credentials-matching.https.html (5045B)
<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="helper.js" type="module"></script>

<script type="module">
  import {
    expireCookie,
    documentHasCookie,
    waitForCookie,
    addCookieAndSessionCleanup,
    setupShardedServerState,
    configureServer,
    pullServerState,
  } from "./helper.js";

  // These tests check which cookie attributes take part in deciding whether a
  // cookie present on a request satisfies the session's bound credential.
  // Per the test names and expectations below, lifetime attributes (Expires,
  // Max-Age) do not, while HttpOnly, SameSite, Secure, Path and Partitioned do.
  // A replacement cookie that does not match is expected to cause a refresh,
  // which is observed through the server's `hasCalledRefresh` flag.

  // An expiry one year ahead, used for the Expires case.
  const futureDate = new Date();
  futureDate.setFullYear(futureDate.getFullYear() + 1);

  /**
   * Registers a session whose credential carries `sessionCookieAttributes`,
   * swaps the cookie for one with the same name and value but
   * `requestCookieAttributes`, and checks whether the next authenticated
   * request triggered a refresh.
   *
   * @param {object} t - testharness test object, passed to the cleanup helper.
   * @param {string} sessionCookieAttributes - attribute string configured on
   *     the server for the session credential and used to expire the cookie.
   * @param {string} requestCookieAttributes - attribute string for the
   *     replacement cookie posted to set_cookie.py.
   * @param {boolean} expectCallRefresh - expected value of the server's
   *     `hasCalledRefresh` flag after the final request.
   */
  async function runTest(t, sessionCookieAttributes, requestCookieAttributes, expectCallRefresh) {
    await setupShardedServerState();
    const cookiePair = "auth_cookie=abcdef0123";
    const boundCookie = `${cookiePair};${sessionCookieAttributes}`;
    addCookieAndSessionCleanup(t);

    // The server is told which attributes the session credential (and its
    // Set-Cookie header) should carry.
    await configureServer({ cookieDetails: [{ attributes: sessionCookieAttributes }] });

    // Start a session and wait for the cookie to show up, which signals that
    // registration has completed.
    const login = await fetch('login.py');
    assert_equals(login.status, 200);
    await waitForCookie(cookiePair, /*expectCookie=*/true);

    // Baseline: an authenticated request succeeds with the original cookie.
    const beforeSwap = await fetch('verify_authenticated.py');
    assert_equals(beforeSwap.status, 200);

    // Drop the original cookie and install a look-alike that differs only in
    // its attributes.
    expireCookie(boundCookie);
    assert_false(documentHasCookie(cookiePair));
    const replacementCookie = `${cookiePair};${requestCookieAttributes}`;
    // NOTE(review): the set_cookie.py response is not inspected here, so a
    // failure to install the replacement is only noticed indirectly by the
    // assertions that follow.
    await fetch('set_cookie.py', {
      method: 'POST',
      body: replacementCookie,
    });

    // Issue another authenticated request, then ask the server whether a
    // refresh happened. The cookie-presence assertion only shows that a cookie
    // with this name and value is visible to the document; it says nothing
    // about which attributes that cookie carries.
    const afterSwap = await fetch('verify_authenticated.py');
    assert_equals(afterSwap.status, 200);
    assert_true(documentHasCookie(cookiePair));
    const { hasCalledRefresh } = await pullServerState();
    assert_equals(hasCalledRefresh, expectCallRefresh);
  }

  // One entry per test, in registration order. `expectCallRefresh: false`
  // means the replacement cookie is still treated as matching the credential.
  const matchingCases = [
    {
      name: "Expires attribute in credentials doesn't affect matching",
      sessionCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials`,
      requestCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials;Expires=${futureDate.toUTCString()}`,
      expectCallRefresh: false,
    },
    {
      name: "Max-Age attribute in credentials doesn't affect matching",
      sessionCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials`,
      requestCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials;Max-Age=86400`,
      expectCallRefresh: false,
    },
    {
      name: "HttpOnly attribute in credentials affects matching",
      sessionCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials`,
      requestCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials;HttpOnly`,
      expectCallRefresh: true,
    },
    {
      name: "SameSite attribute in credentials affects matching",
      sessionCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials`,
      requestCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials;SameSite=Strict`,
      expectCallRefresh: true,
    },
    {
      name: "Secure attribute in credentials affects matching",
      sessionCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials`,
      requestCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials;Secure`,
      expectCallRefresh: true,
    },
    {
      name: "Path attribute in credentials affects matching",
      sessionCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials`,
      requestCookieAttributes: `Domain=${location.hostname};Path=/`,
      expectCallRefresh: true,
    },
    {
      // The attribute exercised here is `Partitioned`; both sides carry
      // `Secure` so that Partitioned is the only difference between them.
      name: "Partition attribute in credentials affects matching",
      sessionCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials;Secure`,
      requestCookieAttributes: `Domain=${location.hostname};Path=/device-bound-session-credentials;Partitioned;Secure`,
      expectCallRefresh: true,
    },
  ];

  for (const testCase of matchingCases) {
    promise_test(async t => {
      await runTest(
        t,
        testCase.sessionCookieAttributes,
        testCase.requestCookieAttributes,
        testCase.expectCallRefresh,
      );
    }, testCase.name);
  }
</script>