0
代码
代码
Issues
Pull Requests
讨论
Wiki
分析
0
ohci1ohci1add
910e62b5创建于 1月15日历史提交
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/strings/strcat.h"
#include "base/strings/string_split.h"
#include "base/strings/stringprintf.h"
#include "base/test/bind.h"
#include "base/test/scoped_feature_list.h"
#include "build/build_config.h"
#include "content/browser/devtools/protocol/devtools_protocol_test_support.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/browser/web_contents.h"
#include "content/public/test/browser_test.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/content_browser_test.h"
#include "content/public/test/content_browser_test_utils.h"
#include "content/public/test/frame_test_utils.h"
#include "content/public/test/test_navigation_observer.h"
#include "content/public/test/url_loader_interceptor.h"
#include "content/shell/browser/shell.h"
#include "net/base/features.h"
#include "net/cookies/canonical_cookie_test_helpers.h"
#include "net/dns/mock_host_resolver.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
#include "services/network/public/cpp/network_switches.h"
#include "services/network/public/mojom/cookie_manager.mojom.h"
#include "testing/gmock/include/gmock/gmock-matchers.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace content {
namespace {

using ::testing::IsEmpty;
using ::testing::Key;
using ::testing::UnorderedElementsAre;

// This file contains tests for cookie access via HTTP requests.
// See also (tests for cookie access via JavaScript):
// //content/browser/renderer_host/cookie_browsertest.cc

constexpr std::string_view kHostA = "a.test";
constexpr std::string_view kHostB = "b.test";
constexpr std::string_view kHostC = "c.test";
constexpr std::string_view kSameSiteNoneCookieName = "samesite_none_cookie";
constexpr std::string_view kSameSiteStrictCookieName = "samesite_strict_cookie";
constexpr std::string_view kSameSiteLaxCookieName = "samesite_lax_cookie";
constexpr std::string_view kSameSiteUnspecifiedCookieName =
    "samesite_unspecified_cookie";
constexpr std::string_view kHostPrefixCookieName = "__Host-prefixed_cookie";
constexpr std::string_view kSecurePrefixCookieName = "__Secure-prefixed_cookie";
constexpr std::string_view kEchoCookiesWithCorsPath = "/echocookieswithcors";

std::string FrameTreeForHostAndUrl(std::string_view host, const GURL& url) {
  return base::StrCat({host, "(", url.spec(), ")"});
}

std::string FrameTreeForUrl(const GURL& url) {
  return FrameTreeForHostAndUrl(kHostA, url);
}

GURL RedirectUrl(net::EmbeddedTestServer* test_server,
                 std::string_view host,
                 const GURL& target_url) {
  return test_server->GetURL(host, "/server-redirect?" + target_url.spec());
}

class HttpCookieBrowserTest : public ContentBrowserTest,
                              public ::testing::WithParamInterface<bool> {
 public:
  HttpCookieBrowserTest() : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
    feature_list_.InitWithFeatureState(
        net::features::kCookieSameSiteConsidersRedirectChain,
        DoesSameSiteConsiderRedirectChain());
  }

  ~HttpCookieBrowserTest() override = default;

  void SetUpOnMainThread() override {
    ContentBrowserTest::SetUpOnMainThread();
    host_resolver()->AddRule("*", "127.0.0.1");
    https_server()->SetSSLConfig(net::EmbeddedTestServer::CERT_TEST_NAMES);
    https_server()->AddDefaultHandlers(GetTestDataFilePath());
    embedded_test_server()->AddDefaultHandlers(GetTestDataFilePath());
    ASSERT_TRUE(https_server()->Start());
    ASSERT_TRUE(embedded_test_server()->Start());
  }

  bool DoesSameSiteConsiderRedirectChain() { return GetParam(); }

  const std::string kSetSameSiteCookiesPath = base::StrCat({
      "/set-cookie?",
      kSameSiteStrictCookieName,
      "=1;SameSite=Strict&",
      kSameSiteLaxCookieName,
      "=1;SameSite=Lax&",
      kSameSiteUnspecifiedCookieName,
      "=1&",
      kSameSiteNoneCookieName,
      "=1;Secure;SameSite=None",
  });

  void SetSameSiteCookies(std::string_view host) {
    BrowserContext* context = shell()->web_contents()->GetBrowserContext();
    EXPECT_TRUE(SetCookie(
        context, https_server()->GetURL(host, "/"),
        base::StrCat({kSameSiteStrictCookieName, "=1; samesite=strict"})));
    EXPECT_TRUE(
        SetCookie(context, https_server()->GetURL(host, "/"),
                  base::StrCat({kSameSiteLaxCookieName, "=1; samesite=lax"})));
    EXPECT_TRUE(SetCookie(
        context, https_server()->GetURL(host, "/"),
        base::StrCat({kSameSiteNoneCookieName, "=1; samesite=none; secure"})));
    EXPECT_TRUE(
        SetCookie(context, https_server()->GetURL(host, "/"),
                  base::StrCat({kSameSiteUnspecifiedCookieName, "=1"})));
  }

  // Gets a path that causes the EmbeddedTestServer to attempt to set prefixed
  // cookies (some valid, some not).
  std::string GetSetPrefixedCookiesPath(std::string_view host) {
    return base::StrCat({
        "/set-cookie?",
        kSecurePrefixCookieName,
        "=1;Secure&",
        kHostPrefixCookieName,
        "=1;Secure;Path=/&",
        "__Secure-missing-attr=1&",
        "__Host-wrong-path=1;Secure&",
        "__Host-wrong-domain=1;Secure;Domain=",
        host,
        "&",
        "__Host-wrong-secure=1;Path=/&",
    });
  }

  // Sets some (valid) prefixed cookies.
  void SetPrefixedCookies(std::string_view host,
                          net::EmbeddedTestServer* test_server = nullptr) {
    if (!test_server) {
      test_server = https_server();
    }
    BrowserContext* context = shell()->web_contents()->GetBrowserContext();
    ASSERT_TRUE(
        SetCookie(context, test_server->GetURL(host, "/"),
                  base::StrCat({kHostPrefixCookieName, "=1; Secure; Path=/"})));
    ASSERT_TRUE(
        SetCookie(context, test_server->GetURL(host, "/"),
                  base::StrCat({kSecurePrefixCookieName, "=1; Secure"})));
  }

  GURL EchoCookiesUrl(net::EmbeddedTestServer* test_server,
                      std::string_view host) {
    return test_server->GetURL(host, "/echoheader?Cookie");
  }

