From 38e77a73f8a648185a608ca02d087d0a67df12b2 Mon Sep 17 00:00:00 2001
From: Dominic Farolino <domfarolino@gmail.com>
Date: Fri, 26 Oct 2018 11:15:22 -0700
Subject: [PATCH] Change default classic script fetch options credentials mode

This CL changes the default classic script fetch options credentials mode
from "omit" to "same-origin", as per the recent spec change [1], and adds
descendant worker credentials tests as a follow-up to said spec change and
[2].

[1]: https://github.com/whatwg/html/pull/3656
[2]: https://github.com/web-platform-tests/wpt/issues/13426

R=domenic@chromium.org, kouhei@chromium.org, nhiroki@chromium.org

Bug: 849101
Change-Id: I958f552f0ee91beb8aab98269f79a1eb219fb40a
---
 .../dedicated-worker-options-credentials.html | 256 ++++++++++++++++--
 ...ed-worker-options-credentials.html.headers |   2 +-
 workers/modules/resources/credentials.py      |   1 +
 ...e-origin-credentials-checker-worker.sub.js |   2 +
 ...-same-origin-credentials-checker-worker.js |   1 +
 ...e-origin-credentials-checker-worker.sub.js |   2 +
 ...-same-origin-credentials-checker-worker.js |   1 +
 7 files changed, 240 insertions(+), 25 deletions(-)
 create mode 100644 workers/modules/resources/dynamic-import-remote-origin-credentials-checker-worker.sub.js
 create mode 100644 workers/modules/resources/dynamic-import-same-origin-credentials-checker-worker.js
 create mode 100644 workers/modules/resources/static-import-remote-origin-credentials-checker-worker.sub.js
 create mode 100644 workers/modules/resources/static-import-same-origin-credentials-checker-worker.js

diff --git a/workers/modules/dedicated-worker-options-credentials.html b/workers/modules/dedicated-worker-options-credentials.html
index 6603eb9be9b8f0..b7a23079b6b7a2 100644
--- a/workers/modules/dedicated-worker-options-credentials.html
+++ b/workers/modules/dedicated-worker-options-credentials.html
@@ -2,84 +2,292 @@
 <title>DedicatedWorker: WorkerOptions 'credentials'</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
 <script>
+host_info = get_host_info();
 
 // Determines the expected cookie value to be reported by a dedicated worker
 // based on the given option. The worker reports an empty string as the actual
 // cookie value if the cookie wasn't sent to the server. Otherwise, it's the
 // value set by the headers file:
 // "dedicated-worker-options-credentials.html.headers"
-function DetermineExpectedCookieValue(options) {
-  // Classic script loading should always send credentials regardless of the
-  // 'credentials' option because the spec says the option takes effect only
-  // for module script loading.
-  if (options.type == 'classic')
-    return 'COOKIE_VALUE';
+function DetermineExpectedCookieValue(options, config) {
+  // Valid WorkerOptions and test config checking.
+  if (config.origin !== 'same' && config.origin !== 'remote')
+    assert_unreached('Invalid config.origin was specified: ' + config.origin);
+  if (options.credentials && options.credentials !== 'omit' &&
+      options.credentials !== 'same-origin' &&
+      options.credentials !== 'include') {
+    assert_unreached('Invalid credentials option was specified: ' +
+                      options.credentials);
+  }
+  if (options.type !== 'classic' && options.type !== 'module')
+    assert_unreached('Invalid type option was specified: ' + options.type);
+
+  if (options.type === 'classic')
+    return (config.origin === 'same') ? '1' : '';
+
   assert_equals(options.type, 'module');
 
-  if (!options.credentials ||
-      options.credentials == 'same-origin' ||
-      options.credentials == 'include') {
-    return 'COOKIE_VALUE';
-  }
-  if (options.credentials == 'omit')
+  if (options.credentials === 'omit')
     return '';
-  assert_unreached('Invalid credentials option was specified: ' +
-                   options.credentials);
+  else if (options.credentials === 'include')
+    return '1';
+  else
+    return (config.origin === 'same') ? '1' : '';
 }
 
