Add tentative WPT for Schemeful Same-Site

Adds new tests for Schemeful Same-Site along with a virtual test suite which enables the SchemefulSameSite feature. Because Schemeful Same-Site only modifies the definition of "same-site" it's adequate to test only a few cases that confirm the expected same-siteness rather than try to thoroughly test all possible `SameSite` situations. Bug: 1127348 Change-Id: I9b914dd425bfb8cda6fc1ddc9f3606940f0b9a1d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2412907 Commit-Queue: Steven Bingler <bingler@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#807923}

Add tentative WPT for Schemeful Same-Site
Adds new tests for Schemeful Same-Site along with a virtual test suite which enables the SchemefulSameSite feature. Because Schemeful Same-Site only modifies the definition of "same-site" it's adequate to test only a few cases that confirm the expected same-siteness rather than try to thoroughly test all possible `SameSite` situations. Bug: 1127348 Change-Id: I9b914dd425bfb8cda6fc1ddc9f3606940f0b9a1d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2412907 Commit-Queue: Steven Bingler <bingler@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#807923}
7b1caba7 · Steven Bingler · Commit Bot · f3882b5b · 7b1caba7 · 7b1caba7
Commit 7b1caba7 authored Sep 17, 2020 by Steven Bingler Committed by Commit Bot Sep 17, 2020
10 changed files
--- a/third_party/blink/web_tests/TestExpectations
+++ b/third_party/blink/web_tests/TestExpectations
@@ -4988,6 +4988,18 @@ crbug.com/1074441 external/wpt/cookies/samesite/iframe.https.html [ Skip ]
 crbug.com/1074441 virtual/legacy-samesite/external/wpt/cookies/samesite/iframe-reload.https.html?legacy-samesite [ Skip ]
 crbug.com/1074441 virtual/legacy-samesite/external/wpt/cookies/samesite/iframe.https.html?legacy-samesite [ Skip ]
+# Tentative Schemeful Same-Site tests shouldn't pass while the feature is disabled.
+crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html [ Failure ]
+crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html [ Failure ]
+crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-subresource.tentative.html [ Failure ]
+crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-navigation.tentative.html [ Failure ]
+# Mark the virtual versions as passing so that we're informed about regressions.
+crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html [ Pass ]
+crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html [ Pass ]
+crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-subresource.tentative.html [ Pass ]
+crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-navigation.tentative.html [ Pass ]
 # Sheriff failures 2017-11-15
 crbug.com/785179 [ Win7 Debug ] http/tests/devtools/console/console-viewport-stick-to-bottom.js [ Skip ]

--- a/third_party/blink/web_tests/VirtualTestSuites
+++ b/third_party/blink/web_tests/VirtualTestSuites
@@ -212,7 +212,8 @@
  },
  {
    "prefix": "schemeful-same-site",
-    "bases": ["http/tests/inspector-protocol/network/same-site-issue-warn-cookie-strict-subresource-context-downgrade.js",
+    "bases": ["external/wpt/cookies",
+              "http/tests/inspector-protocol/network/same-site-issue-warn-cookie-strict-subresource-context-downgrade.js",
              "http/tests/inspector-protocol/network/same-site-issue-warn-cookie-lax-subresource-context-downgrade.js",
              "http/tests/inspector-protocol/network/same-site-issue-warn-cookie-navigation-context-downgrade.js"],
    "args": ["--enable-features=SchemefulSameSite"]

--- a/third_party/blink/web_tests/external/wpt/cookies/resources/cookie-helper.sub.js
+++ b/third_party/blink/web_tests/external/wpt/cookies/resources/cookie-helper.sub.js
 // Set up exciting global variables for cookie tests.
 (_ => {
  var HOST = "{{host}}";
+  var INSECURE_PORT = ":{{ports[http][0]}}";
  var SECURE_PORT = ":{{ports[https][0]}}";
  var CROSS_ORIGIN_HOST = "{{hosts[alt][]}}";
+  window.INSECURE_ORIGIN = "http://" + HOST + INSECURE_PORT;
  //For secure cookie verification
  window.SECURE_ORIGIN = "https://" + HOST + SECURE_PORT;