  GURL SetSameSiteCookiesUrl(net::EmbeddedTestServer* test_server,
                             std::string_view host) {
    return test_server->GetURL(host, kSetSameSiteCookiesPath);
  }

  std::string ExtractFrameContent(RenderFrameHost* frame) const {
    return EvalJs(frame, "document.body.textContent").ExtractString();
  }

  uint32_t ClearCookies() {
    return DeleteCookies(shell()->web_contents()->GetBrowserContext(),
                         network::mojom::CookieDeletionFilter());
  }

  net::EmbeddedTestServer* https_server() { return &https_server_; }

  WebContents* web_contents() { return shell()->web_contents(); }

  // is_user_initiated_navigation - true if user initiates navigation to 404,
  //                              - false script initiates this navigation
  // is_cross_site_navigation - true if testing in a cross-site context,
  //                          - false if testing in a same-site context
  // is_user_initiated_reload - true if user initates the reload,
  //                            false if the reload via script
  std::string Test404ReloadCookie(bool is_user_initiated_navigation,
                                  bool is_cross_site_navigation,
                                  bool is_user_initiated_reload) {
    // Set target as A or B and cookies based on cross_site param
    std::string_view target = is_cross_site_navigation ? kHostB : kHostA;
    GURL target_URL =
        https_server()->GetURL(target, "/echo-cookie-with-status?status=404");
    SetSameSiteCookies(target);

    // Start at a website A
    EXPECT_TRUE(
        NavigateToURL(web_contents(), EchoCookiesUrl(https_server(), kHostA)));

    // Navigate method based on whether user or script initiated
    if (is_user_initiated_navigation) {
      EXPECT_TRUE(NavigateToURL(web_contents(), target_URL));
    } else {
      EXPECT_TRUE(NavigateToURLFromRenderer(web_contents(), target_URL));
    }

    // Trigger either user or script reload
    TestNavigationObserver nav_observer(web_contents());
    if (is_user_initiated_reload) {
      shell()->Reload();
    } else {
      ExecuteScriptAsync(
          web_contents()->GetPrimaryMainFrame(),
          content::JsReplace("window.location.reload($1);", true));
    }
    nav_observer.Wait();

    // Return the cookies rendered on frame
    return ExtractFrameContent(web_contents()->GetPrimaryMainFrame());
  }

 private:
  net::test_server::EmbeddedTestServer https_server_;
  base::test::ScopedFeatureList feature_list_;
};

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest, SendSameSiteCookies) {
  SetSameSiteCookies(kHostA);
  SetSameSiteCookies(kHostB);

  // Main frame browser-initiated navigation sends all SameSite cookies.
  ASSERT_TRUE(
      NavigateToURL(web_contents(), EchoCookiesUrl(https_server(), kHostA)));
  EXPECT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));

  // Main frame same-site (A => A) navigation sends all SameSite cookies.
  ASSERT_TRUE(
      NavigateToURLFromRenderer(web_contents()->GetPrimaryMainFrame(),
                                EchoCookiesUrl(https_server(), kHostA)));
  EXPECT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));

  // Main frame cross-site (A => B) navigation sends all but Strict cookies.
  ASSERT_TRUE(
      NavigateToURLFromRenderer(web_contents()->GetPrimaryMainFrame(),
                                EchoCookiesUrl(https_server(), kHostB)));
  EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
              net::CookieStringIs(UnorderedElementsAre(
                  Key(kSameSiteLaxCookieName), Key(kSameSiteNoneCookieName),
                  Key(kSameSiteUnspecifiedCookieName))));

  // Same-site iframe (A embedded in A) sends all SameSite cookies.
  EXPECT_THAT(
      content::ArrangeFramesAndGetContentFromLeaf(
          web_contents(), https_server(),
          FrameTreeForUrl(EchoCookiesUrl(https_server(), kHostA)), {0}),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));

  // Cross-site iframe (B embedded in A) sends only None cookies.
  EXPECT_THAT(
      content::ArrangeFramesAndGetContentFromLeaf(
          web_contents(), https_server(),
          FrameTreeForUrl(EchoCookiesUrl(https_server(), kHostB)), {0}),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest, SendSameSiteCookies_Redirect) {
  SetSameSiteCookies(kHostA);

  // Main frame same-site redirect (A->A) sends all SameSite cookies.
  ASSERT_TRUE(NavigateToURL(
      web_contents(),
      RedirectUrl(https_server(), kHostA,
                  EchoCookiesUrl(https_server(), kHostA)),
      /*expected_commit_url=*/EchoCookiesUrl(https_server(), kHostA)));
  EXPECT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));

  if (DoesSameSiteConsiderRedirectChain()) {
    // Main frame cross-site redirect (B->A) sends Lax but not Strict SameSite
    // cookies...
    ASSERT_TRUE(NavigateToURL(
        web_contents(),
        RedirectUrl(https_server(), kHostB,
                    EchoCookiesUrl(https_server(), kHostA)),
        /*expected_commit_url=*/EchoCookiesUrl(https_server(), kHostA)));
    EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
                net::CookieStringIs(UnorderedElementsAre(
                    Key(kSameSiteLaxCookieName), Key(kSameSiteNoneCookieName),
                    Key(kSameSiteUnspecifiedCookieName))));

    // ... even if the first URL is same-site. (A->B->A)
    ASSERT_TRUE(NavigateToURL(
        web_contents(),
        RedirectUrl(https_server(), kHostA,
                    RedirectUrl(https_server(), kHostB,
                                EchoCookiesUrl(https_server(), kHostA))),
        /*expected_commit_url=*/EchoCookiesUrl(https_server(), kHostA)));
    EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
                net::CookieStringIs(UnorderedElementsAre(
                    Key(kSameSiteLaxCookieName), Key(kSameSiteNoneCookieName),
                    Key(kSameSiteUnspecifiedCookieName))));
  } else {
    // If redirect chains are not considered, then cross-site redirects do not
    // make the request cross-site.
    ASSERT_TRUE(NavigateToURL(
        web_contents(),
        RedirectUrl(https_server(), kHostB,
                    EchoCookiesUrl(https_server(), kHostA)),
        /*expected_commit_url=*/EchoCookiesUrl(https_server(), kHostA)));
    EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
                net::CookieStringIs(UnorderedElementsAre(
                    Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
                    Key(kSameSiteNoneCookieName),
                    Key(kSameSiteUnspecifiedCookieName))));

    ASSERT_TRUE(NavigateToURL(
        web_contents(),
        RedirectUrl(https_server(), kHostA,
                    RedirectUrl(https_server(), kHostB,
                                EchoCookiesUrl(https_server(), kHostA))),
        /*expected_commit_url=*/EchoCookiesUrl(https_server(), kHostA)));
    EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
                net::CookieStringIs(UnorderedElementsAre(
                    Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
                    Key(kSameSiteNoneCookieName),
                    Key(kSameSiteUnspecifiedCookieName))));
  }

