credentialless-cache.tentative.window.js (3344B)
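// META: timeout=long
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js

// With DIP:isolate-and-credentialless, requesting a resource without
// credentials MUST NOT return a response requested with credentials. This would
// be a security issue, since DIP:isolate-and-credentialless can be used to
// enable crossOriginIsolation: a credentialed (i.e. potentially personalized)
// cross-origin response handed back out of the HTTP cache would end up inside
// an isolated context that was never allowed to request it with credentials.
//
// The test exercises the behavior of the HTTP cache:
// 1. b.com stores a cookie.
// 2. a.com (DIP:none) requests b.com's resource.
// 3. a.com (DIP:isolate-and-credentialless) requests the same resource.
//
// The first time, the resource is requested with credentials. The response is
// served with Cache-Control: max-age=31536000, so it enters the cache.
// The second time, the request is effectively made without credentials: the
// policy is expected to strip them even though the fetch asks for
// `credentials: "include"`. The cached, credentialed response must not be
// returned. Instead a fresh request must reach the server, carrying no cookie.

const cookie_key = "dip_cache_key";
const cookie_value = "dip_cache_value";
const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;

// Extracts the test cookie from the JSON-encoded request-header echo produced
// by the cacheable resource. Yields `undefined` when the request carried no
// such cookie, which is what the credentialless case must observe.
const GetCookie = (response) => {
  return parseCookies(JSON.parse(response))[cookie_key];
};

// "same_origin" document with DIP:none.
const w_dip_none_token = token();
const w_dip_none_url = same_origin + executor_path + dip_none +
  `&uuid=${w_dip_none_token}`;
const w_dip_none = window.open(w_dip_none_url);
add_completion_callback(() => w_dip_none.close());

// "same_origin" document with DIP:isolate-and-credentialless.
const w_dip_credentialless_token = token();
const w_dip_credentialless_url = same_origin + executor_path +
  dip_credentialless + `&uuid=${w_dip_credentialless_token}`;
const w_dip_credentialless = window.open(w_dip_credentialless_url);
add_completion_callback(() => w_dip_credentialless.close());

// Channel on which the executor documents report back to this test.
const this_token = token();

// A request toward a "cross-origin" cacheable response. The resource echoes
// the request headers it received to `request_token`, so every request that
// actually reaches the server is observable here; one served from the cache
// is not.
const request_token = token();
const request_url = cacheableShowRequestHeaders(cross_origin, request_token);

promise_setup(async test => {
  // SameSite=None is required for the cookie to be attached to the
  // cross-site requests made below.
  await setCookie(cross_origin, cookie_key, cookie_value + cookie_same_site_none);
}, "Set cookie");

// The "same-origin" DIP:none document fetches a "cross-origin"
// resource. The request is sent with credentials.
promise_setup(async test => {
  send(w_dip_none_token, `
    await fetch("${request_url}", {
      mode : "no-cors",
      credentials: "include",
    });
    send("${this_token}", "Resource fetched");
  `);

  assert_equals(await receive(this_token), "Resource fetched");
  // The server must have seen the cookie: this is the credentialed response
  // that is now sitting in the HTTP cache.
  assert_equals(await receive(request_token).then(GetCookie), cookie_value);
}, "Cache a response requested with credentials");

// The "same-origin" DIP:isolate-and-credentialless document fetches the same
// resource. `credentials: "include"` is deliberate: the policy, not the fetch
// options, is what must drop the credentials. The HTTP cache must not be used.
// Instead a second request must be made without credentials.
promise_test(async test => {
  send(w_dip_credentialless_token, `
    await fetch("${request_url}", {
      mode : "no-cors",
      credentials: "include",
    });
    send("${this_token}", "Resource fetched");
  `);

  assert_equals(await receive(this_token), "Resource fetched");

  // If the cached response was reused, no second request reaches the server
  // and `receive(request_token)` would never resolve. Turn that hang into an
  // explicit failure rather than waiting for the harness timeout.
  test.step_timeout(test.unreached_func("The HTTP cache has been used"), 1500);
  // A second request did reach the server; it must carry no cookie.
  assert_equals(await receive(request_token).then(GetCookie), undefined);
}, "The HTTP cache must not be used");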