Remove legacy-samesite Web Platform Tests
SameSite-Lax-by-default and SameSite=None-requires-Secure have been
standardized ([1], [2]) and launched in Chromium [3] as well as
Firefox [4]. The WPTs testing "legacy" behavior are no longer needed,
and they are also failing on wpt.fyi [5].
This change removes the legacy-samesite virtual test suite, as well as
the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The
test for SameSite=None-requires-Secure also loses its "tentative"
designation.
Chromium will soon no longer support the configuration used in the
virtual test suite, so there would be no way to run these tests anyway.
[1] https://github.com/httpwg/http-extensions/pull/1325
[2] https://github.com/httpwg/http-extensions/pull/1323
[3] https://crrev.com/c/2231445
[4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
[5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144
Bug: 961439, 1211388
Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679
Reviewed-by: Steven Bingler <bingler@chromium.org>
Commit-Queue: Lily Chen <chlily@chromium.org>
Cr-Commit-Position: refs/heads/master@{#905289}
diff --git a/cookies/resources/cookie-helper.sub.js b/cookies/resources/cookie-helper.sub.js
index 789d38d..1420779 100644
--- a/cookies/resources/cookie-helper.sub.js
+++ b/cookies/resources/cookie-helper.sub.js
@@ -167,32 +167,9 @@
}
}
-// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains the
-// proper set of cookie names and values, according to the legacy behavior where
-// unspecified SameSite attribute defaults to SameSite=None behavior.
-function verifySameSiteCookieStateLegacy(expectedStatus, expectedValue, cookies, domCookieStatus) {
- assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
- assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always sent.");
- if (expectedStatus == SameSiteStatus.CROSS_SITE) {
- assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
- assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not sent with cross-site requests.");
- } else if (expectedStatus == SameSiteStatus.LAX) {
- assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with lax requests.");
- assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with lax requests.");
- } else if (expectedStatus == SameSiteStatus.STRICT) {
- assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are sent with strict requests.");
- assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with strict requests.");
- }
-
- if (cookies["domcookies"]) {
- verifyDocumentCookieLegacy(domCookieStatus, expectedValue, cookies["domcookies"]);
- }
-}
-
-// Same as above except this expects samesite_unspecified to act the same as
-// samesite_lax (which is the behavior expected when SameSiteByDefault is
-// enabled).
-function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expectedValue, cookies, domCookieStatus) {
+// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains
+// the proper set of cookie names and values. Expects SameSite-Lax-by-default.
+function verifySameSiteCookieState(expectedStatus, expectedValue, cookies, domCookieStatus) {
assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
if (expectedStatus == SameSiteStatus.CROSS_SITE) {
assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
@@ -209,32 +186,11 @@
}
if (cookies["domcookies"]) {
- verifyDocumentCookieWithSameSiteByDefault(domCookieStatus, expectedValue, cookies["domcookies"]);
- }
-}
-
-function verifyDocumentCookieLegacy(expectedStatus, expectedValue, domcookies) {
- const cookies = domcookies.split(";")
- .map(cookie => cookie.trim().split("="))
- .reduce((obj, cookie) => {
- obj[cookie[0]] = cookie[1];
- return obj;
- }, {});
-
- if (expectedStatus == DomSameSiteStatus.SAME_SITE) {
- assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are always included in document.cookie.");
- } else if (expectedStatus == DomSameSiteStatus.CROSS_SITE) {
- assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
- assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not included in document.cookie when cross-site.");
- assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not included in document.cookie when cross-site.");
+ verifyDocumentCookieSameSite(domCookieStatus, expectedValue, cookies['domcookies']);
}
}
-function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue, domcookies) {
+function verifyDocumentCookieSameSite(expectedStatus, expectedValue, domcookies) {
const cookies = domcookies.split(";")
.map(cookie => cookie.trim().split("="))
.reduce((obj, cookie) => {
@@ -255,16 +211,6 @@
}
}
-function isLegacySameSite() {
- return location.search === "?legacy-samesite";
-}
-
-// Get the proper verifier based on the test's variant type.
-function getSameSiteVerifier() {
- return isLegacySameSite() ?
