
iframe.document.https.html (2647B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8"/>
      3 <meta name="timeout" content="long">
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="/cookies/resources/cookie-helper.sub.js"></script>
      7 <!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
      8 <body>
      9 <script>
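 /**
  * Loads `src` in a freshly created <iframe> and resolves with the first
  * `message` payload posted by that frame's window.
  *
  * The frame is detached from the document as soon as its message arrives.
  * Only a message whose `source` is this frame's window is accepted; posts
  * from any other window are ignored, so an unrelated frame cannot satisfy
  * this wait. The listener is removed once it has fired.
  *
  * @param {Test} t - testharness Test whose step_func wraps the listener.
  * @param {string} src - URL to load in the frame.
  * @returns {Promise<any>} the `e.data` posted by the frame.
  */
 function loadFrameAndAwaitMessage(t, src) {
   return new Promise((resolve) => {
     const iframe = document.createElement("iframe");

     const onMessage = t.step_func((e) => {
       // Bind the wait to the frame we created, not to whatever else posts.
       if (e.source !== iframe.contentWindow) {
         return;
       }
       window.removeEventListener("message", onMessage);
       document.body.removeChild(iframe);
       resolve(e.data);
     });

     window.addEventListener("message", onMessage);
     iframe.src = src;
     document.body.appendChild(iframe);
   });
 }

 /**
  * Registers one promise_test checking which SameSite cookies a document at
  * `target` can write through document.cookie from inside an <iframe>.
  *
  * Flow: (1) load target's iframe.document.html, which writes the
  * dc_samesite_* cookies via document.cookie and posts back the value it
  * used; (2) load target's postToParent.py, which posts back the cookies it
  * received; then assert on that second payload. The SameSite=None cookie
  * is the control: it must always carry the value from step (1).
  *
  * @param {string} target - origin loaded in the frames (same-site or cross-site to this page).
  * @param {DomSameSiteStatus} expectedDomStatus - SAME_SITE or CROSS_SITE; selects the lax/strict expectation.
  * @param {string} title - title passed to promise_test.
  */
 function create_test(target, expectedDomStatus, title) {
   promise_test(async (t) => {
     const first = await loadFrameAndAwaitMessage(t, `${target}/cookies/samesite/resources/iframe.document.html`);
     const cookieValue = first.value;

     const cookies = await loadFrameAndAwaitMessage(t, `${target}/cookies/resources/postToParent.py`);

     assert_equals(cookies["dc_samesite_none"], cookieValue, "SameSite=none cookies can be set via document.cookies even by cross-origin documents");

     switch (expectedDomStatus) {
       case DomSameSiteStatus.SAME_SITE:
         assert_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies can be set via document.cookies by same-site documents");
         assert_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies can be set via document.cookies by same-site documents");
         break;
       case DomSameSiteStatus.CROSS_SITE:
         // Messages describe the expectation actually being asserted here:
         // a cross-site frame's lax/strict writes must not be visible.
         assert_not_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies cannot be set via document.cookie by cross-site documents");
         assert_not_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies cannot be set via document.cookie by cross-site documents");
         break;
       default:
         // An unknown status previously passed without asserting anything.
         assert_unreached(`Unknown expectedDomStatus: ${expectedDomStatus}`);
     }
   }, title);
 }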
     54 
 // One test per frame origin: a same-site frame may write lax/strict cookies
 // via document.cookie, a cross-site frame may not.
 const sameSiteCases = [
   [SECURE_ORIGIN, DomSameSiteStatus.SAME_SITE, "Same-site iframes can set lax/strict cookies via document.cookie"],
   [SECURE_CROSS_SITE_ORIGIN, DomSameSiteStatus.CROSS_SITE, "Cross-site iframe cannot set lax/strict cookies via document.cookie"],
 ];
 for (const [origin, status, title] of sameSiteCases) {
   create_test(origin, status, title);
 }
     57 </script>