| <!doctype html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/cookies/resources/testharness-helpers.js"></script> |
| <script> |
| // Set cookies on ORIGINAL_HOST, then move ourselves to TEST_ROOT so |
| // we can verify registrable domain and cross-origin behavior. |
| if (window.location.hostname == "127.0.0.1") { |
| window.location.hostname = ORIGINAL_HOST; |
| } else if (window.location.hostname == ORIGINAL_HOST) { |
| clearKnownCookies(); |
| document.cookie = STRICT_DOM + "=1; SameSite=Strict; Max-Age=100; path=/"; |
| document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/"; |
| document.cookie = NORMAL_DOM + "=1; Max-Age=100; path=/"; |
| window.location.hostname = TEST_HOST; |
| } else { |
| test(_ => { |
| clearKnownCookies(); |
| assert_equals(document.cookie, ""); |
| |
| document.cookie = STRICT_DOM + "=2; SameSite=Strict; domain=" + TEST_HOST + "; path=/"; |
| document.cookie = LAX_DOM + "=2; SameSite=Lax; domain=" + TEST_HOST + "; path=/"; |
| document.cookie = NORMAL_DOM + "=2; domain=" + TEST_HOST + "; path=/"; |
| assert_equals(document.cookie, STRICT_DOM + "=2; " + LAX_DOM + "=2; " + NORMAL_DOM + "=2"); |
| }, "Cookies can be set from DOM."); |
| |
| promise_test(_ => { |
| return fetch("/cookies/resources/echo-json.php", {"credentials": "include"}) |
| .then(r => r.json()) |
| .then(j => { |
| assert_equals(j[STRICT_DOM], "2", "strict"); |
| assert_equals(j[LAX_DOM], "2", "lax"); |
| assert_equals(j[NORMAL_DOM], "2", "normal"); |
| }); |
| }, "SameSite set from DOM are sent via HTTP."); |
| |
| promise_test(_ => { |
| return fetch("https://" + TEST_HOST + ":8443/cookies/resources/echo-json.php", {"credentials": "include"}) |
| .then(r => r.json()) |
| .then(j => { |
| assert_equals(j[STRICT_DOM], "2", "strict"); |
| assert_equals(j[LAX_DOM], "2", "lax"); |
| assert_equals(j[NORMAL_DOM], "2", "normal"); |
| }); |
| }, "HTTPS is same-site with HTTP."); |
| |
| promise_test(_ => { |
| return fetch("http://subdomain." + TEST_HOST + ":8000/cookies/resources/echo-json.php", {"credentials": "include"}) |
| .then(r => r.json()) |
| .then(j => { |
| assert_equals(j[STRICT_DOM], "2", "strict"); |
| assert_equals(j[LAX_DOM], "2", "lax"); |
| assert_equals(j[NORMAL_DOM], "2", "normal"); |
| }); |
| }, "Subdomains are same-site."); |
| |
| promise_test(_ => { |
| return fetch("http://" + TEST_ROOT + ":8000/cookies/resources/echo-json.php", {"credentials": "include"}) |
| .then(r => r.json()) |
| .then(j => { |
| assert_equals(j[STRICT_DOM], undefined, "strict"); |
| assert_equals(j[LAX_DOM], undefined, "lax"); |
| assert_equals(j[NORMAL_DOM], undefined, "normal"); |
| }); |
| }, "`" + TEST_ROOT + "` is same-site but the cookies don't match it: 'samesite' doesn't override matching rules."); |
| |
| promise_test(_ => { |
| return fetch("http://" + ORIGINAL_HOST + ":8000/cookies/resources/echo-json.php", {"credentials": "include"}) |
| .then(r => r.json()) |
| .then(j => { |
| assert_equals(j[STRICT_DOM], undefined, "strict"); |
| assert_equals(j[LAX_DOM], undefined, "lax"); |
| assert_equals(j[NORMAL_DOM], "1", "normal"); |
| }); |
| }, "'" + ORIGINAL_HOST + "' is not same-site with '" + TEST_HOST + "', so samesite cookies are not sent."); |
| } |
| </script> |