same-site-cookies.https.html (19390B)
1 <!DOCTYPE html> 2 <meta charset="utf-8"/> 3 <meta name="timeout" content="long"> 4 <title>Service Worker: Same-site cookie behavior</title> 5 <script src="/resources/testharness.js"></script> 6 <script src="/resources/testharnessreport.js"></script> 7 <script src="/common/get-host-info.sub.js"></script> 8 <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script> 9 <script src="/cookies/resources/cookie-helper.sub.js"></script> 10 <body> 11 <script> 12 'use strict'; 13 14 const COOKIE_VALUE = 'COOKIE_VALUE'; 15 16 function make_nested_url(nested_origins, target_url) { 17 for (let i = nested_origins.length - 1; i >= 0; --i) { 18 target_url = new URL( 19 `./resources/nested-parent.html?target=${encodeURIComponent(target_url)}`, 20 nested_origins[i] + self.location.pathname); 21 } 22 return target_url; 23 } 24 25 const scopepath = '/cookies/resources/postToParent.py?with-sw'; 26 27 async function unregister_service_worker(origin, nested_origins=[]) { 28 let target_url = origin + 29 '/service-workers/service-worker/resources/unregister-rewrite-worker.html' + 30 '?scopepath=' + encodeURIComponent(scopepath); 31 target_url = make_nested_url(nested_origins, target_url); 32 const w = window.open(target_url); 33 try { 34 await wait_for_message('SW-UNREGISTERED'); 35 } finally { 36 w.close(); 37 } 38 } 39 40 async function register_service_worker(origin, nested_origins=[]) { 41 let target_url = origin + 42 '/service-workers/service-worker/resources/register-rewrite-worker.html' + 43 '?scopepath=' + encodeURIComponent(scopepath); 44 target_url = make_nested_url(nested_origins, target_url); 45 const w = window.open(target_url); 46 try { 47 await wait_for_message('SW-REGISTERED'); 48 } finally { 49 w.close(); 50 } 51 } 52 53 async function run_test(t, origin, navaction, swaction, expected, 54 redirect_origins=[], nested_origins=[]) { 55 if (swaction === 'navpreload') { 56 assert_true('navigationPreload' in ServiceWorkerRegistration.prototype, 57 'navigation preload must be supported'); 58 } 59 const sw_param = swaction === 'no-sw' ? 'no-sw' : 'with-sw'; 60 let action_param = ''; 61 if (swaction === 'fallback') { 62 action_param = '&ignore'; 63 } else if (swaction !== 'no-sw') { 64 action_param = '&' + swaction; 65 } 66 const navpreload_param = swaction === 'navpreload' ? '&navpreload' : ''; 67 const change_request_param = swaction === 'change-request' ? '&change-request' : ''; 68 const target_string = origin + `/cookies/resources/postToParent.py?` + 69 `${sw_param}${action_param}` 70 let target_url = new URL(target_string); 71 72 for (let i = redirect_origins.length - 1; i >= 0; --i) { 73 const redirect_url = new URL( 74 `./resources/redirect.py?Status=307&Redirect=${encodeURIComponent(target_url)}`, 75 redirect_origins[i] + self.location.pathname); 76 target_url = redirect_url; 77 } 78 79 if (navaction === 'window.open') { 80 target_url = new URL( 81 `./resources/window-opener.html?target=${encodeURIComponent(target_url)}`, 82 self.origin + self.location.pathname); 83 } else if (navaction === 'form post') { 84 target_url = new URL( 85 `./resources/form-poster.html?target=${encodeURIComponent(target_url)}`, 86 self.origin + self.location.pathname); 87 } else if (navaction === 'set location') { 88 target_url = new URL( 89 `./resources/location-setter.html?target=${encodeURIComponent(target_url)}`, 90 self.origin + self.location.pathname); 91 } 92 93 const w = window.open(make_nested_url(nested_origins, target_url)); 94 t.add_cleanup(() => w.close()); 95 96 const result = await wait_for_message('COOKIES'); 97 verifySameSiteCookieState(expected, COOKIE_VALUE, result.data); 98 } 99 100 promise_test(async t => { 101 await resetSameSiteCookies(self.origin, COOKIE_VALUE); 102 await register_service_worker(self.origin); 103 104 await resetSameSiteCookies(SECURE_SUBDOMAIN_ORIGIN, COOKIE_VALUE); 105 await