cross-origin-same-site-credentials.https.sub.html (2968B)
1 <!DOCTYPE HTML> 2 <html> 3 <head> 4 <title>Test that credentials are sent properly in a cross-origin but same-site nested context</title> 5 <script src='/resources/testharness.js'></script> 6 <script src='/resources/testharnessreport.js'></script> 7 <script src='resources/report-helper.js'></script> 8 </head> 9 <body> 10 <script> 11 const base_url = `${location.protocol}//${location.host}`; 12 const endpoint = `${base_url}/reporting/resources/report.py`; 13 const id = 'd6f382f4-028d-51e0-9ef2-a635439da02a'; 14 15 promise_test(async t => { 16 // If this is not run from the expected origin, then the A->A->www.A frame embedding will not be correct, 17 // and the cookies set in the top-level page will never be returned with the reports. 18 assert_true(location.href.startsWith("https://{{hosts[][]}}:{{ports[https][0]}}/"), 19 "Test running on unexpected origin; subsequent assertions will fail."); 20 21 // Set credentials, and set up test to clear them afterwards. Cookies are set with the Domain 22 // attribute, so that they may be sent to same-site resources. 23 await fetch('/cookies/resources/setSameSiteDomain.py?reporting', {mode: 'no-cors', credentials: 'include', cache: 'no-store'}); 24 t.add_cleanup(() => fetch("/cookies/resources/dropSameSite.py", {mode: 'no-cors', credentials: 'include', cache: 'no-store'})); 25 26 // Insert a same-origin frame, which will then frame a same-site but cross-origin page to 27 // trigger a CSP error. 28 const frame = document.createElement('iframe'); 29 frame.src = `https://{{hosts[][]}}:{{ports[https][0]}}/reporting/resources/middle-frame.https.sub.html?host={{hosts[][www]}}&reportID=${id}`; 30 31 // Wait for the inner frame to signal that the report has been generated. 32 await new Promise(resolve => { 33 window.addEventListener('message', ev => { 34 if (ev.data === "done") 35 resolve(ev.data); 36 }); 37 document.body.appendChild(frame); 38 }); 39 40 const reports = await pollReports(endpoint, id); 41 checkReportExists(reports, 'csp-violation', 42 `https://{{hosts[][www]}}:{{ports[https][0]}}/reporting/resources/same-origin-report.https.sub.html?reportID=${id}`); 43 44 // All credentials set at the top-level should be received. 45 const cookies = await pollCookies(endpoint, id); 46 assert_equals(cookies.samesite_none, "[samesite_none=reporting]", "Credential value was correct"); 47 assert_equals(cookies.samesite_unspecified, "[samesite_unspecified=reporting]", "Credential value was correct"); 48 assert_equals(cookies.samesite_lax, "[samesite_lax=reporting]", "Credential value was correct"); 49 assert_equals(cookies.samesite_strict, "[samesite_strict=reporting]", "Credential value was correct"); 50 assert_equals(Object.keys(cookies).length, 4, "No additional cookies were received"); 51 52 }, "Reporting endpoints received credentials."); 53 </script> 54 </body> 55 </html>