SameSite: Strict/Lax behavior.

third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html

Index: third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html b/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html
new file mode 100644
index 0000000000000000000000000000000000000000..f747b40a5220b9441e96c9fb018757c053035f8e
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html
@@ -0,0 +1,76 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/testharness-helpers.js"></script>
+<script>
+// Set cookies on ORIGINAL_HOST, then move ourselves to TEST_ROOT so
+// we can verify registrable domain and cross-origin behavior.
+if (window.location.hostname == ORIGINAL_HOST) {
+    clearKnownCookies();
+    document.cookie = STRICT_DOM + "=1; SameSite=Strict; Max-Age=100; path=/";
+    document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/";
+    document.cookie = NORMAL_DOM + "=1; Max-Age=100; path=/";
+    console.log(document.cookie);

[philipj_slow, 2016/03/21 09:18:23]

Leftover from debugging, or nice to have if the test starts failing?

[Mike West, 2016/03/21 11:03:13]

Leftover, dropped, thanks.

+    window.location.hostname = TEST_HOST;
+} else {
+    test(t => {

[philipj_slow, 2016/03/21 09:18:23]

s/t/_/ since it's not used

[Mike West, 2016/03/21 11:03:13]

Done.

+        clearKnownCookies();
+        assert_equals(document.cookie, "");
+
+        document.cookie = STRICT_DOM + "=1; SameSite=Strict; domain=" + TEST_HOST + "; path=/";

[philipj_slow, 2016/03/21 09:18:23]

Why is the cookie set both on ORIGINAL_HOST and now again on TEST_HOST? It makes
it not so obvious which of the two have an effect below. If the answer is mixed,
maybe set =2 here or something?

[Mike West, 2016/03/21 11:03:13]

Because we need to do cross-registrable domain requests in order to verify
behavior (see the last promise_test, which grabs data from ORIGINAL_HOST and not
TEST_HOST. I can flip it to "2" if that helps disambiguate.

[philipj_slow, 2016/03/21 11:17:47]

Oh, OK. Using "2" would make it obvious which value is used where and that
there's no mistake, so that'd be nice.

+        document.cookie = LAX_DOM + "=1; SameSite=Lax; domain=" + TEST_HOST + "; path=/";
+        document.cookie = NORMAL_DOM + "=1; domain=" + TEST_HOST + "; path=/";
+        assert_equals(document.cookie, STRICT_DOM + "=1; " + LAX_DOM + "=1; " + NORMAL_DOM + "=1");
+    }, "Cookies can be set from DOM.");
+
+    promise_test(_ => {
+        return fetch("/cookies/resources/echo-json.php", {"credentials": "include"})
+            .then(r => r.json())
+            .then(j => {
+                assert_equals(j[STRICT_DOM], "1", "strict");

[philipj_slow, 2016/03/21 09:18:23]

Nice how t.step_func wrapping is no longer needed with promise_test :)

[Mike West, 2016/03/21 11:03:13]

Indeed!

+                assert_equals(j[LAX_DOM], "1", "lax");
+                assert_equals(j[NORMAL_DOM], "1", "normal");
+            });
+    }, "SameSite set from DOM are sent via HTTP.");
+
+    promise_test(_ => {
+        return fetch("https://" + TEST_HOST + ":8443/cookies/resources/echo-json.php", {"credentials": "include"})
+            .then(r => r.json())
+            .then(j => {
+                assert_equals(j[STRICT_DOM], "1", "strict");
+                assert_equals(j[LAX_DOM], "1", "lax");
+                assert_equals(j[NORMAL_DOM], "1", "normal");
+            });
+    }, "HTTPS is same-site with HTTP.");
+
+    promise_test(_ => {
+        return fetch("http://subdomain." + TEST_HOST + ":8000/cookies/resources/echo-json.php", {"credentials": "include"})
+            .then(r => r.json())
+            .then(j => {
+                assert_equals(j[STRICT_DOM], "1", "strict");
+                assert_equals(j[LAX_DOM], "1", "lax");
+                assert_equals(j[NORMAL_DOM], "1", "normal");
+            });
+    }, "Subdomains are same-site.");
+
+    promise_test(_ => {
+        return fetch("http://" + TEST_ROOT + ":8000/cookies/resources/echo-json.php", {"credentials": "include"})
+            .then(r => r.json())
+            .then(j => {
+                assert_equals(j[STRICT_DOM], undefined, "strict");
+                assert_equals(j[LAX_DOM], undefined, "lax");
+                assert_equals(j[NORMAL_DOM], undefined, "normal");
+            });
+    }, "`" + TEST_ROOT + "` is 'same-site' but the cookies don't match it: 'samesite' doesn't override matching rules.");
+
+    promise_test(_ => {
+        return fetch("http://" + ORIGINAL_HOST + ":8000/cookies/resources/echo-json.php", {"credentials": "include"})
+            .then(r => r.json())
+            .then(j => {
+                assert_equals(j[STRICT_DOM], undefined, "strict");
+                assert_equals(j[LAX_DOM], undefined, "lax");
+                assert_equals(j[NORMAL_DOM], "1", "normal");
+            });
+    }, "'" + ORIGINAL_HOST + "' is not same-site with '" + TEST_HOST + "', so samesite cookies are not sent.");
+}
+</script>