File: setcookie-navigation.https.html

<!DOCTYPE html>
<meta charset="utf-8">
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
<script>
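  // Asserts that each cookie named in `expected_cookie_names` is present (when
  // `expectation` is true) or absent (when it is false) in the cookie string
  // `cookies`, carrying exactly `value`.
  //
  // `name` and `value` are matched literally: regex metacharacters are escaped
  // before the pattern is built, so the "." in a Math.random() value cannot
  // match an arbitrary character and let a different cookie value satisfy (or
  // wrongly fail) the check.
  function assert_cookies_present(cookies, value, expected_cookie_names, expectation) {
    const escape_for_regexp = (text) => String(text).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    const assertion = expectation ? assert_true : assert_false;
    // `const name` keeps the loop variable local; an undeclared `name` in a
    // classic script would assign to window.name instead.
    for (const name of expected_cookie_names) {
      // A cookie pair starts the string or follows "; ", and ends the string
      // or is followed by ";".
      const re = new RegExp("(?:^|; )" + escape_for_regexp(name) + "=" + escape_for_regexp(value) + "(?:$|;)");
      assertion(re.test(cookies), "`" + name + "=" + value + "` in cookies");
    }
  }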

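  // Opens a popup on SECURE_ORIGIN and has it navigate (or POST a form, when
  // |method| is "POST") to |origin_to|, expecting the navigation to set all four
  // SameSite cookie flavours on |origin_to|. Registered as a promise_test named
  // |title|.
  function navigate_test(method, origin_to, title) {
    promise_test(async function(t) {
      // The cookies don't need to be cleared on each run because |value| is
      // a new random value on each run, so on each run we are overwriting and
      // checking for a cookie with a different random value.
      let value = "" + Math.random();
      let url_from = SECURE_ORIGIN + "/cookies/samesite/resources/navigate.html";
      let url_to = origin_to + "/cookies/resources/setSameSite.py?" + value;
      const w = window.open(url_from);
      // Close the popup even when an await or assertion below fails, so a
      // failing run does not leave a window behind for the following tests.
      t.add_cleanup(() => { if (w) w.close(); });
      await wait_for_message('READY', SECURE_ORIGIN);
      // assert_equals takes (actual, expected).
      assert_equals(window.origin, SECURE_ORIGIN, "test page origin");
      assert_equals(w.origin, SECURE_ORIGIN, "popup origin");
      let command = (method === "POST") ? "post-form" : "navigate";
      // The popup's origin was just checked, so address the command to that
      // origin instead of the "*" wildcard.
      w.postMessage({ type: command, url: url_to }, SECURE_ORIGIN);
      let message = await wait_for_message('COOKIES_SET', origin_to);
      let samesite_cookie_names = ['samesite_strict', 'samesite_lax', 'samesite_none', 'samesite_unspecified'];
      assert_cookies_present(message.data.cookies, value, samesite_cookie_names, true);
    }, title);
  }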

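  // Opens a page on origin SECURE_ORIGIN containing an iframe on `iframe_origin_from`,
  // then navigates that iframe to `iframe_origin_to`. Expects that navigation to set
  // some subset of SameSite cookies: the SameSite=None group always, the
  // Strict/Lax group only when `cross_site` is false. Registered as a
  // promise_test named `title`.
  function navigate_iframe_test(iframe_origin_from, iframe_origin_to, cross_site, title) {
    promise_test(async function(t) {
      // The cookies don't need to be cleared on each run because |value| is
      // a new random value on each run, so on each run we are overwriting and
      // checking for a cookie with a different random value.
      let value = "" + Math.random();
      let parent_url = SECURE_ORIGIN + "/cookies/samesite/resources/navigate-iframe.html";
      let iframe_url_from = iframe_origin_from + "/cookies/samesite/resources/navigate.html";
      let iframe_url_to = iframe_origin_to + "/cookies/resources/setSameSite.py?" + value;
      const w = window.open(parent_url);
      // Close the popup even when an await or assertion below fails, so a
      // failing run does not leave a window behind for the following tests.
      t.add_cleanup(() => { if (w) w.close(); });
      await wait_for_message('LOADED', SECURE_ORIGIN);
      // assert_equals takes (actual, expected).
      assert_equals(window.origin, SECURE_ORIGIN, "test page origin");
      assert_equals(w.origin, SECURE_ORIGIN, "popup origin");
      // Navigate the frame to its starting location. The popup's origin was
      // just checked, so both commands are addressed to that origin instead
      // of the "*" wildcard.
      w.postMessage({ type: 'initialize-iframe', url: iframe_url_from }, SECURE_ORIGIN);
      await wait_for_message('FRAME_READY', SECURE_ORIGIN);
      // Have the frame navigate itself, possibly cross-site.
      w.postMessage({ type: 'navigate-iframe', url: iframe_url_to }, SECURE_ORIGIN);
      let message = await wait_for_message('FRAME_COOKIES_SET', SECURE_ORIGIN);
      // Check for the proper cookies. 'samesite_unspecified' is grouped with
      // SameSite=None when isLegacySameSite() is true, and with Strict/Lax
      // otherwise.
      const legacy = isLegacySameSite();
      const samesite_none_cookies = legacy
          ? ['samesite_none', 'samesite_unspecified']
          : ['samesite_none'];
      const samesite_cookies = legacy
          ? ['samesite_strict', 'samesite_lax']
          : ['samesite_strict', 'samesite_lax', 'samesite_unspecified'];
      assert_cookies_present(message.data.cookies, value, samesite_none_cookies, true);
      assert_cookies_present(message.data.cookies, value, samesite_cookies, !cross_site);
    }, title);
  }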

  // Top-level navigations, registered in order: [method, destination origin, title].
  // Both same-site and cross-site destinations are expected to set every
  // SameSite flavour.
  for (const [method, destination, title] of [
    ["GET", SECURE_ORIGIN, "Same-site top-level navigation should be able to set SameSite=* cookies."],
    ["GET", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level navigation should be able to set SameSite=* cookies."],
    ["POST", SECURE_ORIGIN, "Same-site top-level POST should be able to set SameSite=* cookies."],
    ["POST", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level POST should be able to set SameSite=* cookies."],
  ]) {
    navigate_test(method, destination, title);
  }

  // Iframe navigations, registered in order:
  // [iframe start origin, iframe destination origin, cross_site flag, title].
  for (const [frame_from, frame_to, is_cross_site, title] of [
    [SECURE_ORIGIN, SECURE_ORIGIN, false, "Same-site to same-site iframe navigation should be able to set SameSite=* cookies."],
    [SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN, true, "Cross-site to same-site iframe navigation should only be able to set SameSite=None cookies."],
    [SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, true, "Same-site to cross-site-site iframe navigation should only be able to set SameSite=None cookies."],
    [SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, true, "Cross-site to cross-site iframe navigation should only be able to set SameSite=None cookies."],
  ]) {
    navigate_iframe_test(frame_from, frame_to, is_cross_site, title);
  }
</script>