setcookie-navigation.https.html (5017B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <meta name="timeout" content="long">
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="/cookies/resources/cookie-helper.sub.js"></script>
      7 <script>
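 /**
  * Asserts that each cookie named in `expected_cookie_names` is present
  * (or, when `expectation` is false, absent) in the cookie string `cookies`
  * with exactly the value `value`.
  *
  * @param {string} cookies - A `document.cookie`-style string ("a=1; b=2").
  * @param {string} value - The value every named cookie is expected to carry.
  * @param {string[]} expected_cookie_names - Cookie names to look for.
  * @param {boolean} expectation - true to require presence, false to require absence.
  */
 function assert_cookies_present(cookies, value, expected_cookie_names, expectation) {
   // Match `name=value` only as a whole cookie: at the start of the string or
   // after "; ", and followed by end-of-string or ";". Name and value are
   // escaped so regex metacharacters (e.g. the "." in a Math.random() value)
   // are matched literally instead of acting as wildcards.
   const escape_re = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
   const assertion = expectation ? assert_true : assert_false;
   // `const` keeps the loop variable local; a bare `name` in a browser script
   // would instead assign to window.name.
   for (const name of expected_cookie_names) {
     const re = new RegExp(`(?:^|; )${escape_re(name)}=${escape_re(value)}(?:$|;)`);
     assertion(re.test(cookies), `\`${name}=${value}\` in cookies`);
   }
 }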
     17 
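 /**
  * Navigates a popup from SECURE_ORIGIN to `origin_to` and expects the
  * navigation response to set all four SameSite cookie variants on `origin_to`.
  *
  * @param {string} method - "POST" submits a form to `origin_to`; any other
  *   value performs a plain (GET) navigation.
  * @param {string} origin_to - Origin whose setSameSite.py endpoint sets the cookies.
  * @param {string} title - Subtest title passed to promise_test.
  */
 function navigate_test(method, origin_to, title) {
   promise_test(async function(t) {
     // The cookies don't need to be cleared on each run because |value| is
     // a new random value on each run, so on each run we are overwriting and
     // checking for a cookie with a different random value.
     const value = `${Math.random()}`;
     const url_from = `${SECURE_ORIGIN}/cookies/samesite/resources/navigate.html`;
     const url_to = `${origin_to}/cookies/resources/setSameSite.py?${value}`;
     const w = window.open(url_from);
     // Close the popup even when an assertion below fails, so a failing
     // subtest does not leave a window open for the next one.
     t.add_cleanup(() => w?.close());
     await wait_for_message('READY', SECURE_ORIGIN);
     assert_equals(SECURE_ORIGIN, window.origin);
     assert_equals(SECURE_ORIGIN, w.origin);
     const command = (method === "POST") ? "post-form" : "navigate";
     // The helper page was just verified to be on SECURE_ORIGIN, so the
     // message is scoped to that origin rather than the "*" wildcard.
     w.postMessage({ type: command, url: url_to }, SECURE_ORIGIN);
     const message = await wait_for_message('COOKIES_SET', origin_to);
     const samesite_cookie_names = ['samesite_strict', 'samesite_lax', 'samesite_none', 'samesite_unspecified'];
     assert_cookies_present(message.data.cookies, value, samesite_cookie_names, true);
   }, title);
 }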
     40 
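 /**
  * Opens a page on SECURE_ORIGIN containing an iframe on `iframe_origin_from`,
  * then has that iframe navigate itself to `iframe_origin_to`. Expects the
  * navigation to set SameSite=None cookies always, and the other SameSite
  * variants only when the navigation is not cross-site.
  *
  * @param {string} iframe_origin_from - Origin the iframe starts on.
  * @param {string} iframe_origin_to - Origin the iframe navigates to; its
  *   setSameSite.py endpoint sets the cookies.
  * @param {boolean} cross_site - true when the navigation is cross-site and so
  *   only the SameSite=None cookie is expected to be set.
  * @param {string} title - Subtest title passed to promise_test.
  */
 function navigate_iframe_test(iframe_origin_from, iframe_origin_to, cross_site, title) {
   promise_test(async function(t) {
     // The cookies don't need to be cleared on each run because |value| is
     // a new random value on each run, so on each run we are overwriting and
     // checking for a cookie with a different random value.
     const value = `${Math.random()}`;
     const parent_url = `${SECURE_ORIGIN}/cookies/samesite/resources/navigate-iframe.html`;
     const iframe_url_from = `${iframe_origin_from}/cookies/samesite/resources/navigate.html`;
     const iframe_url_to = `${iframe_origin_to}/cookies/resources/setSameSite.py?${value}`;
     const w = window.open(parent_url);
     // Close the popup even when an assertion below fails, so a failing
     // subtest does not leave a window open for the next one.
     t.add_cleanup(() => w?.close());
     await wait_for_message('LOADED', SECURE_ORIGIN);
     assert_equals(SECURE_ORIGIN, window.origin);
     assert_equals(SECURE_ORIGIN, w.origin);
     // The parent page was just verified to be on SECURE_ORIGIN, so both
     // messages are scoped to that origin rather than the "*" wildcard.
     // Navigate the frame to its starting location.
     w.postMessage({ type: 'initialize-iframe', url: iframe_url_from }, SECURE_ORIGIN);
     await wait_for_message('FRAME_READY', SECURE_ORIGIN);
     // Have the frame navigate itself, possibly cross-site.
     w.postMessage({ type: 'navigate-iframe', url: iframe_url_to }, SECURE_ORIGIN);
     const message = await wait_for_message('FRAME_COOKIES_SET', SECURE_ORIGIN);
     // SameSite=None must always be set; the remaining variants only when
     // the frame navigation was same-site.
     const samesite_none_cookies = ['samesite_none'];
     const samesite_cookies = ['samesite_strict', 'samesite_lax', 'samesite_unspecified'];
     assert_cookies_present(message.data.cookies, value, samesite_none_cookies, true);
     assert_cookies_present(message.data.cookies, value, samesite_cookies, !cross_site);
   }, title);
 }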
     71 
 // Top-level navigations: [method, destination origin, subtest title].
 const top_level_cases = [
   ["GET", SECURE_ORIGIN, "Same-site top-level navigation should be able to set SameSite=* cookies."],
   ["GET", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level navigation should be able to set SameSite=* cookies."],
   ["POST", SECURE_ORIGIN, "Same-site top-level POST should be able to set SameSite=* cookies."],
   ["POST", SECURE_CROSS_SITE_ORIGIN, "Cross-site top-level POST should be able to set SameSite=* cookies."],
 ];
 for (const [method, origin_to, title] of top_level_cases) {
   navigate_test(method, origin_to, title);
 }

 // Iframe navigations: [origin from, origin to, is cross-site, subtest title].
 const iframe_cases = [
   [SECURE_ORIGIN, SECURE_ORIGIN, false, "Same-site to same-site iframe navigation should be able to set SameSite=* cookies."],
   [SECURE_CROSS_SITE_ORIGIN, SECURE_ORIGIN, true, "Cross-site to same-site iframe navigation should only be able to set SameSite=None cookies."],
   [SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, true, "Same-site to cross-site-site iframe navigation should only be able to set SameSite=None cookies."],
   [SECURE_CROSS_SITE_ORIGIN, SECURE_CROSS_SITE_ORIGIN, true, "Cross-site to cross-site iframe navigation should only be able to set SameSite=None cookies."],
 ];
 for (const [origin_from, origin_to, cross_site, title] of iframe_cases) {
   navigate_iframe_test(origin_from, origin_to, cross_site, title);
 }
     81 </script>