image.https.window.js (3354B)
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js

// Checks which <img> requests carry cookies when the embedding document is
// served with COEP:credentialless, compared against a COEP:none control
// document. Each case loads an image URL that reports the request headers
// the server received, then compares the cookie seen for each window.
//
// Helpers such as setCookie, token, send, receive, showRequestHeaders,
// parseCookies, executor_path, coep_none, coep_credentialless and
// cookie_same_site_none are not defined here; presumably they come from the
// META-included scripts above.
promise_test_parallel(async test => {
  const same_origin = get_host_info().HTTPS_ORIGIN;
  const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
  const cookie_key = "coep_credentialless_image";
  const cookie_same_origin = "same_origin";
  const cookie_cross_origin = "cross_origin";

  // Give each origin its own value under the same cookie name, so a reported
  // cookie identifies which origin's credentials were attached.
  // NOTE(review): cookie_same_site_none looks like a SameSite=None attribute
  // suffix, which a cross-site image request would need — confirm in common.js.
  await Promise.all([
    setCookie(same_origin, cookie_key,
              cookie_same_origin + cookie_same_site_none),
    setCookie(cross_origin, cookie_key,
              cookie_cross_origin + cookie_same_site_none),
  ]);

  // Opens a same-origin executor window served with the given COEP header
  // fragment, schedules it to be closed when the harness completes, and
  // returns the uuid used to address it.
  const open_executor = (coep_header) => {
    const uuid = token();
    const popup = window.open(
        same_origin + executor_path + coep_header + `&uuid=${uuid}`);
    add_completion_callback(() => popup.close());
    return uuid;
  };

  // One window with COEP:none. (control)
  const control_uuid = open_executor(coep_none);

  // One window with COEP:credentialless. (experiment)
  const credentialless_uuid = open_executor(coep_credentialless);

  // Registers one sub-test: both windows load an image from `origin` with the
  // `mode` statement applied (e.g. setting img.crossOrigin), and the cookie
  // each request carried is compared with the expected value for that window.
  // An expected value of `undefined` means no cookie under cookie_key.
  const imgTest = (description, origin, mode,
                   expected_cookies_control,
                   expected_cookies_credentialless) => {
    promise_test_parallel(async test => {
      const token_1 = token();
      const token_2 = token();

      // Script source sent to an executor window. All interpolated values
      // are test-controlled: `mode` is one of the literals in the case table
      // below (an empty `mode` leaves a bare `;`), and the URL comes from
      // showRequestHeaders.
      const img_script = (report_url) => `
        let img = document.createElement("img");
        img.src = "${report_url}";
        ${mode};
        document.body.appendChild(img);
      `;

      send(control_uuid, img_script(showRequestHeaders(origin, token_1)));
      send(credentialless_uuid,
           img_script(showRequestHeaders(origin, token_2)));

      const headers_control = JSON.parse(await receive(token_1));
      const headers_credentialless = JSON.parse(await receive(token_2));

      assert_equals(parseCookies(headers_control)[cookie_key],
                    expected_cookies_control,
                    "coep:none => ");
      assert_equals(parseCookies(headers_credentialless)[cookie_key],
                    expected_cookies_credentialless,
                    "coep:credentialless => ");
    }, `image ${description}`);
  };

  // Columns: description, origin, mode, expected cookie in the COEP:none
  // window, expected cookie in the COEP:credentialless window.
  const cases = [
    // Same-origin request always contains Cookies:
    ["same-origin + undefined",
     same_origin, '',
     cookie_same_origin, cookie_same_origin],
    ["same-origin + anonymous",
     same_origin, 'img.crossOrigin="anonymous"',
     cookie_same_origin, cookie_same_origin],
    ["same-origin + use-credentials",
     same_origin, 'img.crossOrigin="use-credentials"',
     cookie_same_origin, cookie_same_origin],

    // Cross-origin request contains cookies in the following cases:
    // - COEP:credentialless is not set.
    // - img.crossOrigin is `use-credentials`.
    // With crossOrigin "anonymous", neither window is expected to send them.
    ["cross-origin + undefined",
     cross_origin, '',
     cookie_cross_origin, undefined],
    ["cross-origin + anonymous",
     cross_origin, 'img.crossOrigin="anonymous"',
     undefined, undefined],
    ["cross-origin + use-credentials",
     cross_origin, 'img.crossOrigin="use-credentials"',
     cookie_cross_origin, cookie_cross_origin],
  ];

  for (const args of cases) {
    imgTest(...args);
  }
}, "Main");