  // A same-site redirected iframe (A->A embedded in A) sends all SameSite
  // cookies.
  EXPECT_THAT(
      content::ArrangeFramesAndGetContentFromLeaf(
          web_contents(), https_server(),
          FrameTreeForUrl(RedirectUrl(https_server(), kHostA,
                                      EchoCookiesUrl(https_server(), kHostA))),
          {0}),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));

  if (DoesSameSiteConsiderRedirectChain()) {
    // A cross-site redirected iframe in a same-site context (B->A embedded in
    // A) does not send SameSite cookies...
    EXPECT_THAT(content::ArrangeFramesAndGetContentFromLeaf(
                    web_contents(), https_server(),
                    FrameTreeForUrl(
                        RedirectUrl(https_server(), kHostB,
                                    EchoCookiesUrl(https_server(), kHostA))),
                    {0}),
                net::CookieStringIs(
                    UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

    // ... even if the first URL is same-site. (A->B->A embedded in A)
    EXPECT_THAT(content::ArrangeFramesAndGetContentFromLeaf(
                    web_contents(), https_server(),
                    FrameTreeForUrl(RedirectUrl(
                        https_server(), kHostA,
                        RedirectUrl(https_server(), kHostB,
                                    EchoCookiesUrl(https_server(), kHostA)))),
                    {0}),
                net::CookieStringIs(
                    UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
  } else {
    // If redirect chains are not considered, then cross-site redirects do not
    // make the request cross-site.
    EXPECT_THAT(content::ArrangeFramesAndGetContentFromLeaf(
                    web_contents(), https_server(),
                    FrameTreeForUrl(
                        RedirectUrl(https_server(), kHostB,
                                    EchoCookiesUrl(https_server(), kHostA))),
                    {0}),
                net::CookieStringIs(UnorderedElementsAre(
                    Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
                    Key(kSameSiteNoneCookieName),
                    Key(kSameSiteUnspecifiedCookieName))));

    EXPECT_THAT(content::ArrangeFramesAndGetContentFromLeaf(
                    web_contents(), https_server(),
                    FrameTreeForUrl(
                        RedirectUrl(https_server(), kHostB,
                                    EchoCookiesUrl(https_server(), kHostA))),
                    {0}),
                net::CookieStringIs(UnorderedElementsAre(
                    Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
                    Key(kSameSiteNoneCookieName),
                    Key(kSameSiteUnspecifiedCookieName))));
  }
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest, SetSameSiteCookies) {
  // Main frame can set all SameSite cookies.
  ASSERT_TRUE(NavigateToURL(
      web_contents(), https_server()->GetURL(kHostA, kSetSameSiteCookiesPath)));
  EXPECT_THAT(GetCanonicalCookies(web_contents()->GetBrowserContext(),
                                  https_server()->GetURL(kHostA, "/")),
              UnorderedElementsAre(
                  net::MatchesCookieWithName(kSameSiteStrictCookieName),
                  net::MatchesCookieWithName(kSameSiteLaxCookieName),
                  net::MatchesCookieWithName(kSameSiteNoneCookieName),
                  net::MatchesCookieWithName(kSameSiteUnspecifiedCookieName)));
  ASSERT_EQ(4U, ClearCookies());

  // Same-site iframe (A embedded in A) sets all SameSite cookies.
  const GURL url_a = SetSameSiteCookiesUrl(https_server(), kHostA);
  EXPECT_THAT(content::ArrangeFramesAndGetCanonicalCookiesForLeaf(
                  web_contents(), https_server(), FrameTreeForUrl(url_a),
                  url::Origin::Create(url_a).GetURL()),
              UnorderedElementsAre(
                  net::MatchesCookieWithName(kSameSiteStrictCookieName),
                  net::MatchesCookieWithName(kSameSiteLaxCookieName),
                  net::MatchesCookieWithName(kSameSiteNoneCookieName),
                  net::MatchesCookieWithName(kSameSiteUnspecifiedCookieName)));
  ASSERT_EQ(4U, ClearCookies());

  // Cross-site iframe (B embedded in A) sets only None cookies.
  const GURL url_b = SetSameSiteCookiesUrl(https_server(), kHostB);
  EXPECT_THAT(content::ArrangeFramesAndGetCanonicalCookiesForLeaf(
                  web_contents(), https_server(), FrameTreeForUrl(url_b),
                  url::Origin::Create(url_b).GetURL()),
              UnorderedElementsAre(
                  net::MatchesCookieWithName(kSameSiteNoneCookieName)));
  ASSERT_EQ(1U, ClearCookies());
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest, SetSameSiteCookies_Redirect) {
  // Same-site redirected main frame navigation can set all SameSite cookies.
  ASSERT_TRUE(NavigateToURL(
      web_contents(),
      RedirectUrl(https_server(), kHostA,
                  SetSameSiteCookiesUrl(https_server(), kHostA)),
      /*expected_commit_url=*/SetSameSiteCookiesUrl(https_server(), kHostA)));
  EXPECT_THAT(GetCanonicalCookies(web_contents()->GetBrowserContext(),
                                  https_server()->GetURL(kHostA, "/")),
              UnorderedElementsAre(
                  net::MatchesCookieWithName(kSameSiteStrictCookieName),
                  net::MatchesCookieWithName(kSameSiteLaxCookieName),
                  net::MatchesCookieWithName(kSameSiteNoneCookieName),
                  net::MatchesCookieWithName(kSameSiteUnspecifiedCookieName)));
  ASSERT_EQ(4U, ClearCookies());

  // Cross-site redirected main frame navigation can set all SameSite cookies.
  ASSERT_TRUE(NavigateToURL(
      web_contents(),
      RedirectUrl(https_server(), kHostB,
                  SetSameSiteCookiesUrl(https_server(), kHostA)),
      /*expected_commit_url=*/SetSameSiteCookiesUrl(https_server(), kHostA)));
  EXPECT_THAT(GetCanonicalCookies(web_contents()->GetBrowserContext(),
                                  https_server()->GetURL(kHostA, "/")),
              UnorderedElementsAre(
                  net::MatchesCookieWithName(kSameSiteStrictCookieName),
                  net::MatchesCookieWithName(kSameSiteLaxCookieName),
                  net::MatchesCookieWithName(kSameSiteNoneCookieName),
                  net::MatchesCookieWithName(kSameSiteUnspecifiedCookieName)));
  ASSERT_EQ(4U, ClearCookies());

