test_same_site_cookies_iframe.html (6306B)
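<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1454027 - Update SameSite cookie handling inside iframes</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<img id="cookieImage">
<iframe id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/*
 * Description of the test:
 * 1) We load an image from http://mochi.test which sets a same-site cookie
 * 2) We then load the following iframes:
 *    (a) cross-origin iframe
 *    (b) sandboxed iframe
 *    (c) data: URI iframe
 *    (d) same origin iframe which loads blob: URI iframe (to simulate same origin blobs)
 *    (e) cross origin iframe which loads blob: URI iframe (to simulate cross origin blobs)
 *    which all:
 *    - navigate the iframe to http://mochi.test
 *    - include another iframe from http://mochi.test
 * 3) We observe that none of these nested iframes have access to the same-site cookie.
 *    The same-origin variants (mochi.test -> mochi.test -> mochi.test) run alongside
 *    as a baseline and ARE expected to see the cookie.
 *
 * Each innermost frame reports the cookie string it received back to this page via
 * postMessage; receiveMessage() compares it against the expected value for the current
 * entry of `tests` and then starts the next one. Tests run strictly one at a time.
 */

SimpleTest.waitForExplicitFinish();

const SAME_ORIGIN = "http://mochi.test:8888/";
const CROSS_ORIGIN = "http://example.com/";
const PATH = "tests/dom/security/test/general/";
const SERVER_FILE = "file_same_site_cookies_iframe.sjs";

// data: document that navigates itself to the same-site server file via a link click.
const NESTED_DATA_IFRAME_NAVIGATION = `
  data:text/html,
  <html>
  <body>
  <a id="testlink" href="http://mochi.test:8888/tests/dom/security/test/general/file_same_site_cookies_iframe.sjs"></a>
  <script type="application/javascript">
    let link = document.getElementById("testlink");
    link.click();
  <\/script>
  </body>
  </html>`;

// data: document that embeds the same-site server file and relays its result upward.
const NESTED_DATA_IFRAME_INCLUSION = `
  data:text/html,
  <html>
  <body>
  <script type="application/javascript">
    window.addEventListener("message", receiveMessage);
    function receiveMessage(event) {
      window.removeEventListener("message", receiveMessage);
      window.parent.postMessage({result: event.data.result}, '*');
    }
  <\/script>
  <iframe src="http://mochi.test:8888/tests/dom/security/test/general/file_same_site_cookies_iframe.sjs"></iframe>
  </body>
  </html>`;

// Index into `tests` of the test currently running.
let curTest = 0;

// Each entry: the frame to load and the cookie string the innermost frame must report.
const tests = [
  // NAVIGATION TESTS
  {
    description: "nested same origin iframe navigation [mochi.test -> mochi.test -> mochi.test]",
    frameSRC: SAME_ORIGIN + PATH + SERVER_FILE + "?nestedIframeNavigation",
    result: "myKey=mySameSiteIframeTestCookie", // cookie should be set for baseline test
  },
  {
    description: "nested cross origin iframe navigation [mochi.test -> example.com -> mochi.test]",
    frameSRC: CROSS_ORIGIN + PATH + SERVER_FILE + "?nestedIframeNavigation",
    result: "", // no cookie should be set
  },
  {
    description: "nested sandboxed iframe navigation [mochi.test -> sandbox -> mochi.test]",
    frameSRC: CROSS_ORIGIN + PATH + SERVER_FILE + "?nestedSandboxIframeNavigation",
    result: "", // no cookie should be set
  },
  {
    description: "nested data iframe navigation [mochi.test -> data: -> mochi.test]",
    frameSRC: NESTED_DATA_IFRAME_NAVIGATION,
    result: "", // no cookie should be set
  },
  {
    description: "nested same site blob iframe navigation [mochi.test -> mochi.test -> blob: -> mochi.test]",
    frameSRC: SAME_ORIGIN + PATH + "file_same_site_cookies_blob_iframe_navigation.html",
    result: "myKey=mySameSiteIframeTestCookie", // cookie should be set, blobs inherit security context
  },
  {
    description: "nested cross site blob iframe navigation [mochi.test -> example.com -> blob: -> mochi.test]",
    frameSRC: CROSS_ORIGIN + PATH + "file_same_site_cookies_blob_iframe_navigation.html",
    result: "", // no cookie should be set
  },
  // INCLUSION TESTS
  {
    description: "nested same origin iframe inclusion [mochi.test -> mochi.test -> mochi.test]",
    frameSRC: SAME_ORIGIN + PATH + SERVER_FILE + "?nestedIframeInclusion",
    result: "myKey=mySameSiteIframeTestCookie", // cookie should be set for baseline test
  },
  {
    description: "nested cross origin iframe inclusion [mochi.test -> example.com -> mochi.test]",
    frameSRC: CROSS_ORIGIN + PATH + SERVER_FILE + "?nestedIframeInclusion",
    result: "", // no cookie should be set
  },
  {
    description: "nested sandboxed iframe inclusion [mochi.test -> sandbox -> mochi.test]",
    frameSRC: CROSS_ORIGIN + PATH + SERVER_FILE + "?nestedSandboxIframeInclusion",
    result: "", // no cookie should be set
  },
  {
    description: "nested data iframe inclusion [mochi.test -> data: -> mochi.test]",
    frameSRC: NESTED_DATA_IFRAME_INCLUSION,
    result: "", // no cookie should be set
  },
  {
    description: "nested same site blob iframe inclusion [mochi.test -> mochi.test -> blob: -> mochi.test]",
    frameSRC: SAME_ORIGIN + PATH + "file_same_site_cookies_blob_iframe_inclusion.html",
    result: "myKey=mySameSiteIframeTestCookie", // cookie should be set, blobs inherit security context
  },
  {
    description: "same-site cookie, nested cross site blob iframe inclusion [mochi.test -> example.com -> blob: -> mochi.test]",
    frameSRC: CROSS_ORIGIN + PATH + "file_same_site_cookies_blob_iframe_inclusion.html",
    result: "", // no cookie should be set
  },
];

// Receives the cookie string reported by the innermost frame of the current test.
// The reporting frames are cross-origin, sandboxed or data:/blob: documents, so no
// origin filter is applied here: whatever is posted to this window is treated as the
// result of the test currently running. This is acceptable only because the harness
// runs a single test at a time and nothing else posts to this window.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
  is(event.data.result, tests[curTest].result, tests[curTest].description);
  curTest += 1;

  // all tests done?
  if (curTest === tests.length) {
    window.removeEventListener("message", receiveMessage);
    SimpleTest.finish();
    return;
  }
  // otherwise it's time to run the next test
  setCookieAndInitTest();
}

// Loads the frame for the current test; its result arrives via receiveMessage().
function setupQueryResultAndRunTest() {
  const testframe = document.getElementById("testframe");
  testframe.src = tests[curTest].frameSRC;
}

// Sets the same-site cookie by loading a same-origin image from the server file,
// then starts the current test once the cookie-setting response has arrived.
function setCookieAndInitTest() {
  const cookieImage = document.getElementById("cookieImage");
  cookieImage.onload = function() {
    ok(true, `trying to set cookie for test (${tests[curTest].description})`);
    setupQueryResultAndRunTest();
  };
  cookieImage.onerror = function() {
    ok(false, `could not load image for test (${tests[curTest].description})`);
    // No frame gets loaded after this, so no message would ever arrive; finish
    // explicitly so the run fails right away instead of waiting for the harness timeout.
    window.removeEventListener("message", receiveMessage);
    SimpleTest.finish();
  };
  // appending Math.random to avoid any unexpected caching behavior
  cookieImage.src = SAME_ORIGIN + PATH + SERVER_FILE + "?setSameSiteCookie" + Math.random();
}

// fire up the test
setCookieAndInitTest();

</script>
</body>
</html>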