
Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html

Issue 1783813002: SameSite: Strict/Lax behavior. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@strict-lax
Patch Set: OOPIF. Created 4 years, 9 months ago
(Empty)
1 <!doctype html>
2 <script src="/resources/testharness.js"></script>
3 <script src="/resources/testharnessreport.js"></script>
4 <script src="/cookies/resources/testharness-helpers.js"></script>
5 <script>
6 // Set cookies on ORIGINAL_HOST, then move ourselves to TEST_ROOT so
7 // we can verify registrable domain and cross-origin behavior.
8 if (window.location.hostname == ORIGINAL_HOST) {
9 clearKnownCookies();
10 document.cookie = STRICT_DOM + "=1; SameSite=Strict; Max-Age=100; path=/";
11 document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/";
12 document.cookie = NORMAL_DOM + "=1; Max-Age=100; path=/";
13 console.log(document.cookie);
philipj_slow 2016/03/21 09:18:23 Leftover from debugging, or nice to have if the te
Mike West 2016/03/21 11:03:13 Leftover, dropped, thanks.
14 window.location.hostname = TEST_HOST;
15 } else {
16 test(t => {
philipj_slow 2016/03/21 09:18:23 s/t/_/ since it's not used
Mike West 2016/03/21 11:03:13 Done.
17 clearKnownCookies();
18 assert_equals(document.cookie, "");
19
20 document.cookie = STRICT_DOM + "=1; SameSite=Strict; domain=" + TEST_HOS T + "; path=/";
philipj_slow 2016/03/21 09:18:23 Why is the cookie set both on ORIGINAL_HOST and no
Mike West 2016/03/21 11:03:13 Because we need to do cross-registrable domain req
philipj_slow 2016/03/21 11:17:47 Oh, OK. Using "2" would make it obvious which valu
21 document.cookie = LAX_DOM + "=1; SameSite=Lax; domain=" + TEST_HOST + "; path=/";
22 document.cookie = NORMAL_DOM + "=1; domain=" + TEST_HOST + "; path=/";
23 assert_equals(document.cookie, STRICT_DOM + "=1; " + LAX_DOM + "=1; " + NORMAL_DOM + "=1");
24 }, "Cookies can be set from DOM.");
25
26 promise_test(_ => {
27 return fetch("/cookies/resources/echo-json.php", {"credentials": "includ e"})
28 .then(r => r.json())
29 .then(j => {
30 assert_equals(j[STRICT_DOM], "1", "strict");
philipj_slow 2016/03/21 09:18:23 Nice how t.step_func wrapping is no longer needed
Mike West 2016/03/21 11:03:13 Indeed!
31 assert_equals(j[LAX_DOM], "1", "lax");
32 assert_equals(j[NORMAL_DOM], "1", "normal");
33 });
34 }, "SameSite set from DOM are sent via HTTP.");
35
36 promise_test(_ => {
37 return fetch("https://" + TEST_HOST + ":8443/cookies/resources/echo-json .php", {"credentials": "include"})
38 .then(r => r.json())
39 .then(j => {
40 assert_equals(j[STRICT_DOM], "1", "strict");
41 assert_equals(j[LAX_DOM], "1", "lax");
42 assert_equals(j[NORMAL_DOM], "1", "normal");
43 });
44 }, "HTTPS is same-site with HTTP.");
45
46 promise_test(_ => {
47 return fetch("http://subdomain." + TEST_HOST + ":8000/cookies/resources/ echo-json.php", {"credentials": "include"})
48 .then(r => r.json())
49 .then(j => {
50 assert_equals(j[STRICT_DOM], "1", "strict");
51 assert_equals(j[LAX_DOM], "1", "lax");
52 assert_equals(j[NORMAL_DOM], "1", "normal");
53 });
54 }, "Subdomains are same-site.");
55
56 promise_test(_ => {
57 return fetch("http://" + TEST_ROOT + ":8000/cookies/resources/echo-json. php", {"credentials": "include"})
58 .then(r => r.json())
59 .then(j => {
60 assert_equals(j[STRICT_DOM], undefined, "strict");
61 assert_equals(j[LAX_DOM], undefined, "lax");
62 assert_equals(j[NORMAL_DOM], undefined, "normal");
63 });
64 }, "`" + TEST_ROOT + "` is 'same-site' but the cookies don't match it: 'same site' doesn't override matching rules.");
65
66 promise_test(_ => {
67 return fetch("http://" + ORIGINAL_HOST + ":8000/cookies/resources/echo-j son.php", {"credentials": "include"})
68 .then(r => r.json())
69 .then(j => {
70 assert_equals(j[STRICT_DOM], undefined, "strict");
71 assert_equals(j[LAX_DOM], undefined, "lax");
72 assert_equals(j[NORMAL_DOM], "1", "normal");
73 });
74 }, "'" + ORIGINAL_HOST + "' is not same-site with '" + TEST_HOST + "', so sa mesite cookies are not sent.");
75 }
76 </script>
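Review bot: Every assertion in this file expects the same value for STRICT_DOM and LAX_DOM, including the cross-site case at new lines 66-74, so a regression that enforced Lax exactly like Strict (or the reverse) would still pass here. All the requests are `fetch()` subresource loads, where both modes withhold the cookie; the two differ only on top-level navigations, which this file does not exercise. If that case is covered by another test in the patch set (not visible on this page), a comment in the last test such as `// Subresource request: Strict and Lax are both withheld; top-level navigation is tested separately.` would make the boundary explicit. Separately, the comment at lines 6-7 says the page moves to TEST_ROOT while line 14 assigns TEST_HOST, so it should read `// Set cookies on ORIGINAL_HOST, then move ourselves to TEST_HOST so`.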