subdomain-registration.https.html (3148B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="/device-bound-session-credentials/helper.js" type="module"></script>
      6 
      7 <script type="module">
      8  import {
      9    addCookieAndSessionCleanup,
     10    configureServer,
     11    documentHasCookie,
     12    expireCookie,
     13    setupShardedServerState,
     14    waitForCookie
     15  } from "/device-bound-session-credentials/helper.js";
     16 
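 /**
  * Repeatedly expire the session cookie and probe the server until the
  * user agent's session refresh re-issues the cookie (or, when no refresh
  * is expected, until a fixed window has elapsed without one).
  *
  * Each attempt expires the cookie, asserts the document no longer has it,
  * then fetches verify_authenticated.py. A 200 response means the cookie
  * was refreshed before that request went out.
  *
  * @param {string} cookieAndAttributes - "name=value;attrs" string handed
  *   to expireCookie.
  * @param {string} cookieAndValue - "name=value" string checked with
  *   documentHasCookie.
  * @param {boolean} expectRefreshed - true: poll until a refresh is
  *   observed (bounded only by the harness timeout); false: stop after the
  *   no-refresh window and assert that no refresh happened.
  * @returns {Promise<void>} resolves once the observed behavior matched
  *   expectRefreshed; rejects if an assertion or the fetch fails.
  */
 async function waitForRefresh(cookieAndAttributes, cookieAndValue, expectRefreshed) {
   // How long to keep probing before concluding that no refresh occurs.
   const noRefreshWindowMs = 1000;
   const startTime = Date.now();
   const refreshed = await new Promise((resolve, reject) => {
     async function tryRefresh() {
       try {
         expireCookie(cookieAndAttributes);
         assert_false(documentHasCookie(cookieAndValue));
         const authResponseAfterExpiry = await fetch('verify_authenticated.py');
         if (authResponseAfterExpiry.status === 200) {
           resolve(true);
           return;
         }
         if (!expectRefreshed && Date.now() - startTime >= noRefreshWindowMs) {
           resolve(false);
           return;
         }

         step_timeout(tryRefresh, 100);
       } catch (err) {
         // tryRefresh is an async callback whose returned promise nobody
         // awaits: without this, an assertion failure or fetch error would
         // become an unhandled rejection and the outer Promise would never
         // settle, leaving the test to die on the harness timeout instead
         // of reporting the real failure.
         reject(err);
       }
     }

     tryRefresh();
   });

   assert_equals(refreshed, expectRefreshed);
 }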
     41 
 /**
  * Register a device-bound session through the login endpoint of the given
  * subdomain and check whether registration took effect.
  *
  * The server is configured with the parent (current) origin's scope and
  * cookie details, while the login request itself goes to
  * `${subdomain}.${location.hostname}`. Registration is judged by whether
  * the cookie is refreshed after being expired (see waitForRefresh).
  *
  * @param {object} t - testharness test object, used to register cleanup.
  * @param {string} subdomain - label prepended to location.hostname for the
  *   login request.
  * @param {boolean} expectRegistration - whether the session is expected to
  *   register and therefore refresh the expired cookie.
  */
 async function runTest(t, subdomain, expectRegistration) {
   await setupShardedServerState();
   addCookieAndSessionCleanup(t);

   const cookieNameAndValue = "auth_cookie=abcdef0123";
   const cookieAttributes = `Domain=${location.hostname};Path=/device-bound-session-credentials`;
   const cookieWithAttributes = `${cookieNameAndValue};${cookieAttributes}`;

   // Configure the server with the parent domain's origin + cookie
   // details instead of the subdomain's.
   const cookieDetails = [
     {
       "nameAndValue": cookieNameAndValue,
       "attributes": cookieAttributes,
     },
   ];
   await configureServer({
     "scopeOrigin": location.origin,
     "cookieDetails": cookieDetails,
   });

   // .well-known/device-bound-sessions hardcodes www as allowed, but not www1.
   const loginUrl = new URL("/device-bound-session-credentials/login.py", location);
   loginUrl.hostname = `${subdomain}.${location.hostname}`;

   const loginResponse = await fetch(loginUrl.toString(), {credentials: "include"});
   assert_equals(loginResponse.status, 200);

   // Wait for the cookie returned by the server providing the session config to
   // the user agent.
   await waitForCookie(cookieNameAndValue, /*expectCookie=*/true);

   // There is still well-known fetching after that, so we can't conclude yet that
   // registration is finished and has either succeeded or failed as expected.
   // Trigger repeated refresh attempts to confirm this instead.
   await waitForRefresh(cookieWithAttributes, cookieNameAndValue, /*expectRefreshed=*/expectRegistration);
 }
     75 
 // www1 is not listed in .well-known/device-bound-sessions, so the session
 // must not register and the expired cookie must stay expired.
 promise_test(
   (t) => runTest(t, /*subdomain=*/"www1", /*expectRegistration=*/false),
   "Registration fails without a .well-known"
 );
     79 
 // www is allowed by .well-known/device-bound-sessions, so the session
 // registers and refreshes the cookie once it is expired.
 promise_test(
   (t) => runTest(t, /*subdomain=*/"www", /*expectRegistration=*/true),
   "Registration succeeds with a .well-known"
 );
     83 </script>