register_service_worker(SECURE_SUBDOMAIN_ORIGIN); 106 107 await resetSameSiteCookies(SECURE_CROSS_SITE_ORIGIN, COOKIE_VALUE); 108 await register_service_worker(SECURE_CROSS_SITE_ORIGIN); 109 110 await register_service_worker(self.origin, 111 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 112 }, 'Setup service workers'); 113 114 promise_test(t => { 115 return run_test(t, self.origin, 'window.open', 'no-sw', 116 SameSiteStatus.STRICT); 117 }, 'same-origin, window.open with no service worker'); 118 119 promise_test(t => { 120 return run_test(t, self.origin, 'window.open', 'fallback', 121 SameSiteStatus.STRICT); 122 }, 'same-origin, window.open with fallback'); 123 124 promise_test(t => { 125 return run_test(t, self.origin, 'window.open', 'passthrough', 126 SameSiteStatus.STRICT); 127 }, 'same-origin, window.open with passthrough'); 128 129 promise_test(t => { 130 return run_test(t, self.origin, 'window.open', 'change-request', 131 SameSiteStatus.STRICT); 132 }, 'same-origin, window.open with change-request'); 133 134 promise_test(t => { 135 return run_test(t, self.origin, 'window.open', 'navpreload', 136 SameSiteStatus.STRICT); 137 }, 'same-origin, window.open with navpreload'); 138 139 promise_test(t => { 140 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'window.open', 'no-sw', 141 SameSiteStatus.STRICT); 142 }, 'same-site, window.open with no service worker'); 143 144 promise_test(t => { 145 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'window.open', 'fallback', 146 SameSiteStatus.STRICT); 147 }, 'same-site, window.open with fallback'); 148 149 promise_test(t => { 150 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'window.open', 'passthrough', 151 SameSiteStatus.STRICT); 152 }, 'same-site, window.open with passthrough'); 153 154 promise_test(t => { 155 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'window.open', 'change-request', 156 SameSiteStatus.STRICT); 157 }, 'same-site, window.open with change-request'); 158 159 promise_test(t => { 160 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'window.open', 'navpreload', 161 SameSiteStatus.STRICT); 162 }, 'same-site, window.open with navpreload'); 163 164 promise_test(t => { 165 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'window.open', 'no-sw', 166 SameSiteStatus.LAX); 167 }, 'cross-site, window.open with no service worker'); 168 169 promise_test(t => { 170 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'window.open', 'fallback', 171 SameSiteStatus.LAX); 172 }, 'cross-site, window.open with fallback'); 173 174 promise_test(t => { 175 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'window.open', 'passthrough', 176 SameSiteStatus.LAX); 177 }, 'cross-site, window.open with passthrough'); 178 179 promise_test(t => { 180 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'window.open', 'change-request', 181 SameSiteStatus.STRICT); 182 }, 'cross-site, window.open with change-request'); 183 184 promise_test(t => { 185 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'window.open', 'navpreload', 186 SameSiteStatus.LAX); 187 }, 'cross-site, window.open with navpreload'); 188 189 // 190 // window.open redirect tests 191 // 192 promise_test(t => { 193 return run_test(t, self.origin, 'window.open', 'no-sw', 194 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 195 }, 'same-origin, window.open with no service worker and same-site redirect'); 196 197 promise_test(t => { 198 return run_test(t, self.origin, 'window.open', 'fallback', 199 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 200 }, 'same-origin, window.open with fallback and same-site redirect'); 201 202 promise_test(t => { 203 return run_test(t, self.origin, 'window.open', 'passthrough', 204 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 205 }, 'same-origin, window.open with passthrough and same-site redirect'); 206 207 promise_test(t => { 208 return run_test(t, self.origin, 