cache.window.js (3306B)
1 // META: script=/common/get-host-info.sub.js 2 // META: script=/common/utils.js 3 // META: script=/common/dispatcher/dispatcher.js 4 // META: script=./resources/common.js 5 6 // With COEP:credentialless, requesting a resource without credentials MUST NOT 7 // return a response requested with credentials. This would be a security 8 // issue, since COEP:credentialless can be used to enable crossOriginIsolation. 9 // 10 // The test the behavior of the HTTP cache: 11 // 1. b.com stores cookie. 12 // 2. a.com(COEP:unsafe-none): request b.com's resource. 13 // 3. a.com(COEP:credentialless): request b.com's resource. 14 // 15 // The first time, the resource is requested with credentials. The response is 16 // served with Cache-Control: max-age=31536000. It enters the cache. 17 // The second time, the resource is requested without credentials. The response 18 // in the cache must not be returned. 19 20 const cookie_key = "coep_cache_key"; 21 const cookie_value = "coep_cache_value"; 22 const same_origin = get_host_info().HTTPS_ORIGIN; 23 const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; 24 25 const GetCookie = (response) => { 26 return parseCookies(JSON.parse(response))[cookie_key]; 27 } 28 29 // "same_origin" document with COEP:unsafe-none. 30 const w_coep_none_token = token(); 31 const w_coep_none_url = same_origin + executor_path + coep_none + 32 `&uuid=${w_coep_none_token}` 33 const w_coep_none = window.open(w_coep_none_url); 34 add_completion_callback(() => w_coep_none.close()); 35 36 // "same_origin" document with COEP:credentialles. 37 const w_coep_credentialless_token = token(); 38 const w_coep_credentialless_url = same_origin + executor_path + 39 coep_credentialless + `&uuid=${w_coep_credentialless_token}` 40 const w_coep_credentialless = window.open(w_coep_credentialless_url); 41 add_completion_callback(() => w_coep_credentialless.close()); 42 43 const this_token = token(); 44 45 // A request toward a "cross-origin" cacheable response. 46 const request_token = token(); 47 const request_url = cacheableShowRequestHeaders(cross_origin, request_token); 48 49 promise_setup(async test => { 50 await setCookie(cross_origin, cookie_key, cookie_value + cookie_same_site_none); 51 }, "Set cookie"); 52 53 // The "same-origin" COEP:unsafe-none document fetchs a "cross-origin" 54 // resource. The request is sent with credentials. 55 promise_setup(async test => { 56 send(w_coep_none_token, ` 57 await fetch("${request_url}", { 58 mode : "no-cors", 59 credentials: "include", 60 }); 61 send("${this_token}", "Resource fetched"); 62 `); 63 64 assert_equals(await receive(this_token), "Resource fetched"); 65 assert_equals(await receive(request_token).then(GetCookie), cookie_value); 66 }, "Cache a response requested with credentials"); 67 68 // The "same-origin" COEP:credentialless document fetches the same resource 69 // without credentials. The HTTP cache must not be used. Instead a second 70 // request must be made without credentials. 71 promise_test(async test => { 72 send(w_coep_credentialless_token, ` 73 await fetch("${request_url}", { 74 mode : "no-cors", 75 credentials: "include", 76 }); 77 send("${this_token}", "Resource fetched"); 78 `); 79 80 assert_equals(await receive(this_token), "Resource fetched"); 81 82 test.step_timeout(test.unreached_func("The HTTP cache has been used"), 1500); 83 assert_equals(await receive(request_token).then(GetCookie), undefined); 84 }, "The HTTP cache must not be used");