
empty-response.https.html (3032B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="helper.js" type="module"></script>
      6 
      7 <script type="module">
      8  import {
      9    expireCookie,
     10    documentHasCookie,
     11    waitForCookie,
     12    addCookieAndSessionCleanup,
     13    setupShardedServerState,
     14    configureServer
     15  } from "./helper.js";
     16 
     // Registration case: the server is switched to empty session instructions
     // *before* login, so the test expects that no refreshable session exists
     // once the auth cookie is gone.
     promise_test(async (test) => {
       await setupShardedServerState();
       const cookiePair = "auth_cookie=abcdef0123";
       // Same cookie with the Domain/Path attributes passed to expireCookie().
       const scopedCookie = `${cookiePair};Domain=${location.hostname};Path=/device-bound-session-credentials`;
       addCookieAndSessionCleanup(test);

       // From this point on the server omits session instructions.
       // NOTE(review): the result of configureServer() is not awaited here; if
       // the helper is asynchronous (helper.js is not shown on this page),
       // confirm the setting is applied before login.py is fetched.
       configureServer({ useEmptyResponse: true });

       // Trigger session start and wait for registration to finish; the login
       // itself is still expected to succeed and set the cookie.
       const { status: loginStatus } = await fetch('login.py');
       assert_equals(loginStatus, 200);
       await waitForCookie(cookiePair, /*expectCookie=*/true);

       // Registration carried empty session instructions, so the refresh is
       // expected to fail: after the cookie is expired, the verification
       // request is rejected (403) and the cookie is not restored.
       expireCookie(scopedCookie);
       assert_false(documentHasCookie(cookiePair));
       const { status: verifyStatus } = await fetch('verify_authenticated.py');
       assert_equals(verifyStatus, 403);
       assert_false(documentHasCookie(cookiePair));
     }, "An empty response fails on registration");
     40 
     // Refresh case: the session is registered normally and only afterwards is
     // the server switched to empty responses; the test expects refresh to keep
     // working and the session to stay alive.
     promise_test(async (test) => {
       await setupShardedServerState();
       const cookiePair = "auth_cookie=abcdef0123";
       // Same cookie with the Domain/Path attributes passed to expireCookie().
       const scopedCookie = `${cookiePair};Domain=${location.hostname};Path=/device-bound-session-credentials`;
       addCookieAndSessionCleanup(test);

       // Trigger session start and wait for registration to finish.
       const { status: loginStatus } = await fetch('login.py');
       assert_equals(loginStatus, 200);
       await waitForCookie(cookiePair, /*expectCookie=*/true);

       // From this point on the server omits session instructions.
       // NOTE(review): the result of configureServer() is not awaited here; if
       // the helper is asynchronous (helper.js is not shown on this page),
       // confirm the setting is applied before the first verification fetch.
       configureServer({ useEmptyResponse: true });

       // Two identical rounds. Round one confirms that expiring the cookie
       // still leads to a request with the cookie set (a refresh occurs).
       // Round two would fail if the empty response had terminated the session.
       for (let round = 0; round < 2; round += 1) {
         expireCookie(scopedCookie);
         assert_false(documentHasCookie(cookiePair));
         const { status: verifyStatus } = await fetch('verify_authenticated.py');
         assert_equals(verifyStatus, 200);
         assert_true(documentHasCookie(cookiePair));
       }
     }, "An empty response is allowed on refresh");
     71 </script>