Bug 1721957 [wpt PR 29758] - Remove legacy-samesite Web Platform Test…

…s, a=testonly Automatic update from web-platform-tests Remove legacy-samesite Web Platform Tests SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] httpwg/http-extensions#1325 [2] httpwg/http-extensions#1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler <[email protected]> Commit-Queue: Lily Chen <[email protected]> Cr-Commit-Position: refs/heads/master@{#905289} -- wpt-commits: 939731a4f020de9afac2c4bf8c4de67eb9992e68 wpt-pr: 29758
jamienicol · Jul 31, 2021 · 539ae4e · 539ae4e
1 parent c7602cb
commit 539ae4e
Show file tree

Hide file tree

Showing 15 changed files with 32 additions and 127 deletions.
diff --git a/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js b/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js
@@ -167,32 +167,9 @@ async function resetSameSiteCookies(origin, value) {
  }
 }
 
-// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains the
-// proper set of cookie names and values, according to the legacy behavior where
-// unspecified SameSite attribute defaults to SameSite=None behavior.
-function verifySameSiteCookieStateLegacy(expectedStatus, expectedValue, cookies, domCookieStatus) {
- assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
- assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always sent.");
- if (expectedStatus == SameSiteStatus.CROSS_SITE) {
- assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
- assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not sent with cross-site requests.");
- } else if (expectedStatus == SameSiteStatus.LAX) {
- assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with lax requests.");
- assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with lax requests.");
- } else if (expectedStatus == SameSiteStatus.STRICT) {
- assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are sent with strict requests.");
- assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with strict requests.");
- }
-
- if (cookies["domcookies"]) {
- verifyDocumentCookieLegacy(domCookieStatus, expectedValue, cookies["domcookies"]);
- }
-}
-
-// Same as above except this expects samesite_unspecified to act the same as
-// samesite_lax (which is the behavior expected when SameSiteByDefault is
-// enabled).
-function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expectedValue, cookies, domCookieStatus) {
+// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains
+// the proper set of cookie names and values. Expects SameSite-Lax-by-default.
+function verifySameSiteCookieState(expectedStatus, expectedValue, cookies, domCookieStatus) {
  assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
  if (expectedStatus == SameSiteStatus.CROSS_SITE) {
  assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
@@ -209,32 +186,11 @@ function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expected
  }
 
  if (cookies["domcookies"]) {
- verifyDocumentCookieWithSameSiteByDefault(domCookieStatus, expectedValue, cookies["domcookies"]);
- }
-}
-
-function verifyDocumentCookieLegacy(expectedStatus, expectedValue, domcookies) {
- const cookies = domcookies.split(";")
- .map(cookie => cookie.trim().split("="))
- .reduce((obj, cookie) => {
- obj[cookie[0]] = cookie[1];
- return obj;
- }, {});
-
- if (expectedStatus == DomSameSiteStatus.SAME_SITE) {
- assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are always included in document.cookie.");
- } else if (expectedStatus == DomSameSiteStatus.CROSS_SITE) {
- assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
- assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
- assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not included in document.cookie when cross-site.");
- assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not included in document.cookie when cross-site.");
+ verifyDocumentCookieSameSite(domCookieStatus, expectedValue, cookies['domcookies']);
  }
 }
 
-function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue, domcookies) {
+function verifyDocumentCookieSameSite(expectedStatus, expectedValue, domcookies) {
  const cookies = domcookies.split(";")
  .map(cookie => cookie.trim().split("="))
  .reduce((obj, cookie) => {
@@ -255,16 +211,6 @@ function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue
  }
 }
 
-function isLegacySameSite() {
- return location.search === "?legacy-samesite";
-}
-
-// Get the proper verifier based on the test's variant type.
-function getSameSiteVerifier() {
- return isLegacySameSite() ?
- verifySameSiteCookieStateLegacy : verifySameSiteCookieStateWithSameSiteByDefault;
-}
-
 //
 // LeaveSecureCookiesAlone-specific test helpers:
 //

diff --git a/...esite-must-be-secure.https.tentative.html → ...ithout-samesite-must-be-secure.https.html b/...esite-must-be-secure.https.tentative.html → ...ithout-samesite-must-be-secure.https.html
diff --git a/testing/web-platform/tests/cookies/samesite/fetch.https.html b/testing/web-platform/tests/cookies/samesite/fetch.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -15,7 +13,7 @@
  return credFetch(target + "/cookies/resources/list.py")
 
  .then(r => r.json())
- .then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE));
+ .then(cookies => verifySameSiteCookieState(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE));
  });
  }, title);
  }

diff --git a/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html b/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html
@@ -1,7 +1,5 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -30,7 +28,7 @@
  var reloaded = false;
  var msgHandler = e => {
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
  } catch (e) {
  reject(e);
  }

diff --git a/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html b/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -33,7 +31,7 @@
  window.removeEventListener("message", msgHandler);
  e.source.close();
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
  resolve("Popup received the cookie.");
  } catch (e) {
  reject(e);

diff --git a/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html b/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html
@@ -1,7 +1,5 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -20,7 +18,7 @@
  var reloaded = false;
  var msgHandler = e => {
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
  } catch (e) {
  reject(e);
  }

diff --git a/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html b/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -22,7 +20,7 @@
  window.removeEventListener("message", msgHandler);
  e.source.close();
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
  resolve("Popup received the cookie.");
  } catch (e) {
  reject(e);

