requestStorageAccess-cross-origin-fetch.sub.https.window.js (3967B)
// META: script=helpers.js
// META: script=/cookies/resources/cookie-helper.sub.js
// META: script=/resources/testdriver.js
// META: script=/resources/testdriver-vendor.js
'use strict';

// Security property under test: once a cross-site frame has been granted
// storage access, the unpartitioned cookie must still NOT be attached to
// fetches the frame makes to a different origin, even when that origin is
// same-site with the frame. Two paths are covered: a direct subresource fetch
// and a fetch that reaches the other origin through an HTTP redirect.
(async () => {
  // Both origins are cross-site from the document running this test.
  const altWww = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
  const altRoot = "https://{{hosts[alt][]}}:{{ports[https][0]}}";

  const responderPath = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
  const altRootResponder = `${altRoot}${responderPath}`;

  // Domain cookie scoped to hosts[alt][], so hosts[alt][www] is within its
  // Domain attribute as well.
  const domainCookieString = "cookie=unpartitioned;Secure;SameSite=None;Path=/;Domain={{hosts[alt][]}}";

  /**
   * Creates the responder frame at `url` and sets its storage-access
   * permission to 'granted'.
   *
   * Registers a cleanup on `t` that deletes all cookies, puts the permission
   * back to 'prompt' and deletes the domain cookie from inside the frame, so
   * that the grant and the cookie do not carry over into the next test.
   *
   * @param {object} t - testharness test object; only add_cleanup is used.
   * @param {string} url - URL to load in the frame.
   * @returns {Promise<object>} the frame returned by CreateFrame.
   */
  async function SetUpResponderFrame(t, url) {
    const responderFrame = await CreateFrame(url);
    await SetPermissionInFrame(responderFrame, [{ name: 'storage-access' }, 'granted']);

    const restoreState = async () => {
      await test_driver.delete_all_cookies();
      await SetPermissionInFrame(responderFrame, [{ name: 'storage-access' }, 'prompt']);
      await DeleteCookieInFrame(responderFrame, "cookie", "Secure;SameSite=None;Path=/;Domain={{hosts[alt][]}}");
    };
    t.add_cleanup(restoreState);

    return responderFrame;
  }

  /**
   * Preamble shared by both tests: sets the cookies, builds the responder
   * frame, requests storage access in it and asserts that the grant took
   * effect.
   *
   * @param {object} t - testharness test object.
   * @returns {Promise<object|null>} the frame, or null when the baseline
   *     fetch already carried the cookie and the caller has nothing to check.
   */
  async function PrepareFrameWithStorageAccess(t) {
    await SetFirstPartyCookie(altRoot, "initial-cookie=unpartitioned;Secure;SameSite=None;Path=/");
    const frame = await SetUpResponderFrame(t, altRootResponder);
    await SetDocumentCookieFromFrame(frame, domainCookieString);

    // Baseline taken before requestStorageAccess() is called.
    const baselineCookies = await FetchSubresourceCookiesFromFrame(frame, altWww);
    if (cookieStringHasCookie("cookie", "unpartitioned", baselineCookies)) {
      // Nothing to test here; third-party cookies are already accessible.
      // In this configuration the test reports a pass without having run any
      // of the assertions, so that pass says nothing about the property.
      return null;
    }

    // The permission was set to 'granted' in SetUpResponderFrame, which is
    // presumably why no user gesture is needed here.
    const requestResolved = await RequestStorageAccessInFrame(frame);
    assert_true(requestResolved, "requestStorageAccess resolves without requiring a gesture.");

    const frameHasAccess = await FrameHasStorageAccess(frame);
    assert_true(frameHasAccess, "frame has storage access after request.");

    // Write the cookie again now that access is granted, then confirm that
    // the frame itself can see it.
    await SetDocumentCookieFromFrame(frame, domainCookieString);
    const frameSeesCookie = await HasUnpartitionedCookie(frame);
    assert_true(frameSeesCookie, "frame has access to cookies after request.");

    return frame;
  }

  promise_test(async (t) => {
    const frame = await PrepareFrameWithStorageAccess(t);
    if (frame === null) {
      return;
    }

    // The frame's origin is hosts[alt][], so hosts[alt][www] is same-site but
    // cross-origin to it.
    const cookiesAfterGrant = await FetchSubresourceCookiesFromFrame(frame, altWww);
    assert_false(
        cookieStringHasCookie("cookie", "unpartitioned", cookiesAfterGrant),
        "same-site cross-origin fetch is not credentialed");
  }, "Cross-origin fetches from a frame with storage-access are not credentialed by default");

  promise_test(async (t) => {
    const frame = await PrepareFrameWithStorageAccess(t);
    if (frame === null) {
      return;
    }

    // The frame's origin is hosts[alt][], so hosts[alt][www] is same-site but
    // cross-origin to it. The request starts on the frame's own origin and is
    // redirected to the cross-origin endpoint; echo-cookie-header.py
    // presumably reports the Cookie header that request arrived with.
    const echoUrl = `${altWww}/storage-access-api/resources/echo-cookie-header.py`;
    const redirectUrl = `${altRoot}/common/redirect.py?location=${echoUrl}`;

    const cookiesAfterRedirect = await FetchFromFrame(frame, redirectUrl);
    assert_false(
        cookieStringHasCookie("cookie", "unpartitioned", cookiesAfterRedirect),
        "fetch is not credentialed after a cross-origin redirect");
  }, "Cross-origin HTTP redirects from a frame with storage-access are not credentialed by default");

})();