tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

img.https.html (4918B)

      1 <!DOCTYPE html>
      2 <meta charset="utf-8"/>
      3 <meta name="timeout" content="long">
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="/cookies/resources/cookie-helper.sub.js"></script>
      7 <script>
      8  function assert_cookie_present(origin, name, value) {
      9    return new Promise((resolve, reject) => {
     10      var img = document.createElement("img");
     11      img.onload = _ => resolve("'" + name + "=" + value + "' present on " + origin);
     12      img.onerror = _ => reject("'" + name + "=" + value + "' not present on " + origin);
     13 
     14      // We need to URL encode the destination path/query if we're redirecting:
     15      if (origin.match(/\/redir/))
     16        img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value);
     17      else
     18        img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
     19    });
     20  }
     21 
     22  function assert_cookie_absent(origin, name, value) {
     23    return new Promise((resolve, reject) => {
     24      var img = document.createElement("img");
     25      img.onload = _ => reject("'" + name + "=" + value + "' present on " + origin);
     26      img.onerror = _ => resolve("'" + name + "=" + value + "' not present on " + origin);
     27 
     28      // We need to URL encode the destination path/query if we're redirecting:
     29      if (origin.match(/\/redir/))
     30        img.src = origin + encodeURIComponent("/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value);
     31      else
     32        img.src = origin + "/cookies/resources/imgIfMatch.py?name=" + name + "&value=" + value;
     33    });
     34  }
     35 
     36  function create_test(origin, target, expectedStatus, title) {
     37    promise_test(t => {
     38      var value = "" + Math.random();
     39      return resetSameSiteCookies(origin, value)
     40        .then(_ => {
     41          var asserts = [assert_cookie_present(target, "samesite_none", value),
     42                         expectedStatus == SameSiteStatus.STRICT ?
     43                           assert_cookie_present(target, "samesite_strict", value) :
     44                           assert_cookie_absent(target, "samesite_strict", value),
     45                         expectedStatus == SameSiteStatus.CROSS_SITE ?
     46                           assert_cookie_absent(target, "samesite_lax", value) :
     47                           assert_cookie_present(target, "samesite_lax", value),
     48                         expectedStatus == SameSiteStatus.CROSS_SITE ?
     49                           assert_cookie_absent(target, "samesite_unspecified", value) :
     50                           assert_cookie_present(target, "samesite_unspecified", value)];
     51          return Promise.all(asserts);
     52        });
     53    }, title);
     54  }
     55 
     56  // No redirect:
     57  create_test(SECURE_ORIGIN, SECURE_ORIGIN, SameSiteStatus.STRICT, "Same-host images are strictly same-site");
     58  create_test(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN, SameSiteStatus.STRICT, "Subdomain images are strictly same-site");
     59  create_test(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, SameSiteStatus.CROSS_SITE, "Cross-site images are cross-site");
     60 
     61  // Redirect from {same-host,subdomain,cross-site} to same-host:
     62  create_test(SECURE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to same-host images are strictly same-site");
     63  create_test(SECURE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to same-host images are strictly same-site");
     64  create_test(SECURE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to same-host images are cross-site");
     65 
     66  // Redirect from {same-host,subdomain,cross-site} to same-host:
     67  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Same-host redirecting to subdomain images are strictly same-site");
     68  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.STRICT, "Subdomain redirecting to subdomain images are strictly same-site");
     69  create_test(SECURE_SUBDOMAIN_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_SUBDOMAIN_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to subdomain images are cross-site");
     70 
     71  // Redirect from {same-host,subdomain,cross-site} to cross-site:
     72  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Same-host redirecting to cross-site images are cross-site");
     73  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_SUBDOMAIN_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Subdomain redirecting to cross-site images are cross-site");
     74  create_test(SECURE_CROSS_SITE_ORIGIN, redirectTo(SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN), SameSiteStatus.CROSS_SITE, "Cross-site redirecting to cross-site images are cross-site");
     75 </script>