Skip to content

Commit

Permalink
Remove legacy-samesite Web Platform Tests
Browse files Browse the repository at this point in the history 
SameSite-Lax-by-default and SameSite=None-requires-Secure have been
standardized ([1], [2]) and launched in Chromium [3] as well as
Firefox [4]. The WPTs testing "legacy" behavior are no longer needed,
and they are also failing on wpt.fyi [5].

This change removes the legacy-samesite virtual test suite, as well as
the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The
test for SameSite=None-requires-Secure also loses its "tentative"
designation.

Chromium will soon no longer support the configuration used in the
virtual test suite, so there would be no way to run these tests anyway.

[1] httpwg/http-extensions#1325
[2] httpwg/http-extensions#1323
[3] https://crrev.com/c/2231445
[4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
[5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144

Bug: 961439, 1211388
Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f
  • Loading branch information
@chlily1 @chromium-wpt-export-bot
chlily1 authored and chromium-wpt-export-bot committed Jul 23, 2021
1 parent c7e97b0 commit 7847d95
Show file tree
Hide file tree
Showing 15 changed files with 32 additions and 127 deletions.
64 changes: 5 additions & 59 deletions cookies/resources/cookie-helper.sub.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -167,32 +167,9 @@ async function resetSameSiteCookies(origin, value) {
}
}

// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains the
// proper set of cookie names and values, according to the legacy behavior where
// unspecified SameSite attribute defaults to SameSite=None behavior.
function verifySameSiteCookieStateLegacy(expectedStatus, expectedValue, cookies, domCookieStatus) {
assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always sent.");
if (expectedStatus == SameSiteStatus.CROSS_SITE) {
assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not sent with cross-site requests.");
} else if (expectedStatus == SameSiteStatus.LAX) {
assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with lax requests.");
assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with lax requests.");
} else if (expectedStatus == SameSiteStatus.STRICT) {
assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are sent with strict requests.");
assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with strict requests.");
}

if (cookies["domcookies"]) {
verifyDocumentCookieLegacy(domCookieStatus, expectedValue, cookies["domcookies"]);
}
}

// Same as above except this expects samesite_unspecified to act the same as
// samesite_lax (which is the behavior expected when SameSiteByDefault is
// enabled).
function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expectedValue, cookies, domCookieStatus) {
// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains
// the proper set of cookie names and values. Expects SameSite-Lax-by-default.
function verifySameSiteCookieState(expectedStatus, expectedValue, cookies, domCookieStatus) {
assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent.");
if (expectedStatus == SameSiteStatus.CROSS_SITE) {
assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests.");
Expand All @@ -209,32 +186,11 @@ function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expected
}

if (cookies["domcookies"]) {
verifyDocumentCookieWithSameSiteByDefault(domCookieStatus, expectedValue, cookies["domcookies"]);
}
}

function verifyDocumentCookieLegacy(expectedStatus, expectedValue, domcookies) {
const cookies = domcookies.split(";")
.map(cookie => cookie.trim().split("="))
.reduce((obj, cookie) => {
obj[cookie[0]] = cookie[1];
return obj;
}, {});

if (expectedStatus == DomSameSiteStatus.SAME_SITE) {
assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are always included in document.cookie.");
assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are always included in document.cookie.");
} else if (expectedStatus == DomSameSiteStatus.CROSS_SITE) {
assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie.");
assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie.");
assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not included in document.cookie when cross-site.");
assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not included in document.cookie when cross-site.");
verifyDocumentCookieSameSite(domCookieStatus, expectedValue, cookies['domcookies']);
}
}

function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue, domcookies) {
function verifyDocumentCookieSameSite(expectedStatus, expectedValue, domcookies) {
const cookies = domcookies.split(";")
.map(cookie => cookie.trim().split("="))
.reduce((obj, cookie) => {
Expand All @@ -255,16 +211,6 @@ function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue
}
}

function isLegacySameSite() {
return location.search === "?legacy-samesite";
}

// Get the proper verifier based on the test's variant type.
function getSameSiteVerifier() {
return isLegacySameSite() ?
verifySameSiteCookieStateLegacy : verifySameSiteCookieStateWithSameSiteByDefault;
}

//
// LeaveSecureCookiesAlone-specific test helpers:
//
Expand Down
0 ...esite-must-be-secure.https.tentative.html → ...ithout-samesite-must-be-secure.https.html
View file
File renamed without changes.
4 changes: 1 addition & 3 deletions cookies/samesite/fetch.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -15,7 +13,7 @@
return credFetch(target + "/cookies/resources/list.py")