- verifySameSiteCookieStateLegacy : verifySameSiteCookieStateWithSameSiteByDefault;
-}
-
//
// LeaveSecureCookiesAlone-specific test helpers:
//
diff --git a/cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.tentative.html b/cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.html
similarity index 100%
rename from cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.tentative.html
rename to cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.html
diff --git a/cookies/samesite/fetch.https.html b/cookies/samesite/fetch.https.html
index 934fc06..79e4900 100644
--- a/cookies/samesite/fetch.https.html
+++ b/cookies/samesite/fetch.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -15,7 +13,7 @@
return credFetch(target + "/cookies/resources/list.py")
.then(r => r.json())
- .then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE));
+ .then(cookies => verifySameSiteCookieState(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE));
});
}, title);
}
diff --git a/cookies/samesite/form-get-blank-reload.https.html b/cookies/samesite/form-get-blank-reload.https.html
index 611255f..ff39899 100644
--- a/cookies/samesite/form-get-blank-reload.https.html
+++ b/cookies/samesite/form-get-blank-reload.https.html
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -30,7 +28,7 @@
var reloaded = false;
var msgHandler = e => {
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
} catch (e) {
reject(e);
}
diff --git a/cookies/samesite/form-get-blank.https.html b/cookies/samesite/form-get-blank.https.html
index 3b05917..e0f6799 100644
--- a/cookies/samesite/form-get-blank.https.html
+++ b/cookies/samesite/form-get-blank.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -33,7 +31,7 @@
window.removeEventListener("message", msgHandler);
e.source.close();
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
resolve("Popup received the cookie.");
} catch (e) {
reject(e);
diff --git a/cookies/samesite/form-post-blank-reload.https.html b/cookies/samesite/form-post-blank-reload.https.html
index fedb0a0..9d1ef2e 100644
--- a/cookies/samesite/form-post-blank-reload.https.html
+++ b/cookies/samesite/form-post-blank-reload.https.html
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -20,7 +18,7 @@
var reloaded = false;
var msgHandler = e => {
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
} catch (e) {
reject(e);
}
diff --git a/cookies/samesite/form-post-blank.https.html b/cookies/samesite/form-post-blank.https.html
index cc37f08..9c795b1 100644
--- a/cookies/samesite/form-post-blank.https.html
+++ b/cookies/samesite/form-post-blank.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -22,7 +20,7 @@
window.removeEventListener("message", msgHandler);
e.source.close();
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
resolve("Popup received the cookie.");
} catch (e) {
reject(e);
diff --git a/cookies/samesite/iframe-reload.https.html b/cookies/samesite/iframe-reload.https.html
index a33c4dd..ab572f8 100644
--- a/cookies/samesite/iframe-reload.https.html
+++ b/cookies/samesite/iframe-reload.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -21,7 +19,7 @@
var reloaded = false;
var msgHandler = e => {
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
+ verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus);
} catch (e) {
reject(e);
}
diff --git a/cookies/samesite/iframe.https.html b/cookies/samesite/iframe.https.html
index 3c7b638..cad523c 100644
--- a/cookies/samesite/iframe.https.html
+++ b/cookies/samesite/iframe.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -24,7 +22,7 @@
document.body.removeChild(iframe);
window.removeEventListener("message", msgHandler);
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
+ verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus);
resolve();
} catch(e) {
reject(e);
diff --git a/cookies/samesite/img.https.html b/cookies/samesite/img.https.html
index 68603fd..1ddc8d9 100644
--- a/cookies/samesite/img.https.html
+++ b/cookies/samesite/img.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -46,15 +44,10 @@
assert_cookie_absent(target, "samesite_strict", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_lax", value) :
- assert_cookie_present(target, "samesite_lax", value)];
- if (isLegacySameSite()) {
- // Legacy behavior: unspecified SameSite acts like SameSite=None.
- asserts.push(assert_cookie_present(target, "samesite_unspecified", value));
- } else {
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_present(target, "samesite_lax", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_unspecified", value) :
- assert_cookie_present(target, "samesite_unspecified", value));
- }
+ assert_cookie_present(target, "samesite_unspecified", value)];
return Promise.all(asserts);
});
}, title);
diff --git a/cookies/samesite/multiple-samesite-attributes.https.html b/cookies/samesite/multiple-samesite-attributes.https.html
index f1e52a3..d32a396 100644
--- a/cookies/samesite/multiple-samesite-attributes.https.html
+++ b/cookies/samesite/multiple-samesite-attributes.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -54,28 +52,19 @@
assert_cookie_present(target, "samesite_unsupported_lax", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_strict_lax", value) :
- assert_cookie_present(target, "samesite_strict_lax", value)
- ];
- if (isLegacySameSite()) {
- // Legacy behavior: unsupported SameSite value acts like SameSite=None.
