diff --git a/fetch/api/cors/cors-cookies-redirect.any.js b/fetch/api/cors/cors-cookies-redirect.any.js new file mode 100644 index 00000000000000..f5217b42460a57 --- /dev/null +++ b/fetch/api/cors/cors-cookies-redirect.any.js @@ -0,0 +1,49 @@ +// META: script=/common/utils.js +// META: script=../resources/utils.js +// META: script=/common/get-host-info.sub.js + +var redirectUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "redirect.py"; +var urlSetCookies1 = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "top.txt"; +var urlSetCookies2 = get_host_info().HTTP_ORIGIN_WITH_DIFFERENT_PORT + dirname(location.pathname) + RESOURCES_DIR + "top.txt"; +var urlCheckCookies = get_host_info().HTTP_ORIGIN_WITH_DIFFERENT_PORT + dirname(location.pathname) + RESOURCES_DIR + "inspect-headers.py?cors&headers=cookie"; + +var urlSetCookiesParameters = "?pipe=header(Access-Control-Allow-Origin," + location.origin + ")"; +urlSetCookiesParameters += "|header(Access-Control-Allow-Credentials,true)"; + +urlSetCookiesParameters1 = urlSetCookiesParameters + "|header(Set-Cookie,a=1)"; +urlSetCookiesParameters2 = urlSetCookiesParameters + "|header(Set-Cookie,a=2)"; + +urlClearCookiesParameters1 = urlSetCookiesParameters + "|header(Set-Cookie,a=1%3B%20max-age=0)"; +urlClearCookiesParameters2 = urlSetCookiesParameters + "|header(Set-Cookie,a=2%3B%20max-age=0)"; + +promise_test(async (test) => { + await fetch(urlSetCookies1 + urlSetCookiesParameters1, {"credentials": "include", "mode": "cors"}); + await fetch(urlSetCookies2 + urlSetCookiesParameters2, {"credentials": "include", "mode": "cors"}); +}, "Set cookies"); + +function doTest(usePreflight) { + promise_test(async (test) => { + var url = redirectUrl; + var uuid_token = token(); + var urlParameters = "?token=" + uuid_token + "&max_age=0"; + urlParameters += "&redirect_status=301"; + urlParameters += "&location=" + encodeURIComponent(urlCheckCookies); + urlParameters += "&allow_headers=a&headers=Cookie"; + headers = []; + if (usePreflight) + headers.push(["a", "b"]); + + var requestInit = {"credentials": "include", "mode": "cors", "headers": headers}; + var response = await fetch(url + urlParameters, requestInit); + + assert_equals(response.headers.get("x-request-cookie") , "a=2", "Request includes cookie(s)"); + }, "Testing credentials after cross-origin redirection with CORS and " + (usePreflight ? "" : "no ") + "preflight"); +} + +doTest(false); +doTest(true); + +promise_test(async (test) => { + await fetch(urlSetCookies1 + urlClearCookiesParameters1, {"credentials": "include", "mode": "cors"}); + await fetch(urlSetCookies2 + urlClearCookiesParameters2, {"credentials": "include", "mode": "cors"}); +}, "Clean cookies"); diff --git a/fetch/api/resources/inspect-headers.py b/fetch/api/resources/inspect-headers.py index c4ace18ab64b11..d53038cee0bd79 100644 --- a/fetch/api/resources/inspect-headers.py +++ b/fetch/api/resources/inspect-headers.py @@ -16,7 +16,10 @@ def main(request, response): headers.append(("Access-Control-Allow-Methods", "GET, POST, HEAD")) exposed_headers = ["x-request-" + header for header in checked_headers] headers.append(("Access-Control-Expose-Headers", ", ".join(exposed_headers))) - headers.append(("Access-Control-Allow-Headers", ", ".join(request.headers))) + if "allow_headers" in request.GET: + headers.append(("Access-Control-Allow-Headers", request.GET['allow_headers'])) + else: + headers.append(("Access-Control-Allow-Headers", ", ".join(request.headers))) headers.append(("content-type", "text/plain")) return headers, "" diff --git a/fetch/api/resources/redirect.py b/fetch/api/resources/redirect.py index 3d313e5b0b40e1..40c1b99961aad3 100644 --- a/fetch/api/resources/redirect.py +++ b/fetch/api/resources/redirect.py @@ -7,10 +7,14 @@ def main(request, response): status = 302 headers = [("Content-Type", "text/plain"), ("Cache-Control", "no-cache"), - ("Pragma", "no-cache"), - ("Access-Control-Allow-Origin", "*")] - token = None + ("Pragma", "no-cache")] + if "Origin" in request.headers: + headers.append(("Access-Control-Allow-Origin", request.headers.get("Origin", ""))) + headers.append(("Access-Control-Allow-Credentials", "true")) + else: + headers.append(("Access-Control-Allow-Origin", "*")) + token = None if "token" in request.GET: token = request.GET.first("token") data = request.server.stash.take(token)