tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_permissions.js (11230B)

      1 /* Any copyright is dedicated to the Public Domain.
      2 * http://creativecommons.org/publicdomain/zero/1.0/ */
      3 
      4 "use strict";
      5 
      6 function URI(str) {
      7  return Services.io.newURI(str);
      8 }
      9 
     10 add_task(async function test_setup_preexisting_permissions() {
     11  // Pre-existing ALLOW permissions that should be overridden
     12  // with DENY.
     13 
     14  // No ALLOW -> DENY override for popup and install permissions,
     15  // because their policies only supports the Allow parameter.
     16 
     17  PermissionTestUtils.add(
     18    "https://www.pre-existing-allow.com",
     19    "camera",
     20    Ci.nsIPermissionManager.ALLOW_ACTION,
     21    Ci.nsIPermissionManager.EXPIRE_SESSION
     22  );
     23  PermissionTestUtils.add(
     24    "https://www.pre-existing-allow.com",
     25    "microphone",
     26    Ci.nsIPermissionManager.ALLOW_ACTION,
     27    Ci.nsIPermissionManager.EXPIRE_SESSION
     28  );
     29  PermissionTestUtils.add(
     30    "https://www.pre-existing-allow.com",
     31    "geo",
     32    Ci.nsIPermissionManager.ALLOW_ACTION,
     33    Ci.nsIPermissionManager.EXPIRE_SESSION
     34  );
     35  PermissionTestUtils.add(
     36    "https://www.pre-existing-allow.com",
     37    "desktop-notification",
     38    Ci.nsIPermissionManager.ALLOW_ACTION,
     39    Ci.nsIPermissionManager.EXPIRE_SESSION
     40  );
     41  PermissionTestUtils.add(
     42    "https://www.pre-existing-allow.com",
     43    "autoplay-media",
     44    Ci.nsIPermissionManager.ALLOW_ACTION,
     45    Ci.nsIPermissionManager.EXPIRE_SESSION
     46  );
     47  PermissionTestUtils.add(
     48    "https://www.pre-existing-allow.com",
     49    "xr",
     50    Ci.nsIPermissionManager.ALLOW_ACTION,
     51    Ci.nsIPermissionManager.EXPIRE_SESSION
     52  );
     53 
     54  // Pre-existing DENY permissions that should be overridden
     55  // with ALLOW.
     56 
     57  PermissionTestUtils.add(
     58    "https://www.pre-existing-deny.com",
     59    "camera",
     60    Ci.nsIPermissionManager.DENY_ACTION,
     61    Ci.nsIPermissionManager.EXPIRE_SESSION
     62  );
     63  PermissionTestUtils.add(
     64    "https://www.pre-existing-deny.com",
     65    "microphone",
     66    Ci.nsIPermissionManager.DENY_ACTION,
     67    Ci.nsIPermissionManager.EXPIRE_SESSION
     68  );
     69  PermissionTestUtils.add(
     70    "https://www.pre-existing-deny.com",
     71    "geo",
     72    Ci.nsIPermissionManager.DENY_ACTION,
     73    Ci.nsIPermissionManager.EXPIRE_SESSION
     74  );
     75  PermissionTestUtils.add(
     76    "https://www.pre-existing-deny.com",
     77    "desktop-notification",
     78    Ci.nsIPermissionManager.DENY_ACTION,
     79    Ci.nsIPermissionManager.EXPIRE_SESSION
     80  );
     81  PermissionTestUtils.add(
     82    "https://www.pre-existing-deny.com",
     83    "autoplay-media",
     84    Ci.nsIPermissionManager.DENY_ACTION,
     85    Ci.nsIPermissionManager.EXPIRE_SESSION
     86  );
     87  PermissionTestUtils.add(
     88    "https://www.pre-existing-deny.com",
     89    "xr",
     90    Ci.nsIPermissionManager.DENY_ACTION,
     91    Ci.nsIPermissionManager.EXPIRE_SESSION
     92  );
     93 });
     94 
     95 add_task(async function test_setup_activate_policies() {
     96  await setupPolicyEngineWithJson({
     97    policies: {
     98      Permissions: {
     99        Camera: {
    100          Allow: ["https://www.allow.com", "https://www.pre-existing-deny.com"],
    101          Block: ["https://www.deny.com", "https://www.pre-existing-allow.com"],
    102        },
    103        Microphone: {
    104          Allow: ["https://www.allow.com", "https://www.pre-existing-deny.com"],
    105          Block: ["https://www.deny.com", "https://www.pre-existing-allow.com"],
    106        },
    107        Location: {
    108          Allow: ["https://www.allow.com", "https://www.pre-existing-deny.com"],
    109          Block: ["https://www.deny.com", "https://www.pre-existing-allow.com"],
    110        },
    111        Notifications: {
    112          Allow: ["https://www.allow.com", "https://www.pre-existing-deny.com"],
    113          Block: ["https://www.deny.com", "https://www.pre-existing-allow.com"],
    114        },
    115        Autoplay: {
    116          Allow: ["https://www.allow.com", "https://www.pre-existing-deny.com"],
    117          Block: ["https://www.deny.com", "https://www.pre-existing-allow.com"],
    118        },
    119        VirtualReality: {
    120          Allow: ["https://www.allow.com", "https://www.pre-existing-deny.com"],
