Commit 7b1caba7 authored by Steven Bingler's avatar Steven Bingler Committed by Commit Bot

Add tentative WPT for Schemeful Same-Site

Adds new tests for Schemeful Same-Site along with a virtual test suite
which enables the SchemefulSameSite feature.

Because Schemeful Same-Site only modifies the definition of "same-site"
it's adequate to test only a few cases that confirm the expected
same-siteness rather than try to thoroughly test all possible
`SameSite` situations.


Bug: 1127348
Change-Id: I9b914dd425bfb8cda6fc1ddc9f3606940f0b9a1d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2412907
Commit-Queue: Steven Bingler <bingler@chromium.org>
Reviewed-by: default avatarMike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#807923}
parent f3882b5b
......@@ -4988,6 +4988,18 @@ crbug.com/1074441 external/wpt/cookies/samesite/iframe.https.html [ Skip ]
crbug.com/1074441 virtual/legacy-samesite/external/wpt/cookies/samesite/iframe-reload.https.html?legacy-samesite [ Skip ]
crbug.com/1074441 virtual/legacy-samesite/external/wpt/cookies/samesite/iframe.https.html?legacy-samesite [ Skip ]
# Tentative Schemeful Same-Site tests shouldn't pass while the feature is disabled.
crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html [ Failure ]
crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html [ Failure ]
crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-subresource.tentative.html [ Failure ]
crbug.com/1127348 external/wpt/cookies/schemeful-same-site/schemeful-navigation.tentative.html [ Failure ]
# Mark the virtual versions as passing so that we're informed about regressions.
crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-websockets.sub.tentative.html [ Pass ]
crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-iframe-subresource.tentative.html [ Pass ]
crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-subresource.tentative.html [ Pass ]
crbug.com/1127348 virtual/schemeful-same-site/external/wpt/cookies/schemeful-same-site/schemeful-navigation.tentative.html [ Pass ]
# Sheriff failures 2017-11-15
crbug.com/785179 [ Win7 Debug ] http/tests/devtools/console/console-viewport-stick-to-bottom.js [ Skip ]
......
......@@ -212,7 +212,8 @@
},
{
"prefix": "schemeful-same-site",
"bases": ["http/tests/inspector-protocol/network/same-site-issue-warn-cookie-strict-subresource-context-downgrade.js",
"bases": ["external/wpt/cookies",
"http/tests/inspector-protocol/network/same-site-issue-warn-cookie-strict-subresource-context-downgrade.js",
"http/tests/inspector-protocol/network/same-site-issue-warn-cookie-lax-subresource-context-downgrade.js",
"http/tests/inspector-protocol/network/same-site-issue-warn-cookie-navigation-context-downgrade.js"],
"args": ["--enable-features=SchemefulSameSite"]
......
// Set up exciting global variables for cookie tests.
(_ => {
var HOST = "{{host}}";
var INSECURE_PORT = ":{{ports[http][0]}}";
var SECURE_PORT = ":{{ports[https][0]}}";
var CROSS_ORIGIN_HOST = "{{hosts[alt][]}}";
window.INSECURE_ORIGIN = "http://" + HOST + INSECURE_PORT;
//For secure cookie verification
window.SECURE_ORIGIN = "https://" + HOST + SECURE_PORT;
......
<!DOCTYPE html>
<meta charset="utf-8">
<script src="/cookies/resources/cookie-helper.sub.js"></script>
<script>
window.location = INSECURE_ORIGIN + "/cookies/resources/postToParent.py";
</script>
<!DOCTYPE html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
</head>
<body onload="doTests()">
<iframe id="if">
</iframe>
<script>
function doTests() {
promise_test(async function(t) {
var value = "" + Math.random();
await resetSameSiteCookies(SECURE_ORIGIN, value);
var child = document.getElementById("if");
child.src = SECURE_ORIGIN + "/cookies/samesite/resources/iframe-subresource-report.html";
// the iframe nested inside if should post COOKIES to here.
var e = await wait_for_message("COOKIES");
// Cross-scheme iframes should be cross-site and thus the subresources
// shouldn't get Lax or Strict cookies.
assert_cookie(SECURE_ORIGIN, e.data, "samesite_lax", value, false);
assert_cookie(SECURE_ORIGIN, e.data, "samesite_strict", value, false);
assert_cookie(SECURE_ORIGIN, e.data, "samesite_none", value, true);
}, "SameSite cookies with intervening cross-scheme iframe and subresources");
}
</script>
</body>
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="timeout" content="long">
<meta name="variant" content="">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
