

      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4 <title>Bug 1711453 : HTTPS-First: Add test for cookies </title>
      5 <script src="/tests/SimpleTest/SimpleTest.js"></script>
      6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      7 </head>
      8 <body>
      9 
     10 <script class="testbody" type="text/javascript">
// Classic (non-module) mochitest script, so strict mode has to be requested explicitly.
"use strict";
     12 /*
     13 * Description of the test:
     14 * We perform each test with 4 different cookie settings and
     15 * expect https-first to detect which cookie is same origin and
     16 * which is cross origin. The cookies are in an image or in a frame.
     17 * The 4 cookie settings differ in two flags which are set or not.
     18 * The first call is always with secure flag not set and sameSite=none
     19 * In the second call we don't set the secure flag but sameSite=strict
     20 * In the third call we set the secure flag and sameSite=none
     21 * In the fourth call we set the secure flag and sameSite=strict
     22 * More detailed:
     23 * We run the tests in the following order.
     24 * Test 1a: Image is loaded with cookie same-origin, not secure and sameSite=none
     25 * Test 1b: Image is loaded with cookie same-origin, not secure and sameSite=strict
     26 * Test 1c: Image is loaded with cookie same-origin, secure and sameSite=none
     27 * Test 1d: Image is loaded with cookie same-origin, secure and sameSite=strict
     28 * Test 1e: Image is loaded with cookie cross-origin, not secure and sameSite=none
     29 * Test 1f: Image is loaded with cookie cross-origin, not secure and sameSite=strict
     30 * Test 2a: Load frame navigation with cookie same-origin, not secure and sameSite=none
     31 * ...
     32 * Test 3a: Load frame navigation blank with cookie same-origin, not secure and sameSite=none
     33 * ...
     34 * Test 4a: Load frame Inc with cookie same-origin, not secure and sameSite=none
     35 * ...
     36 * Test 5a: Load frame Inc Blank with cookie same-origin, not secure and sameSite=none
     37 * ...
     38 */
     39 
SimpleTest.waitForExplicitFinish();

// Both endpoints are plain http on purpose: the test asserts that HTTPS-First
// upgrades them. The trailing "?" lets runTest() append the query directly.
const SAME_ORIGIN =
  "http://example.com/tests/dom/security/test/https-first/file_toplevel_cookies.sjs?";

const CROSS_ORIGIN =
  "http://example.org/tests/dom/security/test/https-first/file_toplevel_cookies.sjs?";

// One entry per scenario (see the header comment: image, frame navigation,
// blank frame, included frame, included blank frame). Each is run against every
// cookie combination below, first same-origin and then cross-origin.
const redirectQueries = [
  "setImage",
  "loadNav",
  "loadNavBlank",
  "loadframeInc",
  "loadframeIncBlank",
];

// All cookie attribute combinations: secure flag set/not set x sameSite none/strict.
const ALL_COOKIE_COMB = [
  "notSecure,none",
  "notSecure,strict",
  "secure,none",
  "secure,strict",
];

// Driver state, advanced by receiveMessage() and consumed by runTest().
let currentTest = 0;          // index into redirectQueries
let currentRun = 0;           // index into ALL_COOKIE_COMB
let sameOriginRequest = true; // same-origin pass first, then cross-origin
let testWin;                  // popup opened for the run in flight
let currentQuery;             // redirectQueries[currentTest]

// receiveMessage is a hoisted function declaration, so registering here is safe.
window.addEventListener("message", receiveMessage);
     58 
     59 // Receive the message and verify that it comes from an https site.
     60 // When the message is 'upgraded' it was sent by an https site;
     61 // then validate that we received the right cookie, and verify that for a
     62 // cross-origin request we didn't receive a cookie.
// Handles the result the popup posts back for the current run: the popup must
// have been upgraded to https, and the cookie it saw must be present for a
// same-origin run and absent for a cross-origin run. Afterwards the driver
// state is advanced and either the test finishes or the next popup is opened.
async function receiveMessage(event) {
  // NOTE(review): neither event.origin nor event.source is checked, so any
  // window able to post to this page could drive these assertions. In the
  // mochitest harness this is tolerated; an `event.source === testWin` guard
  // would reject stray messages — confirm the .sjs posts from the top-level
  // popup (and not from a nested frame) before adding it.
  const { result, loc, cookie } = event.data;
  currentQuery = redirectQueries[currentTest];
  const combination = ALL_COOKIE_COMB[currentRun];

  ok(result === "upgraded", `Upgraded successful to https for ${currentQuery}`);
  // NOTE(review): a substring match is lenient (it would also match "https"
  // inside a query string); `startsWith("https://")` is stricter if `loc` is a
  // full URL — confirm what the .sjs reports before tightening.
  ok(loc.includes("https"), `scheme is 'https' for ${currentQuery}`);

  if (sameOriginRequest) {
    is(
      cookie.includes(`${currentQuery}=${currentRun}`),
      true,
      `Cookie successfully arrived for ${currentQuery} ${combination}`
    );
  } else {
    ok(
      cookie === "",
      `Cookie from cross-Origin site shouldn't be accepted ${currentQuery} ${combination}`
    );
  }

  testWin.close();
  // Presumably drops any HTTPS-First exemption recorded for the origin so the
  // next run is upgraded again rather than served over http — not verifiable
  // from this file.
  const origin = sameOriginRequest ? SAME_ORIGIN : CROSS_ORIGIN;
  await SpecialPowers.removePermission("https-only-load-insecure", origin);

  currentRun++;
  const onLastQuery = currentTest >= redirectQueries.length - 1;
  const onLastRun = currentRun === ALL_COOKIE_COMB.length;
  if (onLastQuery && onLastRun && !sameOriginRequest) {
    window.removeEventListener("message", receiveMessage);
    // NOTE(review): this pref is not among those pushed via pushPrefEnv in
    // this file (those are restored by the harness); confirm where it is set.
    SpecialPowers.clearUserPref("network.cookie.sameSite.laxByDefault");
    SimpleTest.finish();
    return;
  }
  runTest();
}
     87 
// Opens the popup for the current (query, cookie combination, origin) triple.
// Once every combination has run for the current origin it switches to the
// cross-origin pass of the same query (or, after that, to the next query) and
// recurses. Completion is detected in receiveMessage(), not here.
async function runTest() {
  currentQuery = redirectQueries[currentTest];

  if (currentRun < ALL_COOKIE_COMB.length) {
    // Combinations remain for this origin: open the popup. The page is
    // expected to post its result back to this window via the message
    // listener, so the popup intentionally keeps its opener reference.
    const origin = sameOriginRequest ? SAME_ORIGIN : CROSS_ORIGIN;
    testWin = window.open(`${origin}${currentQuery}${currentRun}`, "_blank");
    return;
  }

  // All combinations covered for this origin. After the cross-origin pass
  // advance to the next query; in both cases flip the origin and restart at
  // run 0. The recursive call recomputes currentQuery from currentTest.
  currentRun = 0;
  if (!sameOriginRequest) {
    currentTest++;
  }
  sameOriginRequest = !sameOriginRequest;
  runTest();
}
    112 
// Enable HTTPS-First and, presumably, allow sameSite=None cookies without the
// secure flag so the "notSecure,none" combination is not rejected before it
// reaches the test; pushPrefEnv restores the prefs when the test ends.
const TEST_PREFS = {
  set: [
    ["dom.security.https_first", true],
    ["network.cookie.sameSite.noneRequiresSecure", false],
  ],
};
SpecialPowers.pushPrefEnv(TEST_PREFS, runTest);
    117 
    118 </script>
    119 </body>
    120 </html>