
+              i.name = "location";
+              i.type="hidden";
+              i.value = url.searchParams.get("location");
+              f.appendChild(i);
+            }
+
+            var msgHandler = e => {
+              window.removeEventListener("message", msgHandler);
+              e.source.close();
+              try {
+                getSameSiteVerifier()(expectedStatus, value, e.data);
+                resolve("Popup received the cookie.");
+              } catch (e) {
+                reject(e);
+              }
+            };
+            window.addEventListener("message", msgHandler);
+            document.body.appendChild(f);
+            f.submit();
+          });
+        });
+    }, title);
+  }
+
+  // No redirect:
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host top-level form GETs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain top-level form GETs are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Cross-site top-level form GETs are laxly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host top-level form GETs are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host top-level form GETs are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host top-level form GETs are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain top-level form GETs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain top-level form GETs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain top-level form GETs are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to cross-site:
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Same-host redirecting to cross-site top-level form GETs are laxly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Subdomain redirecting to cross-site top-level form GETs are laxly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Cross-site redirecting to cross-site top-level form GETs are laxly same-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.html
+++ /dev/null
@@ -1,49 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var f = document.createElement('form');
-            f.action = target + "/cookies/resources/postToParent.py";
-            f.target = "_blank";
-            f.method = "POST";
-
-            var reloaded = false;
-            var msgHandler = e => {
-              try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
-              } catch (e) {
-                reject(e);
-              }
-
-              if (reloaded) {
-                window.removeEventListener("message", msgHandler);
-                e.source.close();
-                resolve("Popup received the cookie.");
-              } else {
-                reloaded = true;
-                e.source.postMessage("reload", "*");
-              }
-            };
-            window.addEventListener("message", msgHandler);
-
-            document.body.appendChild(f);
-            f.submit();
-          });
-        });
-    }, title);
-  }
-
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host top-level form POSTs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain top-level form POSTs are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Reloaded cross-site top-level form POSTs are not same-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var f = document.createElement('form');
+            f.action = target + "/cookies/resources/postToParent.py";
+            f.target = "_blank";
+            f.method = "POST";
+
+            var reloaded = false;
+            var msgHandler = e => {
+              try {
+                getSameSiteVerifier()(expectedStatus, value, e.data);
+              } catch (e) {
+                reject(e);
+              }
+
+              if (reloaded) {
+                window.removeEventListener("message", msgHandler);
+                e.source.close();
+                resolve("Popup received the cookie.");
+              } else {
+                reloaded = true;
+                e.source.postMessage("reload", "*");
+              }
+            };
+            window.addEventListener("message", msgHandler);
+
+            document.body.appendChild(f);
+            f.submit();
+          });
+        });
+    }, title);
+  }
+
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host top-level form POSTs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain top-level form POSTs are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Reloaded cross-site top-level form POSTs are not same-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/form-post-blank.html
+++ /dev/null
@@ -1,58 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var f = document.createElement('form');
-            f.action = target + "/cookies/resources/postToParent.py";
-            f.target = "_blank";
-            f.method = "POST";
-
-            var msgHandler = e => {
-              window.removeEventListener("message", msgHandler);
-              e.source.close();
-              try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
-                resolve("Popup received the cookie.");
-              } catch (e) {
-                reject(e);
-              }
-            };
-            window.addEventListener("message", msgHandler);
-            document.body.appendChild(f);
-            f.submit();
-          });
-        });
-    }, title);
-  }
-
-  // No redirect:
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Same-host top-level form POSTs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain top-level form POSTs are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site top-level form POSTs are cross-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(ORIGIN, redirectTo(ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host top-level form POSTs are strictly same-site");
-  create_test(ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host top-level form POSTs are strictly same-site");
-  create_test(ORIGIN, redirectTo(CROSS_SITE_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host top-level form POSTs are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain top-level form POSTs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain top-level form POSTs are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain top-level form POSTs are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to cross-site:
-  create_test(CROSS_SITE_ORIGIN, redirectTo(ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site top-level form POSTs are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site top-level form POSTs are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site top-level form POSTs are cross-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var f = document.createElement('form');
+            f.action = target + "/cookies/resources/postToParent.py";
