1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
<!DOCTYPE html>
<meta charset="utf-8">
<title>DBSC session over multiple origins</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="helper.js" type="module"></script>
<script type="module">
import { expireCookie, documentHasCookie, waitForCookie, addCookieAndSessionCleanup, setupShardedServerState, configureServer } from "./helper.js";
async function runTest(t, includeSite) {
await setupShardedServerState();
const expectedCookieAndValue = "auth_cookie=abcdef0123";
const expectedCookieAndAttributes = `${expectedCookieAndValue};Domain=${location.hostname};Path=/device-bound-session-credentials`;
addCookieAndSessionCleanup(t);
configureServer({ includeSite });
// Prompt starting a session, and wait until registration completes.
const loginResponse = await fetch('login.py');
assert_equals(loginResponse.status, 200);
await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);
// Expire the cookie, and check whether a refresh has occurred.
expireCookie(expectedCookieAndAttributes);
assert_false(documentHasCookie(expectedCookieAndValue));
const url = `${location.protocol}//www1.${location.host}/device-bound-session-credentials/verify_authenticated.py`;
const authResponseAfterExpiry = await fetch(url, {credentials: "include"});
// The cookie should only be refreshed if the session includes the whole site.
assert_equals(authResponseAfterExpiry.status, includeSite ? 200 : 401);
assert_equals(documentHasCookie(expectedCookieAndValue), includeSite);
}
promise_test(async t => {
await runTest(t, /*includeSite=*/true);
}, "An established session refreshes across origins if the site is included");
promise_test(async t => {
await runTest(t, /*includeSite=*/false);
}, "An established session does not refresh across origins if the site is not included");
</script>
|
