test_webauthn_sameorigin.html (12014B)
1 <!DOCTYPE html> 2 <meta charset=utf-8> 3 <head> 4 <title>Test for MakeCredential for W3C Web Authentication</title> 5 <script src="/tests/SimpleTest/SimpleTest.js"></script> 6 <script type="text/javascript" src="u2futil.js"></script> 7 <script type="text/javascript" src="pkijs/common.js"></script> 8 <script type="text/javascript" src="pkijs/asn1.js"></script> 9 <script type="text/javascript" src="pkijs/x509_schema.js"></script> 10 <script type="text/javascript" src="pkijs/x509_simpl.js"></script> 11 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> 12 </head> 13 <body> 14 15 <h1>Test Same Origin Policy for W3C Web Authentication</h1> 16 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309284">Mozilla Bug 1309284</a> 17 18 <script class="testbody" type="text/javascript"> 19 "use strict"; 20 21 add_task(async () => { 22 await addVirtualAuthenticator(); 23 }); 24 25 is(navigator.authentication, undefined, "navigator.authentication does not exist any longer"); 26 isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist"); 27 isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist"); 28 isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist"); 29 30 let credm; 31 let chall; 32 let user; 33 let param; 34 let gTrackedCredential; 35 add_task(() => { 36 credm = navigator.credentials; 37 38 chall = new Uint8Array(16); 39 window.crypto.getRandomValues(chall); 40 41 user = {id: new Uint8Array(16), name: "none", displayName: "none"}; 42 param = {type: "public-key", alg: cose_alg_ECDSA_w_SHA256}; 43 gTrackedCredential = {}; 44 }); 45 46 add_task(test_basic_good); 47 add_task(test_rp_id_unset); 48 add_task(test_rp_name_unset); 49 add_task(test_origin_with_optional_fields); 50 add_task(test_blank_rp_id); 51 add_task(test_subdomain); 52 add_task(test_same_origin); 53 add_task(test_etld); 54 add_task(test_different_domain_same_tld); 55 add_task(test_assertion_basic_good); 56 add_task(test_assertion_rp_id_unset); 57 add_task(test_assertion_origin_with_optional_fields); 58 add_task(test_assertion_blank_rp_id); 59 add_task(test_assertion_subdomain); 60 add_task(test_assertion_same_origin); 61 add_task(test_assertion_etld); 62 add_task(test_assertion_different_domain_same_tld); 63 add_task(test_basic_good_with_origin); 64 add_task(test_assertion_basic_good_with_origin); 65 add_task(test_assertion_invalid_rp_id); 66 add_task(test_assertion_another_invalid_rp_id); 67 68 function arrivingHereIsGood(aResult) { 69 ok(true, "Good result! Received a: " + aResult); 70 } 71 72 function arrivingHereIsBad(aResult) { 73 ok(false, "Bad result! Received a: " + aResult); 74 } 75 76 function expectSecurityError(aResult) { 77 ok(aResult.toString().startsWith("SecurityError"), "Expecting a SecurityError"); 78 } 79 80 function expectTypeError(aResult) { 81 ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError"); 82 } 83 84 function keepThisPublicKeyCredential(aIdentifier) { 85 return function(aPublicKeyCredential) { 86 gTrackedCredential[aIdentifier] = { 87 type: "public-key", 88 id: new Uint8Array(aPublicKeyCredential.rawId), 89 transports: [ "usb" ], 90 } 91 return Promise.resolve(aPublicKeyCredential); 92 } 93 } 94 95 function test_basic_good() { 96 // Test basic good call 97 let rp = {id: document.domain, name: "none"}; 98 let makeCredentialOptions = { 99 rp, user, challenge: chall, pubKeyCredParams: [param] 100 }; 101 return credm.create({publicKey: makeCredentialOptions}) 102 .then(keepThisPublicKeyCredential("basic")) 103 .then(arrivingHereIsGood) 104 .catch(arrivingHereIsBad); 105 } 106 function