Add WPT tests for SameSite cookies in ServiceWorkers with nested frames. #31690
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wpt-pr-bot
approved these changes
Nov 19, 2021
This CL adds a number of new cases to the service worker SameSite cookies test. The cases break down into two general types: 1. Cases where A1 frames B frames A2, and then A2 calls window.open() to an A origin URL. 2. Cases where A1 frames B frames A2, and then A2 sets the location to an A origin URL. For (1) we expect SameSite strict cookies to be sent because window.open() creates a top-level context that will have a populated site-for-cookies and the initiator is same-origin (regardless of the cross-site ancestor chain). For (2) we expect only SameSite=None cookies to be sent. This is because setting the location results in a navigation to an A1->B->A3 nested frame with an empty site-for-cookies. We currently fail the passthrough and change-request cases for (2). We plan to fix this as part of storage partitioning with an ancestor chain bit in the StorageKey. See: privacycg/storage-partitioning#25 This CL also includes some minor cleanup of the WPT test and associated resources. Bug: 1115847 Change-Id: I9002e60a271ae95d1d702068d44b30bd0e33b5dc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3277058 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Ben Kelly <wanderview@chromium.org> Cr-Commit-Position: refs/heads/main@{#944293}
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-3277058
branch
from
35013f1
to
d6faaf1
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This CL adds a number of new cases to the service worker SameSite
cookies test. The cases break down into two general types:
to an A origin URL.
to an A origin URL.
For (1) we expect SameSite strict cookies to be sent because
window.open() creates a top-level context that will have a populated
site-for-cookies and the initiator is same-origin (regardless of the
cross-site ancestor chain).
For (2) we expect only SameSite=None cookies to be sent. This is
because setting the location results in a navigation to an A1->B->A3
nested frame with an empty site-for-cookies.
We currently fail the passthrough and change-request cases for (2).
We plan to fix this as part of storage partitioning with an ancestor
chain bit in the StorageKey. See:
privacycg/storage-partitioning#25
This CL also includes some minor cleanup of the WPT test and associated
resources.
Bug: 1115847
Change-Id: I9002e60a271ae95d1d702068d44b30bd0e33b5dc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3277058
Reviewed-by: Steven Bingler <bingler@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#944293}