  // A same-site redirected iframe sets all SameSite cookies.
  EXPECT_THAT(content::ArrangeFramesAndGetCanonicalCookiesForLeaf(
                  web_contents(), https_server(),
                  FrameTreeForUrl(RedirectUrl(
                      https_server(), kHostA,
                      SetSameSiteCookiesUrl(https_server(), kHostA))),
                  https_server()->GetURL(kHostA, "/")),
              UnorderedElementsAre(
                  net::MatchesCookieWithName(kSameSiteStrictCookieName),
                  net::MatchesCookieWithName(kSameSiteLaxCookieName),
                  net::MatchesCookieWithName(kSameSiteNoneCookieName),
                  net::MatchesCookieWithName(kSameSiteUnspecifiedCookieName)));
  ASSERT_EQ(4U, ClearCookies());

  if (DoesSameSiteConsiderRedirectChain()) {
    // A cross-site redirected iframe only sets SameSite=None cookies.
    EXPECT_THAT(content::ArrangeFramesAndGetCanonicalCookiesForLeaf(
                    web_contents(), https_server(),
                    FrameTreeForUrl(RedirectUrl(
                        https_server(), kHostB,
                        SetSameSiteCookiesUrl(https_server(), kHostA))),
                    https_server()->GetURL(kHostA, "/")),
                UnorderedElementsAre(
                    net::MatchesCookieWithName(kSameSiteNoneCookieName)));
    ASSERT_EQ(1U, ClearCookies());
  } else {
    EXPECT_THAT(
        content::ArrangeFramesAndGetCanonicalCookiesForLeaf(
            web_contents(), https_server(),
            FrameTreeForUrl(
                RedirectUrl(https_server(), kHostB,
                            SetSameSiteCookiesUrl(https_server(), kHostA))),
            https_server()->GetURL(kHostA, "/")),
        UnorderedElementsAre(
            net::MatchesCookieWithName(kSameSiteStrictCookieName),
            net::MatchesCookieWithName(kSameSiteLaxCookieName),
            net::MatchesCookieWithName(kSameSiteNoneCookieName),
            net::MatchesCookieWithName(kSameSiteUnspecifiedCookieName)));
    ASSERT_EQ(4U, ClearCookies());
  }
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest, SendPrefixedCookies) {
  SetPrefixedCookies(kHostA);

  // Main frame browser-initiated navigation sends all prefixed cookies.
  ASSERT_TRUE(
      NavigateToURL(web_contents(), EchoCookiesUrl(https_server(), kHostA)));
  EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
              net::CookieStringIs(UnorderedElementsAre(
                  Key(kSecurePrefixCookieName), Key(kHostPrefixCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       SendPrefixedCookies_OmitsIfInsecure) {
  SetPrefixedCookies(kHostA);

  // Main frame browser-initiated navigation omits all prefixed cookies on
  // insecure connections.
  ASSERT_TRUE(NavigateToURL(web_contents(),
                            EchoCookiesUrl(embedded_test_server(), kHostA)));
  EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
              net::CookieStringIs(IsEmpty()));
}

// embedded_test_server() uses http, which is insecure, but localhost is
// allowed to set prefixed cookies anyway.
IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest, SendPrefixedCookiesLocalhost) {
  SetPrefixedCookies("localhost", embedded_test_server());

  // Main frame browser-initiated navigation sends all prefixed cookies.
  ASSERT_TRUE(NavigateToURL(
      web_contents(), EchoCookiesUrl(embedded_test_server(), "localhost")));
  EXPECT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
              net::CookieStringIs(UnorderedElementsAre(
                  Key(kSecurePrefixCookieName), Key(kHostPrefixCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest, SetPrefixedCookies) {
  // Main frame can set cookies with all prefixes.
  ASSERT_TRUE(NavigateToURL(
      web_contents(),
      https_server()->GetURL(kHostA, GetSetPrefixedCookiesPath(kHostA))));
  EXPECT_THAT(GetCanonicalCookies(web_contents()->GetBrowserContext(),
                                  https_server()->GetURL(kHostA, "/")),
              UnorderedElementsAre(
                  net::MatchesCookieWithName(kHostPrefixCookieName),
                  net::MatchesCookieWithName(kSecurePrefixCookieName)));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       SetPrefixedCookies_DisallowedIfInsecure) {
  // Main frame cannot set cookies with any prefix over an insecure connection.
  ASSERT_TRUE(NavigateToURL(web_contents(),
                            embedded_test_server()->GetURL(
                                kHostA, GetSetPrefixedCookiesPath(kHostA))));
  EXPECT_THAT(GetCanonicalCookies(web_contents()->GetBrowserContext(),
                                  embedded_test_server()->GetURL(kHostA, "/")),
              IsEmpty());
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       ScriptNavigationSameSite404ScriptReload) {
  EXPECT_THAT(
      Test404ReloadCookie(/* is_user_initiated_navigation= */ false,
                          /* is_cross_site_navigation= */ false,
                          /* is_user_initiated_reload= */ false),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       ScriptNavigationSameSite404UserReload) {
  EXPECT_THAT(
      Test404ReloadCookie(/* is_user_initiated_navigation= */ false,
                          /* is_cross_site_navigation= */ false,
                          /* is_user_initiated_reload= */ true),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       ScriptNavigationCrossSite404ScriptReload) {
  EXPECT_THAT(
      Test404ReloadCookie(/* is_user_initiated_navigation= */ false,
                          /* is_cross_site_navigation= */ true,
                          /* is_user_initiated_reload= */ false),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       ScriptNavigationCrossSite404UserReload) {
  EXPECT_THAT(Test404ReloadCookie(/* is_user_initiated_navigation= */ false,
                                  /* is_cross_site_navigation= */ true,
                                  /* is_user_initiated_reload= */ true),
              net::CookieStringIs(UnorderedElementsAre(
                  Key(kSameSiteLaxCookieName), Key(kSameSiteNoneCookieName),
                  Key(kSameSiteUnspecifiedCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       UserNavigationSameSite404ScriptReload) {
  EXPECT_THAT(
      Test404ReloadCookie(/* is_user_initiated_navigation= */ true,
                          /* is_cross_site_navigation= */ false,
                          /* is_user_initiated_reload= */ false),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       UserNavigationSameSite404UserReload) {
  EXPECT_THAT(
      Test404ReloadCookie(/* is_user_initiated_navigation= */ true,
                          /* is_cross_site_navigation= */ false,
                          /* is_user_initiated_reload= */ true),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       UserNavigationCrossSite404ScriptReload) {
  EXPECT_THAT(
      Test404ReloadCookie(/* is_user_initiated_navigation= */ true,
                          /* is_cross_site_navigation= */ true,
                          /* is_user_initiated_reload= */ false),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));
}

IN_PROC_BROWSER_TEST_P(HttpCookieBrowserTest,
                       UserNavigationCrossSite404UserReload) {
  EXPECT_THAT(
      Test404ReloadCookie(/* is_user_initiated_navigation= */ true,
                          /* is_cross_site_navigation= */ true,
                          /* is_user_initiated_reload= */ true),
      net::CookieStringIs(UnorderedElementsAre(
          Key(kSameSiteStrictCookieName), Key(kSameSiteLaxCookieName),
          Key(kSameSiteNoneCookieName), Key(kSameSiteUnspecifiedCookieName))));
}