test_rp_id_unset() { 107 // Test rp.id being unset 108 let makeCredentialOptions = { 109 rp: {name: "none"}, user, challenge: chall, pubKeyCredParams: [param] 110 }; 111 return credm.create({publicKey: makeCredentialOptions}) 112 .then(arrivingHereIsGood) 113 .catch(arrivingHereIsBad); 114 } 115 function test_rp_name_unset() { 116 // Test rp.name being unset 117 let makeCredentialOptions = { 118 rp: {id: document.domain}, user, challenge: chall, pubKeyCredParams: [param] 119 }; 120 return credm.create({publicKey: makeCredentialOptions}) 121 .then(arrivingHereIsBad) 122 .catch(expectTypeError); 123 } 124 function test_origin_with_optional_fields() { 125 // Test this origin with optional fields 126 let rp = {id: "user:pass@" + document.domain + ":8888", name: "none"}; 127 let makeCredentialOptions = { 128 rp, user, challenge: chall, pubKeyCredParams: [param] 129 }; 130 return credm.create({publicKey: makeCredentialOptions}) 131 .then(arrivingHereIsBad) 132 .catch(expectSecurityError); 133 } 134 function test_blank_rp_id() { 135 // Test blank rp.id 136 let rp = {id: "", name: "none"}; 137 let makeCredentialOptions = { 138 rp, user, challenge: chall, pubKeyCredParams: [param] 139 }; 140 return credm.create({publicKey: makeCredentialOptions}) 141 .then(arrivingHereIsBad) 142 .catch(expectSecurityError); 143 } 144 function test_subdomain() { 145 // Test subdomain of this origin 146 let rp = {id: "subdomain." + document.domain, name: "none"}; 147 let makeCredentialOptions = { 148 rp, user, challenge: chall, pubKeyCredParams: [param] 149 }; 150 return credm.create({publicKey: makeCredentialOptions}) 151 .then(arrivingHereIsBad) 152 .catch(expectSecurityError); 153 } 154 function test_same_origin() { 155 // Test the same origin 156 let rp = {id: "example.com", name: "none"}; 157 let makeCredentialOptions = { 158 rp, user, challenge: chall, pubKeyCredParams: [param] 159 }; 160 return credm.create({publicKey: makeCredentialOptions}) 161 .then(arrivingHereIsGood) 162 .catch(arrivingHereIsBad); 163 } 164 function test_etld() { 165 // Test the eTLD 166 let rp = {id: "com", name: "none"}; 167 let makeCredentialOptions = { 168 rp, user, challenge: chall, pubKeyCredParams: [param] 169 }; 170 return credm.create({publicKey: makeCredentialOptions}) 171 .then(arrivingHereIsBad) 172 .catch(expectSecurityError); 173 } 174 function test_different_domain_same_tld() { 175 // Test a different domain within the same TLD 176 let rp = {id: "alt.test", name: "none"}; 177 let makeCredentialOptions = { 178 rp, user, challenge: chall, pubKeyCredParams: [param] 179 }; 180 return credm.create({publicKey: makeCredentialOptions}) 181 .then(arrivingHereIsBad) 182 .catch(expectSecurityError); 183 } 184 function test_assertion_basic_good() { 185 // Test basic good call 186 let publicKeyCredentialRequestOptions = { 187 challenge: chall, 188 rpId: document.domain, 189 allowCredentials: [gTrackedCredential.basic] 190 }; 191 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 192 .then(arrivingHereIsGood) 193 .catch(arrivingHereIsBad); 194 } 195 function test_assertion_rp_id_unset() { 196 // Test rpId being unset 197 let publicKeyCredentialRequestOptions = { 198 challenge: chall, 199 allowCredentials: [gTrackedCredential.basic] 200 }; 201 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 202 .then(arrivingHereIsGood) 203 .catch(arrivingHereIsBad); 204 } 205 function test_assertion_origin_with_optional_fields() { 206 // Test this origin with optional fields 207 let publicKeyCredentialRequestOptions = { 208 challenge: chall, 209 rpId: "user:pass@" + document.origin + ":8888", 210 allowCredentials: [gTrackedCredential.basic] 211 }; 212 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 213 .then(arrivingHereIsBad) 214 .catch(expectSecurityError); 215 } 216 function test_assertion_blank_rp_id() { 217 // Test blank rpId 218 let publicKeyCredentialRequestOptions = { 219 challenge: chall, 220 rpId: "", 221 allowCredentials: [gTrackedCredential.basic] 222 }; 223 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 224 .then(arrivingHereIsBad) 225 .catch(expectSecurityError); 226 } 227 function test_assertion_subdomain() { 228 // Test subdomain of this origin 229 let publicKeyCredentialRequestOptions = { 230 challenge: chall, 231 rpId: "subdomain." + document.domain, 232 allowCredentials: [gTrackedCredential.basic] 233 }; 234 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 235 .then(arrivingHereIsBad) 236 .catch(expectSecurityError); 237 } 238 function test_assertion_same_origin() { 239 // Test the same origin 240 let publicKeyCredentialRequestOptions = { 241 challenge: chall, 242 rpId: "example.com", 243 allowCredentials: [gTrackedCredential.basic] 244 }; 245 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 246 .then(arrivingHereIsGood) 247 .catch(arrivingHereIsBad); 248 } 249 function test_assertion_etld() { 250 // Test the eTLD 251 let publicKeyCredentialRequestOptions = { 252 challenge: chall, 253 rpId: "com", 254 allowCredentials: [gTrackedCredential.basic] 255 }; 256 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 257 .then(arrivingHereIsBad) 258 .catch(expectSecurityError); 259 } 260 function test_assertion_different_domain_same_tld() { 261 // Test a different domain within the same TLD 262 let publicKeyCredentialRequestOptions = { 263 challenge: chall, 264 rpId: "alt.test", 265 allowCredentials: [gTrackedCredential.basic] 266 }; 267 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 268 .then(arrivingHereIsBad) 269 .catch(expectSecurityError); 270 } 271 function test_basic_good_with_origin() { 272 // Test basic good Create call but using an origin (Bug 1380421) 273 let rp = {id: window.origin, name: "none"}; 274 let makeCredentialOptions = { 275 rp, user, challenge: chall, pubKeyCredParams: [param] 276 }; 277 return credm.create({publicKey: makeCredentialOptions}) 278 .then(arrivingHereIsBad) 279 .catch(expectSecurityError); 280 } 281 function test_assertion_basic_good_with_origin() { 282 // Test basic good Get call but using an origin (Bug 1380421) 283 let publicKeyCredentialRequestOptions = { 284 challenge: chall, 285 rpId: window.origin, 286 allowCredentials: [gTrackedCredential.basic] 287 }; 288 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 289 .then(arrivingHereIsBad) 290 .catch(expectSecurityError); 291 } 292 function test_assertion_invalid_rp_id() { 293 // Test with an rpId that is not a valid domain string 294 let publicKeyCredentialRequestOptions = { 295 challenge: chall, 296 rpId: document.domain + ":somejunk", 297 allowCredentials: [gTrackedCredential.basic] 298 }; 299 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 300 .then(arrivingHereIsBad) 301 .catch(arrivingHereIsGood); 302 } 303 function test_assertion_another_invalid_rp_id() { 304 // Test with another rpId that is not a valid domain string 305 let publicKeyCredentialRequestOptions = { 306 challenge: chall, 307 rpId: document.domain + ":8888", 308 allowCredentials: [gTrackedCredential.basic] 309 }; 310 return credm.get({publicKey: publicKeyCredentialRequestOptions}) 311 .then(arrivingHereIsBad) 312 .catch(arrivingHereIsGood); 313 } 314 </script> 315 316 </body> 317 </html>