Bug 1885025 [wpt PR 45066] - [FedCM] Don't send SameSite=Strict cookies for FedCM requests, a=testonly

Automatic update from web-platform-tests [FedCM] Don't send SameSite=Strict cookies for FedCM requests See https://github.com/fedidcg/FedCM/issues/320#issuecomment-1992358452 This is behind the off-by-default "FedCmSameSiteNone" feature. Bug: 329145816 Change-Id: I6408255a01118cd5ac4d0d0263a34051796dc301 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5366009 Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Philip Rogers <pdr@chromium.org> Commit-Queue: Christian Biesinger <cbiesinger@chromium.org> Reviewed-by: Nicolás Peña <npm@chromium.org> Cr-Commit-Position: refs/heads/main@{#1273426} -- wpt-commits: 08c2f13fa0d6bf961ab2e80b0db0a958ef991ee9 wpt-pr: 45066
2024-03-19 10:04:09 +00:00 · 2024-03-19 10:04:09 +00:00 · 28eadcca9c
--- a/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API SameSite=None tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+        alt_request_options_with_mediation_required,
+        select_manifest,
+        fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  const options = alt_request_options_with_mediation_required('manifest_check_same_site_strict.json');
+  await select_manifest(t, options);
+  const cred = await fedcm_get_and_select_first_account(t, options);
+  assert_equals(cred.token, "token");
+  assert_equals(cred.isAutoSelected, false);
+}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies.");
+
+</script>
--- a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
+++ b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
@ -22,7 +22,7 @@ export function open_and_wait_for_popup(origin, path) {
 // Set the identity provider cookie.
 export function set_fedcm_cookie(host) {
  if (host == undefined) {
-    document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
+    document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
    return Promise.resolve();
  } else {
    return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');
--- a/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py
@ -0,0 +1,28 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.accountsCheck(request)
+  if (request_error):
+    return request_error
+  if request.cookies.get(b"same_site_strict") == b"1":
+    return (546, [], "Should not send SameSite=Strict cookies")
+  if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
+    return (538, [], "Wrong Sec-Fetch-Site header")
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  return """
+{
+ "accounts": [{
+   "id": "1234",
+   "given_name": "John",
+   "name": "John Doe",
+   "email": "john_doe@idp.example",
+   "picture": "https://idp.example/profile/123",
+   "approved_clients": ["123", "456", "789"],
+   "login_hints": ["john_doe"],
+   "domain_hints": ["idp.example", "example"]
+  }]
+}
+"""
--- a/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json
@ -0,0 +1,7 @@
+{
+  "accounts_endpoint": "accounts_check_same_site_strict.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token_check_same_site_strict.py",
+  "login_url": "login.html"
+}
+
--- a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request):
 def commonCredentialedRequestCheck(request):
  if request.cookies.get(b"cookie") != b"1":
    return (537, [], "Missing cookie")
-  if request.headers.get(b"Sec-Fetch-Site") != b"none":
-    return (538, [], "Wrong Sec-Fetch-Site header")

 def commonPostCheck(request):
  if not request.headers.get(b"Origin"):
--- a/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py
@ -0,0 +1,15 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.tokenCheck(request)
+  if (request_error):
+    return request_error
+  if request.cookies.get(b"same_site_strict") == b"1":
+    return (546, [], "Should not send SameSite=Strict cookies")
+
+  response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
+
+  return "{\"token\": \"token\"}"
--- a/testing/web-platform/tests/credential-management/support/set_cookie.headers
+++ b/testing/web-platform/tests/credential-management/support/set_cookie.headers
@ -1,2 +1,3 @@
 Content-Type: text/html
 Set-Cookie: cookie=1; SameSite=None; Secure
+Set-Cookie: same_site_strict=1; SameSite=Strict; Secure