Chromium Code Reviews Chromium Code Reviews
Issue 1487343002:
Set credentials mode "same-origin" when crossOrigin=anonymous is set. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html |
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html b/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..33ca877c47ce9cdbe72591e33763310df4438d66 |
| --- /dev/null |
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html |
| @@ -0,0 +1,81 @@ |
| +<!DOCTYPE html> |
| +<title>Check request cookies for image resources with crossOrigin.</title> |
| +<script src="../resources/testharness.js"></script> |
| +<script src="../resources/testharnessreport.js"></script> |
| +<script src="../resources/get-host-info.js?pipe=sub"></script> |
| +<script> |
| +if (window.testRunner) |
| + testRunner.setAlwaysAcceptCookies(true); |
| + |
| + |
| +function load_image(url, cross_origin) { |
| + return new Promise(function(resolve, reject) { |
| + var img = document.createElement('img'); |
| + document.body.appendChild(img); |
| + img.onload = resolve; |
| + img.onerror = reject; |
| + if (cross_origin != '') { |
| + img.crossOrigin = cross_origin; |
| + } |
| + img.src = url; |
| + }); |
| +} |
| + |
| +function assert_resolves(promise, description) { |
| + return promise.catch(function(reason) { |
| + throw description + ' - ' + reason; |
| + }); |
| +} |
| + |
| +promise_test(function(t) { |
| + document.cookie="TestCookie=same"; |
|
tyoshino (SeeGerritForStatus)
2015/12/08 11:30:31
put spaces around the first =
horo
2015/12/09 02:29:34
Done.
|
| + var host_info = get_host_info(); |
| + var RESOURCES_PATH = host_info['HTTP_ORIGIN'] + '/security/resources/'; |
| + var REMOTE_RESOURCES_PATH = host_info['HTTP_REMOTE_ORIGIN'] + |
| + '/security/resources/'; |
| + |
| + return fetch(new Request(REMOTE_RESOURCES_PATH + '/set-cookie.php?' + |
|
tyoshino (SeeGerritForStatus)
2015/12/08 11:30:31
redundant /
horo
2015/12/09 02:29:34
Done.
|
| + 'name=TestCookie&value=cross', |
| + {mode: 'no-cors', credentials: 'include'})) |
| + .then(function() { |
| + return Promise.all([ |
| + assert_resolves( |
| + load_image( |
| + RESOURCES_PATH + 'abe-cookie-check.php?Cookie=same', ''), |
| + 'Same-origin request for a resource which CORS setting is ' + |
| + 'NoCORS must contain cookies.'), |
|
tyoshino (SeeGerritForStatus)
2015/12/08 11:30:31
which -> for which
or
which -> whose
or
which
horo
2015/12/09 02:29:34
Done.
|
| + assert_resolves( |
| + load_image( |
| + RESOURCES_PATH + 'abe-cookie-check.php?Cookie=same', |
| + 'anonymous'), |
| + 'Same-origin request for a resource which CORS setting is ' + |
| + 'Anonymous must contain cookies.'), |
| + assert_resolves( |
| + load_image( |
| + RESOURCES_PATH + 'abe-cookie-check.php?Cookie=same', |
| + 'use-credentials'), |
| + 'Same-origin request for a resource which CORS setting is ' + |
| + 'UseCredentials must contain cookies.'), |
| + assert_resolves( |
| + load_image( |
| + REMOTE_RESOURCES_PATH + 'abe-cookie-check.php?Cookie=cross', |
| + ''), |
| + 'Cross-origin request for a resource which CORS setting is ' + |
| + 'NoCORS must contain cookies.'), |
| + assert_resolves( |
| + load_image( |
| + REMOTE_RESOURCES_PATH + 'abe-allow-star.php?Cookie=NotSet', |
| + 'anonymous'), |
| + 'Cross-origin request for a resource which CORS setting is ' + |
| + 'Anonymous must not contain cookies.'), |
| + assert_resolves( |
| + load_image( |
| + REMOTE_RESOURCES_PATH + 'abe-allow-credentials.php?' + |
| + 'Cookie=cross', |
| + 'use-credentials'), |
| + 'Cross-origin request for a resource which CORS setting is ' + |
| + 'UseCredentials must contain cookies.'), |
| + ]);} |
| + ); |
| + }, 'Check request cookies for image resources with crossOrigin.'); |
| +</script> |
