fix: same site cookie context and duplicate cookies (#23438)

* test: refactor and add tests in the cors package

* fix: add areUrlsSameSite method to cookies package and fix
sameSiteContext calculation method and add tests

* fix: always use Set-Cookie optimistically whether or not we keep track of the cookie or not in the server side cookie jar

* chore: add failing unit tests for postpending cookies

* chore: add tough cookie integration tests to verify we append cookies appropriately to request header Cookie

* fix: do not duplicate cookies in request if existing in the cookie jar. Add additional tests to verify expected behavior

* test: add cookie behavior tests that document current expected behavior vs what spec behavior should/will be

* test: add misc tests that check for cookie order

* chore: update debug logs in request to discern cookies

* test: fix assertions in firefox as same-site cookies are actually set correctly

* fix test incorrect assertions. cookies currently exist in primary that are same-site regardless of browser

* skip SameSite=none test in firefox as we currently low insecure samesite none cookies in firefox

* chore: apply suggestions from code review

* chore: change expects to expect

* chore: add documentation for why we need an additional HTTPS port

* remove X-Set-Cookie fixmes

packages/driver/cypress.config.ts

@@ -5,6 +5,7 @@ export default defineConfig({
   'experimentalStudio': true,
   'hosts': {
     '*.foobar.com': '127.0.0.1',
+    '*.barbaz.com': '127.0.0.1',
     '*.idp.com': '127.0.0.1',
     'localalias': '127.0.0.1',
   },

packages/driver/cypress/e2e/e2e/origin/cookie_login.cy.ts

@@ -191,7 +191,8 @@ describe('cy.origin - cookie login', () => {
       verifyIdpNotLoggedIn({ expectNullCookie: false })
     })
 
-    it('SameSite=None -> not logged in', () => {
+    // FIXME: Currently in Firefox, the default cookie setting in the extension is no_restriction, which can be set with Secure=false.
+    it('SameSite=None -> not logged in', { browser: '!firefox' }, () => {
       cy.origin('http://foobar.com:3500', { args: { username } }, ({ username }) => {
         cy.get('[data-cy="username"]').type(username)
         cy.get('[data-cy="cookieProps"]').type('SameSite=None')

packages/driver/cypress/fixtures/primary-origin.html

@@ -21,6 +21,8 @@
     <li><a data-cy="cookie-login-alias">Login with Social (aliased localhost)</a></li>
     <li><a data-cy="cookie-login-override">Login with Social (cookie override)</a></li>
     <li><a data-cy="cookie-login-land-on-idp">Login with Social (lands on idp)</a></li>
+    <li><a data-cy="cookie-http" href="http://www.foobar.com:3500/fixtures/secondary-origin.html">Visit foobar.com over http</a></li>
+    <li><a data-cy="cookie-https" href="https://www.foobar.com:3502/fixtures/secondary-origin.html">Visit foobar.com over https</a></li>
   </ul>
   <script>
     function setHref (dataCy, redirect2, primaryQueryAddition = '') {

packages/driver/cypress/plugins/server.js

@@ -12,7 +12,7 @@ const upload = multer({ dest: 'cypress/_test-output/' })
 const PATH_TO_SERVER_PKG = path.dirname(require.resolve('@packages/server'))
 
 const httpPorts = [3500, 3501]
-const httpsPort = 3502
+const httpsPorts = [3502, 3503]
 
 const createApp = (port) => {
   const app = express()
@@ -283,6 +283,10 @@ const createApp = (port) => {
     res.send(`<html><body><h1>Welcome, ${user}!</h1></body></html>`)
   })
 
+  app.get('/test-request', (req, res) => {
+    res.sendStatus(200)
+  })
+
   app.get('/set-cookie', (req, res) => {
     const { cookie } = req.query
 
@@ -291,6 +295,23 @@ const createApp = (port) => {
     .sendStatus(200)
   })
 
+  app.get('/test-request-credentials', (req, res) => {
+    res
+    .setHeader('Access-Control-Allow-Origin', req['headers']['origin'])
+    .setHeader('Access-Control-Allow-Credentials', 'true')
+    .sendStatus(200)
+  })
+
+  app.get('/set-cookie-credentials', (req, res) => {
+    const { cookie } = req.query
+
+    res
+    .setHeader('Access-Control-Allow-Origin', req['headers']['origin'])
+    .setHeader('Access-Control-Allow-Credentials', 'true')
+    .append('Set-Cookie', cookie)
+    .sendStatus(200)
+  })
+
   let _var = ''
 
   app.get('/set-var', (req, res) => {
@@ -323,10 +344,14 @@ httpPorts.forEach((port) => {
   })
 })
 
-const httpsApp = createApp(httpsPort)
-const httpsServer = httpsProxy.httpsServer(httpsApp)
+// Have two HTTPS ports in order to test same-site cookie behavior in `cookie_behavior.cy.ts` for experimentalSessionAndOrigin
+// Cookies can be same site if the port is different, and we need a way to test this E2E style to make sure we implement cookie handling correctly
+httpsPorts.forEach((port) => {
+  const httpsApp = createApp(port)
+  const httpsServer = httpsProxy.httpsServer(httpsApp)
 
-httpsServer.listen(httpsPort, () => {
-  // eslint-disable-next-line no-console
-  return console.log('Express server listening on port', httpsPort, '(HTTPS)')
+  return httpsServer.listen(port, () => {
+    // eslint-disable-next-line no-console
+    return console.log('Express server listening on port', port, '(HTTPS)')
+  })
 })