+            f.target = "_blank";
+            f.method = "POST";
+
+            var msgHandler = e => {
+              window.removeEventListener("message", msgHandler);
+              e.source.close();
+              try {
+                getSameSiteVerifier()(expectedStatus, value, e.data);
+                resolve("Popup received the cookie.");
+              } catch (e) {
+                reject(e);
+              }
+            };
+            window.addEventListener("message", msgHandler);
+            document.body.appendChild(f);
+            f.submit();
+          });
+        });
+    }, title);
+  }
+
+  // No redirect:
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host top-level form POSTs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain top-level form POSTs are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site top-level form POSTs are cross-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host top-level form POSTs are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host top-level form POSTs are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host top-level form POSTs are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain top-level form POSTs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain top-level form POSTs are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain top-level form POSTs are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to cross-site:
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site top-level form POSTs are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site top-level form POSTs are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site top-level form POSTs are cross-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/iframe-reload.html
+++ /dev/null
@@ -1,50 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
-<body>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var iframe = document.createElement("iframe");
-            iframe.onerror = _ => reject("IFrame could not be loaded.");
-
-            var reloaded = false;
-            var msgHandler = e => {
-              try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
-              } catch (e) {
-                reject(e);
-              }
-
-              if (reloaded) {
-                window.removeEventListener("message", msgHandler);
-                document.body.removeChild(iframe);
-                resolve("IFrame received the cookie.");
-              } else {
-                reloaded = true;
-                e.source.postMessage("reload", "*");
-              }
-            };
-            window.addEventListener("message", msgHandler);
-
-            iframe.src = target + "/cookies/resources/postToParent.py";
-            document.body.appendChild(iframe);
-          });
-        });
-    }, title);
-  }
-
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host fetches are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain fetches are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Reloaded cross-site fetches are cross-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
+<body>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var iframe = document.createElement("iframe");
+            iframe.onerror = _ => reject("IFrame could not be loaded.");
+
+            var reloaded = false;
+            var msgHandler = e => {
+              try {
+                getSameSiteVerifier()(expectedStatus, value, e.data);
+              } catch (e) {
+                reject(e);
+              }
+
+              if (reloaded) {
+                window.removeEventListener("message", msgHandler);
+                document.body.removeChild(iframe);
+                resolve("IFrame received the cookie.");
+              } else {
+                reloaded = true;
+                e.source.postMessage("reload", "*");
+              }
+            };
+            window.addEventListener("message", msgHandler);
+
+            iframe.src = target + "/cookies/resources/postToParent.py";
+            document.body.appendChild(iframe);
+          });
+        });
+    }, title);
+  }
+
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain fetches are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Reloaded cross-site fetches are cross-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/iframe.html
+++ /dev/null
@@ -1,62 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
-<body>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var iframe = document.createElement("iframe");
-            iframe.onerror = _ => reject("IFrame could not be loaded.");
-
-            var msgHandler = e => {
-              if (e.source == iframe.contentWindow) {
-                // Cleanup, then verify cookie state:
-                document.body.removeChild(iframe);
-                window.removeEventListener("message", msgHandler);
-                try {
-                  getSameSiteVerifier()(expectedStatus, value, e.data);
-                  resolve();
-                } catch(e) {
-                  reject(e);
-                }
-              }
-            };
-            window.addEventListener("message", msgHandler);
-
-            iframe.src = target + "/cookies/resources/postToParent.py";
-            document.body.appendChild(iframe);
-          });
-        });
-    }, title);
-  }
-
-  // No redirect:
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Same-host fetches are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain fetches are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site fetches are cross-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(ORIGIN, redirectTo(ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host fetches are strictly same-site");
-  create_test(ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host fetches are strictly same-site");
-  create_test(ORIGIN, redirectTo(CROSS_SITE_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host fetches are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain fetches are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain fetches are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain fetches are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to cross-site:
-  create_test(CROSS_SITE_ORIGIN, redirectTo(ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site fetches are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site fetches are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site fetches are cross-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/iframe.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
+<body>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var iframe = document.createElement("iframe");