 // Runs a credentials test with the given WorkerOptions.
-function credentials_test(options, description) {
+function credentials_test(options, config, description) {
   promise_test(async () => {
-    const worker = new Worker('resources/credentials.py', options);
+    let workerURL, origin = config.origin;
+    if (config.fetchType === 'top-level') {
+      workerURL = 'resources/credentials.py';
+    } else if (config.fetchType === 'descendant-static') {
+      workerURL =
+        `resources/static-import-${origin}-origin-credentials-checker-worker.${origin === 'same' ? '' : 'sub.'}js`;
+    } else if (config.fetchType === 'descendant-dynamic') {
+      workerURL =
+        `resources/dynamic-import-${origin}-origin-credentials-checker-worker.${origin === 'same' ? '' : 'sub.'}js`;
+    } else {
+      assert_unreached('Invalid config.fetchType: ' + config.fetchType);
+    }
+
+    const worker = new Worker(workerURL, options);
 
     // Wait until the worker sends the actual cookie value.
     const msg_event = await new Promise(resolve => worker.onmessage = resolve);
 
-    const expectedCookieValue = DetermineExpectedCookieValue(options);
+    const expectedCookieValue = DetermineExpectedCookieValue(options, config);
     assert_equals(msg_event.data, expectedCookieValue);
   }, description);
 }
 
-// Tests for module scripts.
+function init() {
+  // Same-origin cookie is set up in the .headers file in this directory.
+  promise_test(async () => {
+    return fetch(
+      `${host_info.HTTP_REMOTE_ORIGIN}/cookies/resources/set-cookie.py?name=COOKIE_NAME&path=/workers/modules/`,
+      {
+        mode: 'no-cors',
+        credentials: 'include'
+      });
+  }, 'Test initialization: setting up cross-origin cookie');
+}
+
+init();
+
+// Tests for module workers.
+
+credentials_test(
+    { type: 'module' },
+    { fetchType: 'top-level', origin: 'same' },
+    'new Worker() with type=module and default credentials option should ' +
+    'behave as credentials=same-origin and send the credentials');
+
+credentials_test(
+    { credentials: 'omit', type: 'module' },
+    { fetchType: 'top-level', origin: 'same' },
+    'new Worker() with type=module and credentials=omit should not send the ' +
+    'credentials');
+
+credentials_test(
+    { credentials: 'same-origin', type: 'module' },
+    { fetchType: 'top-level', origin: 'same' },
+    'new Worker() with type=module and credentials=same-origin should send ' +
+    'the credentials');
+
+credentials_test(
+    { credentials: 'include', type: 'module' },
+    { fetchType: 'top-level', origin: 'same' },
+    'new Worker() with type=module and credentials=include should send the ' +
+    'credentials');
+
+// Tests for module worker static imports.
+
+credentials_test(
+    { type: 'module' },
+    { fetchType: 'descendant-static', origin: 'same' },
+    'new Worker() with type=module and default credentials option should ' +
+    'behave as credentials=same-origin and send the credentials for ' +
+    'same-origin static imports');
+
+credentials_test(
+    { credentials: 'omit', type: 'module' },
+    { fetchType: 'descendant-static', origin: 'same' },
+    'new Worker() with type=module and credentials=omit should not send the ' +
+    'credentials for same-origin static imports');
+
+credentials_test(
+    { credentials: 'same-origin', type: 'module' },
+    { fetchType: 'descendant-static', origin: 'same' },
+    'new Worker() with type=module and credentials=same-origin should send ' +
+    'the credentials for same-origin static imports');
+
+credentials_test(
+    { credentials: 'include', type: 'module' },
+    { fetchType: 'descendant-static', origin: 'same' },
+    'new Worker() with type=module and credentials=include should send the ' +
+    'credentials for same-origin static imports');
+
+credentials_test(
+    { type: 'module' },
+    { fetchType: 'descendant-static', origin: 'remote' },
+    'new Worker() with type=module and default credentials option should ' +
+    'behave as credentials=same-origin and not send the credentials for ' +
+    'cross-origin static imports');
+
+credentials_test(
+    { credentials: 'omit', type: 'module' },
+    { fetchType: 'descendant-static', origin: 'remote' },
+    'new Worker() with type-module credentials=omit should not send the ' +
+    'credentials for cross-origin static imports');
+
+credentials_test(
+    { credentials: 'same-origin', type: 'module' },
+    { fetchType: 'descendant-static', origin: 'remote' },
+    'new Worker() with type=module and credentials=same-origin should not ' +
+    'send the credentials for cross-origin static imports');
+
+credentials_test(
+    { credentials: 'include', type: 'module' },
+    { fetchType: 'descendant-static', origin: 'remote' },
+    'new Worker() with type=module and credentials=include should send the ' +
+    'credentials for cross-origin static imports');
+
+// Tests for module worker dynamic imports.
+
+credentials_test(
+    { type: 'module' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=module and default credentials option should ' +
+    'behave as credentials=same-origin and send the credentials for ' +
+    'same-origin dynamic imports');
+
+credentials_test(
+    { credentials: 'omit', type: 'module' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=module and credentials=omit should not send the ' +
+    'credentials for same-origin dynamic imports');
+
+credentials_test(
+    { credentials: 'same-origin', type: 'module' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=module and credentials=same-origin should send ' +
+    'the credentials for same-origin dynamic imports');
+
+credentials_test(
+    { credentials: 'include', type: 'module' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=module and credentials=include should send the ' +
+    'credentials for same-origin dynamic imports');
 
