/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// NOTE(review): HttpServer is imported but not referenced anywhere in this file.
const { HttpServer } = ChromeUtils.importESModule(
  "resource://testing-common/httpd.sys.mjs"
);

const urlPath = "/browser/netwerk/cookie/test/browser/file_empty.html";
const baseDomain = "example.com";

// Same host, two schemes: the test needs a genuinely insecure origin, so the
// plain-http URL is intentional.
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
const URL_INSECURE_COM = `http://${baseDomain}${urlPath}`;
const URL_SECURE_COM = `https://${baseDomain}${urlPath}`;

// Common cookie strings. They all use the name "foo", so every write is
// either an overwrite of the previous value or a rejected write.
const COOKIE_BASIC = "foo=one";
const COOKIE_OTHER = "foo=two";
const COOKIE_THIRD = "foo=three";
const COOKIE_FORTH = "foo=four";

// Appends the Secure attribute to a cookie string: a Secure cookie is only
// visible from https:// documents and only settable from a secure origin.
function securify(cookie) {
  return `${cookie}; Secure`;
}

// Prefs pinned for this test, in the order they are set; cleanup clears them
// in the same order.
const TEST_PREFS = [
  // HTTPS-First would upgrade the http:// tab and defeat the test.
  ["dom.security.https_first", false],
  // 0 = accept all cookies.
  ["network.cookie.cookieBehavior", 0],
  ["network.cookieJarSettings.unblocked_for_testing", true],
  ["network.cookie.sameSite.laxByDefault", false],
  ["network.cookie.sameSite.noneRequiresSecure", false],
  ["network.cookie.sameSite.schemeful", true],
];

registerCleanupFunction(() => {
  for (const [prefName] of TEST_PREFS) {
    Services.prefs.clearUserPref(prefName);
  }
  info("Cleaning up the test");
});

// Applies TEST_PREFS and starts from an empty cookie jar.
async function setup() {
  for (const [prefName, prefValue] of TEST_PREFS) {
    if (typeof prefValue === "boolean") {
      Services.prefs.setBoolPref(prefName, prefValue);
    } else {
      Services.prefs.setIntPref(prefName, prefValue);
    }
  }
  Services.cookies.removeAll();
}
add_task(setup);

// Notes:
// 1. The URL scheme does not matter for insecure (non-Secure) cookies, since
//    cookies are not "schemeful" in this sense: an insecure cookie set from
//    anywhere is visible on both http and https documents.
//    Secure cookies are different: they are only visible from https documents,
//    and their presence blocks setting a cookie of the same name from an
//    insecure origin.
//
// 2. The different processes (tabs) should not matter, since cookie adds and
//    changes are distributed to other processes on a need-to-know basis.
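// Sets `cookie` through document.cookie in `browser`'s content process and
// asserts that document.cookie afterwards reads back as `expected`.
// A rejected write does not throw — document.cookie fails silently — so the
// read-back is the only observable signal of whether the write took effect.
async function setDocumentCookie(browser, cookie, expected) {
  await SpecialPowers.spawn(
    browser,
    [cookie, expected],
    (cookieToSet, expectedValue) => {
      content.document.cookie = cookieToSet;
      is(content.document.cookie, expectedValue);
    }
  );
}

// Asserts that document.cookie in `browser`'s content process equals
// `expected`, without writing anything.
async function checkDocumentCookie(browser, expected) {
  await SpecialPowers.spawn(browser, [expected], expectedValue => {
    is(content.document.cookie, expectedValue);
  });
}

// A document on an insecure origin must not be able to replace a Secure cookie
// of the same name, while a secure origin may still overwrite it either way.
add_task(async function test_insecure_cant_overwrite_secure_via_doc() {
  // insecure origin (http://)
  const tab1 = BrowserTestUtils.addTab(gBrowser, URL_INSECURE_COM);
  const browser = gBrowser.getBrowserForTab(tab1);
  await BrowserTestUtils.browserLoaded(browser);

  // secure origin (https://), same host
  const tab2 = BrowserTestUtils.addTab(gBrowser, URL_SECURE_COM);
  const browser2 = gBrowser.getBrowserForTab(tab2);
  await BrowserTestUtils.browserLoaded(browser2);

  try {
    // init with insecure cookie on the insecure origin's child process
    await setDocumentCookie(browser, COOKIE_BASIC, COOKIE_BASIC);

    // insecure cookie visible on the secure origin's process (sanity check)
    await checkDocumentCookie(browser2, COOKIE_BASIC);

    // overwrite insecure cookie on secure origin with a Secure cookie
    // (sanity check)
    await setDocumentCookie(browser2, securify(COOKIE_OTHER), COOKIE_OTHER);

    // insecure cookie will NOT overwrite the Secure one from the insecure
    // origin: the write is silently dropped, and document.cookie appears
    // blank because the only "foo" cookie is Secure and hidden from http://.
    await setDocumentCookie(browser, COOKIE_THIRD, "");

    // the Secure cookie itself must be untouched, as seen from the secure
    // origin
    await checkDocumentCookie(browser2, COOKIE_OTHER);

    // an insecure cookie WILL overwrite the Secure cookie when set from the
    // secure origin — a bit weird, but this is normal
    await setDocumentCookie(browser2, COOKIE_FORTH, COOKIE_FORTH);
  } finally {
    // Always tear down, even if a spawn rejects, so the tabs and the cookie
    // jar do not leak into later tasks.
    BrowserTestUtils.removeTab(tab1);
    BrowserTestUtils.removeTab(tab2);
    Services.cookies.removeAll();
  }
});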