From 1120ba99036f61a02a3cbca05dcd0b2c0c39fcc0 Mon Sep 17 00:00:00 2001
From: Kevin McNee <mcnee@chromium.org>
Date: Tue, 6 Feb 2024 11:09:58 -0800
Subject: [PATCH] Don't reject same site prefetches with no-referrer

The referring URL as computed by the referrer policy for the prefetch
request was incorrectly being used to determine whether a prefetch was
cross site. This value is only meant to be used for the prefetch
request. The omission of the URL made it look like a cross site
prefetch, so the cookie eligibility check was applied.

We now use the initiating origin to determine whether a prefetch is
cross site.

Bug: 1524338
Change-Id: Id154effae55c539fff7cd733327fc9029c53b03a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5263133
Commit-Queue: Kevin McNee <mcnee@chromium.org>
Reviewed-by: Liviu Tinta <liviutinta@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1256905}
---
 .../prefetch/same-origin-cookies.https.html   | 37 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/speculation-rules/prefetch/same-origin-cookies.https.html b/speculation-rules/prefetch/same-origin-cookies.https.html
index d97ee55d106e43..2f93c1ebb4f5ce 100644
--- a/speculation-rules/prefetch/same-origin-cookies.https.html
+++ b/speculation-rules/prefetch/same-origin-cookies.https.html
@@ -5,13 +5,19 @@
 <script src="/resources/testdriver.js"></script>
 <script src='/resources/testdriver-vendor.js'></script>
 <script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/subset-tests.js"></script>
 <script src="/common/utils.js"></script>
 <script src="../resources/utils.js"></script>
 <script src="resources/utils.sub.js"></script>
+
+<!--Split test cases due to the use of timeouts in speculation rules test utilities.-->
+<meta name="variant" content="?1-1">
+<meta name="variant" content="?2-last">
+
 <script>
   setup(() => assertSpeculationRulesIsSupported());
 
-  promise_test(async t => {
+  subsetTest(promise_test, async t => {
     await test_driver.delete_all_cookies();
 
     let executor = 'cookies.py';
@@ -36,4 +42,33 @@
 
     assert_prefetched(await agent.getRequestHeaders());
   }, "speculation rules based prefetch should use cookies for same origin urls.");
+
+  // Regression test for https://crbug.com/1524338
+  subsetTest(promise_test, async t => {
+    await test_driver.delete_all_cookies();
+
+    let executor = 'cookies.py';
+    let agent = await spawnWindow(t, { executor });
+    let response_cookies = await agent.getResponseCookies();
+    let request_cookies = await agent.getRequestCookies();
+    assert_equals(request_cookies["count"], undefined);
+    assert_equals(request_cookies["type"], undefined);
+    assert_equals(response_cookies["count"], "1");
+    assert_equals(response_cookies["type"], "navigate");
+
+    await agent.setReferrerPolicy("no-referrer");
+
+    let nextUrl = agent.getExecutorURL({ executor, page: 2 });
+    await agent.forceSinglePrefetch(nextUrl);
+    await agent.navigate(nextUrl);
+
+    response_cookies = await agent.getResponseCookies();
+    request_cookies = await agent.getRequestCookies();
+    assert_equals(request_cookies["count"], "1");
+    assert_equals(request_cookies["type"], "navigate");
+    assert_equals(response_cookies["count"], "2");
+    assert_equals(response_cookies["type"], "prefetch");
+
+    assert_prefetched(await agent.getRequestHeaders());
+  }, "same origin prefetch with no referrer works when cookies are present.");
 </script>