set-scope-specification.https.html (3360B)
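<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="helper.js" type="module"></script>

<script type="module">
  import { expireCookie, waitForCookie, addCookieAndSessionCleanup, setupShardedServerState, configureServer} from "./helper.js";

  /*
   * Checks that the scope specification configured on the server decides,
   * per endpoint, whether a request made after the auth cookie has been
   * expired succeeds (200) or is rejected (403).
   *
   * Flow:
   *   1. Configure the server with an ordered list of include/exclude rules.
   *   2. Fetch login.py and wait for the auth cookie to appear.
   *   3. For each endpoint: expire the cookie, fetch the endpoint with
   *      credentials, and compare the status with the expectation.
   *
   * NOTE(review): the 200/403 mapping assumes the endpoints reject requests
   * that lack the auth cookie, and that an in-scope request causes the session
   * to be refreshed (restoring the cookie) before it is sent. The server
   * handlers and helper.js are not shown here; confirm against them.
   *
   * The "exclude" expectations carry as much weight as the "include" ones:
   * they pin down that a request outside the configured scope is rejected
   * rather than refreshed.
   */
  promise_test(async t => {
    await setupShardedServerState();
    const expectedCookieAndValue = "auth_cookie=abcdef0123";
    const expectedCookieAndAttributes = `${expectedCookieAndValue};Domain=${location.hostname};Path=/device-bound-session-credentials`;
    addCookieAndSessionCleanup(t);

    // Configure server to set scope specification.
    // The list is ordered, and the expectations below depend on that order.
    await configureServer({ scopeSpecificationItems: [{
      // Include for a single file; the exclude for its directory follows it.
      "type": "include",
      "domain": location.hostname,
      "path": "/device-bound-session-credentials/excludeInScopeSpecification/excluded_verify_authenticated.py"
    }, {
      "type": "exclude",
      "domain": location.hostname,
      "path": "/device-bound-session-credentials/excludeInScopeSpecification"
    }, {
      "type": "include",
      "domain": location.hostname,
      "path": "/device-bound-session-credentials/includeInScopeSpecification/included_verify_authenticated.py"
    }, {
      "type": "exclude",
      "domain": location.hostname,
      "path": "/device-bound-session-credentials/verify_authenticated.py"
    }, {
      "type": "include",
      "domain": location.hostname,
      "path": "/device-bound-session-credentials/verify_authenticated_alternate.py"
    }, {
      // Same path on two subdomains, with opposite rule types.
      "type": "include",
      "domain": `www1.${location.hostname}`,
      "path": "/device-bound-session-credentials/verify_authenticated.py"
    }, {
      "type": "exclude",
      "domain": `www2.${location.hostname}`,
      "path": "/device-bound-session-credentials/verify_authenticated.py"
    }] });

    // Prompt starting a session, and wait until registration completes.
    const loginResponse = await fetch('login.py');
    assert_equals(loginResponse.status, 200, "login.py status");
    await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);

    /**
     * Expires the auth cookie, requests `endpoint` with credentials, and
     * asserts the response status.
     *
     * @param {string} endpoint - relative or absolute URL to fetch.
     * @param {boolean} expectRefresh - true expects 200, false expects 403.
     */
    async function expireCookieAndTriggerRequest(endpoint, expectRefresh) {
      expireCookie(expectedCookieAndAttributes);
      const authResponse = await fetch(endpoint, { credentials: "include" });
      // The description names the endpoint, so a failure in this shared helper
      // can be traced to the rule under test.
      assert_equals(authResponse.status, expectRefresh ? 200 : 403,
                    `status for ${endpoint} (expectRefresh=${expectRefresh})`);
    }

    await expireCookieAndTriggerRequest("verify_authenticated.py", /*expectRefresh=*/false);
    await expireCookieAndTriggerRequest("verify_authenticated_alternate.py", /*expectRefresh=*/true);
    // This one is marked as included, but excludeInScopeSpecification/ is marked as excluded, and order matters:
    // the directory exclude is listed after the file include, and the exclude is what this test expects to apply.
    await expireCookieAndTriggerRequest("excludeInScopeSpecification/excluded_verify_authenticated.py", /*expectRefresh=*/false);
    await expireCookieAndTriggerRequest("includeInScopeSpecification/included_verify_authenticated.py", /*expectRefresh=*/true);
    // Subdomain rules: www1 is listed as include, www2 as exclude.
    await expireCookieAndTriggerRequest(`${location.protocol}//www1.${location.host}/device-bound-session-credentials/verify_authenticated.py`, /*expectRefresh=*/true);
    await expireCookieAndTriggerRequest(`${location.protocol}//www2.${location.host}/device-bound-session-credentials/verify_authenticated.py`, /*expectRefresh=*/false);
  }, "Scope specification configuration is respected");
</script>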