credentialless-link.https.tentative.window.js (3430B)
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js

// Checks which <link rel="stylesheet"> requests carry cookies when the
// document issuing them was opened with DIP:credentialless, compared with a
// DIP:none control document. Expected value of the test cookie per case:
//
//   target        link.crossOrigin     DIP:none        DIP:credentialless
//   same-origin   (any)                same_origin     same_origin
//   cross-origin  unset                cross_origin    (no cookie)
//   cross-origin  "anonymous"          (no cookie)     (no cookie)
//   cross-origin  "use-credentials"    cross_origin    cross_origin
//
// The security-relevant row is "cross-origin + unset": it is the only case
// where the two policies are expected to differ.
//
// NOTE(review): setCookie, token, send, receive, showRequestHeaders,
// parseCookies, executor_path, dip_none, dip_credentialless and
// cookie_same_site_none are not defined here; presumably they come from the
// META scripts above — confirm.
promise_test_parallel(async test => {
  const same_origin = get_host_info().HTTPS_ORIGIN;
  const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
  const cookie_key = "dip_credentialless_link";
  const cookie_same_origin = "same_origin";
  const cookie_cross_origin = "cross_origin";

  // Seed one distinguishable cookie per origin before any request is made.
  // Going by its name, cookie_same_site_none appends the SameSite=None
  // attributes; without them the cross-origin control would have no cookie to
  // send and the comparison would prove nothing — confirm in common.js.
  const same_origin_cookie = setCookie(
    same_origin, cookie_key, cookie_same_origin + cookie_same_site_none);
  const cross_origin_cookie = setCookie(
    cross_origin, cookie_key, cookie_cross_origin + cookie_same_site_none);
  await Promise.all([same_origin_cookie, cross_origin_cookie]);

  // Opens a same-origin executor window with the given policy parameters and
  // closes it again once the whole test file has completed.
  const open_executor = (policy, uuid) => {
    const popup =
        window.open(same_origin + executor_path + policy + `&uuid=${uuid}`);
    add_completion_callback(() => popup.close());
  };

  // One window with DIP:none. (control)
  const w_control_token = token();
  open_executor(dip_none, w_control_token);

  // One window with DIP:credentialless. (experiment)
  const w_credentialless_token = token();
  open_executor(dip_credentialless, w_credentialless_token);

  // Registers one sub-test: both windows load the same stylesheet URL through
  // a <link> element, and the request headers reported back for each load are
  // compared with the expected cookie value (undefined = cookie absent).
  //
  // `mode` is spliced verbatim into the script text handed to send(), so it
  // must only ever be one of the literals written in this file.
  const run_link_case = (
      description, origin, mode,
      expected_cookies_control,
      expected_cookies_credentialless) => {
    promise_test_parallel(async test => {
      const token_1 = token();
      const token_2 = token();

      // Sends the <link>-creating snippet to one executor; the stylesheet URL
      // is the header-reporting endpoint keyed by `report_uuid`.
      const inject_link = (executor_uuid, report_uuid) => {
        send(executor_uuid, `
          let link = document.createElement("link");
          link.href = "${showRequestHeaders(origin, report_uuid)}";
          link.rel = "stylesheet";
          ${mode}
          document.head.appendChild(link);
        `);
      };
      inject_link(w_control_token, token_1);
      inject_link(w_credentialless_token, token_2);

      const control_headers = JSON.parse(await receive(token_1));
      const credentialless_headers = JSON.parse(await receive(token_2));

      const control_cookie = parseCookies(control_headers)[cookie_key];
      assert_equals(control_cookie,
                    expected_cookies_control,
                    "dip:none => ");

      const credentialless_cookie =
          parseCookies(credentialless_headers)[cookie_key];
      assert_equals(credentialless_cookie,
                    expected_cookies_credentialless,
                    "dip:credentialless => ");
    }, `link ${description}`);
  };

  // Each row: description, target origin, crossOrigin snippet, cookie expected
  // under DIP:none, cookie expected under DIP:credentialless.
  const link_cases = [
    // Same-origin request always contains Cookies:
    ["same-origin + undefined",
     same_origin, '',
     cookie_same_origin, cookie_same_origin],
    ["same-origin + anonymous",
     same_origin, 'link.crossOrigin="anonymous"',
     cookie_same_origin, cookie_same_origin],
    ["same-origin + use-credentials",
     same_origin, 'link.crossOrigin="use-credentials"',
     cookie_same_origin, cookie_same_origin],

    // Cross-origin request contains cookies in the following cases:
    // - DIP:credentialless is not set.
    // - link.crossOrigin is `use-credentials`.
    ["cross-origin + undefined",
     cross_origin, '',
     cookie_cross_origin, undefined],
    ["cross-origin + anonymous",
     cross_origin, 'link.crossOrigin="anonymous"',
     undefined, undefined],
    ["cross-origin + use-credentials",
     cross_origin, 'link.crossOrigin="use-credentials"',
     cookie_cross_origin, cookie_cross_origin],
  ];

  // Sub-tests are registered in table order, one per row.
  for (const link_case of link_cases) {
    run_link_case(...link_case);
  }
}, "Main");