[rSAFor] Verify cookie access allowed by rSAFor in WPT

Specifically, this change adds test cases that verify that cookie
access which would otherwise have been blocked by 3rd-party cookie
blocking can be enabled by rSAFor, but only if the request is made in
the top-level context with CORS mode enabled.

Bug: 1410556
Change-Id: Ic858d4f5ff3a933df311b612968e537e3c5afb46
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4355702
Commit-Queue: Shuran Huang <shuuran@chromium.org>
Reviewed-by: Matt Reichhoff <mreichhoff@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1120354}
diff --git a/cookies/resources/set-cookie.py b/cookies/resources/set-cookie.py
index 1163531..59b5b80 100644
--- a/cookies/resources/set-cookie.py
+++ b/cookies/resources/set-cookie.py
@@ -34,5 +34,12 @@
         (b"Content-Type", b"application/json"),
         (b"Set-Cookie", cookie)
     ]
+
+    # Set the cors enabled headers.
+    origin = request.headers.get(b"Origin")
+    if origin is not None and origin != b"null":
+        headers.append((b"Access-Control-Allow-Origin", origin))
+        headers.append((b"Access-Control-Allow-Credentials", 'true'))
+
     body = b"var dummy='value';"
     return headers, body
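Review bot: The added block reflects whatever `Origin` the request carries into `Access-Control-Allow-Origin` and pairs it with `Access-Control-Allow-Credentials`, which lets any calling site read the credentialed response. That is reasonable for a test-only resource, but the comment should say so, e.g. `# Test-only: reflect the caller's Origin so credentialed CORS fetches can read the response; not a pattern for production handlers.` The credentials value is also a `str` (`'true'`) while every other header name and value in the list is `bytes`; `headers.append((b"Access-Control-Allow-Credentials", b"true"))` keeps the list uniform, since whether the server normalizes mixed types is not visible here. The handler function begins above the hunk.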
diff --git a/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js b/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js
index 9e16740..4475098 100644
--- a/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js
+++ b/top-level-storage-access-api/tentative/requestStorageAccessFor.sub.https.window.js
@@ -166,6 +166,50 @@
       '[' + testPrefix +
           '] document.requestStorageAccessFor() should be rejected when called with an opaque origin');
 
+  promise_test(
+      async (t) => {
+        const altOrigin = 'https://{{hosts[alt][www]}}:{{ports[https][0]}}';
+        const altEchoCookieHeaderUrl =
+            `${altOrigin}/storage-access-api/resources/echo-cookie-header.py`;
+
+        await MaybeSetStorageAccess('*', '*', 'blocked');
+        t.add_cleanup(async () => {
+          await test_driver.delete_all_cookies();
+          await test_driver.set_permission(
+              {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+              'prompt');
+          await MaybeSetStorageAccess('*', '*', 'allowed');
+        });
+
+        await test_driver.set_permission(
+            {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+            'granted');
+
+        // Set cross-site cookie for altOrigin. Note that this only works with
+        // an existing top-level storage access permission.
+        await fetch(
+            `${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`,
+            {mode: 'cors', credentials: 'include'});
+
+        const httpCookies1 = await fetch(altEchoCookieHeaderUrl, {
+                               mode: 'cors',
+                               credentials: 'include'
+                             }).then((resp) => resp.text());
+        assert_true(
+            httpCookies1.includes('cookie=1'),
+            'After obtaining top-level storage access, cross-site subresource requests with CORS mode should have cookie access.');
+
+        const httpCookies2 = await fetch(altEchoCookieHeaderUrl, {
+                               mode: 'no-cors',
+                               credentials: 'include'
+                             }).then((resp) => resp.text());
+        assert_false(
+            httpCookies2.includes('cookie=1'),
+            'Cross-site subresource requests without CORS mode cannot access cookie even with an existing permission.');
+      },
+      '[' + testPrefix +
+          '] Top-level storage access only allows cross-site subresource requests to access cookie when using CORS mode.');
+
 } else {
   promise_test(
       async t => {
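Review bot: The `no-cors` assertion at the end of the first added test cannot fail. A cross-origin `fetch` with `mode: 'no-cors'` yields an opaque response whose body reads back as an empty string, so `httpCookies2.includes('cookie=1')` is false whether or not the cookie was attached to the request. To make this negative case meaningful, the Cookie header has to be observed through something other than the response body, for example a server-side record that a later CORS request reads back, or a subresource whose load outcome depends on the cookie. Until then, a comment such as `// NOTE: no-cors responses are opaque; this check alone does not prove the cookie was withheld.` would stop readers from treating it as coverage. The enclosing `if` branch begins above the hunk.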
@@ -175,4 +219,38 @@
       },
       '[' + testPrefix +
           '] document.requestStorageAccessFor() should be rejected when called in an iframe');
+
+  promise_test(
+      async (t) => {
+        const altOrigin = 'https://{{hosts[alt][www]}}:{{ports[https][0]}}';
+
+        await MaybeSetStorageAccess('*', '*', 'blocked');
+        t.add_cleanup(async () => {
+          await test_driver.delete_all_cookies();
+          await test_driver.set_permission(
+              {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+              'prompt');
+          await MaybeSetStorageAccess('*', '*', 'allowed');
+        });
+
+        // Set cross-site cookie for altOrigin. Note that cookie won't be set
+        // even with an existing top-level storage access permission in an
+        // iframe.
+        await fetch(
+            `${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`,
+            {mode: 'cors', credentials: 'include'});
+
+        await test_driver.set_permission(
+            {name: 'top-level-storage-access', requestedOrigin: altOrigin},
+            'granted');
+
+        const httpCookies =
+            await fetch(
+                `${altOrigin}/storage-access-api/resources/echo-cookie-header.py`,
+                {mode: 'cors', credentials: 'include'})
+                .then((resp) => resp.text());
+        assert_false(httpCookies.includes('cookie=1'));
+      },
+      '[' + testPrefix +
+          '] Existing top-level storage access permission should not allow cookie access for the cross-site subresource requests made in a non-top-level context.');
 }
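Review bot: In the iframe test the set-cookie `fetch` runs before `set_permission(..., 'granted')`, so with third-party cookies blocked the cookie is presumably never stored. The final `assert_false` would then pass even if the permission were wrongly honoured in a non-top-level context. The code comment also speaks of an "existing" permission that does not exist yet at that point. Moving the `test_driver.set_permission(..., 'granted')` call above the set-cookie `fetch` would make both the write and the read run under the permission, so a regression would surface as `cookie=1` in the echo. The assertion also lacks a description, unlike the other added tests; something like `assert_false(httpCookies.includes('cookie=1'), 'Cross-site subresource requests from an iframe should not have cookie access.');` would help when it fails.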