// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js
// With COEP:credentialless, requesting a resource without credentials MUST NOT
// return a response requested with credentials. This would be a security
// issue, since COEP:credentialless can be used to enable crossOriginIsolation.
//
// The test the behavior of the HTTP cache:
// 1. b.com stores cookie.
// 2. a.com(COEP:unsafe-none): request b.com's resource.
// 3. a.com(COEP:credentialless): request b.com's resource.
//
// The first time, the resource is requested with credentials. The response is
// served with Cache-Control: max-age=31536000. It enters the cache.
// The second time, the resource is requested without credentials. The response
// in the cache must not be returned.
const cookie_key = "coep_cache_key";
const cookie_value = "coep_cache_value";
const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
const GetCookie = (response) => {
return parseCookies(JSON.parse(response))[cookie_key];
}
// "same_origin" document with COEP:unsafe-none.
const w_coep_none_token = token();
const w_coep_none_url = same_origin + executor_path + coep_none +
`&uuid=${w_coep_none_token}`
const w_coep_none = window.open(w_coep_none_url);
add_completion_callback(() => w_coep_none.close());
// "same_origin" document with COEP:credentialles.
const w_coep_credentialless_token = token();
const w_coep_credentialless_url = same_origin + executor_path +
coep_credentialless + `&uuid=${w_coep_credentialless_token}`
const w_coep_credentialless = window.open(w_coep_credentialless_url);
add_completion_callback(() => w_coep_credentialless.close());
const this_token = token();
// A request toward a "cross-origin" cacheable response.
const request_token = token();
const request_url = cacheableShowRequestHeaders(cross_origin, request_token);
promise_setup(async test => {
await setCookie(cross_origin, cookie_key, cookie_value + cookie_same_site_none);
}, "Set cookie");
// The "same-origin" COEP:unsafe-none document fetchs a "cross-origin"
// resource. The request is sent with credentials.
promise_setup(async test => {
send(w_coep_none_token, `
await fetch("${request_url}", {
mode : "no-cors",
credentials: "include",
});
send("${this_token}", "Resource fetched");
`);
assert_equals(await receive(this_token), "Resource fetched");
assert_equals(await receive(request_token).then(GetCookie), cookie_value);
}, "Cache a response requested with credentials");
// The "same-origin" COEP:credentialless document fetches the same resource
// without credentials. The HTTP cache must not be used. Instead a second
// request must be made without credentials.
promise_test(async test => {
send(w_coep_credentialless_token, `
await fetch("${request_url}", {
mode : "no-cors",
credentials: "include",
});
send("${this_token}", "Resource fetched");
`);
assert_equals(await receive(this_token), "Resource fetched");
test.step_timeout(test.unreached_func("The HTTP cache has been used"), 1500);
assert_equals(await receive(request_token).then(GetCookie), undefined);
}, "The HTTP cache must not be used");
Codebase Browser
chromium