| <!DOCTYPE html> |
| <meta charset="utf-8"/> |
| <meta name="timeout" content="long"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/cookies/resources/cookie-helper.sub.js"></script> |
| <script> |
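// Registers one promise_test that submits a GET form into a new top-level
// browsing context (target=_blank) and checks which SameSite cookies the
// resulting document reports back.
//
//   origin          - passed to resetSameSiteCookies(); the origin whose
//                     cookies are re-set to a fresh value before navigating.
//   target          - URL prefix the form is submitted to;
//                     "/cookies/resources/postToParent.py" is appended to it.
//                     It may be a redirectWithCORSHeaders.py URL, in which
//                     case the appended path lands inside its `location`
//                     query value.
//   expectedStatus  - SameSiteStatus value handed to
//                     verifySameSiteCookieState().
//   title           - name of the generated test.
function create_test(origin, target, expectedStatus, title) {
  promise_test(t => {
    // A fresh value per run is what verifySameSiteCookieState() is given to
    // compare against, so cookies left over from an earlier test are
    // presumably not mistaken for this one's (helper lives outside this file).
    const value = "" + Math.random();

    return resetSameSiteCookies(origin, value).then(() => new Promise((resolve, reject) => {
      const form = document.createElement("form");
      form.action = target + "/cookies/resources/postToParent.py";
      form.target = "_blank";
      form.method = "GET";
      // target=_blank implies noopener by default; rel=opener keeps
      // window.opener available so the popup can message this page.
      form.rel = "opener";

      // A GET submission replaces the action URL's query string with the form
      // data. When |target| goes through redirectWithCORSHeaders.py, copy its
      // `location` parameter into a hidden input so the redirect destination
      // survives the submission.
      const url = new URL(form.action);
      if (url.pathname === "/cookies/resources/redirectWithCORSHeaders.py") {
        const input = document.createElement("input");
        input.name = "location";
        input.type = "hidden";
        input.value = url.searchParams.get("location");
        form.appendChild(input);
      }

      // NOTE(review): the first "message" event from any window settles the
      // test; there is no e.origin / e.source filtering, only the comparison
      // against |value| inside verifySameSiteCookieState().
      const msgHandler = e => {
        window.removeEventListener("message", msgHandler);
        e.source.close();
        try {
          verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
          resolve("Popup received the cookie.");
        } catch (err) {
          // Named |err| so the message event |e| is not shadowed.
          reject(err);
        }
      };

      // If the popup never reports back (failure or timeout), make sure the
      // listener and the form do not leak into the tests that follow.
      t.add_cleanup(() => {
        window.removeEventListener("message", msgHandler);
        form.remove();
      });

      window.addEventListener("message", msgHandler);
      document.body.appendChild(form);
      form.submit();
    }));
  }, title);
}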
| |
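// Expectation matrix for top-level form GETs opened in a new window.
// Arguments are create_test(cookie origin, navigation target, expected
// SameSite status, test title). Across the cases below the expected status
// is STRICT only when every hop, including the final destination, is
// same-host or subdomain; a cross-site hop anywhere in the chain yields LAX,
// even when the redirect ends on the same host.

// No redirect:
create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host top-level form GETs are strictly same-site");
create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain top-level form GETs are strictly same-site");
create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.LAX, "Cross-site top-level form GETs are laxly same-site");

// Redirect from {same-host,subdomain,cross-site} to same-host:
create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host top-level form GETs are strictly same-site");
create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host top-level form GETs are strictly same-site");
create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.LAX, "Cross-site redirecting to same-host top-level form GETs are laxly same-site");

// Redirect from {same-host,subdomain,cross-site} to subdomain:
create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain top-level form GETs are strictly same-site");
create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain top-level form GETs are strictly same-site");
create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.LAX, "Cross-site redirecting to subdomain top-level form GETs are laxly same-site");

// Redirect from {same-host,subdomain,cross-site} to cross-site:
create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Same-host redirecting to cross-site top-level form GETs are laxly same-site");
create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Subdomain redirecting to cross-site top-level form GETs are laxly same-site");
create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.LAX, "Cross-site redirecting to cross-site top-level form GETs are laxly same-site");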
| </script> |