+            iframe.onerror = _ => reject("IFrame could not be loaded.");
+
+            var msgHandler = e => {
+              if (e.source == iframe.contentWindow) {
+                // Cleanup, then verify cookie state:
+                document.body.removeChild(iframe);
+                window.removeEventListener("message", msgHandler);
+                try {
+                  getSameSiteVerifier()(expectedStatus, value, e.data);
+                  resolve();
+                } catch(e) {
+                  reject(e);
+                }
+              }
+            };
+            window.addEventListener("message", msgHandler);
+
+            iframe.src = target + "/cookies/resources/postToParent.py";
+            document.body.appendChild(iframe);
+          });
+        });
+    }, title);
+  }
+
+  // No redirect:
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain fetches are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site fetches are cross-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host fetches are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host fetches are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host fetches are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain fetches are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain fetches are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to cross-site:
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site fetches are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site fetches are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site fetches are cross-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/img.html
+++ /dev/null
@@ -1,81 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function assert_cookie_present(origin, name, value) {
-    return new Promise((resolve, reject) => {
-      var img = document.createElement("img");
-      img.onload = _ => resolve("'" + name + "=" + value + "' present on " + origin);
-      img.onerror = _ => reject("'" + name + "=" + value + "' not present on " + origin);
-
-      // We need to URL encode the destination path/query if we're redirecting:
-      if (origin.match(/\/redir/))
-        img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value);
-      else
-        img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
-    });
-  }
-
-  function assert_cookie_absent(origin, name, value) {
-    return new Promise((resolve, reject) => {
-      var img = document.createElement("img");
-      img.onload = _ => reject("'" + name + "=" + value + "' present on " + origin);
-      img.onerror = _ => resolve("'" + name + "=" + value + "' not present on " + origin);
-
-      // We need to URL encode the destination path/query if we're redirecting:
-      if (origin.match(/\/redir/))
-        img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value);
-      else
-        img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
-    });
-  }
-
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          var asserts = [assert_cookie_present(target, "samesite_none", value),
-                         expectedStatus == SameSiteStatus.STRICT ?
-                           assert_cookie_present(target, "samesite_strict", value) :
-                           assert_cookie_absent(target, "samesite_strict", value),
-                         expectedStatus == SameSiteStatus.CROSS_SITE ?
-                           assert_cookie_absent(target, "samesite_lax", value) :
-                           assert_cookie_present(target, "samesite_lax", value)];
-          if (location.search && location.search === "?samesite-by-default-cookies.tentative") {
-            asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
-                           assert_cookie_absent(target, "samesite_unspecified", value) :
-                           assert_cookie_present(target, "samesite_unspecified", value));
-          } else {
-            asserts.push(assert_cookie_present(target, "samesite_unspecified", value));
-          }
-          return Promise.all(asserts);
-        });
-    }, title);
-  }
-
-  // No redirect:
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Same-host images are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain images are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site images are cross-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(ORIGIN, redirectTo(ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host images are strictly same-site");
-  create_test(ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host images are strictly same-site");
-  create_test(ORIGIN, redirectTo(CROSS_SITE_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host images are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain images are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain images are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain images are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to cross-site:
-  create_test(CROSS_SITE_ORIGIN, redirectTo(ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site images are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site images are cross-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site images are cross-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/img.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function assert_cookie_present(origin, name, value) {
+    return new Promise((resolve, reject) => {
+      var img = document.createElement("img");
+      img.onload = _ => resolve("'" + name + "=" + value + "' present on " + origin);
+      img.onerror = _ => reject("'" + name + "=" + value + "' not present on " + origin);
+
+      // We need to URL encode the destination path/query if we're redirecting:
+      if (origin.match(/\/redir/))
+        img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value);
+      else
+        img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
+    });
+  }
+
+  function assert_cookie_absent(origin, name, value) {
+    return new Promise((resolve, reject) => {
+      var img = document.createElement("img");
+      img.onload = _ => reject("'" + name + "=" + value + "' present on " + origin);
+      img.onerror = _ => resolve("'" + name + "=" + value + "' not present on " + origin);
+
+      // We need to URL encode the destination path/query if we're redirecting:
+      if (origin.match(/\/redir/))
+        img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value);
+      else
+        img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
+    });
+  }
+
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          var asserts = [assert_cookie_present(target, "samesite_none", value),
+                         expectedStatus == SameSiteStatus.STRICT ?
