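// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js

// Observes which cookies accompany a <script src> fetch issued from a
// document served with Document-Isolation-Policy (DIP) `none` (control)
// versus `credentialless` (experiment), for a same-origin and a cross-origin
// script URL and for each value of `script.crossOrigin`.
//
// Helpers not defined here (setCookie, token, send, receive,
// showRequestHeaders, parseCookies, executor_path, dip_none,
// dip_credentialless, cookie_same_site_none, promise_test_parallel) come
// from the META scripts above; their exact behaviour is not visible in this
// file.
window.onload = function() {
  promise_test_parallel(async test => {
    const same_origin = get_host_info().HTTPS_ORIGIN;
    const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
    const cookie_key = "dip_credentialless_script";
    const cookie_same_origin = "same_origin";
    const cookie_cross_origin = "cross_origin";

    // Plant a distinguishable cookie on each origin so the captured request
    // headers reveal whether credentials were attached to the script fetch.
    await Promise.all([
      setCookie(same_origin, cookie_key, cookie_same_origin +
        cookie_same_site_none),
      setCookie(cross_origin, cookie_key, cookie_cross_origin +
        cookie_same_site_none),
    ]);

    // One window with DIP:none. (control)
    const w_control_token = token();
    // Terminated explicitly; the original relied on ASI here.
    const w_control_url = same_origin + executor_path +
      dip_none + `&uuid=${w_control_token}`;
    const w_control = window.open(w_control_url);
    add_completion_callback(() => w_control.close());

    // One window with DIP:credentialless. (experiment)
    const w_credentialless_token = token();
    const w_credentialless_url = same_origin + executor_path +
      dip_credentialless + `&uuid=${w_credentialless_token}`;
    const w_credentialless = window.open(w_credentialless_url);
    add_completion_callback(() => w_credentialless.close());

    // Injects <script src=origin/...> into both windows and asserts the
    // value of `cookie_key` the server saw on each request.
    //   description - suffix for the sub-test name.
    //   origin      - origin the script is fetched from.
    //   mode        - JS statement (or '') run in the executor before the
    //                 element is appended; used to set script.crossOrigin.
    //   expected_cookies_control / expected_cookies_credentialless -
    //                 cookie value expected in the control / experiment
    //                 window; `undefined` means the cookie must be absent.
    const scriptTest = function(
        description, origin, mode,
        expected_cookies_control,
        expected_cookies_credentialless)
    {
      promise_test_parallel(async test => {
        const token_1 = token();
        const token_2 = token();

        send(w_control_token, `
          let script = document.createElement("script");
          script.src = "${showRequestHeaders(origin, token_1)}";
          ${mode};
          document.body.appendChild(script);
        `);
        send(w_credentialless_token, `
          let script = document.createElement("script");
          script.src = "${showRequestHeaders(origin, token_2)}";
          ${mode};
          document.body.appendChild(script);
        `);

        // Each executor reports the request headers it received as JSON.
        const headers_control = JSON.parse(await receive(token_1));
        const headers_credentialless = JSON.parse(await receive(token_2));

        assert_equals(parseCookies(headers_control)[cookie_key],
          expected_cookies_control,
          "dip:none => ");
        assert_equals(parseCookies(headers_credentialless)[cookie_key],
          expected_cookies_credentialless,
          "dip:credentialless => ");
      }, `script ${description}`);
    };

    // Same-origin request always contains Cookies:
    scriptTest("same-origin + undefined",
      same_origin, '',
      cookie_same_origin,
      cookie_same_origin);
    scriptTest("same-origin + anonymous",
      same_origin, 'script.crossOrigin="anonymous"',
      cookie_same_origin,
      cookie_same_origin);
    scriptTest("same-origin + use-credentials",
      same_origin, 'script.crossOrigin="use-credentials"',
      cookie_same_origin,
      cookie_same_origin);

    // Cross-origin request contains cookies in the following cases:
    // - DIP:credentialless is not set.
    // - script.crossOrigin is `use-credentials`.
    // Otherwise the cookie must not be sent; with `anonymous` it is absent
    // in both windows, with no crossOrigin it is stripped only under
    // DIP:credentialless.
    scriptTest("cross-origin + undefined",
      cross_origin, '',
      cookie_cross_origin,
      undefined);
    scriptTest("cross-origin + anonymous",
      cross_origin, 'script.crossOrigin="anonymous"',
      undefined,
      undefined);
    scriptTest("cross-origin + use-credentials",
      cross_origin, 'script.crossOrigin="use-credentials"',
      cookie_cross_origin,
      cookie_cross_origin);
  }, "Main");
};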