--- a/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
+++ b/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+      window.location = INSECURE_ORIGIN + "/cookies/resources/postToParent.py";
+</script>
--- a/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/cookies/resources/cookie-helper.sub.js"></script>
+</head>
+<body onload="doTests()">
+  <iframe id="if">
+  </iframe>
+  <script>
+  function doTests() {
+    promise_test(async function(t) {
+      var value = "" + Math.random();
+      await resetSameSiteCookies(SECURE_ORIGIN, value);
+      var child = document.getElementById("if");
+      child.src = SECURE_ORIGIN + "/cookies/samesite/resources/iframe-subresource-report.html";
+      // the iframe nested inside if should post COOKIES to here.
+      var e = await wait_for_message("COOKIES");
+      // Cross-scheme iframes should be cross-site and thus the subresources
+      // shouldn't get Lax or Strict cookies.
+      assert_cookie(SECURE_ORIGIN, e.data, "samesite_lax", value, false);
+      assert_cookie(SECURE_ORIGIN, e.data, "samesite_strict", value, false);
+      assert_cookie(SECURE_ORIGIN, e.data, "samesite_none", value, true);
+    }, "SameSite cookies with intervening cross-scheme iframe and subresources");
+  }
+  </script>
+</body>
--- a/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-navigation.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-navigation.tentative.html
+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<meta name="variant" content="">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  function schemeful_navigation_test(target, expectedSameSiteStatus, title) {
+    promise_test(async function(t) {
+      let value = "" + Math.random();
+      document.cookie = `samesite_strict=${value}; sameSite=strict; path=/`;
+      document.cookie = `samesite_lax=${value}; sameSite=lax; path=/`;
+      let url = target + "/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html";
+      await new Promise((resolve, reject) => {
+          window.onmessage = t.step_func(e => {
+            if (e.source == window.open("", "testwindow" + value)) {
+              e.source.close();
+              const cookies = e.data;
+              assert_equals(cookies["samesite_lax"], value, "SameSite=lax cookies can be sent in both cases");
+              if (expectedSameSiteStatus === SameSiteStatus.STRICT) {
+                assert_equals(cookies["samesite_strict"], value, "SameSite=strict cookies can be sent to same-scheme navigations");
+              } else if (expectedSameSiteStatus === SameSiteStatus.LAX) {
+                assert_not_equals(cookies["samesite_strict"], value, "SameSite=strict cookies cannot be sent to cross-scheme navigations");
+              }
+              resolve();
+            }
+            else {reject();}
+          });
+          var w = window.open(url, "testwindow" + value);
+        });
+    },title);}
+  schemeful_navigation_test(INSECURE_ORIGIN, SameSiteStatus.STRICT, "Navigate same-scheme");
+  schemeful_navigation_test(SECURE_ORIGIN, SameSiteStatus.LAX, "Navigate cross-scheme");
+</script>
--- a/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-subresource.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-subresource.tentative.html
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
+<body>
+<script>
+  function create_test(target, expectedDomStatus, title) {
+    promise_test(async t => {
+      var cookieValue = "" + Math.random();
+      document.cookie = `dc_samesite_strict=${cookieValue}; sameSite=strict; path=/`;
+      document.cookie = `dc_samesite_lax=${cookieValue}; sameSite=lax; path=/`;
+      // SameSite=None requires `Secure` which complicates the test and we don't
+      // need it, so don't add it.
+      await new Promise((resolve, reject) => {
+        var iframe = document.createElement("iframe");
+        window.onmessage = t.step_func(e => {
+          if (e.source == iframe.contentWindow) {
+            // Cleanup, then verify cookie state:
+            document.body.removeChild(iframe);
+            const cookies = e.data;
+            if (expectedDomStatus === DomSameSiteStatus.SAME_SITE) {
+              assert_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies can be sent to same-scheme subresources");
+              assert_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies can be sent to same-scheme subresources");
+            } else if (expectedDomStatus === DomSameSiteStatus.CROSS_SITE) {
+              assert_not_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies cannot be sent to cross-scheme subresources");
+              assert_not_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies cannot be sent to cross-scheme subresources");
+            }
+            resolve();
+          }
+        });
+        iframe.src = target + "/cookies/resources/postToParent.py";
+        document.body.appendChild(iframe);
+      });
+    }, title);
+  }
+  // Test that cross-scheme subresources (iframes in this case) are cross-site.
+  create_test(INSECURE_ORIGIN, DomSameSiteStatus.SAME_SITE, "Same-scheme subresources can send lax/strict cookies");
+  create_test(SECURE_ORIGIN, DomSameSiteStatus.CROSS_SITE, "Cross-scheme subresources cannot sent lax/strict cookies");
+</script>
--- a/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html
+<!doctype html>
+<html>
+<head>
+  <meta charset=utf-8>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/cookies/resources/testharness-helpers.js"></script>
+</head>
+<body>
+<div id=log></div>
+<script>
+  async_test(function (t) {
+    document.cookie = `samesite_strict=1; sameSite=strict; path=/`;
+    document.cookie = `samesite_lax=1; sameSite=lax; path=/`;
+    var ws = new WebSocket("ws://{{host}}:{{ports[ws][0]}}/echo-cookie");
+    ws.onclose = t.step_func_done(function () {
+      assert_unreached("'close' should not fire before 'open'.");
+    });
+    ws.onmessage = t.step_func(function (e) {
+      ws.onclose = null;
+      ws.close();
+      // Same-scheme WebSockets should get both cookies
+      assert_regexp_match(e.data, /samesite_strict=1/);
+      assert_regexp_match(e.data, /samesite_lax=1/);
+      var ws2 = new WebSocket("wss://{{host}}:{{ports[wss][0]}}/echo-cookie");
+      ws2.onclose = t.step_func_done(function () {
+        assert_unreached("'close' should not fire before 'open'.");
+      });
+      ws2.onmessage = t.step_func_done(function (e2) {
+        ws2.onclose = null;
+        ws2.close();
+        // Cross-scheme WebSockets shouldn't get anything.
+        assert_regexp_match(e2.data, /(none)/, "Cross-scheme");
+      });
+    });
+  }, "Cross-scheme WebSockets are cross-site");
+</script>
+</body>
+</html>
--- a/third_party/blink/web_tests/virtual/schemeful-same-site/http/README.md
+++ b/third_party/blink/web_tests/virtual/schemeful-same-site/http/README.md
--- a/third_party/blink/web_tests/virtual/schemeful-same-site/external/wpt/cookies/README.txt
+++ b/third_party/blink/web_tests/virtual/schemeful-same-site/external/wpt/cookies/README.txt
+This suite runs inspector protocol networks tests with SchemefulSameSite enabled.