    121          Block: ["https://www.deny.com", "https://www.pre-existing-allow.com"],
    122        },
    123        ScreenShare: {
    124          Allow: ["https://www.allow.com", "https://www.pre-existing-deny.com"],
    125          Block: ["https://www.deny.com", "https://www.pre-existing-allow.com"],
    126        },
    127      },
    128    },
    129  });
    130  equal(
    131    Services.policies.status,
    132    Ci.nsIEnterprisePolicies.ACTIVE,
    133    "Engine is active"
    134  );
    135 });
    136 
    137 function checkPermission(url, expected, permissionName) {
    138  let expectedValue = Ci.nsIPermissionManager[`${expected}_ACTION`];
    139  let uri = Services.io.newURI(`https://www.${url}`);
    140 
    141  equal(
    142    PermissionTestUtils.testPermission(uri, permissionName),
    143    expectedValue,
    144    `Correct (${permissionName}=${expected}) for URL ${url}`
    145  );
    146 
    147  if (expected != "UNKNOWN") {
    148    let permission = PermissionTestUtils.getPermissionObject(
    149      uri,
    150      permissionName,
    151      true
    152    );
    153    ok(permission, "Permission object exists");
    154    equal(
    155      permission.expireType,
    156      Ci.nsIPermissionManager.EXPIRE_POLICY,
    157      "Permission expireType is correct"
    158    );
    159  }
    160 }
    161 
    162 function checkAllPermissionsForType(type, typeSupportsDeny = true) {
    163  checkPermission("allow.com", "ALLOW", type);
    164  checkPermission("unknown.com", "UNKNOWN", type);
    165  checkPermission("pre-existing-deny.com", "ALLOW", type);
    166 
    167  if (typeSupportsDeny) {
    168    checkPermission("deny.com", "DENY", type);
    169    checkPermission("pre-existing-allow.com", "DENY", type);
    170  }
    171 }
    172 
    173 add_task(async function test_camera_policy() {
    174  checkAllPermissionsForType("camera");
    175 });
    176 
    177 add_task(async function test_microphone_policy() {
    178  checkAllPermissionsForType("microphone");
    179 });
    180 
    181 add_task(async function test_location_policy() {
    182  checkAllPermissionsForType("geo");
    183 });
    184 
    185 add_task(async function test_notifications_policy() {
    186  checkAllPermissionsForType("desktop-notification");
    187 });
    188 
    189 add_task(async function test_autoplay_policy() {
    190  checkAllPermissionsForType("autoplay-media");
    191 });
    192 
    193 add_task(async function test_xr_policy() {
    194  checkAllPermissionsForType("xr");
    195 });
    196 
    197 add_task(async function test_change_permission() {
    198  // Checks that changing a permission will still retain the
    199  // value set through the engine.
    200  PermissionTestUtils.add(
    201    "https://www.allow.com",
    202    "camera",
    203    Ci.nsIPermissionManager.DENY_ACTION,
    204    Ci.nsIPermissionManager.EXPIRE_SESSION
    205  );
    206  PermissionTestUtils.add(
    207    "https://www.allow.com",
    208    "microphone",
    209    Ci.nsIPermissionManager.DENY_ACTION,
    210    Ci.nsIPermissionManager.EXPIRE_SESSION
    211  );
    212  PermissionTestUtils.add(
    213    "https://www.allow.com",
    214    "geo",
    215    Ci.nsIPermissionManager.DENY_ACTION,
    216    Ci.nsIPermissionManager.EXPIRE_SESSION
    217  );
    218  PermissionTestUtils.add(
    219    "https://www.allow.com",
    220    "desktop-notification",
    221    Ci.nsIPermissionManager.DENY_ACTION,
    222    Ci.nsIPermissionManager.EXPIRE_SESSION
    223  );
    224  PermissionTestUtils.add(
    225    "https://www.allow.com",
    226    "autoplay-media",
    227    Ci.nsIPermissionManager.DENY_ACTION,
    228    Ci.nsIPermissionManager.EXPIRE_SESSION
    229  );
    230  PermissionTestUtils.add(
    231    "https://www.allow.com",
    232    "xr",
    233    Ci.nsIPermissionManager.DENY_ACTION,
    234    Ci.nsIPermissionManager.EXPIRE_SESSION
    235  );
    236  PermissionTestUtils.add(
    237    "https://www.allow.com",
    238    "screen",
    239    Ci.nsIPermissionManager.DENY_ACTION,
    240    Ci.nsIPermissionManager.EXPIRE_SESSION
    241  );
    242 
    243  checkPermission("allow.com", "ALLOW", "camera");
    244  checkPermission("allow.com", "ALLOW", "microphone");
    245  checkPermission("allow.com", "ALLOW", "geo");
    246  checkPermission("allow.com", "ALLOW", "desktop-notification");
    247  checkPermission("allow.com", "ALLOW", "autoplay-media");
    248  checkPermission("allow.com", "ALLOW", "xr");
    249  checkPermission("allow.com", "ALLOW", "screen");
    250 
    251  // Also change one un-managed permission to make sure it doesn't
    252  // cause any problems to the policy engine or the permission manager.
