OLD | NEW |
(Empty) | |
| 1 <!doctype html> |
| 2 <script src="/resources/testharness.js"></script> |
| 3 <script src="/resources/testharnessreport.js"></script> |
| 4 <script src="/cookies/resources/testharness-helpers.js"></script> |
| 5 <script> |
| 6 // Set cookies on ORIGINAL_HOST, then move ourselves to TEST_ROOT so |
| 7 // we can verify registrable domain and cross-origin behavior. |
| 8 if (window.location.hostname == ORIGINAL_HOST) { |
| 9 clearKnownCookies(); |
| 10 document.cookie = STRICT_DOM + "=1; SameSite=Strict; Max-Age=100; path=/"; |
| 11 document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/"; |
| 12 document.cookie = NORMAL_DOM + "=1; Max-Age=100; path=/"; |
| 13 window.location.hostname = TEST_HOST; |
| 14 } else { |
| 15 test(_ => { |
| 16 clearKnownCookies(); |
| 17 assert_equals(document.cookie, ""); |
| 18 |
| 19 document.cookie = STRICT_DOM + "=2; SameSite=Strict; domain=" + TEST_HOS
T + "; path=/"; |
| 20 document.cookie = LAX_DOM + "=2; SameSite=Lax; domain=" + TEST_HOST + ";
path=/"; |
| 21 document.cookie = NORMAL_DOM + "=2; domain=" + TEST_HOST + "; path=/"; |
| 22 assert_equals(document.cookie, STRICT_DOM + "=2; " + LAX_DOM + "=2; " +
NORMAL_DOM + "=2"); |
| 23 }, "Cookies can be set from DOM."); |
| 24 |
| 25 promise_test(_ => { |
| 26 return fetch("/cookies/resources/echo-json.php", {"credentials": "includ
e"}) |
| 27 .then(r => r.json()) |
| 28 .then(j => { |
| 29 assert_equals(j[STRICT_DOM], "2", "strict"); |
| 30 assert_equals(j[LAX_DOM], "2", "lax"); |
| 31 assert_equals(j[NORMAL_DOM], "2", "normal"); |
| 32 }); |
| 33 }, "SameSite set from DOM are sent via HTTP."); |
| 34 |
| 35 promise_test(_ => { |
| 36 return fetch("https://" + TEST_HOST + ":8443/cookies/resources/echo-json
.php", {"credentials": "include"}) |
| 37 .then(r => r.json()) |
| 38 .then(j => { |
| 39 assert_equals(j[STRICT_DOM], "2", "strict"); |
| 40 assert_equals(j[LAX_DOM], "2", "lax"); |
| 41 assert_equals(j[NORMAL_DOM], "2", "normal"); |
| 42 }); |
| 43 }, "HTTPS is same-site with HTTP."); |
| 44 |
| 45 promise_test(_ => { |
| 46 return fetch("http://subdomain." + TEST_HOST + ":8000/cookies/resources/
echo-json.php", {"credentials": "include"}) |
| 47 .then(r => r.json()) |
| 48 .then(j => { |
| 49 assert_equals(j[STRICT_DOM], "2", "strict"); |
| 50 assert_equals(j[LAX_DOM], "2", "lax"); |
| 51 assert_equals(j[NORMAL_DOM], "2", "normal"); |
| 52 }); |
| 53 }, "Subdomains are same-site."); |
| 54 |
| 55 promise_test(_ => { |
| 56 return fetch("http://" + TEST_ROOT + ":8000/cookies/resources/echo-json.
php", {"credentials": "include"}) |
| 57 .then(r => r.json()) |
| 58 .then(j => { |
| 59 assert_equals(j[STRICT_DOM], undefined, "strict"); |
| 60 assert_equals(j[LAX_DOM], undefined, "lax"); |
| 61 assert_equals(j[NORMAL_DOM], undefined, "normal"); |
| 62 }); |
| 63 }, "`" + TEST_ROOT + "` is same-site but the cookies don't match it: 'samesi
te' doesn't override matching rules."); |
| 64 |
| 65 promise_test(_ => { |
| 66 return fetch("http://" + ORIGINAL_HOST + ":8000/cookies/resources/echo-j
son.php", {"credentials": "include"}) |
| 67 .then(r => r.json()) |
| 68 .then(j => { |
| 69 assert_equals(j[STRICT_DOM], undefined, "strict"); |
| 70 assert_equals(j[LAX_DOM], undefined, "lax"); |
| 71 assert_equals(j[NORMAL_DOM], "1", "normal"); |
| 72 }); |
| 73 }, "'" + ORIGINAL_HOST + "' is not same-site with '" + TEST_HOST + "', so sa
mesite cookies are not sent."); |
| 74 } |
| 75 </script> |
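Review bot: The last promise_test accepts `undefined` for STRICT_DOM and LAX_DOM on ORIGINAL_HOST, which is also what it would see if those two cookies had never been stored there, so it cannot tell "withheld on a cross-site request" from "rejected at set time"; only the NORMAL_DOM `"1"` assertion shows the first branch ran at all. A check in the `if` branch before `window.location.hostname = TEST_HOST;` would close that gap, for example `if (document.cookie.indexOf(STRICT_DOM + "=1") < 0 || document.cookie.indexOf(LAX_DOM + "=1") < 0) throw new Error("SameSite cookies were not stored on ORIGINAL_HOST");`. The header comment says the page moves to TEST_ROOT while the code navigates to TEST_HOST, and the TEST_ROOT test relies on the two being different, so the comment should read `// Set cookies on ORIGINAL_HOST, then move ourselves to TEST_HOST so`. Every assertion in this file expects the same value for Strict and Lax, so unless another test in the change covers top-level navigation, nothing here distinguishes the two modes.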
OLD | NEW |