+                           assert_cookie_present(target, "samesite_strict", value) :
+                           assert_cookie_absent(target, "samesite_strict", value),
+                         expectedStatus == SameSiteStatus.CROSS_SITE ?
+                           assert_cookie_absent(target, "samesite_lax", value) :
+                           assert_cookie_present(target, "samesite_lax", value)];
+          if (isLegacySameSite()) {
+            // Legacy behavior: unspecified SameSite acts like SameSite=None.
+            asserts.push(assert_cookie_present(target, "samesite_unspecified", value));
+          } else {
+            asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
+                           assert_cookie_absent(target, "samesite_unspecified", value) :
+                           assert_cookie_present(target, "samesite_unspecified", value));
+          }
+          return Promise.all(asserts);
+        });
+    }, title);
+  }
+
+  // No redirect:
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host images are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain images are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site images are cross-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host images are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host images are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host images are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain images are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain images are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain images are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to cross-site:
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site images are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site images are cross-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site images are cross-site");
+</script>
--- a/testing/web-platform/tests/cookies/samesite/resources/navigate.html
+++ b/testing/web-platform/tests/cookies/samesite/resources/navigate.html
@@ -2,17 +2,17 @@
 <meta charset="utf-8">
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
 <script>
   window.addEventListener('load', function() {
     window.opener.postMessage({ type: 'READY' }, '*');
   });
 
   window.addEventListener('message', function(e) {
-    if (ORIGIN !== window.location.origin)
+    if (SECURE_ORIGIN !== window.location.origin)
       return;
     if (window.location.origin !== e.origin)
       return;
 
     if (e.data.type === "navigate") {
       window.location = e.data.url;
     }
 
--- a/testing/web-platform/tests/cookies/samesite/resources/puppet.html
+++ b/testing/web-platform/tests/cookies/samesite/resources/puppet.html
@@ -1,15 +1,15 @@
 <!DOCTYPE html>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
 <script>
   // Helper to either set or clear some cookies on its own origin, or
-  // (potentially) cross-site on ORIGIN.
+  // (potentially) cross-site on SECURE_ORIGIN.
   window.onmessage = e => {
-    var originToUse = ORIGIN;
+    var originToUse = SECURE_ORIGIN;
     if (e.data.useOwnOrigin)
       originToUse = self.origin;
 
     if (e.data.type === "set") {
       credFetch(originToUse + "/cookies/resources/setSameSite.py?" + e.data.value)
         .then(_ => {
           e.source.postMessage({
             type: "set-complete",
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/setcookie-lax.html
+++ /dev/null
@@ -1,35 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  promise_test(async function(t) {
-    let w = window.open(ORIGIN + "/cookies/samesite/resources/puppet.html");
-    await wait_for_message("READY", ORIGIN);
-    let random = "" + Math.random();
-    w.postMessage({type: "set", value: random}, "*");
-    let e = await wait_for_message("set-complete", ORIGIN)
-    assert_dom_cookie("samesite_strict", e.data.value, true);
-    assert_dom_cookie("samesite_lax", e.data.value, true);
-    assert_dom_cookie("samesite_none", e.data.value, true);
-    assert_dom_cookie("samesite_unspecified", e.data.value, true);
-    w.close();
-  }, "Same-site window should be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
-
-  promise_test(async function(t) {
-    let w = window.open(CROSS_SITE_ORIGIN + "/cookies/samesite/resources/puppet.html");
-    await wait_for_message("READY", CROSS_SITE_ORIGIN);
-    let random = "" + Math.random();
-    w.postMessage({type: "set", value: random}, "*");
-    let e = await wait_for_message("set-complete", CROSS_SITE_ORIGIN);