    253  PermissionTestUtils.add(
    254    "https://www.unmanaged.com",
    255    "camera",
    256    Ci.nsIPermissionManager.DENY_ACTION,
    257    Ci.nsIPermissionManager.EXPIRE_SESSION
    258  );
    259  PermissionTestUtils.add(
    260    "https://www.unmanaged.com",
    261    "microphone",
    262    Ci.nsIPermissionManager.DENY_ACTION,
    263    Ci.nsIPermissionManager.EXPIRE_SESSION
    264  );
    265  PermissionTestUtils.add(
    266    "https://www.unmanaged.com",
    267    "geo",
    268    Ci.nsIPermissionManager.DENY_ACTION,
    269    Ci.nsIPermissionManager.EXPIRE_SESSION
    270  );
    271  PermissionTestUtils.add(
    272    "https://www.unmanaged.com",
    273    "desktop-notification",
    274    Ci.nsIPermissionManager.DENY_ACTION,
    275    Ci.nsIPermissionManager.EXPIRE_SESSION
    276  );
    277  PermissionTestUtils.add(
    278    "https://www.unmanaged.com",
    279    "autoplay-media",
    280    Ci.nsIPermissionManager.DENY_ACTION,
    281    Ci.nsIPermissionManager.EXPIRE_SESSION
    282  );
    283  PermissionTestUtils.add(
    284    "https://www.unmanaged.com",
    285    "xr",
    286    Ci.nsIPermissionManager.DENY_ACTION,
    287    Ci.nsIPermissionManager.EXPIRE_SESSION
    288  );
    289  PermissionTestUtils.add(
    290    "https://www.unmanaged.com",
    291    "screen",
    292    Ci.nsIPermissionManager.DENY_ACTION,
    293    Ci.nsIPermissionManager.EXPIRE_SESSION
    294  );
    295 });
    296 
    297 add_task(async function test_setup_trackingprotection() {
    298  await setupPolicyEngineWithJson({
    299    policies: {
    300      EnableTrackingProtection: {
    301        Exceptions: ["https://www.allow.com"],
    302      },
    303    },
    304  });
    305  equal(
    306    Services.policies.status,
    307    Ci.nsIEnterprisePolicies.ACTIVE,
    308    "Engine is active"
    309  );
    310 });
    311 
    312 add_task(async function test_trackingprotection() {
    313  checkPermission("allow.com", "ALLOW", "trackingprotection");
    314 });
    315 
    316 // This seems a little out of place, but it's really a cookie
    317 // permission, not cookies per say.
    318 add_task(async function test_cookie_allow_session() {
    319  await setupPolicyEngineWithJson({
    320    policies: {
    321      Cookies: {
    322        AllowSession: ["https://allowsession.example.com"],
    323      },
    324    },
    325  });
    326  equal(
    327    PermissionTestUtils.testPermission(
    328      URI("https://allowsession.example.com"),
    329      "cookie"
    330    ),
    331    Ci.nsICookiePermission.ACCESS_SESSION
    332  );
    333 });
    334 
    335 // This again seems out of place, but AutoLaunchProtocolsFromOrigins
    336 // is all permissions.
    337 add_task(async function test_autolaunchprotocolsfromorigins() {
    338  await setupPolicyEngineWithJson({
    339    policies: {
    340      AutoLaunchProtocolsFromOrigins: [
    341        {
    342          allowed_origins: ["https://allowsession.example.com"],
    343          protocol: "test-protocol",
    344        },
    345      ],
    346    },
    347  });
    348  equal(
    349    PermissionTestUtils.testPermission(
    350      URI("https://allowsession.example.com"),
    351      "open-protocol-handler^test-protocol"
    352    ),
    353    Ci.nsIPermissionManager.ALLOW_ACTION
    354  );
    355 });
    356 
    357 // This again seems out of place, but PasswordManagerExceptions
    358 // is all permissions.
    359 add_task(async function test_passwordmanagerexceptions() {
    360  await setupPolicyEngineWithJson({
    361    policies: {
    362      PasswordManagerExceptions: ["https://pwexception.example.com"],
    363    },
    364  });
    365  equal(
    366    PermissionTestUtils.testPermission(
    367      URI("https://pwexception.example.com"),
    368      "login-saving"
    369    ),
    370    Ci.nsIPermissionManager.DENY_ACTION
    371  );
    372 });
    373 
    374 // This again seems out of place, but HttpAllowlist
    375 // is all permissions.
    376 add_task(async function test_httpsonly_exceptions() {
    377  await setupPolicyEngineWithJson({
    378    policies: {
    379      HttpAllowlist: ["https://http.example.com"],
    380    },
    381  });
    382  equal(
    383    PermissionTestUtils.testPermission(
    384      URI("https://http.example.com"),
    385      "https-only-load-insecure"
    386    ),
    387    Ci.nsIPermissionManager.ALLOW_ACTION
    388  );
    389 });