.then(r => r.json())
.then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE));
.then(cookies => verifySameSiteCookieState(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE));
});
}, title);
}
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/form-get-blank-reload.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand Down Expand Up @@ -30,7 +28,7 @@
var reloaded = false;
var msgHandler = e => {
try {
getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
} catch (e) {
reject(e);
}
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/form-get-blank.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand Down Expand Up @@ -33,7 +31,7 @@
window.removeEventListener("message", msgHandler);
e.source.close();
try {
getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
resolve("Popup received the cookie.");
} catch (e) {
reject(e);
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/form-post-blank-reload.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -20,7 +18,7 @@
var reloaded = false;
var msgHandler = e => {
try {
getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
} catch (e) {
reject(e);
}
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/form-post-blank.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -22,7 +20,7 @@
window.removeEventListener("message", msgHandler);
e.source.close();
try {
getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
resolve("Popup received the cookie.");
} catch (e) {
reject(e);
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/iframe-reload.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -21,7 +19,7 @@
var reloaded = false;
var msgHandler = e => {
try {
getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus);
} catch (e) {
reject(e);
}
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/iframe.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -24,7 +22,7 @@
document.body.removeChild(iframe);
window.removeEventListener("message", msgHandler);
try {
getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus);
verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus);
resolve();
} catch(e) {
reject(e);
Expand Down
13 changes: 3 additions & 10 deletions cookies/samesite/img.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand Down Expand Up @@ -46,15 +44,10 @@
assert_cookie_absent(target, "samesite_strict", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_lax", value) :
assert_cookie_present(target, "samesite_lax", value)];
if (isLegacySameSite()) {
// Legacy behavior: unspecified SameSite acts like SameSite=None.
asserts.push(assert_cookie_present(target, "samesite_unspecified", value));
} else {
asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_present(target, "samesite_lax", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_unspecified", value) :
assert_cookie_present(target, "samesite_unspecified", value));
}
assert_cookie_present(target, "samesite_unspecified", value)];
return Promise.all(asserts);
});
}, title);
Expand Down
37 changes: 13 additions & 24 deletions cookies/samesite/multiple-samesite-attributes.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand Down Expand Up @@ -54,28 +52,19 @@
assert_cookie_present(target, "samesite_unsupported_lax", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_strict_lax", value) :
assert_cookie_present(target, "samesite_strict_lax", value)
];
if (isLegacySameSite()) {
// Legacy behavior: unsupported SameSite value acts like SameSite=None.
asserts.push(assert_cookie_present(target, "samesite_none_unsupported", value));
asserts.push(assert_cookie_present(target, "samesite_lax_unsupported", value));
asserts.push(assert_cookie_present(target, "samesite_strict_unsupported", value));
asserts.push(assert_cookie_present(target, "samesite_unsupported", value));
} else {
asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_none_unsupported", value) :
assert_cookie_present(target, "samesite_none_unsupported", value));
asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_lax_unsupported", value) :
assert_cookie_present(target, "samesite_lax_unsupported", value));
asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_strict_unsupported", value) :
assert_cookie_present(target, "samesite_strict_unsupported", value));
asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_unsupported", value) :
assert_cookie_present(target, "samesite_unsupported", value));
}
assert_cookie_present(target, "samesite_strict_lax", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_none_unsupported", value) :
assert_cookie_present(target, "samesite_none_unsupported", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_lax_unsupported", value) :
assert_cookie_present(target, "samesite_lax_unsupported", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_strict_unsupported", value) :
assert_cookie_present(target, "samesite_strict_unsupported", value),
expectedStatus == SameSiteStatus.CROSS_SITE ?
assert_cookie_absent(target, "samesite_unsupported", value) :
assert_cookie_present(target, "samesite_unsupported", value)];
return Promise.all(asserts);
});
}, title);
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/setcookie-lax.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -28,7 +26,7 @@
assert_dom_cookie("samesite_strict", e.data.value, false);
assert_dom_cookie("samesite_lax", e.data.value, false);
assert_dom_cookie("samesite_none", e.data.value, true);
assert_dom_cookie("samesite_unspecified", e.data.value, isLegacySameSite());
assert_dom_cookie("samesite_unspecified", e.data.value, false);
w.close();
}, "Cross-site window shouldn't be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
</script>
5 changes: 1 addition & 4 deletions cookies/samesite/setcookie-navigation.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand Down Expand Up @@ -64,8 +62,7 @@
let message = await wait_for_message('FRAME_COOKIES_SET', SECURE_ORIGIN);
// Check for the proper cookies.
let samesite_none_cookies = ['samesite_none'];
let samesite_cookies = ['samesite_strict', 'samesite_lax'];
(isLegacySameSite() ? samesite_none_cookies : samesite_cookies).push('samesite_unspecified');
let samesite_cookies = ['samesite_strict', 'samesite_lax', 'samesite_unspecified'];
assert_cookies_present(message.data.cookies, value, samesite_none_cookies, true);
assert_cookies_present(message.data.cookies, value, samesite_cookies, !cross_site);
w.close();
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/window-open-reload.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -17,7 +15,7 @@
var reloaded = false;
var msgHandler = e => {
try {
getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
} catch (e) {
reject(e);
}
Expand Down
4 changes: 1 addition & 3 deletions cookies/samesite/window-open.https.html
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
<!DOCTYPE html>
<meta charset="utf-8"/>
<meta name="timeout" content="long">
<meta name="variant" content="">
<meta name="variant" content="?legacy-samesite">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/cookies/resources/cookie-helper.sub.js"></script>
Expand All @@ -19,7 +17,7 @@
window.removeEventListener("message", msgHandler);
w.close();
try {
getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE);
resolve("Popup received the cookie.");
} catch (e) {
reject(e);
Expand Down

0 comments on commit 7847d95

Please sign in to comment.