commit eadb53e9b71512dc91466b87d383bd0696d711a3
parent 67709d2a6b19914e3b12540f492da55dd642eecb
Author: Daniel Rubery <drubery@chromium.org>
Date: Tue, 16 Dec 2025 08:46:45 +0000
Bug 2005627 [wpt PR 56690] - Add WPT for WebSockets in DBSC, a=testonly
Automatic update from web-platform-tests
Add WPT for WebSockets in DBSC
This CL adds a WPT validating that WebSocket handshakes can trigger DBSC
refreshes.
Bug: 379241469
Change-Id: I49ebf547540e7e7e05133d09abefc4ea6a6a6964
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7242020
Commit-Queue: Daniel Rubery <drubery@chromium.org>
Reviewed-by: thefrog <thefrog@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1557624}
--
wpt-commits: ad3b91ad1d450f40735af53738fa227fc8b055ee
wpt-pr: 56690
Diffstat:
1 file changed, 60 insertions(+), 0 deletions(-)
diff --git a/testing/web-platform/tests/device-bound-session-credentials/websockets.https.html b/testing/web-platform/tests/device-bound-session-credentials/websockets.https.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js" type="module"></script>
+
+<script type="module">
+ import { expireCookie, documentHasCookie, waitForCookie, addCookieAndSessionCleanup, setupShardedServerState, configureServer } from "./helper.js";
+
+ function ws_connect(url) {
+ return new Promise(function(resolve,reject) {
+ const ws = new WebSocket(url);
+ ws.onopen = function () { resolve(); };
+ ws.onerror = function(error) { reject(error); };
+ });
+ }
+
+ promise_test(async t => {
+ await setupShardedServerState();
+ const expectedCookieAndValue = "auth_cookie=abcdef0123";
+ const expectedCookieAndAttributes = `${expectedCookieAndValue};Domain=${location.hostname};Path=/device-bound-session-credentials`;
+ addCookieAndSessionCleanup(t);
+
+ // In order to validate DBSC is applying to a WebSocket handshake,
+ // we need an endpoint that can validate the cookie was refreshed
+ // without triggering a refresh itself. Add an excluded endpoint to
+ // do that.
+ await configureServer({ scopeSpecificationItems: [
+ {
+ "type": "exclude",
+ "domain": location.hostname,
+ "path": "/device-bound-session-credentials/excludeInScopeSpecification"
+ },
+ ]});
+
+ // Prompt starting a session, and wait until registration completes.
+ const loginResponse = await fetch('login.py');
+ assert_equals(loginResponse.status, 200);
+ await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);
+
+ // Confirm that a request has the cookie set.
+ const authResponse = await fetch('verify_authenticated.py');
+ assert_equals(authResponse.status, 200);
+
+ // Confirm that expiring the cookie still leads to a request with the cookie set (refresh occurs).
+ expireCookie(expectedCookieAndAttributes);
+ assert_false(documentHasCookie(expectedCookieAndValue));
+
+ // Start a WebSocket handshake. This will fail, but DBSC will still apply to the request.
+ try {
+ await ws_connect(`wss://${location.host}/device-bound-session-credentials/websocket`);
+ } catch (error) {
+ }
+
+ // Confirm we're logged in by checking the excluded endpoint.
+ const authResponseAfterExpiry = await fetch('excludeInScopeSpecification/excluded_verify_authenticated.py');
+ assert_equals(authResponseAfterExpiry.status, 200);
+ assert_true(documentHasCookie(expectedCookieAndValue));
+ }, "An established session applies to WebSocket handshakes");
+</script>
