
assorted.window.js (7738B)


      1 // META: script=/common/utils.js
      2 // META: script=/common/get-host-info.sub.js
      3 
// Origin table shared by every test in this file. get_host_info() and token()
// are not defined here; presumably they come from the META-included scripts.
const origins = get_host_info();

// A no-cors POST goes to the remote origin, which is asked to redirect back to
// this origin. The dump is expected to hold this page's origin for the first
// hop and the literal string "null" for the second.
// NOTE(review): for a server that uses Origin as a CSRF signal, this is the
// case where a request reaching it same-origin still carries "null"; such a
// check has to treat "null" as a non-match rather than as "absent".
promise_test(async () => {
  const redirectPath = "/fetch/origin/resources/redirect-and-stash.py";
  const stash = token();

  // Second hop: the same-origin endpoint, recording under the same stash key.
  const secondHop = origins.HTTP_ORIGIN + redirectPath + "?stash=" + stash;

  // First hop: the cross-origin endpoint, given the second hop as its redirect
  // target. Cross-origin -> same-origin will result in setting the tainted
  // origin flag for the second request.
  const url =
    origins.HTTP_REMOTE_ORIGIN + redirectPath + "?stash=" + stash +
    "&location=" + encodeURIComponent(secondHop) + "&dummyJS";

  await fetch(url, { method: "POST", mode: "no-cors" });

  // Read back what the endpoint recorded for the two hops (relative URL, so
  // this request is same-origin).
  const dump = await fetch(redirectPath + "?dump&stash=" + stash);
  const json = await dump.json();

  assert_equals(json[0], origins.HTTP_ORIGIN);
  assert_equals(json[1], "null");
}, "Origin header and 308 redirect");
     22 
// An iframe is navigated (GET) to the remote origin, which redirects back to
// this origin. Both recorded entries are expected to be the string
// "no Origin header", i.e. neither hop of the navigation carried the header.
promise_test(async () => {
  const redirectPath = "/fetch/origin/resources/redirect-and-stash.py";
  const stash = token();

  const secondHop = origins.HTTP_ORIGIN + redirectPath + "?stash=" + stash;
  const url =
    origins.HTTP_REMOTE_ORIGIN + redirectPath + "?stash=" + stash +
    "&location=" + encodeURIComponent(secondHop);

  const frame = document.createElement("iframe");
  const frameLoaded = new Promise(resolve => {
    frame.onload = () => {
      resolve();
      // The frame is only a vehicle for the navigation; drop it once loaded.
      frame.remove();
    };
  });
  // The navigation starts when the frame is inserted into the document.
  frame.src = url;
  document.body.appendChild(frame);
  await frameLoaded;

  const dump = await fetch(redirectPath + "?dump&stash=" + stash);
  const json = await dump.json();

  assert_equals(json[0], "no Origin header");
  assert_equals(json[1], "no Origin header");
}, "Origin header and GET navigation");
     45 
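// A form inside a blank iframe is submitted (POST) to the remote origin, which
// redirects back to this origin. Expected: this page's origin on the first
// hop, the literal string "null" on the second.
promise_test(async () => {
  const redirectPath = "/fetch/origin/resources/redirect-and-stash.py";
  const stash = token();

  const secondHop = origins.HTTP_ORIGIN + redirectPath + "?stash=" + stash;
  const url =
    origins.HTTP_REMOTE_ORIGIN + redirectPath + "?stash=" + stash +
    "&location=" + encodeURIComponent(secondHop);

  await new Promise(resolve => {
    const frame = document.createElement("iframe");

    // Stay registered until the "loaded" message arrives. A { once: true }
    // listener would be discarded by the first message of any kind, leaving
    // the promise unresolved if something else is posted to this window first.
    // NOTE(review): only e.data is matched, not e.source; the test relies on
    // no other window posting "loaded" while it runs.
    self.addEventListener("message", function listener(e) {
      if (e.data !== "loaded") {
        return;
      }
      self.removeEventListener("message", listener);
      resolve();
      frame.remove();
    });

    frame.onload = () => {
      // Only the initial blank document needs this handler; clearing it keeps
      // a later load event in the same frame from submitting a second form.
      frame.onload = null;

      const doc = frame.contentDocument;
      const form = doc.body.appendChild(doc.createElement("form"));
      const submit = form.appendChild(doc.createElement("input"));
      form.action = url;
      form.method = "POST";
      submit.type = "submit";
      submit.click();
    };

    document.body.appendChild(frame);
  });

  const dump = await fetch(redirectPath + "?dump&stash=" + stash);
  const json = await dump.json();

  assert_equals(json[0], origins.HTTP_ORIGIN);
  assert_equals(json[1], "null");
}, "Origin header and POST navigation");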
     78 
/**
 * Builds a test body that submits a form POST from a document served with the
 * given referrer policy and checks the first recorded Origin value.
 *
 * @param {string} referrerPolicy - Policy passed to referrer-policy.py in its
 *   `referrerPolicy` query parameter.
 * @param {string} destination - "same-origin" targets origins.HTTP_ORIGIN;
 *   any other value targets origins.HTTP_REMOTE_ORIGIN.
 * @param {string} expectedOrigin - Value the first dump entry must equal.
 * @returns {function(): Promise<void>} Async function for promise_test.
 */
function navigationReferrerPolicy(referrerPolicy, destination, expectedOrigin) {
  return async () => {
    const referrerPolicyPath = "/fetch/origin/resources/referrer-policy.py";
    const redirectPath = "/fetch/origin/resources/redirect-and-stash.py";
    const stash = token();

    let targetOrigin;
    if (destination === "same-origin") {
      targetOrigin = origins.HTTP_ORIGIN;
    } else {
      targetOrigin = origins.HTTP_REMOTE_ORIGIN;
    }
    const postUrl = targetOrigin + redirectPath + "?stash=" + stash;

    await new Promise(resolve => {
      const frame = document.createElement("iframe");

      // Two messages drive the test: "action" triggers the form submission and
      // "loaded" ends it. Presumably the policy page posts the first and the
      // stash endpoint's response the second; neither resource is visible here.
      // NOTE(review): only e.data is matched, not e.source, so the test relies
      // on no other window posting these strings while it runs.
      const onMessage = e => {
        switch (e.data) {
          case "loaded":
            resolve();
            frame.remove();
            self.removeEventListener("message", onMessage);
            break;
          case "action": {
            // Build and submit the form inside the policy document, so the
            // POST navigation is initiated by that document.
            const doc = frame.contentDocument;
            const form = doc.body.appendChild(doc.createElement("form"));
            const submit = form.appendChild(doc.createElement("input"));
            form.action = postUrl;
            form.method = "POST";
            submit.type = "submit";
            submit.click();
            break;
          }
        }
      };

      document.body.appendChild(frame);
      frame.src =
        origins.HTTP_ORIGIN + referrerPolicyPath + "?referrerPolicy=" + referrerPolicy;
      self.addEventListener("message", onMessage);
    });

    const dump = await fetch(redirectPath + "?dump&stash=" + stash);
    const json = await dump.json();

    assert_equals(json[0], expectedOrigin);
  };
}
    117 
/**
 * Builds a test body that issues one fetch() with the given mode, method and
 * referrer policy, then checks the first recorded Origin value.
 *
 * @param {string} referrerPolicy - Passed as the fetch `referrerPolicy` option.
 * @param {string} destination - "same-origin" targets origins.HTTP_ORIGIN;
 *   any other value targets origins.HTTP_REMOTE_ORIGIN.
 * @param {string} fetchMode - Passed as the fetch `mode` option.
 * @param {string} expectedOrigin - Value the first dump entry must equal.
 * @param {string} httpMethod - Passed as the fetch `method` option.
 * @returns {function(): Promise<void>} Async function for promise_test.
 */
function fetchReferrerPolicy(referrerPolicy, destination, fetchMode, expectedOrigin, httpMethod) {
  return async () => {
    const redirectPath = "/fetch/origin/resources/redirect-and-stash.py";
    const stash = token();

    const targetOrigin = destination === "same-origin"
      ? origins.HTTP_ORIGIN
      : origins.HTTP_REMOTE_ORIGIN;
    // No `location` parameter is passed, so no redirect target is given and
    // only the first dump entry is checked below.
    const fetchUrl = `${targetOrigin}${redirectPath}?stash=${stash}&dummyJS`;

    await fetch(fetchUrl, { method: httpMethod, mode: fetchMode, referrerPolicy });

    const dump = await fetch(redirectPath + "?dump&stash=" + stash);
    const json = await dump.json();

    assert_equals(json[0], expectedOrigin);
  };
}
    135 
/**
 * Formats the human-readable name of one referrer-policy test case.
 *
 * @param {string} referrerPolicy - Referrer policy under test.
 * @param {string} method - HTTP method shown in the name.
 * @param {string} destination - Destination description shown in the name.
 * @returns {string} The test name.
 */
function referrerPolicyTestString(referrerPolicy, method, destination) {
  return `Origin header and ${method} ${destination} with Referrer-Policy ${referrerPolicy}`;
}
    140 
// Expectation table: for each referrer policy, the Origin value expected on a
// POST form navigation and on a no-cors POST fetch, per destination. "null" is
// the literal header value, not a missing header.
// NOTE(review): both origins used are the HTTP_* entries, so judging by the
// names no HTTPS -> HTTP downgrade is exercised here.
for (const testObj of [
  {
    "policy": "no-referrer",
    "expectedOriginForSameOrigin": "null",
    "expectedOriginForCrossOrigin": "null"
  },
  {
    "policy": "same-origin",
    "expectedOriginForSameOrigin": origins.HTTP_ORIGIN,
    "expectedOriginForCrossOrigin": "null"
  },
  {
    "policy": "origin-when-cross-origin",
    "expectedOriginForSameOrigin": origins.HTTP_ORIGIN,
    "expectedOriginForCrossOrigin": origins.HTTP_ORIGIN
  },
  {
    "policy": "no-referrer-when-downgrade",
    "expectedOriginForSameOrigin": origins.HTTP_ORIGIN,
    "expectedOriginForCrossOrigin": origins.HTTP_ORIGIN
  },
  {
    "policy": "unsafe-url",
    "expectedOriginForSameOrigin": origins.HTTP_ORIGIN,
    "expectedOriginForCrossOrigin": origins.HTTP_ORIGIN
  },
]) {
  const destinations = [
    {
      "name": "same-origin",
      "expectedOrigin": testObj.expectedOriginForSameOrigin
    },
    {
      "name": "cross-origin",
      "expectedOrigin": testObj.expectedOriginForCrossOrigin
    }
  ];

  for (const destination of destinations) {
    const { policy } = testObj;
    const { name, expectedOrigin } = destination;

    // Form POST navigation: the expectation follows the policy table.
    promise_test(
      navigationReferrerPolicy(policy, name, expectedOrigin),
      referrerPolicyTestString(policy, "POST", name + " navigation"));

    // no-cors POST fetch: the expectation follows the policy table.
    promise_test(
      fetchReferrerPolicy(policy, name, "no-cors", expectedOrigin, "POST"),
      referrerPolicyTestString(policy, "POST", name + " fetch no-cors mode"));

    // cors POST fetch: this page's origin is expected for every policy and
    // destination, independent of the table.
    promise_test(
      fetchReferrerPolicy(policy, name, "cors", origins.HTTP_ORIGIN, "POST"),
      referrerPolicyTestString(policy, "POST", name + " fetch cors mode"));

    // cors GET fetch: no Origin header is expected same-origin; this page's
    // origin is expected cross-origin, again independent of the policy.
    const corsGetExpectation =
      name === "same-origin" ? "no Origin header" : origins.HTTP_ORIGIN;
    promise_test(
      fetchReferrerPolicy(policy, name, "cors", corsGetExpectation, "GET"),
      referrerPolicyTestString(policy, "GET", name + " fetch cors mode"));
  }
}
    211 });