<script>
function schemeful_navigation_test(target, expectedSameSiteStatus, title) {
promise_test(async function(t) {
let value = "" + Math.random();
document.cookie = `samesite_strict=${value}; sameSite=strict; path=/`;
document.cookie = `samesite_lax=${value}; sameSite=lax; path=/`;
let url = target + "/cookies/schemeful-same-site/resources/navigateToInsecurePostToParent.html";
await new Promise((resolve, reject) => {
window.onmessage = t.step_func(e => {
if (e.source == window.open("", "testwindow" + value)) {
e.source.close();
const cookies = e.data;
assert_equals(cookies["samesite_lax"], value, "SameSite=lax cookies can be sent in both cases");
if (expectedSameSiteStatus === SameSiteStatus.STRICT) {
assert_equals(cookies["samesite_strict"], value, "SameSite=strict cookies can be sent to same-scheme navigations");
} else if (expectedSameSiteStatus === SameSiteStatus.LAX) {
assert_not_equals(cookies["samesite_strict"], value, "SameSite=strict cookies cannot be sent to cross-scheme navigations");
}
resolve();
}
else {reject();}
});
var w = window.open(url, "testwindow" + value);
});
},title);}
schemeful_navigation_test(INSECURE_ORIGIN, SameSiteStatus.STRICT, "Navigate same-scheme");
schemeful_navigation_test(SECURE_ORIGIN, SameSiteStatus.LAX, "Navigate cross-scheme");
</script>
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
<!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
<body>
<script>
function create_test(target, expectedDomStatus, title) {
promise_test(async t => {
var cookieValue = "" + Math.random();
document.cookie = `dc_samesite_strict=${cookieValue}; sameSite=strict; path=/`;
document.cookie = `dc_samesite_lax=${cookieValue}; sameSite=lax; path=/`;
// SameSite=None requires `Secure` which complicates the test and we don't
// need it, so don't add it.
await new Promise((resolve, reject) => {
var iframe = document.createElement("iframe");
window.onmessage = t.step_func(e => {
if (e.source == iframe.contentWindow) {
// Cleanup, then verify cookie state:
document.body.removeChild(iframe);
const cookies = e.data;
if (expectedDomStatus === DomSameSiteStatus.SAME_SITE) {
assert_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies can be sent to same-scheme subresources");
assert_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies can be sent to same-scheme subresources");
} else if (expectedDomStatus === DomSameSiteStatus.CROSS_SITE) {
assert_not_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies cannot be sent to cross-scheme subresources");
assert_not_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies cannot be sent to cross-scheme subresources");
}
resolve();
}
});
iframe.src = target + "/cookies/resources/postToParent.py";
document.body.appendChild(iframe);
});
}, title);
}
// Test that cross-scheme subresources (iframes in this case) are cross-site.
create_test(INSECURE_ORIGIN, DomSameSiteStatus.SAME_SITE, "Same-scheme subresources can send lax/strict cookies");
create_test(SECURE_ORIGIN, DomSameSiteStatus.CROSS_SITE, "Cross-scheme subresources cannot sent lax/strict cookies");
</script>
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/testharness-helpers.js"></script>
</head>
<body>
<div id=log></div>
<script>
async_test(function (t) {
document.cookie = `samesite_strict=1; sameSite=strict; path=/`;
document.cookie = `samesite_lax=1; sameSite=lax; path=/`;
var ws = new WebSocket("ws://{{host}}:{{ports[ws][0]}}/echo-cookie");
ws.onclose = t.step_func_done(function () {
assert_unreached("'close' should not fire before 'open'.");
});
ws.onmessage = t.step_func(function (e) {
ws.onclose = null;
ws.close();
// Same-scheme WebSockets should get both cookies
assert_regexp_match(e.data, /samesite_strict=1/);
assert_regexp_match(e.data, /samesite_lax=1/);
var ws2 = new WebSocket("wss://{{host}}:{{ports[wss][0]}}/echo-cookie");
ws2.onclose = t.step_func_done(function () {
assert_unreached("'close' should not fire before 'open'.");
});
ws2.onmessage = t.step_func_done(function (e2) {
ws2.onclose = null;
ws2.close();
// Cross-scheme WebSockets shouldn't get anything.
assert_regexp_match(e2.data, /(none)/, "Cross-scheme");
});
});
}, "Cross-scheme WebSockets are cross-site");
</script>
</body>
</html>
This suite runs inspector protocol networks tests with SchemefulSameSite enabled.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment