// META: script=/storage-access-api/helpers.js
// META: script=/resources/testdriver.js
// META: script=/resources/testdriver-vendor.js
'use strict';
const requestedOrigin = 'https://foo.com';
const altOrigin = 'https://{{hosts[alt][www]}}:{{ports[https][0]}}';
promise_test(
async () => {
assert_not_equals(document.requestStorageAccessFor, undefined);
},
'[top-level-context] document.requestStorageAccessFor() should be supported on the document interface');
promise_test(
t => {
return promise_rejects_js(t, TypeError,
document.requestStorageAccessFor(),
'document.requestStorageAccessFor() call without origin argument');
},
'[top-level-context] document.requestStorageAccessFor() should be rejected when called with no argument');
// Most tests need to start with the feature in "prompt" state.
// For tests that rely on the permission state, this function is intended to be
// run prior to executing test logic, rather than using clean-up functions for
// the permission.
async function CommonSetup() {
await test_driver.set_permission(
{ name: 'top-level-storage-access', requestedOrigin }, 'prompt');
await test_driver.set_permission(
{ name: 'top-level-storage-access', requestedOrigin: altOrigin }, 'prompt');
}
promise_test(async t => {
await CommonSetup();
return promise_rejects_dom(t, 'NotAllowedError',
document.requestStorageAccessFor(requestedOrigin),
'document.requestStorageAccessFor() call without user gesture');
},
'[top-level-context] document.requestStorageAccessFor() should be rejected by default with no user gesture');
promise_test(async t => {
const description =
'document.requestStorageAccessFor() call in a detached frame';
// Can't use promise_rejects_dom here because the exception is from the wrong global.
return CreateDetachedFrame().requestStorageAccessFor(requestedOrigin)
.then(t.unreached_func('Should have rejected: ' + description))
.catch((e) => {
assert_equals(e.name, 'InvalidStateError', description);
});
}, '[non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached frame');
promise_test(async t => {
const description =
'document.requestStorageAccessFor() in a detached DOMParser result';
return CreateDocumentViaDOMParser().requestStorageAccessFor(requestedOrigin)
.then(t.unreached_func('Should have rejected: ' + description))
.catch((e) => {
assert_equals(e.name, 'InvalidStateError', description);
});
}, '[non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached DOMParser document');
promise_test(
async t => {
await CommonSetup();
await test_driver.set_permission(
{name: 'top-level-storage-access', requestedOrigin}, 'granted');
await document.requestStorageAccessFor(requestedOrigin);
},
'[top-level-context] document.requestStorageAccessFor() should be resolved without a user gesture with an existing permission');
promise_test(
async t => {
await CommonSetup();
await test_driver.set_permission(
{name: 'top-level-storage-access', requestedOrigin: altOrigin},
'granted');
const frame = await CreateFrame(
altOrigin + '/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
await RunCallbackWithGesture(() => document.requestStorageAccessFor(altOrigin));
assert_true(await RequestStorageAccessInFrame(frame));
},
'[top-level-context] document.requestStorageAccess() should be resolved without a user gesture after a successful requestStorageAccessFor() call');
promise_test(
async t => {
await RunCallbackWithGesture(
() => document.requestStorageAccessFor(document.location.origin));
},
'[top-level-context] document.requestStorageAccessFor() should be resolved when called properly with a user gesture and the same origin');
promise_test(
async t =>{
await RunCallbackWithGesture(
() => promise_rejects_js(t, TypeError, document.requestStorageAccessFor('bogus-url'),
'document.requestStorageAccessFor() call with bogus URL'));
},
'[top-level-context] document.requestStorageAccessFor() should be rejected when called with an invalid origin');
promise_test(
async t => {
await RunCallbackWithGesture(
() => promise_rejects_dom(t, 'NotAllowedError', document.requestStorageAccessFor('data:,Hello%2C%20World%21'),
'document.requestStorageAccessFor() call with data URL'));
},
'[top-level-context] document.requestStorageAccessFor() should be rejected when called with an opaque origin');
promise_test(
async (t) => {
const altEchoCookieHeaderUrl =
`${altOrigin}/storage-access-api/resources/echo-cookie-header.py`;
await MaybeSetStorageAccess('*', '*', 'blocked');
await CommonSetup();
await test_driver.set_permission(
{name: 'top-level-storage-access', requestedOrigin: altOrigin},
'granted');
// Set cross-site cookie for altOrigin. Note that this only works with
// an existing top-level storage access permission.
await fetch(
`${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`,
{mode: 'cors', credentials: 'include'});
const httpCookies1 = await fetch(altEchoCookieHeaderUrl, {
mode: 'cors',
credentials: 'include'
}).then((resp) => resp.text());
assert_true(
httpCookies1.includes('cookie=1'),
'After obtaining top-level storage access, cross-site subresource requests with CORS mode should have cookie access.');
const httpCookies2 = await fetch(altEchoCookieHeaderUrl, {
mode: 'no-cors',
credentials: 'include'
}).then((resp) => resp.text());
assert_false(
httpCookies2.includes('cookie=1'),
'Cross-site subresource requests without CORS mode cannot access cookie even with an existing permission.');
},
'[top-level-context] Top-level storage access only allows cross-site subresource requests to access cookie when using CORS mode.');
promise_test(
async () => {
const frame = await CreateFrame(
'/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
assert_not_equals(frame.contentWindow.document.requestStorageAccessFor, undefined);
},
'[same-origin-iframe] document.requestStorageAccessFor() should be supported on the document interface');
promise_test(
async t => {
const frame = await CreateFrame(
'/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
return promise_rejects_js(t, frame.contentWindow.TypeError,
frame.contentWindow.document.requestStorageAccessFor(),
'document.requestStorageAccessFor() call without origin argument');
},
'[same-origin-iframe] document.requestStorageAccessFor() should be rejected when called with no argument');
promise_test(
async t => {
const frame = await CreateFrame(
'/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
await RunCallbackWithGesture(() =>
promise_rejects_dom(t, 'NotAllowedError', frame.contentWindow.DOMException,
frame.contentWindow.document.requestStorageAccessFor(document.location.origin),
'document.requestStorageAccessFor() call in a non-top-level context'));
},
'[same-origin-iframe] document.requestStorageAccessFor() should be rejected when called in an iframe');
promise_test(
async (t) => {
await MaybeSetStorageAccess('*', '*', 'blocked');
await CommonSetup();
const frame = await CreateFrame(
`/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js`);
// Set cross-site cookie for altOrigin. Note that cookie won't be set
// even with an existing top-level storage access permission in an
// iframe.
await FetchFromFrame(frame,
`${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`);
await test_driver.set_permission(
{name: 'top-level-storage-access', requestedOrigin: altOrigin},
'granted');
const httpCookies = await FetchSubresourceCookiesFromFrame(frame, altOrigin);
assert_false(httpCookies.includes('cookie=1'));
},
'[same-origin-iframe] Existing top-level storage access permission should not allow cookie access for the cross-site subresource requests made in a non-top-level context.');
Codebase Browser
chromium