'window.open', 'change-request', 209 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 210 }, 'same-origin, window.open with change-request and same-site redirect'); 211 212 promise_test(t => { 213 return run_test(t, self.origin, 'window.open', 'navpreload', 214 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 215 }, 'same-origin, window.open with navpreload and same-site redirect'); 216 217 promise_test(t => { 218 return run_test(t, self.origin, 'window.open', 'no-sw', 219 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN]); 220 }, 'same-origin, window.open with no service worker and cross-site redirect'); 221 222 promise_test(t => { 223 return run_test(t, self.origin, 'window.open', 'fallback', 224 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN]); 225 }, 'same-origin, window.open with fallback and cross-site redirect'); 226 227 promise_test(t => { 228 return run_test(t, self.origin, 'window.open', 'passthrough', 229 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN]); 230 }, 'same-origin, window.open with passthrough and cross-site redirect'); 231 232 promise_test(t => { 233 return run_test(t, self.origin, 'window.open', 'change-request', 234 SameSiteStatus.STRICT, [SECURE_CROSS_SITE_ORIGIN]); 235 }, 'same-origin, window.open with change-request and cross-site redirect'); 236 237 promise_test(t => { 238 return run_test(t, self.origin, 'window.open', 'navpreload', 239 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN]); 240 }, 'same-origin, window.open with navpreload and cross-site redirect'); 241 242 promise_test(t => { 243 return run_test(t, self.origin, 'window.open', 'no-sw', 244 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN, self.origin]); 245 }, 'same-origin, window.open with no service worker, cross-site redirect, and ' + 246 'same-origin redirect'); 247 248 promise_test(t => { 249 return run_test(t, self.origin, 'window.open', 'fallback', 250 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN, self.origin]); 251 }, 'same-origin, window.open with fallback, cross-site redirect, and ' + 252 'same-origin redirect'); 253 254 promise_test(t => { 255 return run_test(t, self.origin, 'window.open', 'passthrough', 256 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN, self.origin]); 257 }, 'same-origin, window.open with passthrough, cross-site redirect, and ' + 258 'same-origin redirect'); 259 260 promise_test(t => { 261 return run_test(t, self.origin, 'window.open', 'change-request', 262 SameSiteStatus.STRICT, [SECURE_CROSS_SITE_ORIGIN, self.origin]); 263 }, 'same-origin, window.open with change-request, cross-site redirect, and ' + 264 'same-origin redirect'); 265 266 promise_test(t => { 267 return run_test(t, self.origin, 'window.open', 'navpreload', 268 SameSiteStatus.LAX, [SECURE_CROSS_SITE_ORIGIN, self.origin]); 269 }, 'same-origin, window.open with navpreload, cross-site redirect, and ' + 270 'same-origin redirect'); 271 272 // 273 // Double-nested frame calling open.window() tests 274 // 275 promise_test(t => { 276 return run_test(t, self.origin, 'window.open', 'no-sw', 277 SameSiteStatus.STRICT, [], 278 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 279 }, 'same-origin, nested window.open with cross-site middle frame and ' + 280 'no service worker'); 281 282 promise_test(t => { 283 return run_test(t, self.origin, 'window.open', 'fallback', 284 SameSiteStatus.STRICT, [], 285 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 286 }, 'same-origin, nested window.open with cross-site middle frame and ' + 287 'fallback service worker'); 288 289 promise_test(t => { 290 return run_test(t, self.origin, 'window.open', 'passthrough', 291 SameSiteStatus.STRICT, [], 292 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 293 }, 'same-origin, nested window.open with cross-site middle frame and ' + 294 'passthrough service worker'); 295 296 promise_test(t => { 297 return