// Responds to a request to /echocookieswithcors with the cookies that were sent
// with the request. We can't use the default handler /echoheader?Cookie here,
// because it doesn't send the appropriate Access-Control-Allow-Origin and
// Access-Control-Allow-Credentials headers (which are required for this to
// work for cross-origin requests in the tests).
std::unique_ptr<net::test_server::HttpResponse>
HandleEchoCookiesWithCorsRequest(const net::test_server::HttpRequest& request) {
  if (request.relative_url != kEchoCookiesWithCorsPath) {
    return nullptr;
  }

  auto http_response = std::make_unique<net::test_server::BasicHttpResponse>();
  std::string content;

  // Get the 'Cookie' header that was sent in the request.
  if (auto it = request.headers.find(net::HttpRequestHeaders::kCookie);
      it != request.headers.end()) {
    content = it->second;
  }

  http_response->set_code(net::HTTP_OK);
  http_response->set_content_type("text/plain");
  // Set the cors enabled headers.
  if (auto it = request.headers.find(net::HttpRequestHeaders::kOrigin);
      it != request.headers.end()) {
    http_response->AddCustomHeader("Access-Control-Allow-Headers",
                                   "credentials");
    http_response->AddCustomHeader("Access-Control-Allow-Origin", it->second);
    http_response->AddCustomHeader("Origin", it->second);
    http_response->AddCustomHeader("Vary", "Origin");
    http_response->AddCustomHeader("Access-Control-Allow-Methods", "POST");
    http_response->AddCustomHeader("Access-Control-Allow-Credentials", "true");
  }
  http_response->set_content(content);

  return http_response;
}

class ThirdPartyCookiesHttpCookieBrowserTest : public ContentBrowserTest {
 public:
  ThirdPartyCookiesHttpCookieBrowserTest()
      : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {}

  ~ThirdPartyCookiesHttpCookieBrowserTest() override = default;

  void SetUpOnMainThread() override {
    ContentBrowserTest::SetUpOnMainThread();
    host_resolver()->AddRule("*", "127.0.0.1");
    https_server()->SetSSLConfig(net::EmbeddedTestServer::CERT_TEST_NAMES);
    https_server()->AddDefaultHandlers(GetTestDataFilePath());
    https_server()->RegisterRequestHandler(
        base::BindRepeating(&HandleEchoCookiesWithCorsRequest));
    ASSERT_TRUE(https_server()->Start());
  }

  WebContents* web_contents() const { return shell()->web_contents(); }

  net::EmbeddedTestServer* https_server() { return &https_server_; }

  GURL EchoCookiesUrl(std::string_view host) {
    return https_server()->GetURL(host, "/echoheader?Cookie");
  }

  std::string ExtractFrameContent(RenderFrameHost* frame) const {
    return EvalJs(frame, "document.body.textContent").ExtractString();
  }

  std::string ExtractCookieFromDocument(RenderFrameHost* frame) const {
    return EvalJs(frame, "document.cookie").ExtractString();
  }

  std::string PostWithCredentials(RenderFrameHost* frame, const GURL& url) {
    constexpr char script[] = R"JS(
      fetch($1, {method: 'POST', 'credentials' : 'include'}
      ).then((result) => result.text());
      )JS";
    return EvalJs(frame, JsReplace(script, url)).ExtractString();
  }

  EvalJsResult Fetch(RenderFrameHost* frame,
                     const GURL& url,
                     std::string_view mode,
                     std::string_view credentials) {
    constexpr char script[] = R"JS(
      fetch($1, {mode: $2, credentials: $3}).then(result => result.text());
    )JS";
    return EvalJs(frame, JsReplace(script, url, mode, credentials));
  }

  bool CookieStoreEmpty(RenderFrameHost* frame) {
    constexpr char script[] = R"JS(
          (async () => {
            let cookies = await cookieStore.getAll();
            return cookies.length == 0;
          })();
      )JS";
    return EvalJs(frame, script).ExtractBool();
  }

  EvalJsResult NavigateToURLWithPOST(RenderFrameHost* frame,
                                     std::string_view host) {
    TestNavigationObserver observer(web_contents());

    constexpr char script[] = R"JS(
        let form = document.createElement('form');
        form.setAttribute('method', 'POST');
        form.setAttribute('action', $1);
        document.body.appendChild(form);
        form.submit();
     )JS";

    EvalJsResult result =
        EvalJs(frame, JsReplace(script, EchoCookiesUrl(host)));
    observer.WaitForNavigationFinished();
    EXPECT_TRUE(WaitForLoadStop(web_contents()));
    return result;
  }

  EvalJsResult ReadCookiesViaFetchWithRedirect(
      RenderFrameHost* frame,
      std::string_view intermediate_host,
      std::string_view destination_host) {
    constexpr char script[] = "fetch($1).then((result) => result.text());";

    GURL redirect_url = RedirectUrl(https_server(), intermediate_host,
                                    EchoCookiesUrl(destination_host));

    return EvalJs(frame, JsReplace(script, redirect_url));
  }

 private:
  net::test_server::EmbeddedTestServer https_server_;
};

class ThirdPartyCookiesBlockedHttpCookieBrowserTest
    : public ThirdPartyCookiesHttpCookieBrowserTest {
 public:
  ThirdPartyCookiesBlockedHttpCookieBrowserTest() {
    feature_list_.InitWithFeatures(
        {
            net::features::kForceThirdPartyCookieBlocking,
        },
        {});
  }

  ~ThirdPartyCookiesBlockedHttpCookieBrowserTest() override = default;

 private:
  base::test::ScopedFeatureList feature_list_;
};

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       SameSiteNoneCookieNavigateCrossSiteEmbedToSameSiteUrl) {
  ASSERT_TRUE(base::FeatureList::IsEnabled(
      net::features::kForceThirdPartyCookieBlocking));

  // Set SameSite=None cookie on kHostA.
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat({kSameSiteNoneCookieName, "=1;Secure;SameSite=None;"})));

  // Confirm cross-site iframe (kHostB embedded in kHostA) does not
  // send SameSite=None cookie to iframe.
  EXPECT_THAT(content::ArrangeFramesAndGetContentFromLeaf(
                  web_contents(), https_server(),
                  FrameTreeForUrl(EchoCookiesUrl(kHostB)), {0}),
              net::CookieStringIs(UnorderedElementsAre()));

  // Navigate embedded iframe from kHostB to kHostA and confirm that
  // SameSite=None cookie is sent.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      EchoCookiesUrl(kHostA)));

