[rSAFor] Verify cookie access allowed by rSAFor in WPT
Specifically, this change adds test cases that verifies cookie access
that should have been blocked by 3rd-party cookie blocking can be
enabled by rSAFor, only if the request is made in the top-level
context with CORS mode enabled.
Bug: 1410556
Change-Id: Ic858d4f5ff3a933df311b612968e537e3c5afb46
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4355702
Commit-Queue: Shuran Huang <shuuran@chromium.org>
Reviewed-by: Matt Reichhoff <mreichhoff@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1120354}
diff --git a/cookies/resources/set-cookie.py b/cookies/resources/set-cookie.py
index 1163531..59b5b80 100644
--- a/cookies/resources/set-cookie.py
+++ b/cookies/resources/set-cookie.py
@@ -34,5 +34,12 @@
(b"Content-Type", b"application/json"),
(b"Set-Cookie", cookie)
]
+
+ # Set the cors enabled headers.
+ origin = request.headers.get(b"Origin")
+ if origin is not None and origin != b"null":
+ headers.append((b"Access-Control-Allow-Origin", origin))
+ headers.append((b"Access-Control-Allow-Credentials", 'true'))
+
body = b"var dummy='value';"
return headers, body
diff --git a/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js b/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js
index 9e16740..4475098 100644
--- a/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js
+++ b/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js
@@ -166,6 +166,50 @@
'[' + testPrefix +
'] document.requestStorageAccessFor() should be rejected when called with an opaque origin');
+ promise_test(
+ async (t) => {
+ const altOrigin = 'https://{{hosts[alt][www]}}:{{ports[https][0]}}';
+ const altEchoCookieHeaderUrl =
+ `${altOrigin}/storage-access-api/resources/echo-cookie-header.py`;
+
+ await MaybeSetStorageAccess('*', '*', 'blocked');
+ t.add_cleanup(async () => {
+ await test_driver.delete_all_cookies();
+ await test_driver.set_permission(
+ {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+ 'prompt');
+ await MaybeSetStorageAccess('*', '*', 'allowed');
+ });
+
+ await test_driver.set_permission(
+ {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+ 'granted');
+
+ // Set cross-site cookie for altOrigin. Note that this only works with
+ // an existing top-level storage access permission.
+ await fetch(
+ `${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`,
+ {mode: 'cors', credentials: 'include'});
+
+ const httpCookies1 = await fetch(altEchoCookieHeaderUrl, {
+ mode: 'cors',
+ credentials: 'include'
+ }).then((resp) => resp.text());
+ assert_true(
+ httpCookies1.includes('cookie=1'),
+ 'After obtaining top-level storage access, cross-site subresource requests with CORS mode should have cookie access.');
+
+ const httpCookies2 = await fetch(altEchoCookieHeaderUrl, {
+ mode: 'no-cors',
+ credentials: 'include'
+ }).then((resp) => resp.text());
+ assert_false(
+ httpCookies2.includes('cookie=1'),
+ 'Cross-site subresource requests without CORS mode cannot access cookie even with an existing permission.');
+ },
+ '[' + testPrefix +
+ '] Top-level storage access only allows cross-site subresource requests to access cookie when using CORS mode.');
+
} else {
promise_test(
async t => {
@@ -175,4 +219,38 @@
},
'[' + testPrefix +
'] document.requestStorageAccessFor() should be rejected when called in an iframe');
+
+ promise_test(
+ async (t) => {
+ const altOrigin = 'https://{{hosts[alt][www]}}:{{ports[https][0]}}';
+
+ await MaybeSetStorageAccess('*', '*', 'blocked');
+ t.add_cleanup(async () => {
+ await test_driver.delete_all_cookies();
+ await test_driver.set_permission(
+ {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+ 'prompt');
+ await MaybeSetStorageAccess('*', '*', 'allowed');
+ });
+
+ // Set cross-site cookie for altOrigin. Note that cookie won't be set
+ // even with an existing top-level storage access permission in an
+ // iframe.
+ await fetch(
+ `${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`,
+ {mode: 'cors', credentials: 'include'});
+
+ await test_driver.set_permission(
+ {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+ 'granted');
+
+ const httpCookies =
+ await fetch(
+ `${altOrigin}/storage-access-api/resources/echo-cookie-header.py`,
+ {mode: 'cors', credentials: 'include'})
+ .then((resp) => resp.text());
+ assert_false(httpCookies.includes('cookie=1'));
+ },
+ '[' + testPrefix +
+ '] Existing top-level storage access permission should not allow cookie access for the cross-site subresource requests made in a non-top-level context.');
}