[FedCM] Test that we don't send SameSite=Lax cookies to accounts/id assertion

cbiesinger · chromium-wpt-export-bot · commit 0a75a0121c1c · 2024-04-24T17:35:38.000-07:00
Bug: 329145816 Change-Id: I4ab779c48aa76c9c2c0205e78c5f1eec7c101d38 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5484967 Reviewed-by: Nicolás Peña <npm@chromium.org> Auto-Submit: Christian Biesinger <cbiesinger@chromium.org> Commit-Queue: Christian Biesinger <cbiesinger@chromium.org> Cr-Commit-Position: refs/heads/main@{#1292125}
diff --git a/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html b/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
@@ -20,6 +20,6 @@
   const cred = await fedcm_get_and_select_first_account(t, options);
   assert_equals(cred.token, "token");
   assert_equals(cred.isAutoSelected, false);
-}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies.");
+}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict or Lax cookies.");
 
 </script>
diff --git a/credential-management/support/fedcm/accounts_check_same_site_strict.py b/credential-management/support/fedcm/accounts_check_same_site_strict.py
@@ -7,6 +7,8 @@ def main(request, response):
     return request_error
   if request.cookies.get(b"same_site_strict") == b"1":
     return (546, [], "Should not send SameSite=Strict cookies")
+  if request.cookies.get(b"same_site_lax") == b"1":
+    return (547, [], "Should not send SameSite=Lax cookies")
   if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
     return (538, [], "Wrong Sec-Fetch-Site header")
 
diff --git a/credential-management/support/fedcm/token_check_same_site_strict.py b/credential-management/support/fedcm/token_check_same_site_strict.py
@@ -7,6 +7,8 @@ def main(request, response):
     return request_error
   if request.cookies.get(b"same_site_strict") == b"1":
     return (546, [], "Should not send SameSite=Strict cookies")
+  if request.cookies.get(b"same_site_lax") == b"1":
+    return (547, [], "Should not send SameSite=Lax cookies")
 
   response.headers.set(b"Content-Type", b"application/json")
   response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
diff --git a/credential-management/support/set_cookie.headers b/credential-management/support/set_cookie.headers
@@ -1,3 +1,4 @@
 Content-Type: text/html
 Set-Cookie: cookie=1; SameSite=None; Secure; Path=/
 Set-Cookie: same_site_strict=1; SameSite=Strict; Secure; Path=/
+Set-Cookie: same_site_lax=1; SameSite=Lax; Secure; Path=/