  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       SameSiteNoneCookieCrossSitePostRequest) {
  // Set and confirm SameSite=None cookie on top-level-site kHostB.
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostB, "/"),
      base::StrCat({kSameSiteNoneCookieName, "=1;Secure;SameSite=None;"})));

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostB)));

  ASSERT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostA)));

  // Perform 'Post' to cross-site (kHostB) and confirm no cookie present in
  // method response. Since there is no redirect action at the same time as
  // the post, the cookie will be blocked as the request is being made
  // cross-site.
  EXPECT_THAT(PostWithCredentials(
                  web_contents()->GetPrimaryMainFrame(),
                  https_server()->GetURL(kHostB, kEchoCookiesWithCorsPath)),
              "");
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       SameSiteNoneCookieCrossSiteSubresourceNavigationPost) {
  // Set and confirm SameSite=None cookie on top-level-site kHostB.
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostB, "/"),
      base::StrCat({kSameSiteNoneCookieName, "=1;Secure;SameSite=None;"})));

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostB)));

  ASSERT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  // Starting at kHostA create a form that has an action value that causes a
  // navigation to a new top-level-site (kHostB). Submit the form to trigger the
  // navigation and confirm that no error has occurred in the response.
  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostA)));

  ASSERT_TRUE(
      NavigateToURLWithPOST(web_contents()->GetPrimaryMainFrame(), kHostB)
          .is_ok());

  // Confirm that navigation from subresource occurred and cookies are still
  // available.
  EXPECT_THAT(web_contents()->GetLastCommittedURL().GetHost(), kHostB);

  EXPECT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       RedirectCrossSiteSubresourceToSameSiteUrl) {
  // Set and confirm SameSite=None cookie on top-level-site kHostA.
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat({kSameSiteNoneCookieName, "=1;Secure;SameSite=None;"})));

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostA)));

  ASSERT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  // Perform redirect from cross-site subresource and ensure that no cookie was
  // sent even though it was redirected to the top-level-site.
  EXPECT_EQ(ReadCookiesViaFetchWithRedirect(
                web_contents()->GetPrimaryMainFrame(), kHostB, kHostA),
            "None");
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       SameSiteNoneCookieBlockedOnABEmbeddedIframe) {
  // Set and confirm SameSite=None cookie on top-level-site kHostA is
  // present in the cookie header, document.cookie and cookie store.
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat({kSameSiteNoneCookieName, "=1;Secure;SameSite=None;"})));

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostA)));
  // Confirm in cookie header.
  ASSERT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
  // Confirm in document.cookie.
  ASSERT_THAT(
      ExtractCookieFromDocument(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
  // Confirm in cookie store.
  ASSERT_TRUE(
      GetCookies(web_contents()->GetBrowserContext(), EchoCookiesUrl(kHostA))
          .starts_with(kSameSiteNoneCookieName));

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostB)));

  // Embed an iframe containing A in B and check cookie header.
  EXPECT_THAT(content::ArrangeFramesAndGetContentFromLeaf(
                  web_contents(), https_server(),
                  FrameTreeForHostAndUrl(kHostB, EchoCookiesUrl(kHostA)), {0}),
              "None");

  // Check document.cookie.
  EXPECT_TRUE(ExtractCookieFromDocument(
                  ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0))
                  .empty());

  // Check cookie store.
  EXPECT_TRUE(
      CookieStoreEmpty(ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)));
}

IN_PROC_BROWSER_TEST_F(
    ThirdPartyCookiesBlockedHttpCookieBrowserTest,
    SameSiteNoneCookieBlockedInCrossSiteFetchRequestFromTopLevelFrame) {
  // Set and confirm SameSite=None cookie on Site A.
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat({kSameSiteNoneCookieName, "=1;Secure;SameSite=None;"})));

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostA)));

  ASSERT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  // From site B make a fetch call (with credentials) from site B to site A; and
  // check if cookies are present on the request.
  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostB)));

  EXPECT_THAT(Fetch(web_contents()->GetPrimaryMainFrame(),
                    https_server()->GetURL(kHostA, kEchoCookiesWithCorsPath),
                    "cors", "include")
                  .ExtractString(),
              net::CookieStringIs(IsEmpty()));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       TestCrossSitePartitionKeyNotAvailable) {
  // Set cookie for site A kSameSite ancestor.
  // Create initial frame tree A->B (B is an iframe) and check cookie.
  // Navigate iframe with site B to A and confirm that cookie is present.

  // Set kSameSite cookie
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;Partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kSameSite)));

  // Embed an iframe containing B in A to create initial frame tree A->B.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostB)), {0}),
            "None");

  // Navigate embedded iframe B to A
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      EchoCookiesUrl(kHostA)));

  // Extract cookie from A
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       TestSubresourceRedirects) {
  // Initial frame tree A->B (B is an iframe).
  // A cookie is set for site C.
  // iframe B is navigated to site C.
  // Frame tree becomes A->C (C is an iframe).
  // Check if cookie set for C is present in C.

  // Embed an iframe containing B in A to create initial frame tree A->B.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostB)), {0}),
            "None");

  // Set SameSite=None partitioned cookie for kHostC from embedded iframe B.

  net::CookiePartitionKey partition_key =
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kCrossSite);

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostC, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;partitioned"}),
      net::CookieOptions::SameSiteCookieContext(
          net::CookieOptions::SameSiteCookieContext::ContextType::CROSS_SITE),
      partition_key));
  // confirm that there is a cookie with kHostC url in the mojom cookie manager
  // and that the cookie is partitioned and third party.
  std::vector<net::CanonicalCookie> cookies = GetCanonicalCookies(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostC, "/"),
      net::CookiePartitionKeyCollection(partition_key));
  ASSERT_EQ(cookies.size(), 1u);
  ASSERT_TRUE(cookies[0].IsPartitioned());
  ASSERT_TRUE(cookies[0].PartitionKey()->IsThirdParty());

  // Navigate embedded iframe B to C
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      EchoCookiesUrl(kHostC)));

  // Extract cookie from C
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       TestTopLevelRedirects) {
  // Navigate to Site A and set cookie on site A.
  // Redirect from site A to site B and back to site A.
  // Confirm cookie is present on site A after redirection.

  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostA)));
  // Check to make sure that there are no cookies set on kHostA.
  ASSERT_THAT(ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
              "None");

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kSameSite)));

  // Perform redirect from site A to site B and back to site A.
  ASSERT_TRUE(
      NavigateToURL(web_contents(),
                    RedirectUrl(https_server(), kHostB, EchoCookiesUrl(kHostA)),
                    EchoCookiesUrl(kHostA)));

  EXPECT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(
    ThirdPartyCookiesBlockedHttpCookieBrowserTest,
    TestSameSiteEmbeddedResourceToCrossSiteEmbeddedResource) {
  // Initial frame tree A1->A2 (A2 is an iframe)
  // A cookie is set from top-level A1 for site B with kCrossSite ancestor chain
  // bit. iframe A2 is navigated to site B. Frame tree becomes A1->B (B is an
  // iframe). Check if cookie set from A1 is present in B.

