
frame_credman_iframes.html (2978B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4  <title>Embedded Frame for Credential Management: Prohibit use in cross-origin iframes</title>
      5  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      6  <meta charset=utf-8>
      7 </head>
      8 <body>
      9 
     10 <script class="testbody" type="text/javascript">
     11 "use strict";
     12 
// COSE algorithm identifier for ECDSA with SHA-256; the only algorithm the
// test offers in pubKeyCredParams below.
const cose_alg_ECDSA_w_SHA256 = -7;
// targetOrigin for every postMessage to the embedding test page, so results
// are delivered only to a parent that is actually on this origin.
var _parentOrigin = "https://example.com/";
     15 
/**
 * Record a test message on the console and, when the #log element exists,
 * append it there as well.
 * @param {string} msg - Text to record.
 */
function log(msg) {
  console.log(msg);
  const logBox = document.getElementById("log");
  if (!logBox) {
    return;
  }
  logBox.textContent += `\n${msg}`;
}
     23 
/**
 * Tell the embedding test page that this frame is done, then log it locally.
 * The message is addressed to _parentOrigin, so a parent on any other origin
 * does not receive it.
 */
function local_finished() {
  const doneMessage = { done: true };
  parent.postMessage(doneMessage, _parentOrigin);
  log("Done.");
}
     28 
/**
 * Report one assertion result to the embedding test page and log it locally.
 * The same boolean is sent as both `test` and `status`.
 * @param {boolean} expression - Outcome of the check.
 * @param {string} message - Description of the check.
 */
function local_ok(expression, message) {
  parent.postMessage(
    { test: expression, status: expression, msg: message },
    _parentOrigin
  );
  log(`${expression}: ${message}`);
}
     34 
/**
 * Same-origin case: credential creation and preventSilentAccess() are both
 * expected to succeed. Each outcome is reported through local_ok, and
 * local_finished is sent once the whole chain has settled.
 */
function testSameOrigin() {
  log(`Same origin: ${document.domain}`);

  // Both steps use the same failure report, so share one handler.
  const reportUnexpectedFailure = (err) => {
    local_ok(false, `Should not have failed ${err}`);
  };

  navigator.credentials
    .create({ publicKey: makeCredentialOptions })
    .then((credential) => {
      local_ok(credential != undefined, `Create worked ${credential}`);
    })
    .catch(reportUnexpectedFailure)
    .then(() => navigator.credentials.preventSilentAccess())
    .then((result) => {
      local_ok(result == undefined, `PreventSilentAccess worked ${result}`);
    })
    .catch(reportUnexpectedFailure)
    .then(() => {
      local_finished();
    });
}
     58 
/**
 * Cross-origin case: credential creation must be rejected with a
 * NotAllowedError, while preventSilentAccess() is still expected to resolve.
 * Outcomes are reported through local_ok; local_finished is sent at the end.
 */
function testCrossOrigin() {
  log(`Cross-origin: ${document.domain}`);

  const reportUnexpectedFailure = (err) => {
    local_ok(false, `Should not have failed ${err}`);
  };

  navigator.credentials
    .create({ publicKey: makeCredentialOptions })
    .then((credential) => {
      // Reaching this handler means the cross-origin create() was allowed.
      local_ok(false, `Should not have succeeded ${credential}`);
    })
    .catch((err) => {
      // The rejection is identified by the prefix of its string form rather
      // than by its name property.
      const isNotAllowed = err.toString().startsWith("NotAllowedError");
      local_ok(isNotAllowed, `Expecting a NotAllowedError, received ${err}`);
    })
    .then(() => navigator.credentials.preventSilentAccess())
    .then((result) => {
      local_ok(result == undefined, `PreventSilentAccess worked ${result}`);
    })
    .catch(reportUnexpectedFailure)
    .then(() => {
      local_finished();
    });
}
     83 
// Relying party and user records for the create() call. The RP id is the
// frame's own document.domain; the user id is 16 random bytes.
const rp = { id: document.domain, name: "none", icon: "none" };
const user = {
  id: crypto.getRandomValues(new Uint8Array(16)),
  name: "none",
  icon: "none",
  displayName: "none",
};
const param = { type: "public-key", alg: cose_alg_ECDSA_w_SHA256 };
// The challenge is left empty: this test checks only whether create() is
// allowed in this frame, not the resulting credential.
const makeCredentialOptions = {
  rp,
  user,
  challenge: new Uint8Array(),
  pubKeyCredParams: [param],
};
     93 
// Which case runs is decided by the origin this frame was loaded on.
(document.domain === "example.com" ? testSameOrigin : testCrossOrigin)();
     99 
    100 </script>
    101 
    102 <div id="log"></div>
    103 
    104 </body>
    105 </html>