 credentials_test(
     { type: 'module'},
-    'new Worker() with the default credentials option should behave as ' +
-    'credentials=same-origin and send the credentials');
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type=module and default credentials option should ' +
+    'behave as credentials=same-origin and not send the credentials for ' +
+    'cross-origin dynamic imports');
 
 credentials_test(
     { credentials: 'omit', type: 'module' },
-    'new Worker() with credentials=omit should not send the credentials');
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type-module credentials=omit should not send the ' +
+    'credentials for cross-origin dynamic imports');
 
 credentials_test(
     { credentials: 'same-origin', type: 'module' },
-    'new Worker() with credentials=same-origin should send the credentials');
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type=module and credentials=same-origin should not ' +
+    'send the credentials for cross-origin dynamic imports');
 
 credentials_test(
     { credentials: 'include', type: 'module' },
-    'new Worker() with credentials=include should send the credentials');
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type=module and credentials=include should send the ' +
+    'credentials for cross-origin dynamic imports');
 
-// Tests for classic scripts.
+// Tests for classic workers.
 
 credentials_test(
     { type: 'classic' },
+    { fetchType: 'top-level', origin: 'same' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (default).');
 
 credentials_test(
     { credentials: 'omit', type: 'classic' },
+    { fetchType: 'top-level', origin: 'same' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (omit).');
 
 credentials_test(
     { credentials: 'same-origin', type: 'classic' },
+    { fetchType: 'top-level', origin: 'same' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (same-origin).');
 
 credentials_test(
     { credentials: 'include', type: 'classic' },
+    { fetchType: 'top-level', origin: 'same' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (include).');
 
