Add tentative WPT for CookiesWithoutSameSiteMustBeSecure

This change adds a virtual test suite which enables
CookiesWithoutSameSiteMustBeSecure and adds a new tentative test to
test that (with the feature enabled) cookies with SameSite=None must
have the Secure attribute, and will be rejected otherwise.

Bug: 961439
Change-Id: Icd99b6fc9ef38f72b648fb81f3fd0aa241e75a28
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1612052
Commit-Queue: Lily Chen <chlily@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#662818}

third_party/blink/web_tests/TestExpectations

@@ -4597,6 +4597,10 @@ crbug.com/961439 virtual/samesite-by-default-cookies/external/wpt/cookies/samesi
 crbug.com/961439 virtual/samesite-by-default-cookies/external/wpt/cookies/samesite/window-open-reload.html [ Skip ]
 crbug.com/961439 virtual/samesite-by-default-cookies/external/wpt/cookies/samesite/window-open.html [ Skip ]
 
+# CookiesWithoutSameSiteMustBeSecure tests do not pass when that feature is not enabled.
+crbug.com/961439 external/wpt/cookies/samesite-none-secure/ [ Failure ]
+crbug.com/961439 virtual/samesite-by-default-cookies/external/wpt/cookies/samesite-none-secure/ [ Failure ]
+
 # Client hint tests that fail in content_shell but pass when run manually using
 # full browser.
 crbug.com/856700 external/wpt/client-hints/accept_ch_lifetime_same_origin_iframe.tentative.https.html [ Skip ]

third_party/blink/web_tests/VirtualTestSuites

@@ -976,5 +976,10 @@
     "prefix": "samesite-by-default-cookies",
     "base": "external/wpt/cookies",
     "args": ["--enable-features=SameSiteByDefaultCookies"]
+  },
+  {
+    "prefix": "cookies-without-samesite-must-be-secure",
+    "base": "external/wpt/cookies/samesite-none-secure",
+    "args": ["--enable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure"]
   }
 ]

third_party/blink/web_tests/external/wpt/cookies/resources/cookie-helper.sub.js

@@ -225,6 +225,22 @@ return credFetch(origin + "/cookies/resources/dropSecure.py")
  })
 }
 
+// Reset SameSite=None test cookies on |origin|. If |origin| matches
+// `self.origin`, assert (via `document.cookie`) that they were properly
+// removed.
+function resetSameSiteNoneCookies(origin, value) {
+  return credFetch(origin + "/cookies/resources/dropSameSiteNone.py")
+    .then(_ => {
+      if (origin == self.origin) {
+        assert_dom_cookie("samesite_none_insecure", value, false);
+        assert_dom_cookie("samesite_none_secure", value, false);
+      }
+    })
+    .then(_ => {
+      return credFetch(origin + "/cookies/resources/setSameSiteNone.py?" + value);
+    })
+}
+
 //
 // DOM based cookie manipulation APIs
 //

third_party/blink/web_tests/external/wpt/cookies/resources/dropSameSiteNone.py

+from helpers import makeDropCookie, setNoCacheAndCORSHeaders
+
+def main(request, response):
+    """Respond to `/cookies/resources/dropSameSiteNone.py by dropping the
+    two cookies set by setSameSiteNone.py"""
+    headers = setNoCacheAndCORSHeaders(request, response)
+
+    # Expire the cookies, and return a JSON-encoded success code.
+    headers.append(makeDropCookie("samesite_none_insecure", False))
+    headers.append(makeDropCookie("samesite_none_secure", True))
+    return headers, '{"success": true}'

third_party/blink/web_tests/external/wpt/cookies/resources/setSameSiteNone.py

+from helpers import makeCookieHeader, setNoCacheAndCORSHeaders
+
+def main(request, response):
+    """Respond to `/cookies/resources/setSameSiteNone.py?{value}` by setting two cookies:
+    1. `samesite_none_insecure={value};SameSite=None;path=/`
+    2. `samesite_none_secure={value};SameSite=None;Secure;path=/`
+    """
+    headers = setNoCacheAndCORSHeaders(request, response)
+    value = request.url_parts.query
+
+    headers.append(makeCookieHeader("samesite_none_insecure", value, {"SameSite":"None", "path":"/"}))
+    headers.append(makeCookieHeader("samesite_none_secure", value, {"SameSite":"None", "Secure":"", "path":"/"}))
+
+    return headers, '{"success": true}'

third_party/blink/web_tests/external/wpt/cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.tentative.html

+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+promise_test(t => {
+  var value = "" + Math.random();
+  return resetSameSiteNoneCookies(SECURE_ORIGIN, value)
+    .then(_ => {
+      return credFetch(SECURE_ORIGIN + "/cookies/resources/list.py")
+        .then(r => r.json())
+        .then(cookies => {
+          assert_not_equals(cookies["samesite_none_insecure"], value, "Non-Secure SameSite=None cookie is rejected.");
+          assert_equals(cookies["samesite_none_secure"], value, "Secure SameSite=None cookie is set.");
+        })
+    });
+}, "SameSite=None cookies are rejected unless the Secure attribute is set.");
+</script>

third_party/blink/web_tests/virtual/cookies-without-samesite-must-be-secure/README.md

+This test suite is for testing the CookiesWithoutSameSiteMustBeSecure feature,
+which requires that cookies with SameSite=None also specify Secure, and rejects
+any SameSite=None cookies that are not secure.

third_party/blink/web_tests/virtual/cookies-without-samesite-must-be-secure/external/wpt/cookies/samesite-none-secure/README.txt

+This test suite is for testing the CookiesWithoutSameSiteMustBeSecure feature,
+which requires that cookies with SameSite=None also specify Secure, and rejects
+any SameSite=None cookies that are not secure.