-    assert_dom_cookie("samesite_strict", e.data.value, false);
-    assert_dom_cookie("samesite_lax", e.data.value, false);
-    assert_dom_cookie("samesite_none", e.data.value, true);
-    assert_dom_cookie("samesite_unspecified", e.data.value,
-      location.search !== "?samesite-by-default-cookies.tentative");
-    w.close();
-  }, "Cross-site window shouldn't be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  promise_test(async function(t) {
+    let w = window.open(SECURE_ORIGIN + "/cookies/samesite/resources/puppet.html");
+    await wait_for_message("READY", SECURE_ORIGIN);
+    let random = "" + Math.random();
+    w.postMessage({type: "set", value: random}, "*");
+    let e = await wait_for_message("set-complete", SECURE_ORIGIN)
+    assert_dom_cookie("samesite_strict", e.data.value, true);
+    assert_dom_cookie("samesite_lax", e.data.value, true);
+    assert_dom_cookie("samesite_none", e.data.value, true);
+    assert_dom_cookie("samesite_unspecified", e.data.value, true);
+    w.close();
+  }, "Same-site window should be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
+
+  promise_test(async function(t) {
+    let w = window.open(SECURE_CROSS_SITE_ORIGIN + "/cookies/samesite/resources/puppet.html");
+    await wait_for_message("READY", SECURE_CROSS_SITE_ORIGIN);
+    let random = "" + Math.random();
+    w.postMessage({type: "set", value: random}, "*");
+    let e = await wait_for_message("set-complete", SECURE_CROSS_SITE_ORIGIN);
+    assert_dom_cookie("samesite_strict", e.data.value, false);
+    assert_dom_cookie("samesite_lax", e.data.value, false);
+    assert_dom_cookie("samesite_none", e.data.value, true);
+    assert_dom_cookie("samesite_unspecified", e.data.value, isLegacySameSite());
+    w.close();
+  }, "Cross-site window shouldn't be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/setcookie-navigation.html
+++ /dev/null
@@ -1,44 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8">
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function assert_samesite_cookies_present(cookies, value) {
-    let samesite_cookie_names = ["samesite_strict", "samesite_lax", "samesite_none", "samesite_unspecified"];
-    for (name of samesite_cookie_names) {
-      let re = new RegExp("(?:^|; )" + name + "=" + value + "(?:$|;)");
-      assert_true(re.test(cookies), "`" + name + "=" + value + "` in cookies");
-    }
-  }
-
-  // Navigate from ORIGIN to |origin_to|, expecting the navigation to set SameSite
-  // cookies on |origin_to|.
-  function navigate_test(method, origin_to, title) {
-    promise_test(async function(t) {
-      // The cookies don't need to be cleared on each run because |value| is
-      // a new random value on each run, so on each run we are overwriting and
-      // checking for a cookie with a different random value.
-      let value = "" + Math.random();
-      let url_from = ORIGIN + "/cookies/samesite/resources/navigate.html";
-      let url_to = origin_to + "/cookies/resources/setSameSite.py?" + value;
-      var w = window.open(url_from);
-      await wait_for_message('READY', ORIGIN);
-      assert_equals(ORIGIN, window.origin);
-      assert_equals(ORIGIN, w.origin);
-      let command = (method === "POST") ? "post-form" : "navigate";
-      w.postMessage({ type: command, url: url_to }, "*");
-      let message = await wait_for_message('COOKIES_SET', origin_to);
-      assert_samesite_cookies_present(message.data.cookies, value);
-      w.close();
-    }, title);
-  }
-
-  navigate_test("GET", ORIGIN, "Same-site top-level navigation should be able to set SameSite=* cookies.");
-  navigate_test("GET", CROSS_SITE_ORIGIN, "Cross-site top-level navigation should be able to set SameSite=* cookies.");
-  navigate_test("POST", ORIGIN, "Same-site top-level POST should be able to set SameSite=* cookies.");
-  navigate_test("POST", CROSS_SITE_ORIGIN, "Cross-site top-level POST should be able to set SameSite=* cookies.");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function assert_samesite_cookies_present(cookies, value) {
+    let samesite_cookie_names = ["samesite_strict", "samesite_lax", "samesite_none", "samesite_unspecified"];
+    for (name of samesite_cookie_names) {
+      let re = new RegExp("(?:^|; )" + name + "=" + value + "(?:$|;)");
+      assert_true(re.test(cookies), "`" + name + "=" + value + "` in cookies");
+    }
+  }
+
+  // Navigate from ORIGIN to |origin_to|, expecting the navigation to set SameSite
+  // cookies on |origin_to|.
+  function navigate_test(method, origin_to, title) {
+    promise_test(async function(t) {
+      // The cookies don't need to be cleared on each run because |value| is
+      // a new random value on each run, so on each run we are overwriting and
+      // checking for a cookie with a different random value.
+      let value = "" + Math.random();
+      let url_from = SECURE_ORIGIN + "/cookies/samesite/resources/navigate.html";
+      let url_to = origin_to + "/cookies/resources/setSameSite.py?" + value;
+      var w = window.open(url_from);
+      await wait_for_message('READY', SECURE_ORIGIN);
+      assert_equals(SECURE_ORIGIN, window.origin);
+      assert_equals(SECURE_ORIGIN, w.origin);
+      let command = (method === "POST") ? "post-form" : "navigate";
+      w.postMessage({ type: command, url: url_to }, "*");
+      let message = await wait_for_message('COOKIES_SET', origin_to);
+      assert_samesite_cookies_present(message.data.cookies, value);
+      w.close();
+    }, title);
+  }
+
+  navigate_test("GET", SECURE_ORIGIN, "Same-site top-level navigation should be able to set SameSite=* cookies.");
+  navigate_test("GET", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level navigation should be able to set SameSite=* cookies.");
+  navigate_test("POST", SECURE_ORIGIN, "Same-site top-level POST should be able to set SameSite=* cookies.");
+  navigate_test("POST", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level POST should be able to set SameSite=* cookies.");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/window-open-reload.html
+++ /dev/null
@@ -1,46 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var w = window.open(origin + "/cookies/resources/postToParent.py");
-
-            var reloaded = false;
-            var msgHandler = e => {
-              try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
-              } catch (e) {
-                reject(e);
-              }
-
-              if (reloaded) {
-                window.removeEventListener("message", msgHandler);
-                w.close();
-                resolve("Popup received the cookie.");
-              } else {
-                reloaded = true;
-                w.postMessage("reload", "*");
-              }
-            };
-            window.addEventListener("message", msgHandler);
-
-            if (!w)
-              reject("Popup could not be opened (did you whitelist the test site in your popup blocker?).");
-          });
-        });
-    }, title);
-  }
-
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host auxiliary navigations are strictly same-site.");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain auxiliary navigations are strictly same-site.");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Reloaded cross-site auxiliary navigations are laxly same-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var w = window.open(origin + "/cookies/resources/postToParent.py");
+
+            var reloaded = false;
+            var msgHandler = e => {
+              try {
+                getSameSiteVerifier()(expectedStatus, value, e.data);
+              } catch (e) {
+                reject(e);
+              }
+
+              if (reloaded) {
+                window.removeEventListener("message", msgHandler);
+                w.close();
+                resolve("Popup received the cookie.");
+              } else {
+                reloaded = true;
+                w.postMessage("reload", "*");
+              }
+            };
+            window.addEventListener("message", msgHandler);
+
+            if (!w)
+              reject("Popup could not be opened (did you whitelist the test site in your popup blocker?).");
+          });
+        });
+    }, title);
+  }
+
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Reloaded same-host auxiliary navigations are strictly same-site.");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Reloaded subdomain auxiliary navigations are strictly same-site.");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Reloaded cross-site auxiliary navigations are laxly same-site");
+</script>
deleted file mode 100644
--- a/testing/web-platform/tests/cookies/samesite/window-open.html
+++ /dev/null
@@ -1,56 +0,0 @@
-<!DOCTYPE html>
-<meta charset="utf-8"/>
-<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?samesite-by-default-cookies.tentative">
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function create_test(origin, target, expectedStatus, title) {
-    promise_test(t => {
-      var value = "" + Math.random();
-      return resetSameSiteCookies(origin, value)
-        .then(_ => {
-          return new Promise((resolve, reject) => {
-            var w = window.open(origin + "/cookies/resources/postToParent.py");
-
-            var msgHandler = e => {
-              window.removeEventListener("message", msgHandler);
-              w.close();