+// Tests for classic worker dynamic imports.
+
+credentials_test(
+    { type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=classic should always send the credentials for ' +
+    'same-origin dynamic imports regardless of the credentials option ' +
+    '(default).');
+
+credentials_test(
+    { credentials: 'omit', type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=classic should always send the credentials for ' +
+    'same-origin dynamic imports regardless of the credentials option (omit).');
+
+credentials_test(
+    { credentials: 'same-origin', type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=classic should always send the credentials for ' +
+    'same-origin dynamic imports regardless of the credentials option ' +
+    '(same-origin).');
+
+credentials_test(
+    { credentials: 'include', type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'same' },
+    'new Worker() with type=classic should always send the credentials for ' +
+    'same-origin dynamic imports regardless of the credentials option ' +
+    '(include).');
+
+credentials_test(
+    { type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type=classic should never send the credentials for ' +
+    'cross-origin dynamic imports regardless of the credentials option ' +
+    '(default).');
+
+credentials_test(
+    { credentials: 'omit', type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type=classic should never send the credentials for ' +
+    'cross-origin dynamic imports regardless of the credentials option ' +
+    '(omit).');
+
+credentials_test(
+    { credentials: 'same-origin', type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type=classic should never send the credentials for ' +
+    'cross-origin dynamic imports regardless of the credentials option ' +
+    '(same-origin).');
+
+credentials_test(
+    { credentials: 'include', type: 'classic' },
+    { fetchType: 'descendant-dynamic', origin: 'remote' },
+    'new Worker() with type=classic should never send the credentials for ' +
+    'cross-origin dynamic imports regardless of the credentials option ' +
+    '(include).');
+
 </script>
diff --git a/workers/modules/dedicated-worker-options-credentials.html.headers b/workers/modules/dedicated-worker-options-credentials.html.headers
index 6f53744a6ae77b..8da851ab736387 100644
--- a/workers/modules/dedicated-worker-options-credentials.html.headers
+++ b/workers/modules/dedicated-worker-options-credentials.html.headers
@@ -1,2 +1,2 @@
-Set-Cookie: COOKIE_NAME=COOKIE_VALUE
+Set-Cookie: COOKIE_NAME=1
 Access-Control-Allow-Credentials: true
diff --git a/workers/modules/resources/credentials.py b/workers/modules/resources/credentials.py
index 8f79563fb5ff9c..7623d849625db4 100644
--- a/workers/modules/resources/credentials.py
+++ b/workers/modules/resources/credentials.py
@@ -2,6 +2,7 @@ def main(request, response):
     cookie = request.cookies.first("COOKIE_NAME", None)
 
     response_headers = [("Content-Type", "text/javascript"),
+                        ("Access-Control-Allow-Origin", request.headers.get("Origin")),
                         ("Access-Control-Allow-Credentials", "true")]
 
     cookie_value = '';
diff --git a/workers/modules/resources/dynamic-import-remote-origin-credentials-checker-worker.sub.js b/workers/modules/resources/dynamic-import-remote-origin-credentials-checker-worker.sub.js
new file mode 100644
index 00000000000000..fb4f6e067a89f7
--- /dev/null
+++ b/workers/modules/resources/dynamic-import-remote-origin-credentials-checker-worker.sub.js
@@ -0,0 +1,2 @@
+// Import a remote origin script.
+import('http://{{domains[www1]}}:{{ports[http][0]}}/workers/modules/resources/credentials.py');
diff --git a/workers/modules/resources/dynamic-import-same-origin-credentials-checker-worker.js b/workers/modules/resources/dynamic-import-same-origin-credentials-checker-worker.js
new file mode 100644
index 00000000000000..b267d3441005ac
--- /dev/null
+++ b/workers/modules/resources/dynamic-import-same-origin-credentials-checker-worker.js
@@ -0,0 +1 @@
+import('./credentials.py');
diff --git a/workers/modules/resources/static-import-remote-origin-credentials-checker-worker.sub.js b/workers/modules/resources/static-import-remote-origin-credentials-checker-worker.sub.js
new file mode 100644
index 00000000000000..41ef6a8de71ea2
--- /dev/null
+++ b/workers/modules/resources/static-import-remote-origin-credentials-checker-worker.sub.js
@@ -0,0 +1,2 @@
+// Import a remote origin script.
+import 'http://{{domains[www1]}}:{{ports[http][0]}}/workers/modules/resources/credentials.py';
diff --git a/workers/modules/resources/static-import-same-origin-credentials-checker-worker.js b/workers/modules/resources/static-import-same-origin-credentials-checker-worker.js
new file mode 100644
index 00000000000000..17755d9099f187
--- /dev/null
+++ b/workers/modules/resources/static-import-same-origin-credentials-checker-worker.js
@@ -0,0 +1 @@
+import './credentials.py';