run_test(t, self.origin, 'window.open', 'change-request', 298 SameSiteStatus.STRICT, [], 299 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 300 }, 'same-origin, nested window.open with cross-site middle frame and ' + 301 'change-request service worker'); 302 303 promise_test(t => { 304 return run_test(t, self.origin, 'window.open', 'navpreload', 305 SameSiteStatus.STRICT, [], 306 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 307 }, 'same-origin, nested window.open with cross-site middle frame and ' + 308 'navpreload service worker'); 309 310 // 311 // Double-nested frame setting location tests 312 // 313 promise_test(t => { 314 return run_test(t, self.origin, 'set location', 'no-sw', 315 SameSiteStatus.CROSS_SITE, [], 316 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 317 }, 'same-origin, nested set location with cross-site middle frame and ' + 318 'no service worker'); 319 320 promise_test(t => { 321 return run_test(t, self.origin, 'set location', 'fallback', 322 SameSiteStatus.CROSS_SITE, [], 323 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 324 }, 'same-origin, nested set location with cross-site middle frame and ' + 325 'fallback service worker'); 326 327 promise_test(t => { 328 return run_test(t, self.origin, 'set location', 'passthrough', 329 SameSiteStatus.CROSS_SITE, [], 330 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 331 }, 'same-origin, nested set location with cross-site middle frame and ' + 332 'passthrough service worker'); 333 334 promise_test(t => { 335 return run_test(t, self.origin, 'set location', 'change-request', 336 SameSiteStatus.CROSS_SITE, [], 337 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 338 }, 'same-origin, nested set location with cross-site middle frame and ' + 339 'change-request service worker'); 340 341 promise_test(t => { 342 return run_test(t, self.origin, 'set location', 'navpreload', 343 SameSiteStatus.CROSS_SITE, [], 344 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 345 }, 'same-origin, nested set location with cross-site middle frame and ' + 346 'navpreload service worker'); 347 348 // 349 // Form POST tests 350 // 351 promise_test(t => { 352 return run_test(t, self.origin, 'form post', 'no-sw', SameSiteStatus.STRICT); 353 }, 'same-origin, form post with no service worker'); 354 355 promise_test(t => { 356 return run_test(t, self.origin, 'form post', 'fallback', 357 SameSiteStatus.STRICT); 358 }, 'same-origin, form post with fallback'); 359 360 promise_test(t => { 361 return run_test(t, self.origin, 'form post', 'passthrough', 362 SameSiteStatus.STRICT); 363 }, 'same-origin, form post with passthrough'); 364 365 promise_test(t => { 366 return run_test(t, self.origin, 'form post', 'change-request', 367 SameSiteStatus.STRICT); 368 }, 'same-origin, form post with change-request'); 369 370 promise_test(t => { 371 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'form post', 'no-sw', 372 SameSiteStatus.STRICT); 373 }, 'same-site, form post with no service worker'); 374 375 promise_test(t => { 376 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'form post', 'fallback', 377 SameSiteStatus.STRICT); 378 }, 'same-site, form post with fallback'); 379 380 promise_test(t => { 381 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'form post', 'passthrough', 382 SameSiteStatus.STRICT); 383 }, 'same-site, form post with passthrough'); 384 385 promise_test(t => { 386 return run_test(t, SECURE_SUBDOMAIN_ORIGIN, 'form post', 'change-request', 387 SameSiteStatus.STRICT); 388 }, 'same-site, form post with change-request'); 389 390 promise_test(t => { 391 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'form post', 'no-sw', 392 SameSiteStatus.CROSS_SITE); 393 }, 'cross-site, form post with no service worker'); 394 395 promise_test(t => { 396 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'form post', 'fallback', 397 SameSiteStatus.CROSS_SITE); 398 }, 'cross-site, form post with fallback'); 399 400 promise_test(t => { 401 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'form post', 'passthrough', 402 SameSiteStatus.CROSS_SITE); 403 }, 'cross-site, form post with passthrough'); 404 405 promise_test(t => { 406 return run_test(t, SECURE_CROSS_SITE_ORIGIN, 'form post', 'change-request', 407 SameSiteStatus.STRICT); 408 }, 'cross-site, form post with change-request'); 409 410 // 411 // Form POST redirect tests 412 // 413 promise_test(t => { 414 return run_test(t, self.origin, 'form post', 'no-sw', 415 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 416 }, 'same-origin, form post with no service worker and same-site redirect'); 417 418 promise_test(t => { 419 return run_test(t, self.origin, 'form post', 'fallback', 420 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 421 }, 'same-origin, form post with fallback and same-site redirect'); 422 423 promise_test(t => { 424 return run_test(t, self.origin, 'form post', 'passthrough', 425 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 426 }, 'same-origin, form post with passthrough and same-site redirect'); 427 428 promise_test(t => { 429 return run_test(t, self.origin, 'form post', 'change-request', 430 SameSiteStatus.STRICT, [SECURE_SUBDOMAIN_ORIGIN]); 431 }, 'same-origin, form post with change-request and same-site redirect'); 432 433 // navpreload is not supported for POST requests 434 435 promise_test(t => { 436 return run_test(t, self.origin, 'form post', 'no-sw', 437 SameSiteStatus.CROSS_SITE, [SECURE_CROSS_SITE_ORIGIN]); 438 }, 'same-origin, form post with no service worker and cross-site redirect'); 439 440 promise_test(t => { 441 return run_test(t, self.origin, 'form post', 'fallback', 442 SameSiteStatus.CROSS_SITE, [SECURE_CROSS_SITE_ORIGIN]); 443 }, 'same-origin, form post with fallback and cross-site redirect'); 444 445 promise_test(t => { 446 return run_test(t, self.origin, 'form post', 'passthrough', 447 SameSiteStatus.CROSS_SITE, [SECURE_CROSS_SITE_ORIGIN]); 448 }, 'same-origin, form post with passthrough and cross-site redirect'); 449 450 promise_test(t => { 451 return run_test(t, self.origin, 'form post', 'change-request', 452 SameSiteStatus.STRICT, [SECURE_CROSS_SITE_ORIGIN]); 453 }, 'same-origin, form post with change-request and cross-site redirect'); 454 455 // navpreload is not supported for POST requests 456 457 promise_test(t => { 458 return run_test(t, self.origin, 'form post', 'no-sw', 459 SameSiteStatus.CROSS_SITE, [SECURE_CROSS_SITE_ORIGIN, 460 self.origin]); 461 }, 'same-origin, form post with no service worker, cross-site redirect, and ' + 462 'same-origin redirect'); 463 464 promise_test(t => { 465 return run_test(t, self.origin, 'form post', 'fallback', 466 SameSiteStatus.CROSS_SITE, [SECURE_CROSS_SITE_ORIGIN, 467 self.origin]); 468 }, 'same-origin, form post with fallback, cross-site redirect, and ' + 469 'same-origin redirect'); 470 471 promise_test(t => { 472 return run_test(t, self.origin, 'form post', 'passthrough', 473 SameSiteStatus.CROSS_SITE, [SECURE_CROSS_SITE_ORIGIN, 474 self.origin]); 475 }, 'same-origin, form post with passthrough, cross-site redirect, and ' + 476 'same-origin redirect'); 477 478 promise_test(t => { 479 return run_test(t, self.origin, 'form post', 'change-request', 480 SameSiteStatus.STRICT, [SECURE_CROSS_SITE_ORIGIN, 481 self.origin]); 482 }, 'same-origin, form post with change-request, cross-site redirect, and ' + 483 'same-origin redirect'); 484 485 // navpreload is not supported for POST requests 486 487 promise_test(async t => { 488 await unregister_service_worker(self.origin); 489 await unregister_service_worker(SECURE_SUBDOMAIN_ORIGIN); 490 await unregister_service_worker(SECURE_CROSS_SITE_ORIGIN); 491 await unregister_service_worker(self.origin, 492 [self.origin, SECURE_CROSS_SITE_ORIGIN]); 493 }, 'Cleanup service workers'); 494 495 </script> 496 </body>