
websockets.https.html (2556B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="helper.js" type="module"></script>
      6 
      7 <script type="module">
      8  import { expireCookie, documentHasCookie, waitForCookie, addCookieAndSessionCleanup, setupShardedServerState, configureServer } from "./helper.js";
      9 
     /**
      * Starts a WebSocket connection and reports how the handshake ended.
      *
      * @param {string} url - ws:// or wss:// URL to connect to.
      * @returns {Promise<void>} Resolves with no value once the socket opens;
      *   rejects with the value passed to the socket's `onerror` handler.
      */
     function ws_connect(url) {
       return new Promise((onOpened, onFailed) => {
         const socket = new WebSocket(url);
         socket.onerror = (event) => {
           onFailed(event);
         };
         socket.onopen = () => {
           onOpened();
         };
       });
     }
     17 
     // Checks that Device Bound Session Credentials (DBSC) apply to a WebSocket
     // handshake: once the session cookie has been expired, attempting a wss://
     // connection must leave the document with the cookie set again.
     promise_test(async (test) => {
       await setupShardedServerState();

       const cookiePair = "auth_cookie=abcdef0123";
       const cookieWithAttributes = `${cookiePair};Domain=${location.hostname};Path=/device-bound-session-credentials`;
       addCookieAndSessionCleanup(test);

       // The final check needs an endpoint that can tell whether the cookie was
       // refreshed without triggering a refresh itself; otherwise a passing
       // result could not be attributed to the WebSocket request. Excluding one
       // path from the session scope provides that endpoint.
       const excludedVerifierRule = {
         type: "exclude",
         domain: location.hostname,
         path: "/device-bound-session-credentials/excludeInScopeSpecification",
       };
       await configureServer({ scopeSpecificationItems: [excludedVerifierRule] });

       // Prompt starting a session, and wait until registration completes.
       const login = await fetch('login.py');
       assert_equals(login.status, 200);
       await waitForCookie(cookiePair, /*expectCookie=*/true);

       // Baseline: a request made while the session is live carries the cookie.
       const beforeExpiry = await fetch('verify_authenticated.py');
       assert_equals(beforeExpiry.status, 200);

       // Expire the cookie and confirm it is gone, so that only a refresh can
       // bring it back.
       expireCookie(cookieWithAttributes);
       assert_false(documentHasCookie(cookiePair));

       // Start a WebSocket handshake. It is expected to fail, but DBSC should
       // still apply to the request. Nothing below asserts on the handshake
       // outcome itself, only on its effect on the cookie.
       try {
         await ws_connect(`wss://${location.host}/device-bound-session-credentials/websocket`);
       } catch {
         // Deliberately ignored: a rejected handshake is the expected result.
       }

       // The excluded endpoint answers 200 only when the request is authenticated,
       // and the document must see the cookie again.
       const afterHandshake = await fetch('excludeInScopeSpecification/excluded_verify_authenticated.py');
       assert_equals(afterHandshake.status, 200);
       assert_true(documentHasCookie(cookiePair));
     }, "An established session applies to WebSocket handshakes");
     60 </script>