
service-worker-sandbox.https.html (2522B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
      6 <body>
      7 <script>
      // Registration inputs (relative URLs): the scope the worker is registered
      // for, and the worker script itself.
      const scope = 'support/empty.html';
      const script = 'support/sandboxed-service-worker.js';

      // Shared state, assigned by the 'global setup' test and read by later tests.
      let frame = null;   // iframe opened at `scope`
      let worker = null;  // ServiceWorker taken from registration.installing

      // Sandbox directives for workers are currently not specified
      // (https://github.com/w3c/webappsec-csp/issues/279), so this test asserts
      // that the origin of the ServiceWorker is NOT sandboxed.
      // NOTE(review): the script name suggests the worker is served with a sandbox
      // policy; that policy is set outside this file - confirm against the support
      // files. The assertions below pin today's unspecified behaviour, not a
      // guarantee that a sandbox policy isolates a worker.
     16 
     // Global setup: this must be the first promise_test, because the tests that
     // follow read the `frame` assigned here.
     promise_test(async (t) => {
       const reg = await service_worker_unregister_and_register(t, script, scope);
       worker = reg.installing;
       await wait_for_state(t, worker, 'activated');
       frame = await with_iframe(scope);

       // Global cleanup: meant to be the final promise_test. It is registered only
       // once setup has got this far, so a failure above leaves no cleanup test.
       const cleanup = () => {
         if (frame) {
           frame.remove();
         }
         return reg.unregister();
       };
       promise_test(cleanup, 'global cleanup');
     }, 'global setup');
     32 
     // Fetch '/get-origin' from inside the frame in CORS mode and compare the
     // reported origin with this page's origin.
     // NOTE(review): presumably the worker answers '/get-origin' with its own
     // origin; the handler is in the worker script, not in this file - confirm.
     promise_test(async (t) => {
       const response =
           await frame.contentWindow.fetch('/get-origin', {mode: 'cors'});
       const {origin: reported} = await response.json();
       assert_equals(reported, location.origin, 'Origin should not be sandboxed');
     }, 'Origin of service worker');
     38 
     // Same request as the CORS case, but in 'same-origin' mode: the response
     // must still be readable and must report this page's origin, i.e. the origin
     // is not opaque.
     promise_test(async (t) => {
       const init = {mode: 'same-origin'};
       const response = await frame.contentWindow.fetch('/get-origin', init);
       const {origin: reported} = await response.json();
       assert_equals(reported, location.origin, 'Origin should not be opaque');
     }, 'Response generated by service worker can be fetched as same-origin');
     45 
     // Because the origin of the service worker should be `location.origin`,
     // fetches from the service worker to `location.origin` should succeed in both
     // request modes, whichever of the two resources is requested.
     // NOTE(review): presumably '/fetch?url=...' makes the worker fetch the given
     // URL, and 'cors-top.txt' is the variant served with an
     // Access-Control-Allow-Origin header - neither is visible here, confirm.
     for (const mode of ['same-origin', 'cors']) {
       for (const hasACAOrigin of [true, false]) {
         const label = 'Origin used in fetch on service worker (mode: ' +
             mode +
             (hasACAOrigin ? ', with ACAOrigin' : '') +
             ')';

         promise_test(async (t) => {
           const leaf = hasACAOrigin ? 'cors-top.txt' : 'top.txt';
           const final_url = new URL('/fetch/api/resources/', location);
           final_url.pathname += leaf;
           // Math.random() only makes each URL unique; it is not used as a secret.
           final_url.searchParams.set('hash', Math.random());

           const url = new URL('/fetch', location);
           url.searchParams.set('url', final_url);
           url.searchParams.set('hash', Math.random());

           const response = await frame.contentWindow.fetch(url, {mode});
           const body = await response.text();
           assert_equals(body, 'top');
         }, label);
       }
     }
     67 </script>