tor-browser

The Tor Browser

schemeful-websockets.sub.tentative.html (2553B)


      1 <!doctype html>
      2 <html>
      3 <head>
      4  <meta charset=utf-8>
      5  <script src="/resources/testharness.js"></script>
      6  <script src="/resources/testharnessreport.js"></script>
      7  <script src="/cookies/resources/testharness-helpers.js"></script>
      8  <script src="/cookies/resources/cookie-helper.sub.js"></script>
      9 </head>
     10 <body>
     11 <div id=log></div>
     12 <script>
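     /**
      * Schemeful same-site check for WebSocket handshakes.
      *
      * Sets a SameSite=Strict and a SameSite=Lax cookie from this document and a
      * `samesite_none_secure` cookie through SECURE_ORIGIN, then opens two sockets
      * to the /echo-cookie endpoint and inspects the message each one sends back:
      *   - ws://  (treated by this test as same-scheme): Strict and Lax cookies
      *     must be present.
      *   - wss:// (treated as cross-scheme, hence cross-site): only the
      *     SameSite=None cookie may be present; Strict and Lax must be absent.
      *
      * The negative assertions on the wss:// reply are what pin the security
      * property: the Strict/Lax cookies set by this document must not be attached
      * to a handshake that differs from the document only by scheme.
      *
      * `{{host}}` and `{{ports[...]}}` are server-side substitutions (this is a
      * `.sub.` file) and must stay verbatim in the URLs.
      */
     promise_test(async function (t) {
       // Register cleanup before any state is created, so the cookies are still
       // dropped if the setup fetch below rejects and the test aborts early.
       t.add_cleanup(async function () {
         await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_strict");
         await credFetch(origin + "/cookies/resources/drop.py?name=" + "schemeful_same_site_websockets_lax");
         await credFetch(SECURE_ORIGIN + "/cookies/resources/dropSameSiteNone.py");
       });

       // One random value per run, shared by all three cookies; every pattern
       // below looks for exactly this value.
       const value = "" + Math.random();
       document.cookie = `schemeful_same_site_websockets_strict=${value}; sameSite=strict; path=/`;
       document.cookie = `schemeful_same_site_websockets_lax=${value}; sameSite=lax; path=/`;
       await credFetch(SECURE_ORIGIN + "/cookies/resources/setSameSiteNone.py?" + value);

       // The stringified number contains "." (and may contain other regex
       // metacharacters); escape it so the patterns match the literal value only.
       const literalValue = value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
       const strictRegex = new RegExp("schemeful_same_site_websockets_strict=" + literalValue);
       const laxRegex = new RegExp("schemeful_same_site_websockets_lax=" + literalValue);
       const noneRegex = new RegExp("samesite_none_secure=" + literalValue);

       const ws = new WebSocket("ws://{{host}}:{{ports[ws][0]}}/echo-cookie");
       // Only `resolve` is needed: every failure path goes through a
       // t.step_func/t.step_func_done wrapper rather than a rejection.
       return new Promise((resolve) => {
         // A close before the echoed message means no cookie data was received.
         ws.onclose = t.step_func_done(function () {
           assert_unreached("'close' should not fire before 'open'.");
         });
         ws.onmessage = t.step_func(function (e) {
           // The message arrived, so the close triggered below is expected.
           ws.onclose = null;
           ws.close();
           // Same-scheme WebSockets should get Lax and Strict cookies.
           assert_regexp_match(e.data, strictRegex, "Same-scheme strict");
           assert_regexp_match(e.data, laxRegex, "Same-scheme lax");

           const ws2 = new WebSocket("wss://{{host}}:{{ports[wss][0]}}/echo-cookie");
           ws2.onclose = t.step_func_done(function () {
             assert_unreached("'close' should not fire before 'open'.");
           });
           ws2.onmessage = t.step_func(function (e2) {
             ws2.onclose = null;
             ws2.close();
             // Cross-scheme WebSockets should only get samesite_none.
             assert_regexp_match(e2.data, noneRegex, "Cross-scheme none");
             // Any Strict/Lax cookie echoed here was sent on a cross-site
             // handshake, which is the leak this test exists to catch.
             assert_false(strictRegex.test(e2.data), "Cross-scheme strict");
             assert_false(laxRegex.test(e2.data), "Cross-scheme lax");
             resolve();
           });
         });
       });
     }, "Cross-scheme WebSockets are cross-site");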
     55 </script>
     56 </body>
     57 </html>