diff --git a/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html b/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -21,7 +19,7 @@
  var reloaded = false;
  var msgHandler = e => {
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
+ verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus);
  } catch (e) {
  reject(e);
  }

diff --git a/testing/web-platform/tests/cookies/samesite/iframe.https.html b/testing/web-platform/tests/cookies/samesite/iframe.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -24,7 +22,7 @@
  document.body.removeChild(iframe);
  window.removeEventListener("message", msgHandler);
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
+ verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus);
  resolve();
  } catch(e) {
  reject(e);

diff --git a/testing/web-platform/tests/cookies/samesite/img.https.html b/testing/web-platform/tests/cookies/samesite/img.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -46,15 +44,10 @@
  assert_cookie_absent(target, "samesite_strict", value),
  expectedStatus == SameSiteStatus.CROSS_SITE ?
  assert_cookie_absent(target, "samesite_lax", value) :
- assert_cookie_present(target, "samesite_lax", value)];
- if (isLegacySameSite()) {
- // Legacy behavior: unspecified SameSite acts like SameSite=None.
- asserts.push(assert_cookie_present(target, "samesite_unspecified", value));
- } else {
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_present(target, "samesite_lax", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
  assert_cookie_absent(target, "samesite_unspecified", value) :
- assert_cookie_present(target, "samesite_unspecified", value));
- }
+ assert_cookie_present(target, "samesite_unspecified", value)];
  return Promise.all(asserts);
  });
  }, title);

diff --git a/testing/web-platform/tests/cookies/samesite/multiple-samesite-attributes.https.html b/testing/web-platform/tests/cookies/samesite/multiple-samesite-attributes.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -54,28 +52,19 @@
  assert_cookie_present(target, "samesite_unsupported_lax", value),
  expectedStatus == SameSiteStatus.CROSS_SITE ?
  assert_cookie_absent(target, "samesite_strict_lax", value) :
- assert_cookie_present(target, "samesite_strict_lax", value)
- ];
- if (isLegacySameSite()) {
- // Legacy behavior: unsupported SameSite value acts like SameSite=None.
- asserts.push(assert_cookie_present(target, "samesite_none_unsupported", value));
- asserts.push(assert_cookie_present(target, "samesite_lax_unsupported", value));
- asserts.push(assert_cookie_present(target, "samesite_strict_unsupported", value));
- asserts.push(assert_cookie_present(target, "samesite_unsupported", value));
- } else {
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_none_unsupported", value) :
- assert_cookie_present(target, "samesite_none_unsupported", value));
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_lax_unsupported", value) :
- assert_cookie_present(target, "samesite_lax_unsupported", value));
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_strict_unsupported", value) :
- assert_cookie_present(target, "samesite_strict_unsupported", value));
- asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
- assert_cookie_absent(target, "samesite_unsupported", value) :
- assert_cookie_present(target, "samesite_unsupported", value));
- }
+ assert_cookie_present(target, "samesite_strict_lax", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_none_unsupported", value) :
+ assert_cookie_present(target, "samesite_none_unsupported", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_lax_unsupported", value) :
+ assert_cookie_present(target, "samesite_lax_unsupported", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_strict_unsupported", value) :
+ assert_cookie_present(target, "samesite_strict_unsupported", value),
+ expectedStatus == SameSiteStatus.CROSS_SITE ?
+ assert_cookie_absent(target, "samesite_unsupported", value) :
+ assert_cookie_present(target, "samesite_unsupported", value)];
  return Promise.all(asserts);
  });
  }, title);

diff --git a/testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html b/testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html
@@ -1,7 +1,5 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -28,7 +26,7 @@
  assert_dom_cookie("samesite_strict", e.data.value, false);
  assert_dom_cookie("samesite_lax", e.data.value, false);
  assert_dom_cookie("samesite_none", e.data.value, true);
- assert_dom_cookie("samesite_unspecified", e.data.value, isLegacySameSite());
+ assert_dom_cookie("samesite_unspecified", e.data.value, false);
  w.close();
  }, "Cross-site window shouldn't be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
 </script>
diff --git a/testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html b/testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8">
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -64,8 +62,7 @@
  let message = await wait_for_message('FRAME_COOKIES_SET', SECURE_ORIGIN);
  // Check for the proper cookies.
  let samesite_none_cookies = ['samesite_none'];
- let samesite_cookies = ['samesite_strict', 'samesite_lax'];
- (isLegacySameSite() ? samesite_none_cookies : samesite_cookies).push('samesite_unspecified');
+ let samesite_cookies = ['samesite_strict', 'samesite_lax', 'samesite_unspecified'];
  assert_cookies_present(message.data.cookies, value, samesite_none_cookies, true);
  assert_cookies_present(message.data.cookies, value, samesite_cookies, !cross_site);
  w.close();

diff --git a/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html b/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html
@@ -1,7 +1,5 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -17,7 +15,7 @@
  var reloaded = false;
  var msgHandler = e => {
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
  } catch (e) {
  reject(e);
  }

diff --git a/testing/web-platform/tests/cookies/samesite/window-open.https.html b/testing/web-platform/tests/cookies/samesite/window-open.https.html
@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <meta charset="utf-8"/>
 <meta name="timeout" content="long">
-<meta name="variant" content="">
-<meta name="variant" content="?legacy-samesite">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
@@ -19,7 +17,7 @@
  window.removeEventListener("message", msgHandler);
  w.close();
  try {
- getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
+ verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
  resolve("Popup received the cookie.");
  } catch (e) {
  reject(e);