SameSite: Strict/Lax behavior.

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <utility>
 
 #include "build/build_config.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
@@ skipping 2641 matching lines @@
 }
 
 TEST_F(URLRequestTest, SameSiteCookiesEnabled) {
   LocalHttpTestServer test_server;
   ASSERT_TRUE(test_server.Start());
 
   TestNetworkDelegate network_delegate;
   network_delegate.set_experimental_cookie_features_enabled(true);
   default_context_.set_network_delegate(&network_delegate);
 
-  // Set up a 'SameSite' cookie (on '127.0.0.1', as that's where
-  // LocalHttpTestServer points).
+  const std::string kHost = "example.test";
+  const std::string kSubHost = "subdomain.example.test";
+  const std::string kCrossHost = "cross-origin.test";

[mmenke, 2016/03/17 19:15:57]

I'm fine with these tests, but seems like we should have unit tests in
canonical_cookie_unittest.cc.  Also, should we have integration tests at the
browser layer (Or, ick, layout tests)?  Do we have tests that depend on the
initiator being set correctly by the RDH?

[Mike West, 2016/03/17 19:57:12]

You're right. These are more or less integration tests... I'm happy to add some
more unit tests tomorrow.
I plan to write layout tests to help kickstart Mozilla's progress; I'm working
with folks there to try to teach their test engine about
cross-registrable-domain origins
(https://github.com/w3c/web-platform-tests/issues/2669). It's going to take some
time... :(
That behavior shouldn't have changed with this CL, so I hope the existing tests
do the job. I assume I wrote tests... :) I can look them up in the morning.

+
+  // Set up two 'SameSite' cookies on 'example.test'
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/set-cookie?SameSiteCookieToSet=1;SameSite=Strict"),
+        test_server.GetURL(kHost,
+                           "/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&"
+                           "LaxSameSiteCookie=1;SameSite=Lax"),
         DEFAULT_PRIORITY, &d));
     req->Start();
     base::RunLoop().Run();
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
-    EXPECT_EQ(1, network_delegate.set_cookie_count());
+    EXPECT_EQ(2, network_delegate.set_cookie_count());
   }
 
-  // Verify that the cookie is sent for same-site requests.
+  // Verify that both cookies are sent for same-site requests.
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(test_server.GetURL("/"));
-    req->set_initiator(url::Origin(test_server.GetURL("/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kHost, "/")));
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") !=
-                std::string::npos);
+    EXPECT_NE(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 
-  // Verify that the cookie is not sent for cross-site requests.
+  // Verify that both cookies are sent for same-registrable-domain requests.
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(GURL("http://cross-site.test/"));
-    req->set_initiator(url::Origin(GURL("http://cross-site.test/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kSubHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kSubHost, "/")));
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") ==
-                std::string::npos);
+    EXPECT_NE(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 
-  // Verify that the cookie is sent for cross-site initiators when the
+  // Verify that neither cookie is not sent for cross-site requests.
+  {
+    TestDelegate d;
+    scoped_ptr<URLRequest> req(default_context_.CreateRequest(
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kCrossHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/")));
+    req->Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_EQ(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
+    EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
+    EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
+  }
+
+  // Verify that the lax cookie is sent for cross-site initiators when the
   // method is "safe".
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(test_server.GetURL("/"));
-    req->set_initiator(url::Origin(GURL("http://cross-site.test/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/")));
+    req->set_method("GET");
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_FALSE(d.data_received().find("SameSiteCookieToSet=1") ==
-                 std::string::npos);
+    EXPECT_EQ(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 
-  // Verify that the cookie is not sent for cross-site initiators when the
+  // Verify that neither cookie is sent for cross-site initiators when the
   // method is unsafe (e.g. POST).
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(test_server.GetURL("/"));
-    req->set_initiator(url::Origin(GURL("http://cross-site.test/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/")));
     req->set_method("POST");
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") ==
-                std::string::npos);
+    EXPECT_EQ(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_EQ(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 }
 
 TEST_F(URLRequestTest, SameSiteCookiesDisabled) {
   LocalHttpTestServer test_server;
   ASSERT_TRUE(test_server.Start());
 
   // Set up a 'SameSite' cookie (on '127.0.0.1', as that's where
   // LocalHttpTestServer points).
   {
     TestNetworkDelegate network_delegate;
     network_delegate.set_experimental_cookie_features_enabled(false);
     default_context_.set_network_delegate(&network_delegate);
 
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/set-cookie?SameSiteCookieToSet=1;SameSite"),
+        test_server.GetURL("/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&"
+                           "LaxSameSiteCookie=1;SameSite=Lax"),
         DEFAULT_PRIORITY, &d));
     req->Start();
     base::RunLoop().Run();
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
-    EXPECT_EQ(1, network_delegate.set_cookie_count());
+    EXPECT_EQ(2, network_delegate.set_cookie_count());
   }
 
   // Verify that the cookie is sent for same-site requests.
   {
     TestNetworkDelegate network_delegate;
     network_delegate.set_experimental_cookie_features_enabled(false);
     default_context_.set_network_delegate(&network_delegate);
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
     req->set_first_party_for_cookies(test_server.GetURL("/"));
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") !=
+    EXPECT_TRUE(d.data_received().find("StrictSameSiteCookie=1") !=
+                std::string::npos);
+    EXPECT_TRUE(d.data_received().find("LaxSameSiteCookie=1") !=
                 std::string::npos);
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 
   // Verify that the cookie is also sent for cross-site requests.
   {
     TestNetworkDelegate network_delegate;
     network_delegate.set_experimental_cookie_features_enabled(false);
     default_context_.set_network_delegate(&network_delegate);
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
     req->set_first_party_for_cookies(GURL("http://cross-site.test/"));
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_NE(d.data_received().find("SameSiteCookieToSet=1"),
+    EXPECT_NE(d.data_received().find("StrictSameSiteCookie=1"),
               std::string::npos);
+    EXPECT_TRUE(d.data_received().find("LaxSameSiteCookie=1") !=
+                std::string::npos);
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 }
 
 // Tests that __Secure- cookies can't be set on non-secure origins.
 TEST_F(URLRequestTest, SecureCookiePrefixOnNonsecureOrigin) {
   EmbeddedTestServer http_server;
   http_server.AddDefaultHandlers(
       base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
@@ skipping 7207 matching lines @@
   AddTestInterceptor()->set_main_intercept_job(std::move(job));
 
   req->Start();
   req->Cancel();
   base::RunLoop().RunUntilIdle();
   EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status());
   EXPECT_EQ(0, d.received_redirect_count());
 }
 
 }  // namespace net