form-get-blank.https.html (4179B)
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
<script>
/**
 * Registers one promise_test that submits a GET form into a new top-level
 * window and checks the SameSite cookie state the popup reports back.
 *
 * @param origin          Origin handed to resetSameSiteCookies() before the
 *                        navigation; the cookies under test are set there.
 * @param target          URL prefix the form is submitted to. The path
 *                        "/cookies/resources/postToParent.py" is appended.
 * @param expectedStatus  SameSiteStatus value passed on to
 *                        verifySameSiteCookieState().
 * @param title           Test name given to promise_test().
 */
function create_test(origin, target, expectedStatus, title) {
  promise_test(t => {
    // A fresh random value per test, passed both to the cookie reset and to
    // the verification step.
    const cookieValue = "" + Math.random();

    return resetSameSiteCookies(origin, cookieValue).then(() => new Promise((resolve, reject) => {
      const form = document.createElement("form");
      form.action = target + "/cookies/resources/postToParent.py";
      form.target = "_blank";
      form.method = "GET";
      // target="_blank" implies noopener. rel="opener" opts back in so the
      // new window keeps a reference to this one; presumably postToParent.py
      // relies on that to post its result back (helper not shown here).
      form.rel = "opener";

      // A GET submission replaces the action URL's query string with the
      // form data. When the action points at the redirect helper, copy its
      // `location` parameter into a hidden field so it survives submission.
      const actionUrl = new URL(form.action);
      if (actionUrl.pathname === "/cookies/resources/redirectWithCORSHeaders.py") {
        const hidden = document.createElement("input");
        hidden.name = "location";
        hidden.type = "hidden";
        hidden.value = actionUrl.searchParams.get("location");
        form.appendChild(hidden);
      }

      // One-shot listener: it unregisters itself, closes the sending window,
      // then settles the promise from the verification result.
      // NOTE(review): the first "message" event delivered to this window
      // settles the test; event.origin and event.source are not compared
      // against the expected popup.
      const onMessage = event => {
        window.removeEventListener("message", onMessage);
        event.source.close();
        try {
          verifySameSiteCookieState(expectedStatus, cookieValue, event.data, DomSameSiteStatus.SAME_SITE);
          resolve("Popup received the cookie.");
        } catch (err) {
          reject(err);
        }
      };
      window.addEventListener("message", onMessage);

      document.body.appendChild(form);
      form.submit();
    }));
  }, title);
}

// No redirect:
create_test(
  SECURE_ORIGIN,
  SECURE_ORIGIN,
  SameSiteStatus.STRICT,
  "Same-host top-level form GETs are strictly same-site");
create_test(
  SECURE_SUBDOMAIN_ORIGIN,
  SECURE_SUBDOMAIN_ORIGIN,
  SameSiteStatus.STRICT,
  "Subdomain top-level form GETs are strictly same-site");
create_test(
  SECURE_CROSS_SITE_ORIGIN,
  SECURE_CROSS_SITE_ORIGIN,
  SameSiteStatus.LAX,
  "Cross-site top-level form GETs are laxly same-site");

// Redirect from {same-host,subdomain,cross-site} to same-host:
// In the expectations below, a cross-site hop in the redirect chain yields
// LAX rather than STRICT, even when the chain ends on the same-host or
// subdomain origin.
create_test(
  SECURE_ORIGIN,
  redirectTo(SECURE_ORIGIN, SECURE_ORIGIN),
  SameSiteStatus.STRICT,
  "Same-host redirecting to same-host top-level form GETs are strictly same-site");
create_test(
  SECURE_ORIGIN,
  redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN),
  SameSiteStatus.STRICT,
  "Subdomain redirecting to same-host top-level form GETs are strictly same-site");
create_test(
  SECURE_ORIGIN,
  redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN),
  SameSiteStatus.LAX,
  "Cross-site redirecting to same-host top-level form GETs are laxly same-site");

// Redirect from {same-host,subdomain,cross-site} to subdomain:
create_test(
  SECURE_SUBDOMAIN_ORIGIN,
  redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN),
  SameSiteStatus.STRICT,
  "Same-host redirecting to subdomain top-level form GETs are strictly same-site");
create_test(
  SECURE_SUBDOMAIN_ORIGIN,
  redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN),
  SameSiteStatus.STRICT,
  "Subdomain redirecting to subdomain top-level form GETs are strictly same-site");
create_test(
  SECURE_SUBDOMAIN_ORIGIN,
  redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN),
  SameSiteStatus.LAX,
  "Cross-site redirecting to subdomain top-level form GETs are laxly same-site");

// Redirect from {same-host,subdomain,cross-site} to cross-site:
create_test(
  SECURE_CROSS_SITE_ORIGIN,
  redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN),
  SameSiteStatus.LAX,
  "Same-host redirecting to cross-site top-level form GETs are laxly same-site");
create_test(
  SECURE_CROSS_SITE_ORIGIN,
  redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN),
  SameSiteStatus.LAX,
  "Subdomain redirecting to cross-site top-level form GETs are laxly same-site");
create_test(
  SECURE_CROSS_SITE_ORIGIN,
  redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN),
  SameSiteStatus.LAX,
  "Cross-site redirecting to cross-site top-level form GETs are laxly same-site");
</script>