Bug 1872926 [wpt PR 43847] - Add CookieSettingOverride to allow ABA embeds to send cookies using CORS, a=testonly

Automatic update from web-platform-tests
Add CookieSettingOverride to allow ABA embeds to send cookies using CORS (#43847)

For now, this functionality is gated behind a base::Feature that is
disabled by default.

This CL does *not* interact with SameSite semantics, and still
maintains that only SameSite=None cookies are allowed in ABA contexts.
This exception is for 3P cookie blocking only.

This exception cannot be applied to cookies accessed via JS.

Bug: 1513690
Change-Id: Id5964224403b7eb9aab69cebe69095530da5baa5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5147868
Reviewed-by: Caitlin Fischer <caitlinfischer@google.com>
Commit-Queue: Dylan Cutler <dylancutler@google.com>
Reviewed-by: Chris Fredrickson <cfredric@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1243468}

Co-authored-by: Dylan Cutler <dylancutler@google.com>
--

wpt-commits: c74d1d9e07e6687756fd4301e789c7dd6016028f
wpt-pr: 43847
Blink WPT Bot 2024-01-16 17:02:11 +00:00 коммит произвёл moz-wptsync-bot
Родитель 5463a35557
Коммит fbb3344d64
3 изменённых файлов: 14 добавлений и 1 удалений


@ -264,6 +264,14 @@ function FetchFromFrame(frame, url) {
{ command: "cors fetch", url }, frame.contentWindow);
}
// Makes a subresource request to the provided host in the given frame with
// the mode set to 'no-cors'
function NoCorsSubresourceCookiesFromFrame(frame, host) {
const url = `${host}/storage-access-api/resources/echo-cookie-header.py`;
return PostMessageAndAwaitReply(
{ command: "no-cors fetch", url }, frame.contentWindow);
}
// Tries to set storage access policy, ignoring any errors.
//
// Note: to discourage the writing of tests that assume unpartitioned cookie
@ -295,4 +303,4 @@ function MessageWorker(frame, message = {}) {
function ReadCookiesFromWebSocketConnection(frame, origin) {
return PostMessageAndAwaitReply(
{ command: "get_cookie_via_websocket", origin}, frame.contentWindow);
}
}
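Review bot: The comment above `NoCorsSubresourceCookiesFromFrame` does not say what the returned promise resolves to, and that matters here: when `host` is cross-origin to the frame, a `no-cors` fetch produces an opaque response whose body reads as an empty string, so the resolved value carries no cookie information in exactly the case the new test exercises. I would extend the comment with `// Resolves to the response body (presumably the echoed Cookie header). For a cross-origin host the no-cors response is opaque and the body is "", so an "absent cookie" result is indistinguishable from an unreadable response.` The helper also takes a `host` while the neighbouring `FetchFromFrame` takes a full `url`; worth a word in the comment so callers do not pass the wrong one. The second hunk of this file (lines 303-306) appears only to re-indent the closing brace and needs nothing.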


@ -75,6 +75,8 @@
assert_true(cookieStringHasCookie("foo", "bar", await FetchSubresourceCookiesFromFrame(crossSiteFrame, wwwAlt)),"crossSiteFrame making same-origin subresource request can access cookies.");
assert_false(cookieStringHasCookie("foo", "bar", await FetchSubresourceCookiesFromFrame(crossOriginFrame, wwwAlt)), "crossOriginFrame making cross-site subresource request to sibling iframe's host should not include cookies.");
assert_false(cookieStringHasCookie("foo", "bar", await NoCorsSubresourceCookiesFromFrame(crossOriginFrame, www)), "crossSiteFrame making no-cors cross-site subresource request to sibling iframe's host should not include cookies.");
assert_false(cookieStringHasCookie("cookie", "monster", await FetchSubresourceCookiesFromFrame(crossSiteFrame, www)),"crossSiteFrame making cross-site subresource request to sibling iframe's host should not include cookies.");
}, "Cross-site sibling iframes should not be able to take advantage of the existing permission grant requested by others.");
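Review bot: The assertion message on the new `NoCorsSubresourceCookiesFromFrame` line names `crossSiteFrame`, but the call is made from `crossOriginFrame`, so a failure would point at the wrong frame; the message should read `"crossOriginFrame making no-cors cross-site subresource request to sibling iframe's host should not include cookies."`. More importantly, because `www` is cross-origin to that frame, the no-cors response is opaque and its text is empty, so `assert_false(cookieStringHasCookie(...))` cannot fail regardless of whether cookies were attached; if the intent is to prove cookies were not sent, the server would need to record the Cookie header it received and the test read that record through a subsequent readable request. The enclosing `promise_test` starts and ends outside this hunk.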


@ -75,6 +75,9 @@ window.addEventListener("message", async (event) => {
case "cors fetch":
reply(await fetch(event.data.url, {mode: 'cors', credentials: 'include'}).then((resp) => resp.text()));
break;
case "no-cors fetch":
reply(await fetch(event.data.url, {mode: 'no-cors', credentials: 'include'}).then((resp) => resp.text()));
break;
case "start_dedicated_worker":
worker = new Worker("embedded_worker.js");
reply(undefined);
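Review bot: In the new `"no-cors fetch"` case, `resp.text()` on a cross-origin no-cors response resolves to `""` because the response is opaque, so the reply cannot tell the caller whether the request carried cookies; this is the same limitation noted for the helper in the test-resources file. The opaque-vs-empty distinction is at least visible in `resp.type`, so a comment on that line would save the next reader a debugging session: `// Cross-origin no-cors responses are opaque: text() is "" even if cookies were sent; check resp.type before trusting an empty body.` Whether the reply protocol can carry `resp.type` alongside the body depends on the callers, which are outside this hunk. The enclosing `message` event handler starts outside the hunk.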