WebDriver mechanism to test samesite cookie security overhaul?

[asen...@2keys.ca]

I just read about this future Chrome update chrome-browser-pushes-samesite-cookie-security-overhaul and I was hoping I could set a ChromeOption on the driver to run my tests with the samesite policy set to strict to see how my app would behave. Do any of you know how this could be accomplished? 

I've looked through:

• https://peter.sh/experiments/chromium-command-line-switches/
  
• https://chromedriver.chromium.org/capabilities
  

and can't seem to find something relevant.

Thanks

[T Crichton]

The flags I can find relating to same Site cookies are same-site-by-default-cookies and cookies-without-same-site-must-be-secure. You can see more about these by looking in chrome://flags.

[asen...@2keys.ca]

Yes, I saw those but fail to understand how these flags can be passed to the Capabilities & ChromeOptions of the driver?

[asen...@2keys.ca]

I've tried multiple variations setting the experimental option directly or through a map using the "prefs" as described in this post https://www.awesome-testing.com/2016/02/selenium-browser-capabilities-explained.html

Map<String, Object> chromePrefs = new HashMap<>();

chromePrefs.put("same-site-by-default-cookies", true);

ChromeOptions chromeOptions = new ChromeOptions();

chromeOptions.setExperimentalOption("prefs", chromePrefs);

return new ChromeDriver(chromeOptions);

I've tried setting the value of same-site-by-default-cookies to "Enabled", true, 1.

I try to validate the configuration by looking at the chrome://flags/ page in the driven browser that opens but it is always set to default.

On Wednesday, October 16, 2019 at 4:57:40 PM UTC-4, T Crichton wrote:

[asen...@2keys.ca]

I even tried setting the flag through Selenium before conducting any tests

driver.get("chrome://flags/");

WebElement sameSiteSelect = driver.findElementByCssSelector("select[aria-labelledby=same-site-by-default-cookies_name]");

Select sameSite = new Select(sameSiteSelect);

sameSite.selectByVisibleText("Enabled");

driver.findElementById("experiment-restart-button").click();

But sadly a browser restart is required for the changes to take effect and this causes the driver to loose track of the browser and results in a 

org.openqa.selenium.WebDriverException: chrome not reachable

[tri...@google.com]

I apologize. Those flags do not work the way I expected. 

I found an internal document that gave this example for selenium code:

options.addArguments("enable-features=SameSiteByDefautCookies,CookiesWithoutSameSiteMustBeSecure");

However, it still doesn't show enabled on Chrome://flags for me.

According to the same internal document, it looks like it isn't scheduled for Stable release until version 80, so it may just be too soon to try.

[asen...@2keys.ca]

Ok, thank you for the information. I appreciate it.

[upar...@gmail.com]

You can enable sameSite cookie flag using localState experimental options of chrome driver.

ChromeOptions chromeOptions = new ChromeOptions();

HashMap<String, Object> chromeLocalStatePrefs = new HashMap<String, Object>();
List<String> experimentalFlags = new ArrayList<String>();

experimentalFlags.add("same-site-by-default-cookies@1");

chromeLocalStatePrefs.put("browser.enabled_labs_experiments",experimentalFlags);

chromeOptions.setExperimentalOption("localState", chromeLocalStatePrefs);

[asen...@2keys.ca]

Works great, thank you!

[zhng...@gmail.com]

It works like a charm. Thank you very much.

[ramabod...@gmail.com]

we need to set samesite flag enabled can you please confirm this code working for you, for some reason its not enabling for me Thanks

On Thursday, January 2, 2020 at 5:32:21 AM UTC-5, upar...@gmail.com wrote:

[T Crichton]

ramabod... The code posted Jan 2 by upar....@gmail works for me on Linux with Chrome/ChromeDriver 78+. When connecting to chrome://flags, the listed feature shows enabled.

There are 2 flags relating to same-site: same-site-by-default-cookies and cookies-without-same-site-must-be-secure. You may need to add both of them to get the effect you are trying to test.

If you post the code you tried and attach a verbose ChromeDriver log, we may be able to help further.

[saga...@gmail.com]

Can you please let me know how enable same-site-by-default-cookies flag in chrome using selenium C#. 

[pmadh...@gmail.com]

Try like below

 var experimentalFlags = new List<string>();

 experimentalFlags.Add("same-site-by-default-cookies@1");

 experimentalFlags.Add("cookies-without-same-site-must-be-secure@1");

 chromeOptions.AddLocalStatePreference("browser.enabled_labs_experiments", experimentalFlags);

[saga...@gmail.com]

Thanks, its work for me.

[saga...@gmail.com]

Thanks for your help and its work for me but now we have to implement same for Edge(Chromium) browser, In which method - AddLocalStatePreference is not available. Is there any other way to set these flag in Edge(Chromium). I have tried with AddAdditionalCapability but no luck. 

On Wednesday, March 11, 2020 at 2:54:33 PM UTC+5:30, pmadh...@gmail.com wrote:

[T Crichton]

I think you will have to use the 4.0 Selenium bindings; in this version, the chromium options were moved into a common class, so that they were accessible to the EdgeDriver. AddLocalStatePreference, is in the ChromiumOptions class, which is a parent of EdgeOptions.

[홍영기]

Hi, would this be possible through Ruby client? Couldn't find how we can set experimental options using Ruby, would appreciate any help.