From 539ae4ecbf8b83af3698087f7c3efe28cc29e86e Mon Sep 17 00:00:00 2001 
From: Lily Chen Date: Fri, 30 Jul 2021 22:08:34 +0000 Subject: [PATCH] Bug 1721957 [wpt PR 29758] - Remove legacy-samesite Web Platform Tests, a=testonly Automatic update from web-platform-tests Remove legacy-samesite Web Platform Tests SameSite-Lax-by-default and SameSite=None-requires-Secure have been standardized ([1], [2]) and launched in Chromium [3] as well as Firefox [4]. The WPTs testing "legacy" behavior are no longer needed, and they are also failing on wpt.fyi [5]. This change removes the legacy-samesite virtual test suite, as well as the ?legacy-samesite variant of the tests in wpt/cookie/samesite/. The test for SameSite=None-requires-Secure also loses its "tentative" designation. Chromium will soon no longer support the configuration used in the virtual test suite, so there would be no way to run these tests anyway. [1] https://github.com/httpwg/http-extensions/pull/1325 [2] https://github.com/httpwg/http-extensions/pull/1323 [3] https://crrev.com/c/2231445 [4] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ [5] https://wpt.fyi/results/cookies/samesite?run_id=5099687737556992&run_id=5641857632567296&run_id=5678463840157696&run_id=5638004375814144 Bug: 961439, 1211388 Change-Id: Idb3c835908bcd61dde3593b4fb4f9349e738031f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3047679 Reviewed-by: Steven Bingler Commit-Queue: Lily Chen Cr-Commit-Position: refs/heads/master@{#905289} -- wpt-commits: 939731a4f020de9afac2c4bf8c4de67eb9992e68 wpt-pr: 29758 --- .../cookies/resources/cookie-helper.sub.js | 64 ++----------------- ...ithout-samesite-must-be-secure.https.html} | 0 .../tests/cookies/samesite/fetch.https.html | 4 +- .../samesite/form-get-blank-reload.https.html | 4 +- .../samesite/form-get-blank.https.html | 4 +- .../form-post-blank-reload.https.html | 4 +- .../samesite/form-post-blank.https.html | 4 +- .../cookies/samesite/iframe-reload.https.html | 4 +- .../tests/cookies/samesite/iframe.https.html | 4 +- 
.../tests/cookies/samesite/img.https.html | 13 +--- .../multiple-samesite-attributes.https.html | 37 ++++------- .../cookies/samesite/setcookie-lax.https.html | 4 +- .../samesite/setcookie-navigation.https.html | 5 +- .../samesite/window-open-reload.https.html | 4 +- .../cookies/samesite/window-open.https.html | 4 +- 15 files changed, 32 insertions(+), 127 deletions(-) rename testing/web-platform/tests/cookies/samesite-none-secure/{cookies-without-samesite-must-be-secure.https.tentative.html => cookies-without-samesite-must-be-secure.https.html} (100%) diff --git a/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js b/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js index 789d38d1eb406..1420779e0d5a1 100644 --- a/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js +++ b/testing/web-platform/tests/cookies/resources/cookie-helper.sub.js 
@@ -167,32 +167,9 @@ async function resetSameSiteCookies(origin, value) { } } -// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains the -// proper set of cookie names and values, according to the legacy behavior where -// unspecified SameSite attribute defaults to SameSite=None behavior. -function verifySameSiteCookieStateLegacy(expectedStatus, expectedValue, cookies, domCookieStatus) { - assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent."); - assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always sent."); - if (expectedStatus == SameSiteStatus.CROSS_SITE) { - assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests."); - assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not sent with cross-site requests."); - } else if (expectedStatus == SameSiteStatus.LAX) { - assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with lax requests."); - assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with lax requests."); - } else if (expectedStatus == SameSiteStatus.STRICT) { - assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are sent with strict requests."); - assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are sent with strict requests."); - } - - if (cookies["domcookies"]) { - verifyDocumentCookieLegacy(domCookieStatus, expectedValue, cookies["domcookies"]); - } -} - -// Same as above except this expects samesite_unspecified to act the same as -// samesite_lax (which is the behavior expected when SameSiteByDefault is -// enabled). 
-function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expectedValue, cookies, domCookieStatus) { +// Given an |expectedStatus| and |expectedValue|, assert the |cookies| contains +// the proper set of cookie names and values. Expects SameSite-Lax-by-default. +function verifySameSiteCookieState(expectedStatus, expectedValue, cookies, domCookieStatus) { assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always sent."); if (expectedStatus == SameSiteStatus.CROSS_SITE) { assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not sent with cross-site requests."); 
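Review bot: The new header comment on `verifySameSiteCookieState` names |expectedStatus|, |expectedValue| and |cookies| but says nothing about the fourth parameter, `domCookieStatus`. Judging by the following hunk, it is only consulted when `cookies["domcookies"]` is set, where it is passed on to `verifyDocumentCookieSameSite`. I would add a line such as `// If |cookies| has a "domcookies" entry, it is checked against |domCookieStatus|.` The function body continues past the end of this hunk.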
@@ -209,32 +186,11 @@ function verifySameSiteCookieStateWithSameSiteByDefault(expectedStatus, expected } if (cookies["domcookies"]) { - verifyDocumentCookieWithSameSiteByDefault(domCookieStatus, expectedValue, cookies["domcookies"]); - } -} - -function verifyDocumentCookieLegacy(expectedStatus, expectedValue, domcookies) { - const cookies = domcookies.split(";") - .map(cookie => cookie.trim().split("=")) - .reduce((obj, cookie) => { - obj[cookie[0]] = cookie[1]; - return obj; - }, {}); - - if (expectedStatus == DomSameSiteStatus.SAME_SITE) { - assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie."); - assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie."); - assert_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are always included in document.cookie."); - assert_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are always included in document.cookie."); - } else if (expectedStatus == DomSameSiteStatus.CROSS_SITE) { - assert_equals(cookies["samesite_none"], expectedValue, "SameSite=None cookies are always included in document.cookie."); - assert_equals(cookies["samesite_unspecified"], expectedValue, "Unspecified-SameSite cookies are always included in document.cookie."); - assert_not_equals(cookies["samesite_strict"], expectedValue, "SameSite=Strict cookies are not included in document.cookie when cross-site."); - assert_not_equals(cookies["samesite_lax"], expectedValue, "SameSite=Lax cookies are not included in document.cookie when cross-site."); + verifyDocumentCookieSameSite(domCookieStatus, expectedValue, cookies['domcookies']); } } -function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue, domcookies) { +function verifyDocumentCookieSameSite(expectedStatus, expectedValue, domcookies) { const cookies = domcookies.split(";") .map(cookie => 
cookie.trim().split("=")) .reduce((obj, cookie) => { @@ -255,16 +211,6 @@ function verifyDocumentCookieWithSameSiteByDefault(expectedStatus, expectedValue } } -function isLegacySameSite() { - return location.search === "?legacy-samesite"; -} - -// Get the proper verifier based on the test's variant type. -function getSameSiteVerifier() { - return isLegacySameSite() ? - verifySameSiteCookieStateLegacy : verifySameSiteCookieStateWithSameSiteByDefault; -} - // // LeaveSecureCookiesAlone-specific test helpers: // diff --git a/testing/web-platform/tests/cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.tentative.html b/testing/web-platform/tests/cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.html similarity index 100% rename from testing/web-platform/tests/cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.tentative.html rename to testing/web-platform/tests/cookies/samesite-none-secure/cookies-without-samesite-must-be-secure.https.html diff --git a/testing/web-platform/tests/cookies/samesite/fetch.https.html b/testing/web-platform/tests/cookies/samesite/fetch.https.html index 934fc06765c48..79e49009fb8fc 100644 --- a/testing/web-platform/tests/cookies/samesite/fetch.https.html +++ b/testing/web-platform/tests/cookies/samesite/fetch.https.html @@ -1,8 +1,6 @@ - - @@ -15,7 +13,7 @@ return credFetch(target + "/cookies/resources/list.py") .then(r => r.json()) - .then(cookies => getSameSiteVerifier()(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE)); + .then(cookies => verifySameSiteCookieState(expectedStatus, value, cookies, DomSameSiteStatus.SAME_SITE)); }); }, title); } diff --git a/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html b/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html index 611255f7374da..ff39899f04338 100644 --- a/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html 
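Review bot: In cookie-helper.sub.js (hunk `@@ -209,32 +186,11 @@`) the added call reads `cookies['domcookies']` with single quotes, while the guard on the line above it uses `cookies["domcookies"]`. Keeping one quote style, `verifyDocumentCookieSameSite(domCookieStatus, expectedValue, cookies["domcookies"]);`, avoids a needless inconsistency. Separately, the renamed `verifyDocumentCookieSameSite` keeps only `cookie[1]` after `split("=")`, so a cookie value that itself contains `=` would be compared truncated. The test values are not visible here, so this may never occur in practice. The function body runs past the end of the hunk.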
+++ b/testing/web-platform/tests/cookies/samesite/form-get-blank-reload.https.html @@ -1,7 +1,5 @@ - - @@ -30,7 +28,7 @@ var reloaded = false; var msgHandler = e => { try { - getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); + verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); } catch (e) { reject(e); } diff --git a/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html b/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html index 3b059174d0b9e..e0f6799e99f38 100644 --- a/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html +++ b/testing/web-platform/tests/cookies/samesite/form-get-blank.https.html @@ -1,8 +1,6 @@ - - @@ -33,7 +31,7 @@ window.removeEventListener("message", msgHandler); e.source.close(); try { - getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); + verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); resolve("Popup received the cookie."); } catch (e) { reject(e); diff --git a/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html b/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html index fedb0a03c5a9a..9d1ef2ea47d9b 100644 --- a/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html +++ b/testing/web-platform/tests/cookies/samesite/form-post-blank-reload.https.html @@ -1,7 +1,5 @@ - - @@ -20,7 +18,7 @@ var reloaded = false; var msgHandler = e => { try { - getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); + verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); } catch (e) { reject(e); } diff --git a/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html b/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html index cc37f08dd1fa5..9c795b18bc60f 100644 
--- a/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html +++ b/testing/web-platform/tests/cookies/samesite/form-post-blank.https.html @@ -1,8 +1,6 @@ - - @@ -22,7 +20,7 @@ window.removeEventListener("message", msgHandler); e.source.close(); try { - getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); + verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); resolve("Popup received the cookie."); } catch (e) { reject(e); diff --git a/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html b/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html index a33c4dd4eb2ac..ab572f8ba1e69 100644 --- a/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html +++ b/testing/web-platform/tests/cookies/samesite/iframe-reload.https.html @@ -1,8 +1,6 @@ - - @@ -21,7 +19,7 @@ var reloaded = false; var msgHandler = e => { try { - getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus); + verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus); } catch (e) { reject(e); } diff --git a/testing/web-platform/tests/cookies/samesite/iframe.https.html b/testing/web-platform/tests/cookies/samesite/iframe.https.html index 3c7b638810e2f..cad523c4a60bd 100644 --- a/testing/web-platform/tests/cookies/samesite/iframe.https.html +++ b/testing/web-platform/tests/cookies/samesite/iframe.https.html @@ -1,8 +1,6 @@ - - @@ -24,7 +22,7 @@ document.body.removeChild(iframe); window.removeEventListener("message", msgHandler); try { - getSameSiteVerifier()(expectedStatus, value, e.data, expectedDomStatus); + verifySameSiteCookieState(expectedStatus, value, e.data, expectedDomStatus); resolve(); } catch(e) { reject(e); diff --git a/testing/web-platform/tests/cookies/samesite/img.https.html b/testing/web-platform/tests/cookies/samesite/img.https.html index 68603fd39d9c8..1ddc8d99adfa5 100644 --- a/testing/web-platform/tests/cookies/samesite/img.https.html 
+++ b/testing/web-platform/tests/cookies/samesite/img.https.html @@ -1,8 +1,6 @@ - - @@ -46,15 +44,10 @@ assert_cookie_absent(target, "samesite_strict", value), expectedStatus == SameSiteStatus.CROSS_SITE ? assert_cookie_absent(target, "samesite_lax", value) : - assert_cookie_present(target, "samesite_lax", value)]; - if (isLegacySameSite()) { - // Legacy behavior: unspecified SameSite acts like SameSite=None. - asserts.push(assert_cookie_present(target, "samesite_unspecified", value)); - } else { - asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ? + assert_cookie_present(target, "samesite_lax", value), + expectedStatus == SameSiteStatus.CROSS_SITE ? assert_cookie_absent(target, "samesite_unspecified", value) : - assert_cookie_present(target, "samesite_unspecified", value)); - } + assert_cookie_present(target, "samesite_unspecified", value)]; return Promise.all(asserts); }); }, title); diff --git a/testing/web-platform/tests/cookies/samesite/multiple-samesite-attributes.https.html b/testing/web-platform/tests/cookies/samesite/multiple-samesite-attributes.https.html index f1e52a3aea3b8..d32a39639d168 100644 --- a/testing/web-platform/tests/cookies/samesite/multiple-samesite-attributes.https.html +++ b/testing/web-platform/tests/cookies/samesite/multiple-samesite-attributes.https.html @@ -1,8 +1,6 @@ - - 
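Review bot: In img.https.html the deleted branch carried the only comment explaining how `samesite_unspecified` is expected to behave, and the new array entry has none. A reader now has to infer that an unspecified SameSite attribute is asserted the same way as Lax. A one-line comment above the added ternary, for example `// Unspecified SameSite is enforced as Lax: absent cross-site, present otherwise.`, would keep that intent next to the assertion. The same applies to the `assert_dom_cookie("samesite_unspecified", e.data.value, false)` line in setcookie-lax.https.html and to the `samesite_cookies` list in setcookie-navigation.https.html. The start of the `asserts` array is outside this hunk.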
@@ -54,28 +52,19 @@ assert_cookie_present(target, "samesite_unsupported_lax", value), expectedStatus == SameSiteStatus.CROSS_SITE ? assert_cookie_absent(target, "samesite_strict_lax", value) : - assert_cookie_present(target, "samesite_strict_lax", value) - ]; - if (isLegacySameSite()) { - // Legacy behavior: unsupported SameSite value acts like SameSite=None. - asserts.push(assert_cookie_present(target, "samesite_none_unsupported", value)); - asserts.push(assert_cookie_present(target, "samesite_lax_unsupported", value)); - asserts.push(assert_cookie_present(target, "samesite_strict_unsupported", value)); - asserts.push(assert_cookie_present(target, "samesite_unsupported", value)); - } else { - asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ? - assert_cookie_absent(target, "samesite_none_unsupported", value) : - assert_cookie_present(target, "samesite_none_unsupported", value)); - asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ? - assert_cookie_absent(target, "samesite_lax_unsupported", value) : - assert_cookie_present(target, "samesite_lax_unsupported", value)); - asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ? - assert_cookie_absent(target, "samesite_strict_unsupported", value) : - assert_cookie_present(target, "samesite_strict_unsupported", value)); - asserts.push(expectedStatus == SameSiteStatus.CROSS_SITE ? - assert_cookie_absent(target, "samesite_unsupported", value) : - assert_cookie_present(target, "samesite_unsupported", value)); - } + assert_cookie_present(target, "samesite_strict_lax", value), + expectedStatus == SameSiteStatus.CROSS_SITE ? + assert_cookie_absent(target, "samesite_none_unsupported", value) : + assert_cookie_present(target, "samesite_none_unsupported", value), + expectedStatus == SameSiteStatus.CROSS_SITE ? + assert_cookie_absent(target, "samesite_lax_unsupported", value) : + assert_cookie_present(target, "samesite_lax_unsupported", value), + expectedStatus == SameSiteStatus.CROSS_SITE ? 
+ assert_cookie_absent(target, "samesite_strict_unsupported", value) : + assert_cookie_present(target, "samesite_strict_unsupported", value), + expectedStatus == SameSiteStatus.CROSS_SITE ? + assert_cookie_absent(target, "samesite_unsupported", value) : + assert_cookie_present(target, "samesite_unsupported", value)]; return Promise.all(asserts); }); }, title); diff --git a/testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html b/testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html index 0c09577373fd9..f2094af693d64 100644 --- a/testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html +++ b/testing/web-platform/tests/cookies/samesite/setcookie-lax.https.html @@ -1,7 +1,5 @@ - - @@ -28,7 +26,7 @@ assert_dom_cookie("samesite_strict", e.data.value, false); assert_dom_cookie("samesite_lax", e.data.value, false); assert_dom_cookie("samesite_none", e.data.value, true); - assert_dom_cookie("samesite_unspecified", e.data.value, isLegacySameSite()); + assert_dom_cookie("samesite_unspecified", e.data.value, false); w.close(); }, "Cross-site window shouldn't be able to set `SameSite=Lax` or `SameSite=Strict` cookies."); diff --git a/testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html b/testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html index 06f9a73a7b4da..2dbc5526bccae 100644 --- a/testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html +++ b/testing/web-platform/tests/cookies/samesite/setcookie-navigation.https.html @@ -1,8 +1,6 @@ - - 
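Review bot: In multiple-samesite-attributes.https.html the four added `*_unsupported` entries repeat the same ternary with only the cookie name changed, which makes it easy for one copy to drift from the others. Spreading a mapped list into the array keeps the expectation in one place: `...["samesite_none_unsupported", "samesite_lax_unsupported", "samesite_strict_unsupported", "samesite_unsupported"].map(name => expectedStatus == SameSiteStatus.CROSS_SITE ? assert_cookie_absent(target, name, value) : assert_cookie_present(target, name, value))`. The opening of the `asserts` array is above the hunk, so the earlier entries are not shown here.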
@@ -64,8 +62,7 @@ let message = await wait_for_message('FRAME_COOKIES_SET', SECURE_ORIGIN); // Check for the proper cookies. let samesite_none_cookies = ['samesite_none']; - let samesite_cookies = ['samesite_strict', 'samesite_lax']; - (isLegacySameSite() ? samesite_none_cookies : samesite_cookies).push('samesite_unspecified'); + let samesite_cookies = ['samesite_strict', 'samesite_lax', 'samesite_unspecified']; assert_cookies_present(message.data.cookies, value, samesite_none_cookies, true); assert_cookies_present(message.data.cookies, value, samesite_cookies, !cross_site); w.close(); diff --git a/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html b/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html index f21b6a77de5c5..dc800f853bdba 100644 --- a/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html +++ b/testing/web-platform/tests/cookies/samesite/window-open-reload.https.html @@ -1,7 +1,5 @@ - - @@ -17,7 +15,7 @@ var reloaded = false; var msgHandler = e => { try { - getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); + verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); } catch (e) { reject(e); } diff --git a/testing/web-platform/tests/cookies/samesite/window-open.https.html b/testing/web-platform/tests/cookies/samesite/window-open.https.html index 7ee3ef43abea9..b460e1a597b2f 100644 --- a/testing/web-platform/tests/cookies/samesite/window-open.https.html +++ b/testing/web-platform/tests/cookies/samesite/window-open.https.html @@ -1,8 +1,6 @@ - - @@ -19,7 +17,7 @@ window.removeEventListener("message", msgHandler); w.close(); try { - getSameSiteVerifier()(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); + verifySameSiteCookieState(expectedStatus, value, e.data, DomSameSiteStatus.SAME_SITE); resolve("Popup received the cookie."); } catch (e) { reject(e);
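Review bot: In setcookie-navigation.https.html (hunk `@@ -64,8 +62,7 @@`), removing the conditional `push` means neither `samesite_none_cookies` nor `samesite_cookies` is modified after creation within the lines shown. Both can therefore be declared with `const`, e.g. `const samesite_cookies = ['samesite_strict', 'samesite_lax', 'samesite_unspecified'];`, which makes it plain that the expected-cookie lists are fixed for the test. The enclosing function starts and ends outside the hunk, so a later mutation cannot be ruled out from here.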