// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=./resources/common.js
const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
const cookie_key = "coep_credentialless_image";
const cookie_same_origin = "same_origin";
const cookie_cross_origin = "cross_origin";
promise_setup(async test => {
await Promise.all([
setCookie(same_origin, cookie_key, cookie_same_origin +
cookie_same_site_none),
setCookie(cross_origin, cookie_key, cookie_cross_origin +
cookie_same_site_none),
]);
}, "Setup cookies");
const videoTest = function(description, origin, mode, expected_cookie) {
promise_test(async test => {
const video_token = token();
let video = document.createElement("video");
video.src = showRequestHeaders(origin, video_token);
video.autoplay = true;
if (mode)
video.crossOrigin = mode;
document.body.appendChild(video);
const headers = JSON.parse(await receive(video_token));
assert_equals(parseCookies(headers)[cookie_key], expected_cookie);
}, `video ${description}`)
};
// Same-origin request always contains Cookies:
videoTest("same-origin + undefined",
same_origin, undefined, cookie_same_origin);
videoTest("same-origin + anonymous",
same_origin, 'anonymous', cookie_same_origin);
videoTest("same-origin + use-credentials",
same_origin, 'use-credentials', cookie_same_origin);
// Cross-origin request contains cookies, only when sent in CORS mode, using
// crossOrigin = "use-credentials".
videoTest("cross-origin + undefined",
cross_origin, '', undefined);
videoTest("cross-origin + anonymous",
cross_origin, 'anonymous', undefined);
videoTest("cross-origin + use-credentials",
cross_origin, 'use-credentials', cookie_cross_origin);
Codebase Browser
chromium