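// META: variant=?request_origin=same_origin&worker_dip=none&window_dip=none
// META: variant=?request_origin=same_origin&worker_dip=none&window_dip=credentialless
// META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=none
// META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=credentialless
// META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=none
// META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=credentialless
// META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=none
// META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=credentialless
// META: timeout=long
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js

// Test description:
// Request a resource from a SharedWorker. Check the request's cookies.
//
// Variant:
// - The Window DIP policy: none or credentialless.
// - The SharedWorker DIP policy: none or credentialless.
// - The SharedWorker's request URL origin: same-origin or cross-origin.
//
// Every helper used below (get_host_info, token, dip_none, dip_credentialless,
// environments, executor_worker_path, showRequestHeaders, setCookie,
// cookie_same_site_none, parseCookies, send, receive) comes from the META
// scripts above.

const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
// One fresh cookie name per test run so runs sharing the origin cannot
// observe each other's cookies.
const cookie_key = token();
const cookie_same_origin = "same_origin";
const cookie_cross_origin = "cross_origin";

const variants = new URLSearchParams(window.location.search);

// Resolve the `?name=value` variant parameter `name` against `choices`, a
// Map from the value spelled in the META lines above to the object the test
// should use. An unknown or missing value throws instead of silently falling
// back to a default: the previous code compared `request_origin` against
// 'same-origin' while the META lines spell it 'same_origin', so every variant
// quietly ran the cross-origin case and still passed.
const variant = (name, choices) => {
  const value = variants.get(name);
  if (!choices.has(value)) {
    throw new Error(`Unexpected value for variant "${name}": ${value}`);
  }
  return choices.get(value);
};

const dip_choices = new Map([
  ['none', dip_none],
  ['credentialless', dip_credentialless],
]);
const window_dip = variant('window_dip', dip_choices);
const worker_dip = variant('worker_dip', dip_choices);
// Keys match the META spelling (underscore), not the hyphenated "same-origin".
const request_origin = variant('request_origin', new Map([
  ['same_origin', same_origin],
  ['cross_origin', cross_origin],
]));

// Expected cookie seen by the server for the worker's request:
// - same-origin requests always carry the origin's cookie;
// - cross-origin no-cors requests carry the cookie unless the worker is
//   DIP:credentialless, in which case credentials are stripped even though the
//   fetch below asks for `credentials: 'include'`.
// Note: this must not depend on the window's DIP policy, only the worker's.
const worker_expected_cookie =
  request_origin === same_origin
    ? cookie_same_origin
    : (worker_dip === dip_credentialless
      ? undefined
      : cookie_cross_origin);

// From a JSON string holding the request's HTTP headers as key/values, return
// the cookie stored under `cookie_key` (undefined when the request carried no
// such cookie).
const get_cookie = (response) => {
  const headers = JSON.parse(response);
  return parseCookies(headers)[cookie_key];
};

promise_test(async test => {
  // 0. Populate cookies for the two origins. SameSite=None is required so the
  //    cross-origin request is even eligible to carry the cookie.
  await Promise.all([
    setCookie(same_origin, cookie_key, cookie_same_origin +
      cookie_same_site_none),
    setCookie(cross_origin, cookie_key, cookie_cross_origin +
      cookie_same_site_none),
  ]);

  // 1. Create the popup with the `window_dip` DIP policy:
  const popup = environments.document(window_dip)[0];

  // 2. Create the worker with the `worker_dip` DIP policy. The worker script
  //    is always same-origin with the popup; only its DIP policy varies.
  const worker_token = token();
  const worker_error = token();
  const worker_src = same_origin + executor_worker_path + worker_dip +
    `&uuid=${worker_token}`;
  send(popup, `
    let worker = new SharedWorker("${worker_src}", {});
    worker.onerror = () => {
      send("${worker_error}", "Worker blocked");
    }
  `);

  // 3. Request the resource from the worker, with the `request_origin` origin.
  //    `credentials: 'include'` is deliberate: the point under test is whether
  //    DIP:credentialless strips cookies despite the explicit opt-in.
  const request_token = token();
  const request_url = showRequestHeaders(request_origin, request_token);
  send(worker_token, `fetch("${request_url}", {
    mode: 'no-cors',
    credentials: 'include',
  })`);
  // Race against the worker's error channel so a blocked worker fails the
  // assertion below with "Worker blocked" instead of timing out.
  const request_cookie = await Promise.race([
    receive(worker_error),
    receive(request_token).then(get_cookie)
  ]);

  assert_equals(request_cookie, worker_expected_cookie);
});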