  // Embed an iframe containing A in A to create initial frame tree A->A.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostA)), {0}),
            "None");

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostB, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;Partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kCrossSite)));

  // Navigate embedded iframe A2 to B.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      EchoCookiesUrl(kHostB)));

  // Confirm that the cookie is in the header sent to the iframe.
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       CrossSiteToSameSiteIframeRedirects) {
  // Set partitioned kSameSite ancestor cookie on top level site A.
  // Embed an iframe of site A and confirm cookie is accessible from iframe.
  // Navigate the iframe to a cross-domain (site B) and redirect back to A.
  // Confirm that cookie is accessible from the iframe.

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;Partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kSameSite)));

  // Embed an iframe containing A in A to create initial frame tree A->A.
  // Confirm that partitioned cookie is accessible from the iframe.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostA)), {0}),
            "samesite_none_cookie=1");

  // Navigate the iframe from A to B to A.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      RedirectUrl(https_server(), kHostB, EchoCookiesUrl(kHostA)),
      /*expected_commit_url=*/EchoCookiesUrl(kHostA)));

  // Confirm that the cookie is in the header sent to the iframe.
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       RedirectCrossSiteThroughSameSiteIframe) {
  // Set partitioned kSameSite ancestor cookie on top level site A.
  // Embed an iframe of site A and confirm cookie is accessible from iframe.
  // Navigate the iframe to a cross-domain (site B) and redirect back to a
  // different page with domain of A and then redirect back to the original
  // site. Confirm that cookie is accessible from the header in the final
  // redirect.

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;Partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kSameSite)));

  // Embed an iframe containing A in A to create initial frame tree A->A.
  // Confirm that partitioned cookie is accessible from the iframe.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostA)), {0}),
            "samesite_none_cookie=1");

  // Navigate the iframe from A to B redirecting to A redirecting to A.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      RedirectUrl(https_server(), kHostB,
                  RedirectUrl(https_server(), kHostA, EchoCookiesUrl(kHostA))),
      /*expected_commit_url=*/EchoCookiesUrl(kHostA)));

  // Confirm that the cookie is in the header sent to the iframe.
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       RedirectTwoCrossSitesThroughSameSiteIframe) {
  // Set partitioned kSameSite ancestor cookie on top level site A.
  // Embed an iframe of site A and confirm cookie is accessible from iframe.
  // Navigate the iframe to a cross-domain (site B) and redirect to a second
  // cross-domain (site C) and then redirect back to A.
  // Confirm that cookie is accessible from the header in the final
  // redirect.

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;Partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kSameSite)));

  // Embed an iframe containing A in A to create initial frame tree A->A.
  // Confirm that partitioned cookie is accessible from the iframe.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostA)), {0}),
            "samesite_none_cookie=1");

  // Navigate the iframe from A to B redirecting to C and then back to A.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      RedirectUrl(https_server(), kHostB,
                  RedirectUrl(https_server(), kHostC,
                              RedirectUrl(https_server(), kHostA,
                                          EchoCookiesUrl(kHostA)))),
      EchoCookiesUrl(kHostA)));

  // Confirm that the cookie is in the header sent to the iframe.
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(
    ThirdPartyCookiesBlockedHttpCookieBrowserTest,
    RedirectCrossSiteIframeToSameSiteThenNavigateToSameSite) {
  // Set partitioned kSameSite ancestor cookie on top level site A.
  // Embed an iframe of site A and confirm cookie is accessible from iframe.
  // Navigate the iframe to a cross-domain (site B) and redirect back to site A.
  // Then navigate to site A again.
  // Confirm that cookie is accessible from the header in the final navigation.

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;Partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kSameSite)));

  // Embed an iframe containing A in A to create initial frame tree A->A.
  // Confirm that partitioned cookie is accessible from the iframe.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostA)), {0}),
            "samesite_none_cookie=1");
  // Navigate the iframe from A to B redirecting to A.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      RedirectUrl(https_server(), kHostB, EchoCookiesUrl(kHostA)),
      /*expected_commit_url=*/EchoCookiesUrl(kHostA)));

  // Navigate to A from the iframe A that was redirected to site A from B.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      EchoCookiesUrl(kHostA)));

  // Confirm that the cookie is in the header sent to the iframe.
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

IN_PROC_BROWSER_TEST_F(ThirdPartyCookiesBlockedHttpCookieBrowserTest,
                       CrossSiteToSameSiteIframeNavigation) {
  // Set partitioned kSameSite ancestor cookie on top level site A.
  // Embed an iframe of site A and confirm cookie is accessible from iframe.
  // Navigate the iframe to a cross-domain (site B).
  // Then navigate the iframe back to site A.
  // Confirm that cookie is accessible from the iframe.

  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat(
          {kSameSiteNoneCookieName, "=1;Secure;SameSite=None;Partitioned"}),
      net::CookieOptions::SameSiteCookieContext::MakeInclusive(),
      net::CookiePartitionKey::FromURLForTesting(
          https_server()->GetURL(kHostA, "/"),
          net::CookiePartitionKey::AncestorChainBit::kSameSite)));

  // Embed an iframe containing A in A to create initial frame tree A->A.
  // Confirm that partitioned cookie is accessible from the iframe.
  ASSERT_EQ(content::ArrangeFramesAndGetContentFromLeaf(
                web_contents(), https_server(),
                FrameTreeForUrl(EchoCookiesUrl(kHostA)), {0}),
            "samesite_none_cookie=1");

  // Navigate the iframe from A to B. Then B to A.
  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      EchoCookiesUrl(kHostB)));

  ASSERT_TRUE(NavigateToURLFromRenderer(
      ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0),
      EchoCookiesUrl(kHostA)));

  // Confirm that the cookie is in the header sent to the iframe.
  EXPECT_THAT(
      ExtractFrameContent(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  EXPECT_THAT(
      ExtractCookieFromDocument(
          ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0)),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

class DevToolsOverridesThirdPartyCookiesBrowserTest
    : public ThirdPartyCookiesHttpCookieBrowserTest {
 public:
  DevToolsOverridesThirdPartyCookiesBrowserTest() = default;