- asserts.push(assert_cookie_present(target, "samesite_none_unsupported", value));
- asserts.push(assert_cookie_present(target, "samesite_lax_unsupported", value));
- asserts.push(assert_cookie_present(target, "samesite_strict_unsupported", value));
- asserts.push(assert_cookie_present(target, "samesite_unsupported", value));
- } else {
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_none_unsupported", value) :
- assert_cookie_present(target, "samesite_none_unsupported", value));
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_lax_unsupported", value) :
- assert_cookie_present(target, "samesite_lax_unsupported", value));
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_strict_unsupported", value) :
- assert_cookie_present(target, "samesite_strict_unsupported", value));
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_unsupported", value) :
- assert_cookie_present(target, "samesite_unsupported", value));
- }
+ assert_cookie_present(target, "samesite_strict_lax", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_none_unsupported", value) :
+ assert_cookie_present(target, "samesite_none_unsupported", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_lax_unsupported", value) :
+ assert_cookie_present(target, "samesite_lax_unsupported", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_strict_unsupported", value) :
+ assert_cookie_present(target, "samesite_strict_unsupported", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_unsupported", value) :
+ assert_cookie_present(target, "samesite_unsupported", value)];
return Promise.all(asserts);
});
}, title);
diff --git a/cookies/samesite/setcookie-lax.https.html b/cookies/samesite/setcookie-lax.https.html
index 0c09577..f2094af 100644
--- a/cookies/samesite/setcookie-lax.https.html
+++ b/cookies/samesite/setcookie-lax.https.html
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -28,7 +26,7 @@
assert_dom_cookie("samesite_strict", e.data.value, false);
assert_dom_cookie("samesite_lax", e.data.value, false);
assert_dom_cookie("samesite_none", e.data.value, true);
- assert_dom_cookie("samesite_unspecified", e.data.value, isLegacySameSite());
+ assert_dom_cookie("samesite_unspecified", e.data.value, false);
w.close();
}, "Cross-site window shouldn't be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
</script>
diff --git a/cookies/samesite/setcookie-navigation.https.html b/cookies/samesite/setcookie-navigation.https.html
index 06f9a73..2dbc552 100644
--- a/cookies/samesite/setcookie-navigation.https.html
+++ b/cookies/samesite/setcookie-navigation.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -64,8 +62,7 @@
let message = await wait_for_message('FRAME_COOKIES_SET', SECURE_ORIGIN);
// Check for the proper cookies.
let samesite_none_cookies = ['samesite_none'];
- let samesite_cookies = ['samesite_strict', 'samesite_lax'];
- (isLegacySameSite() ? samesite_none_cookies : samesite_cookies).push('samesite_unspecified');
+ let samesite_cookies = ['samesite_strict', 'samesite_lax', 'samesite_unspecified'];
assert_cookies_present(message.data.cookies, value, samesite_none_cookies, true);
assert_cookies_present(message.data.cookies, value, samesite_cookies, !cross_site);
w.close();
diff --git a/cookies/samesite/window-open-reload.https.html b/cookies/samesite/window-open-reload.https.html
index f21b6a7..dc800f8 100644
--- a/cookies/samesite/window-open-reload.https.html
+++ b/cookies/samesite/window-open-reload.https.html
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -17,7 +15,7 @@
var reloaded = false;
var msgHandler = e => {
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
} catch (e) {
reject(e);
}
diff --git a/cookies/samesite/window-open.https.html b/cookies/samesite/window-open.https.html
index 7ee3ef4..b460e1a 100644
--- a/cookies/samesite/window-open.https.html
+++ b/cookies/samesite/window-open.https.html
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -19,7 +17,7 @@
window.removeEventListener("message", msgHandler);
w.close();
try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
resolve("Popup received the cookie.");
} catch (e) {
reject(e);
