| // META: timeout=long |
| // META: script=/common/get-host-info.sub.js |
| // META: script=/common/utils.js |
| // META: script=/common/dispatcher/dispatcher.js |
| // META: script=./resources/common.js |
| |
| // With DIP:isolate-and-credentialless, requesting a resource without |
| // credentials MUST NOT return a response requested with credentials. This would |
| // be a security issue, since DIP:isolate-and-credentialless can be used to |
| // enable crossOriginIsolation. |
| // |
| // The test the behavior of the HTTP cache: |
| // 1. b.com stores cookie. |
| // 2. a.com(DIP:none): request b.com's resource. |
| // 3. a.com(DIP:isolate-and-credentialless): request b.com's resource. |
| // |
| // The first time, the resource is requested with credentials. The response is |
| // served with Cache-Control: max-age=31536000. It enters the cache. |
| // The second time, the resource is requested without credentials. The response |
| // in the cache must not be returned. |
| |
| const cookie_key = "dip_cache_key"; |
| const cookie_value = "dip_cache_value"; |
| const same_origin = get_host_info().HTTPS_ORIGIN; |
| const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN; |
| |
| const GetCookie = (response) => { |
| return parseCookies(JSON.parse(response))[cookie_key]; |
| } |
| |
| // "same_origin" document with DIP:none. |
| const w_dip_none_token = token(); |
| const w_dip_none_url = same_origin + executor_path + dip_none + |
| `&uuid=${w_dip_none_token}` |
| const w_dip_none = window.open(w_dip_none_url); |
| add_completion_callback(() => w_dip_none.close()); |
| |
| // "same_origin" document with DIP:isolate-and-credentialles. |
| const w_dip_credentialless_token = token(); |
| const w_dip_credentialless_url = same_origin + executor_path + |
| dip_credentialless + `&uuid=${w_dip_credentialless_token}` |
| const w_dip_credentialless = window.open(w_dip_credentialless_url); |
| add_completion_callback(() => w_dip_credentialless.close()); |
| |
| const this_token = token(); |
| |
| // A request toward a "cross-origin" cacheable response. |
| const request_token = token(); |
| const request_url = cacheableShowRequestHeaders(cross_origin, request_token); |
| |
| promise_setup(async test => { |
| await setCookie(cross_origin, cookie_key, cookie_value + cookie_same_site_none); |
| }, "Set cookie"); |
| |
| // The "same-origin" DIP:none document fetches a "cross-origin" |
| // resource. The request is sent with credentials. |
| promise_setup(async test => { |
| send(w_dip_none_token, ` |
| await fetch("${request_url}", { |
| mode : "no-cors", |
| credentials: "include", |
| }); |
| send("${this_token}", "Resource fetched"); |
| `); |
| |
| assert_equals(await receive(this_token), "Resource fetched"); |
| assert_equals(await receive(request_token).then(GetCookie), cookie_value); |
| }, "Cache a response requested with credentials"); |
| |
| // The "same-origin" DIP:isolate-andcredentialless document fetches the same |
| // resource without credentials. The HTTP cache must not be used. Instead a |
| // second request must be made without credentials. |
| promise_test(async test => { |
| send(w_dip_credentialless_token, ` |
| await fetch("${request_url}", { |
| mode : "no-cors", |
| credentials: "include", |
| }); |
| send("${this_token}", "Resource fetched"); |
| `); |
| |
| assert_equals(await receive(this_token), "Resource fetched"); |
| |
| test.step_timeout(test.unreached_func("The HTTP cache has been used"), 1500); |
| assert_equals(await receive(request_token).then(GetCookie), undefined); |
| }, "The HTTP cache must not be used"); |
