same-origin-cross-site-credentials.https.sub.html (2838B)
1 <!DOCTYPE HTML> 2 <html> 3 <head> 4 <title>Test that credentials are sent properly in a same-origin but not same-site context</title> 5 <script src='/resources/testharness.js'></script> 6 <script src='/resources/testharnessreport.js'></script> 7 <script src='resources/report-helper.js'></script> 8 </head> 9 <body> 10 <script> 11 const base_url = `${location.protocol}//${location.host}`; 12 const endpoint = `${base_url}/reporting/resources/report.py`; 13 const id = '44b17b0d-1041-5640-acc5-4321844b47e4'; 14 15 promise_test(async t => { 16 // If this is not run from the expected origin, then the A->B->A frame embedding will not be correct, 17 // and the cookies set in the top-level page will never be returned with the reports. 18 assert_true(location.href.startsWith("https://{{hosts[][]}}:{{ports[https][0]}}/"), 19 "Test running on unexpected origin; subsequent assertions will fail."); 20 21 // Set credentials, and set up test to clear them afterwards. 22 await fetch('/cookies/resources/setSameSite.py?reporting', {mode: 'no-cors', credentials: 'include', cache: 'no-store'}); 23 t.add_cleanup(() => fetch("/cookies/resources/dropSameSite.py", {mode: 'no-cors', credentials: 'include', cache: 'no-store'})); 24 25 // Insert a cross-origin frame which will then frame this origin to 26 // trigger a CSP error. 27 const frame = document.createElement('iframe'); 28 frame.src = `https://{{hosts[alt][]}}:{{ports[https][0]}}/reporting/resources/middle-frame.https.sub.html?reportID=${id}`; 29 document.body.appendChild(frame); 30 31 // Wait for the inner frame to signal that the report has been generated. 32 await new Promise(resolve => { 33 window.addEventListener('message', ev => { 34 if (ev.data === "done") 35 resolve(ev.data); 36 }); 37 document.body.appendChild(frame); 38 }); 39 40 const reports = await pollReports(endpoint, id); 41 checkReportExists(reports, 'csp-violation', 42 `https://{{hosts[][]}}:{{ports[https][0]}}/reporting/resources/same-origin-report.https.sub.html?reportID=${id}`); 43 44 // Same-site: None cookies should be sent, but not Lax, Strict, or default cookies. 45 const cookies = await pollCookies(endpoint, id); 46 assert_equals(cookies.samesite_none, "[samesite_none=reporting]", "Credential value was correct"); 47 assert_false("samesite_strict" in cookies, "Same-site: Strict cookies should not be sent"); 48 assert_false("samesite_lax" in cookies, "Same-site: Lax cookies should not be sent"); 49 assert_false("samesite_unspecified" in cookies, "Same-site unspecified cookies should not be sent"); 50 assert_equals(Object.keys(cookies).length, 1, "No additional cookies were received"); 51 }, "Reporting endpoints received credentials."); 52 </script> 53 </body> 54 </html>