  ~DevToolsOverridesThirdPartyCookiesBrowserTest() override = default;

  void SetUpOnMainThread() override {
    ThirdPartyCookiesHttpCookieBrowserTest::SetUpOnMainThread();
    web_contents_devtools_client.AttachToWebContents(shell()->web_contents());
    web_contents_devtools_client.SendCommandAsync("Network.enable");
  }

  void TearDownOnMainThread() override {
    web_contents_devtools_client.DetachProtocolClient();
    frame_devtools_client.DetachProtocolClient();
  }

 protected:
  void NavigateToPageWith3pIFrame(std::string_view host) {
    frame_devtools_client.DetachProtocolClient();
    GURL main_url(https_server()->GetURL(host, "/page_with_blank_iframe.html"));

    ASSERT_TRUE(content::NavigateToURL(web_contents(), main_url));
    EXPECT_TRUE(
        NavigateIframeToURL(web_contents(), "test_iframe",
                            https_server()->GetURL(kHostB, "/empty.html")));

    frame_devtools_client.AttachToFrameTreeHost(GetFrame());
    frame_devtools_client.SendCommandSync("Network.enable");
  }

  content::RenderFrameHost* GetFrame() {
    return ChildFrameAt(web_contents()->GetPrimaryMainFrame(), 0);
  }

  std::string SetCookieFromJS(content::RenderFrameHost* render_frame_host,
                              std::string cookie) {
    content::EvalJsResult result = content::EvalJs(
        render_frame_host,
        "document.cookie = '" + cookie + "; SameSite=None; Secure'",
        content::EXECUTE_SCRIPT_NO_USER_GESTURE);

    return result.ExtractString();
  }

  std::string ReadCookiesFromJS(content::RenderFrameHost* render_frame_host) {
    std::string res = content::EvalJs(render_frame_host, "document.cookie",
                                      content::EXECUTE_SCRIPT_NO_USER_GESTURE)
                          .ExtractString();

    return res;
  }

  void SendSetCookieControls(bool enable_third_party_cookie_restriction,
                             bool disable_third_party_cookie_metadata,
                             bool disable_third_party_cookie_heuristics) {
    base::Value::Dict command_params;
    web_contents_devtools_client.SendCommandSync("Network.enable");
    command_params.Set("enableThirdPartyCookieRestriction",
                       enable_third_party_cookie_restriction);
    command_params.Set("disableThirdPartyCookieMetadata",
                       disable_third_party_cookie_metadata);
    command_params.Set("disableThirdPartyCookieHeuristics",
                       disable_third_party_cookie_heuristics);
    web_contents_devtools_client.SendCommandSync("Network.setCookieControls",
                                                 std::move(command_params));
  }

  content::TestDevToolsProtocolClient web_contents_devtools_client;
  content::TestDevToolsProtocolClient frame_devtools_client;
};

IN_PROC_BROWSER_TEST_F(DevToolsOverridesThirdPartyCookiesBrowserTest,
                       DevToolsForceDisableTPCFromJS) {
  // Third-party access should work initially
  NavigateToPageWith3pIFrame(kHostA);
  SetCookieFromJS(GetFrame(), "cookieAllowed=true");
  EXPECT_EQ(ReadCookiesFromJS(GetFrame()), "cookieAllowed=true");

  // Turning on third-party cookie restriction
  SendSetCookieControls(/*enable_third_party_cookie_restriction=*/true,
                        /*disable_third_party_cookie_metadata=*/false,
                        /*disable_third_party_cookie_heuristics=*/false);

  // Refreshing so that RCM is re-created with new controls
  NavigateToPageWith3pIFrame("a.test");

  // Both of these should get blocked now
  SetCookieFromJS(GetFrame(), "cookieAllowed=false");
  EXPECT_EQ(ReadCookiesFromJS(GetFrame()), "");

  // Disabling the network domain should return to normal (unblocked) cookie
  // state
  frame_devtools_client.SendCommandSync("Network.disable");
  web_contents_devtools_client.SendCommandSync("Network.disable");

  // The cookie should be the same as before proving that the last
  // SetCookieFromJS didn't update the cookie
  EXPECT_EQ(ReadCookiesFromJS(GetFrame()), "cookieAllowed=true");
}

IN_PROC_BROWSER_TEST_F(DevToolsOverridesThirdPartyCookiesBrowserTest,
                       DevToolsForceDisableTPC) {
  // Set SameSite=None cookie on top-level-site kHostA.
  ASSERT_TRUE(SetCookie(
      web_contents()->GetBrowserContext(), https_server()->GetURL(kHostA, "/"),
      base::StrCat({kSameSiteNoneCookieName, "=1;Secure;SameSite=None;"})));
  ASSERT_TRUE(NavigateToURL(web_contents(), EchoCookiesUrl(kHostA)));
  ASSERT_THAT(
      ExtractFrameContent(web_contents()->GetPrimaryMainFrame()),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
  // Embed an iframe containing A in B and check 3pc is allowed.
  ASSERT_THAT(
      content::ArrangeFramesAndGetContentFromLeaf(
          web_contents(), https_server(),
          FrameTreeForHostAndUrl(kHostB, EchoCookiesUrl(kHostA)), {0}),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));

  // Apply devtools overrides to enable 3pc restriction.
  SendSetCookieControls(/*enable_third_party_cookie_restriction=*/true,
                        /*disable_third_party_cookie_metadata=*/false,
                        /*disable_third_party_cookie_heuristics=*/false);

  // 3pc should be blocked due to devtools overrides.
  EXPECT_THAT(content::ArrangeFramesAndGetContentFromLeaf(
                  web_contents(), https_server(),
                  FrameTreeForHostAndUrl(kHostB, EchoCookiesUrl(kHostA)), {0}),
              "None");
  EXPECT_THAT(Fetch(web_contents()->GetPrimaryMainFrame(),
                    https_server()->GetURL(kHostA, kEchoCookiesWithCorsPath),
                    "cors", "include")
                  .ExtractString(),
              net::CookieStringIs(IsEmpty()));

  web_contents_devtools_client.SendCommandAsync("Network.disable");
  // The override should stop working and 3pc is re-allowed after devtools is
  // disabled.
  EXPECT_THAT(
      content::ArrangeFramesAndGetContentFromLeaf(
          web_contents(), https_server(),
          FrameTreeForHostAndUrl(kHostB, EchoCookiesUrl(kHostA)), {0}),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
  EXPECT_THAT(
      Fetch(web_contents()->GetPrimaryMainFrame(),
            https_server()->GetURL(kHostA, kEchoCookiesWithCorsPath), "cors",
            "include")
          .ExtractString(),
      net::CookieStringIs(UnorderedElementsAre(Key(kSameSiteNoneCookieName))));
}

INSTANTIATE_TEST_SUITE_P(/* no label */,
                         HttpCookieBrowserTest,
                         ::testing::Bool());

}  // namespace
}  // namespace content