multiple-samesite-attributes.https.html (6033B)
1 <!DOCTYPE html> 2 <meta charset="utf-8"/> 3 <meta name="timeout" content="long"> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="/cookies/resources/cookie-helper.sub.js"></script> 7 <script> 8 function assert_cookie_present(origin, name, value) { 9 return new Promise((resolve, reject) => { 10 var img = document.createElement("img"); 11 img.onload = _ => resolve("'" + name + "=" + value + "' present on " + origin); 12 img.onerror = _ => reject("'" + name + "=" + value + "' not present on " + origin); 13 14 // We need to URL encode the destination path/query if we're redirecting: 15 if (origin.match(/\/redir/)) 16 img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value); 17 else 18 img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value; 19 }); 20 } 21 22 function assert_cookie_absent(origin, name, value) { 23 return new Promise((resolve, reject) => { 24 var img = document.createElement("img"); 25 img.onload = _ => reject("'" + name + "=" + value + "' present on " + origin); 26 img.onerror = _ => resolve("'" + name + "=" + value + "' not present on " + origin); 27 28 // We need to URL encode the destination path/query if we're redirecting: 29 if (origin.match(/\/redir/)) 30 img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value); 31 else 32 img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value; 33 }); 34 } 35 36 function create_test(origin, target, expectedStatus, title) { 37 promise_test(t => { 38 var value = "" + Math.random(); 39 return resetSameSiteMultiAttributeCookies(origin, value) 40 .then(_ => { 41 var asserts = [ 42 assert_cookie_present(target, "samesite_unsupported_none", value), 43 assert_cookie_present(target, "samesite_lax_none", value), 44 expectedStatus == SameSiteStatus.STRICT ? 45 assert_cookie_present(target, "samesite_unsupported_strict", value) : 46 assert_cookie_absent(target, "samesite_unsupported_strict", value), 47 expectedStatus == SameSiteStatus.STRICT ? 48 assert_cookie_present(target, "samesite_lax_strict", value) : 49 assert_cookie_absent(target, "samesite_lax_strict", value), 50 expectedStatus == SameSiteStatus.CROSS_SITE ? 51 assert_cookie_absent(target, "samesite_unsupported_lax", value) : 52 assert_cookie_present(target, "samesite_unsupported_lax", value), 53 expectedStatus == SameSiteStatus.CROSS_SITE ? 54 assert_cookie_absent(target, "samesite_strict_lax", value) : 55 assert_cookie_present(target, "samesite_strict_lax", value), 56 expectedStatus == SameSiteStatus.CROSS_SITE ? 57 assert_cookie_absent(target, "samesite_none_unsupported", value) : 58 assert_cookie_present(target, "samesite_none_unsupported", value), 59 expectedStatus == SameSiteStatus.CROSS_SITE ? 60 assert_cookie_absent(target, "samesite_lax_unsupported", value) : 61 assert_cookie_present(target, "samesite_lax_unsupported", value), 62 expectedStatus == SameSiteStatus.CROSS_SITE ? 63 assert_cookie_absent(target, "samesite_strict_unsupported", value) : 64 assert_cookie_present(target, "samesite_strict_unsupported", value), 65 expectedStatus == SameSiteStatus.CROSS_SITE ? 66 assert_cookie_absent(target, "samesite_unsupported", value) : 67 assert_cookie_present(target, "samesite_unsupported", value)]; 68 return Promise.all(asserts); 69 }); 70 }, title); 71 } 72 73 // No redirect: 74 create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host images are strictly same-site"); 75 create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain images are strictly same-site"); 76 create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site images are cross-site"); 77 78 // Redirect from {same-host,subdomain,cross-site} to same-host: 79 create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host images are strictly same-site"); 80 create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host images are strictly same-site"); 81 create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to same-host images are cross-site"); 82 83 // Redirect from {same-host,subdomain,cross-site} to same-host: 84 create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain images are strictly same-site"); 85 create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain images are strictly same-site"); 86 create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to subdomain images are cross-site"); 87 88 // Redirect from {same-host,subdomain,cross-site} to cross-site: 89 create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site images are cross-site"); 90 create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site images are cross-site"); 91 create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site images are cross-site"); 92 </script>