-              try {
-                getSameSiteVerifier()(expectedStatus, value, e.data);
-                resolve("Popup received the cookie.");
-              } catch (e) {
-                reject(e);
-              }
-            };
-            window.addEventListener("message", msgHandler);
-
-            if (!w)
-              reject("Popup could not be opened (did you whitelist the test site in your popup blocker?).");
-          });
-        });
-    }, title);
-  }
-
-  // No redirect:
-  create_test(ORIGIN, ORIGIN, SameSiteStatus.STRICT, "Same-host auxiliary navigations are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain auxiliary navigations are strictly same-site");
-  create_test(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Cross-site auxiliary navigations are laxly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(ORIGIN, redirectTo(ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host auxiliary navigations are strictly same-site");
-  create_test(ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host auxiliary navigations are strictly same-site");
-  create_test(ORIGIN, redirectTo(CROSS_SITE_ORIGIN, ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host auxiliary navigations are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to same-host:
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain auxiliary navigations are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain auxiliary navigations are strictly same-site");
-  create_test(SUBDOMAIN_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain auxiliary navigations are strictly same-site");
-
-  // Redirect from {same-host,subdomain,cross-site} to cross-site:
-  create_test(CROSS_SITE_ORIGIN, redirectTo(ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Same-host redirecting to cross-site auxiliary navigations are laxly same-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(SUBDOMAIN_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Subdomain redirecting to cross-site auxiliary navigations are laxly same-site");
-  create_test(CROSS_SITE_ORIGIN, redirectTo(CROSS_SITE_ORIGIN, CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Cross-site redirecting to cross-site auxiliary navigations are laxly same-site");
-</script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/cookies/samesite/window-open.https.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<meta name="variant" content="?legacy-samesite">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function create_test(origin, target, expectedStatus, title) {
+    promise_test(t => {
+      var value = "" + Math.random();
+      return resetSameSiteCookies(origin, value)
+        .then(_ => {
+          return new Promise((resolve, reject) => {
+            var w = window.open(origin + "/cookies/resources/postToParent.py");
+
+            var msgHandler = e => {
+              window.removeEventListener("message", msgHandler);
+              w.close();
+              try {
+                getSameSiteVerifier()(expectedStatus, value, e.data);
+                resolve("Popup received the cookie.");
+              } catch (e) {
+                reject(e);
+              }
+            };
+            window.addEventListener("message", msgHandler);
+
+            if (!w)
+              reject("Popup could not be opened (did you whitelist the test site in your popup blocker?).");
+          });
+        });
+    }, title);
+  }
+
+  // No redirect:
+  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host auxiliary navigations are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain auxiliary navigations are strictly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Cross-site auxiliary navigations are laxly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host auxiliary navigations are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host auxiliary navigations are strictly same-site");
+  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to same-host auxiliary navigations are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to same-host:
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain auxiliary navigations are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain auxiliary navigations are strictly same-site");
+  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Cross-site redirecting to subdomain auxiliary navigations are strictly same-site");
+
+  // Redirect from {same-host,subdomain,cross-site} to cross-site:
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Same-host redirecting to cross-site auxiliary navigations are laxly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Subdomain redirecting to cross-site auxiliary navigations are laxly same-site");
+  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Cross-site redirecting to cross-site auxiliary navigations are laxly same-site");
+</script>