html/document-isolation-policy/credentialless-shared-worker.https.tentative.window.js - external/github.com/web-platform-tests/wpt - Git at Google

 // META: variant=?request_origin=same_origin&worker_dip=none&window_dip=none
 // META: variant=?request_origin=same_origin&worker_dip=none&window_dip=credentialless
 // META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=none
 // META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=credentialless
 // META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=none
 // META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=credentialless
 // META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=none
 // META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=credentialless
 // META: timeout=long
 // META: script=/common/get-host-info.sub.js
 // META: script=/common/utils.js
 // META: script=/common/dispatcher/dispatcher.js
 // META: script=./resources/common.js

 // Test description:
 //   Request a resource from a SharedWorker. Check the request's cookies.
 //
 // Variant:
 //   - The Window DIP policy: none or credentialless.
 //   - The SharedWorker DIP policy: none or credentialless.
 //   - The SharedWorker's request URL origin: same-origin or cross-origin.

 const same_origin = get_host_info().HTTPS_ORIGIN;
 const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
 const cookie_key = token();
 const cookie_same_origin = "same_origin";
 const cookie_cross_origin = "cross_origin";

 const variants = new URLSearchParams(window.location.search);
 const window_dip = variants.get('window_dip') == 'none'
   ? dip_none
   : dip_credentialless;
 const worker_dip = variants.get('worker_dip') == 'none'
   ? dip_none
   : dip_credentialless;
 const request_origin = variants.get('request_origin') == 'same-origin'
   ? same_origin
   : cross_origin;

 // When using DIP:credentialless: cross-origin no-cors request do not include
 // credentials. Note: This must not depend on the window's DIP policy.
 const worker_expected_cookie =
   request_origin == same_origin
   ? cookie_same_origin
   : (worker_dip == dip_credentialless
     ? undefined
     : cookie_cross_origin);

 // From a JSON representing the `response` HTTP headers key-values, return the
 // cookie corresponding to the `cookie_key`.
 const get_cookie = (response) => {
   const headers_credentialless = JSON.parse(response);
   return parseCookies(headers_credentialless)[cookie_key];
 }

 promise_test(async test => {
   // 0. Populate cookies for the two origins.
   await Promise.all([
     setCookie(same_origin, cookie_key, cookie_same_origin +
       cookie_same_site_none),
     setCookie(cross_origin, cookie_key, cookie_cross_origin +
       cookie_same_site_none),
   ]);

   // 1. Create the popup with the `window_dip` DIP policy:
   const popup = environments.document(window_dip)[0];

   // 2. Create the worker with the `worker_dip` DIP policy:
   const worker_token = token();
   const worker_error = token();
   const worker_src = same_origin + executor_worker_path + worker_dip +
     `&uuid=${worker_token}`;
   send(popup, `
     let worker = new SharedWorker("${worker_src}", {});
     worker.onerror = () => {
       send("${worker_error}", "Worker blocked");
     }
   `);

   // 3. Request the resource from the worker, with the `request_origin` origin.
   const request_token = token();
   const request_url = showRequestHeaders(request_origin, request_token);
   send(worker_token, `fetch("${request_url}", {
     mode: 'no-cors',
     credentials: 'include',
   })`);
   const request_cookie = await Promise.race([
     receive(worker_error),
     receive(request_token).then(get_cookie)
   ]);

   assert_equals(request_cookie, worker_expected_cookie);
 })
	// META: variant=?request_origin=same_origin&worker_dip=none&window_dip=none
	// META: variant=?request_origin=same_origin&worker_dip=none&window_dip=credentialless
	// META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=none
	// META: variant=?request_origin=same_origin&worker_dip=credentialless&window_dip=credentialless
	// META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=none
	// META: variant=?request_origin=cross_origin&worker_dip=none&window_dip=credentialless
	// META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=none
	// META: variant=?request_origin=cross_origin&worker_dip=credentialless&window_dip=credentialless
	// META: timeout=long
	// META: script=/common/get-host-info.sub.js
	// META: script=/common/utils.js
	// META: script=/common/dispatcher/dispatcher.js
	// META: script=./resources/common.js

	// Test description:
	// Request a resource from a SharedWorker. Check the request's cookies.
	//
	// Variant:
	// - The Window DIP policy: none or credentialless.
	// - The SharedWorker DIP policy: none or credentialless.
	// - The SharedWorker's request URL origin: same-origin or cross-origin.

	const same_origin = get_host_info().HTTPS_ORIGIN;
	const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
	const cookie_key = token();
	const cookie_same_origin = "same_origin";
	const cookie_cross_origin = "cross_origin";

	const variants = new URLSearchParams(window.location.search);
	const window_dip = variants.get('window_dip') == 'none'
	? dip_none
	: dip_credentialless;
	const worker_dip = variants.get('worker_dip') == 'none'
	? dip_none
	: dip_credentialless;
	const request_origin = variants.get('request_origin') == 'same-origin'
	? same_origin
	: cross_origin;

	// When using DIP:credentialless: cross-origin no-cors request do not include
	// credentials. Note: This must not depend on the window's DIP policy.
	const worker_expected_cookie =
	request_origin == same_origin
	? cookie_same_origin
	: (worker_dip == dip_credentialless
	? undefined
	: cookie_cross_origin);

	// From a JSON representing the `response` HTTP headers key-values, return the
	// cookie corresponding to the `cookie_key`.
	const get_cookie = (response) => {
	const headers_credentialless = JSON.parse(response);
	return parseCookies(headers_credentialless)[cookie_key];
	}

	promise_test(async test => {
	// 0. Populate cookies for the two origins.
	await Promise.all([
	setCookie(same_origin, cookie_key, cookie_same_origin +
	cookie_same_site_none),
	setCookie(cross_origin, cookie_key, cookie_cross_origin +
	cookie_same_site_none),
	]);

	// 1. Create the popup with the `window_dip` DIP policy:
	const popup = environments.document(window_dip)[0];

	// 2. Create the worker with the `worker_dip` DIP policy:
	const worker_token = token();
	const worker_error = token();
	const worker_src = same_origin + executor_worker_path + worker_dip +
	`&uuid=${worker_token}`;
	send(popup, `
	let worker = new SharedWorker("${worker_src}", {});
	worker.onerror = () => {
	send("${worker_error}", "Worker blocked");
	}
	`);

	// 3. Request the resource from the worker, with the `request_origin` origin.
	const request_token = token();
	const request_url = showRequestHeaders(request_origin, request_token);
	send(worker_token, `fetch("${request_url}", {
	mode: 'no-cors',
	credentials: 'include',
	})`);
	const request_cookie = await Promise.race([
	receive(worker_error),
	receive(request_token).then(get_cookie)
	]);

	assert_equals(request_cookie, worker_expected_cookie);
	})