
cookieStore_opaque_origin.https.html (2196B)


      1 <!DOCTYPE html>
      2 <meta charset=utf-8>
      3 <title>Cookie Store API: Opaque origins for cookieStore</title>
      4 <link rel=help href="https://cookiestore.spec.whatwg.org/">
      5 <script src="/resources/testharness.js"></script>
      6 <script src="/resources/testharnessreport.js"></script>
      7 <script>
      8 
      // Source text of one call per CookieStore method under test. The text is
      // spliced into the iframe's inline script, so each value must be a complete
      // expression that can follow `await`.
      const apiCalls = {
        get: 'cookieStore.get("cookie-name")',
        getAll: 'cookieStore.getAll()',
        set: 'cookieStore.set("cookie-name", "cookie-value")',
        delete: 'cookieStore.delete("cookie-name")',
      };

      // Markup for the iframe's srcdoc; "%s" is the placeholder for one apiCalls
      // entry. On any incoming message the frame awaits the call and reports back
      // either "no exception" or the name of the thrown exception. Only that
      // outcome string crosses the frame boundary, never cookie data.
      // The reply uses "*" as targetOrigin; a narrower value is not practical
      // because the frame posts to whichever document embeds it.
      const script = [
        '',
        '<script>',
        ' "use strict";',
        ' window.onmessage = async () => {',
        '   try {',
        '     await %s;',
        '     window.parent.postMessage({result: "no exception"}, "*");',
        '   } catch (ex) {',
        '     window.parent.postMessage({result: ex.name}, "*");',
        '   };',
        ' };',
        // The escaped slash keeps the HTML parser from closing the outer script
        // element early; the resulting string still reads "</script>".
        '<\/script>',
        '',
      ].join('\n');
     29 
     /**
      * Builds a hidden srcdoc iframe whose inline script performs one cookieStore
      * call when it receives a message, and attaches it to the document.
      *
      * @param {string} apiCall - Key into apiCalls selecting the call to embed.
      * @param {string} [sandbox] - Value for the iframe's sandbox attribute. When
      *     falsy, no sandbox attribute is set. A value without allow-same-origin
      *     (the sandboxed test passes 'allow-scripts') should give the framed
      *     document an opaque origin, which is the case this file exercises.
      * @returns {Promise<HTMLIFrameElement>} Resolves with the iframe once its
      *     load event has fired.
      */
     function load_iframe(apiCall, sandbox) {
       // Fill the "%s" placeholder with the source text of the selected call.
       const markup = script.replace("%s", apiCalls[apiCall]);

       return new Promise((resolve) => {
         const frame = document.createElement('iframe');
         frame.style.display = 'none';
         frame.onload = () => {
           resolve(frame);
         };
         // The sandbox flags must be in place before the content is assigned and
         // the element is inserted, so the document is created under them.
         if (sandbox) {
           frame.sandbox = sandbox;
         }
         frame.srcdoc = markup;
         document.documentElement.appendChild(frame);
       });
     }
     41 
     /**
      * Waits for the next message event whose sender is the given iframe.
      *
      * The sender is identified by comparing e.source with the iframe's window
      * rather than by e.origin: a sandboxed frame's origin is expected to be
      * opaque, so there is no origin string that would single it out. Messages
      * from any other window are ignored and the listener stays registered.
      *
      * @param {HTMLIFrameElement} iframe - Frame whose reply is awaited.
      * @returns {Promise<*>} Resolves with the data of the first matching message.
      */
     function wait_for_message(iframe) {
       return new Promise((resolve) => {
         const onMessage = (event) => {
           if (event.source !== iframe.contentWindow) {
             return;
           }
           // One reply per call: unregister so later messages are not consumed.
           self.removeEventListener('message', onMessage);
           resolve(event.data);
         };
         self.addEventListener('message', onMessage);
       });
     }
     52 
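     // Baseline: in an iframe without a sandbox attribute, every cookieStore
     // method listed in apiCalls must complete without throwing.
     promise_test(async t => {
       // `const` keeps the loop variable local instead of creating an implicit
       // global shared with the other test in this file.
       for (const apiCall in apiCalls) {
         const iframe = await load_iframe(apiCall);
         // The empty message is only a trigger for the frame's onmessage handler.
         iframe.contentWindow.postMessage({}, '*');
         const message = await wait_for_message(iframe);
         // Template literal, so the failing method is named in the description
         // (with single quotes the text "${apiCall}" was printed literally).
         assert_equals(message.result, 'no exception',
           `cookieStore ${apiCall} should not throw`);
       }
     }, 'cookieStore in non-sandboxed iframe should not throw');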
     62 
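     // Opaque-origin case: with sandbox="allow-scripts" (no allow-same-origin)
     // every cookieStore method listed in apiCalls is expected to reject with a
     // SecurityError, so a sandboxed document cannot read or write cookies.
     promise_test(async t => {
       // `const` keeps the loop variable local instead of creating an implicit
       // global shared with the other test in this file.
       for (const apiCall in apiCalls) {
         const iframe = await load_iframe(apiCall, 'allow-scripts');
         // '*' is required as targetOrigin here: the sandboxed frame's origin is
         // opaque and cannot be named. The payload is empty, so nothing
         // sensitive is exposed by the wildcard.
         iframe.contentWindow.postMessage({}, '*');
         const message = await wait_for_message(iframe);
         // Template literal, so the failing method is named in the description
         // (with single quotes the text "${apiCall}" was printed literally).
         assert_equals(message.result, 'SecurityError',
           `cookieStore ${apiCall} should throw SecurityError`);
       }
     }, 'cookieStore in sandboxed iframe should throw SecurityError');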
     72 
     73 </script>