OLD | NEW |
(Empty) | |
| 1 <!doctype html> |
| 2 <script src="/resources/testharness.js"></script> |
| 3 <script src="/resources/testharnessreport.js"></script> |
| 4 <script src="/cookies/resources/testharness-helpers.js"></script> |
| 5 <script> |
| 6 // Set cookies on ORIGINAL_HOST, then move ourselves to TEST_ROOT so |
| 7 // we can verify registrable domain and cross-origin behavior. |
| 8 if (window.location.hostname == ORIGINAL_HOST) { |
| 9 clearKnownCookies(); |
| 10 document.cookie = STRICT_DOM + "=1; SameSite=Strict; Max-Age=100; path=/"; |
| 11 document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/"; |
| 12 document.cookie = NORMAL_DOM + "=1; Max-Age=100; path=/"; |
| 13 console.log(document.cookie); |
| 14 window.location.hostname = TEST_HOST; |
| 15 } else { |
| 16 test(t => { |
| 17 clearKnownCookies(); |
| 18 assert_equals(document.cookie, ""); |
| 19 |
| 20 document.cookie = STRICT_DOM + "=1; SameSite=Strict; domain=" + TEST_HOS
T + "; path=/"; |
| 21 document.cookie = LAX_DOM + "=1; SameSite=Lax; domain=" + TEST_HOST + ";
path=/"; |
| 22 document.cookie = NORMAL_DOM + "=1; domain=" + TEST_HOST + "; path=/"; |
| 23 assert_equals(document.cookie, STRICT_DOM + "=1; " + LAX_DOM + "=1; " +
NORMAL_DOM + "=1"); |
| 24 }, "Cookies can be set from DOM."); |
| 25 |
| 26 promise_test(_ => { |
| 27 return fetch("/cookies/resources/echo-json.php", {"credentials": "includ
e"}) |
| 28 .then(r => r.json()) |
| 29 .then(j => { |
| 30 assert_equals(j[STRICT_DOM], "1", "strict"); |
| 31 assert_equals(j[LAX_DOM], "1", "lax"); |
| 32 assert_equals(j[NORMAL_DOM], "1", "normal"); |
| 33 }); |
| 34 }, "SameSite set from DOM are sent via HTTP."); |
| 35 |
| 36 promise_test(_ => { |
| 37 return fetch("https://" + TEST_HOST + ":8443/cookies/resources/echo-json
.php", {"credentials": "include"}) |
| 38 .then(r => r.json()) |
| 39 .then(j => { |
| 40 assert_equals(j[STRICT_DOM], "1", "strict"); |
| 41 assert_equals(j[LAX_DOM], "1", "lax"); |
| 42 assert_equals(j[NORMAL_DOM], "1", "normal"); |
| 43 }); |
| 44 }, "HTTPS is same-site with HTTP."); |
| 45 |
| 46 promise_test(_ => { |
| 47 return fetch("http://subdomain." + TEST_HOST + ":8000/cookies/resources/
echo-json.php", {"credentials": "include"}) |
| 48 .then(r => r.json()) |
| 49 .then(j => { |
| 50 assert_equals(j[STRICT_DOM], "1", "strict"); |
| 51 assert_equals(j[LAX_DOM], "1", "lax"); |
| 52 assert_equals(j[NORMAL_DOM], "1", "normal"); |
| 53 }); |
| 54 }, "Subdomains are same-site."); |
| 55 |
| 56 promise_test(_ => { |
| 57 return fetch("http://" + TEST_ROOT + ":8000/cookies/resources/echo-json.
php", {"credentials": "include"}) |
| 58 .then(r => r.json()) |
| 59 .then(j => { |
| 60 assert_equals(j[STRICT_DOM], undefined, "strict"); |
| 61 assert_equals(j[LAX_DOM], undefined, "lax"); |
| 62 assert_equals(j[NORMAL_DOM], undefined, "normal"); |
| 63 }); |
| 64 }, "`" + TEST_ROOT + "` is 'same-site' but the cookies don't match it: 'same
site' doesn't override matching rules."); |
| 65 |
| 66 promise_test(_ => { |
| 67 return fetch("http://" + ORIGINAL_HOST + ":8000/cookies/resources/echo-j
son.php", {"credentials": "include"}) |
| 68 .then(r => r.json()) |
| 69 .then(j => { |
| 70 assert_equals(j[STRICT_DOM], undefined, "strict"); |
| 71 assert_equals(j[LAX_DOM], undefined, "lax"); |
| 72 assert_equals(j[NORMAL_DOM], "1", "normal"); |
| 73 }); |
| 74 }, "'" + ORIGINAL_HOST + "' is not same-site with '" + TEST_HOST + "', so sa
mesite cookies are not sent."); |
| 75 } |
| 76 </script> |
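Review bot: The last test (new lines 66-74) only works if the cookies written in the `ORIGINAL_HOST` branch still exist, and those are set with `Max-Age=100` (new lines 10-12). A slow run, or loading the page directly on `TEST_HOST`, fails the `NORMAL_DOM` assertion for reasons unrelated to SameSite. In that test `NORMAL_DOM` is the only positive control showing that the `undefined` results for the strict and lax cookies come from SameSite filtering rather than from missing cookies. I would document that above the test, e.g. `// Depends on the cookies set on ORIGINAL_HOST before the redirect; NORMAL_DOM is the control proving they are still present.`, and either drop `Max-Age` or make it comfortably longer than the harness timeout. `console.log(document.cookie);` on new line 13 looks like leftover debugging and can go, and the hostname check on new line 8 would read better with `===`.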