schemeful-subresource.tentative.html (2353B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8"/>
      3 <meta name="timeout" content="long">
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="/cookies/resources/cookie-helper.sub.js"></script>
      7 <!-- We're appending an <iframe> to the document's body, so execute tests after we have a body -->
      8 <body>
      9 <script>
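 // Registers one promise_test that loads `target`'s /cookies/resources/postToParent.py
 // in an <iframe> and checks whether the SameSite=Lax/Strict cookies set below by
 // this document are sent to it.
 //
 //   target            absolute origin of the frame (INSECURE_ORIGIN / SECURE_ORIGIN
 //                     from cookie-helper.sub.js); parsed with `new URL`, so it must
 //                     be an absolute URL
 //   expectedDomStatus DomSameSiteStatus.SAME_SITE or DomSameSiteStatus.CROSS_SITE;
 //                     selects which set of assertions runs
 //   title             subtest name as reported by testharness
 function create_test(target, expectedDomStatus, title) {
   promise_test(async t => {
     // A fresh random value per subtest, so a stale cookie left over from an
     // earlier subtest or an earlier run can never satisfy the assertions.
     const cookieValue = "" + Math.random();
     document.cookie = `dc_samesite_strict=${cookieValue}; sameSite=strict; path=/`;
     document.cookie = `dc_samesite_lax=${cookieValue}; sameSite=lax; path=/`;
     // SameSite=None requires `Secure` which complicates the test and we don't
     // need it, so don't add it.

     // Don't leave the cookies behind for whatever runs next in this document.
     t.add_cleanup(() => {
       document.cookie = "dc_samesite_strict=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
       document.cookie = "dc_samesite_lax=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
     });

     const expectedOrigin = new URL(target).origin;
     const iframe = document.createElement("iframe");

     const reply = await new Promise(resolve => {
       // Only the frame we created may answer; any other message posted to this
       // window (other frames, extensions, stray postMessage calls) is ignored.
       const onMessage = e => {
         if (e.source !== iframe.contentWindow) {
           return;
         }
         // One-shot: detach the listener and tear the frame down before asserting.
         window.removeEventListener("message", onMessage);
         document.body.removeChild(iframe);
         resolve({ origin: e.origin, cookies: e.data });
       };
       window.addEventListener("message", onMessage);
       // Install the listener before setting src so a fast reply cannot race it.
       iframe.src = target + "/cookies/resources/postToParent.py";
       document.body.appendChild(iframe);
     });

     // Matching `e.source` alone does not prove which origin answered (the frame
     // could have been navigated); pin the reply to the origin we loaded.
     assert_equals(reply.origin, expectedOrigin, "reply must come from the origin we framed");
     const cookies = reply.cookies;

     if (expectedDomStatus === DomSameSiteStatus.SAME_SITE) {
       assert_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies can be sent to same-scheme subresources");
       assert_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies can be sent to same-scheme subresources");
     } else if (expectedDomStatus === DomSameSiteStatus.CROSS_SITE) {
       // Random per-subtest value: "not equal" covers both "cookie absent" and
       // "some unrelated cookie of the same name was sent".
       assert_not_equals(cookies["dc_samesite_lax"], cookieValue, "SameSite=lax cookies cannot be sent to cross-scheme subresources");
       assert_not_equals(cookies["dc_samesite_strict"], cookieValue, "SameSite=strict cookies cannot be sent to cross-scheme subresources");
     } else {
       // Previously an unknown status ran no assertions and passed vacuously.
       assert_unreached(`unknown DomSameSiteStatus: ${expectedDomStatus}`);
     }
   }, title);
 }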
     45 
 // Cross-scheme subresources (here: <iframe>s) must be treated as cross-site and
 // same-scheme ones as same-site. INSECURE_ORIGIN is the same-scheme case, so this
 // test is meant to be loaded from an insecure (http) document.
 // NOTE(review): "cannot sent" in the second title is a typo; it is left untouched
 // here because a renamed subtest can orphan expectation metadata keyed on its name.
 const subresourceCases = [
   [INSECURE_ORIGIN, DomSameSiteStatus.SAME_SITE, "Same-scheme subresources can send lax/strict cookies"],
   [SECURE_ORIGIN, DomSameSiteStatus.CROSS_SITE, "Cross-scheme subresources cannot sent lax/strict cookies"],
 ];
 for (const [origin, status, title] of subresourceCases) {
   create_test(origin, status, title);
 }
     49 </script>