tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

network.https.window.js (14929B)

      1 // META: script=/resources/testdriver.js
      2 // META: script=/resources/testdriver-vendor.js
      3 // META: script=/common/subset-tests.js
      4 // META: script=/common/utils.js
      5 // META: script=resources/fledge-util.sub.js
      6 // META: timeout=long
      7 // META: variant=?1-5
      8 // META: variant=?6-10
      9 // META: variant=?11-15
     10 // META: variant=?16-last
     11 
     12 "use strict";
     13 
     14 // These tests focus on Protected Audience network requests - make sure they
     15 // have no cookies, can set no cookies, and otherwise behave in the expected
     16 // manner as related to the fetch spec. These tests don't cover additional
     17 // request or response headers specific to Protected Audience API.
     18 
     19 // URL that sets a cookie named "cookie" with a value of "cookie".
     20 const SET_COOKIE_URL = `${BASE_URL}resources/set-cookie.asis`;
     21 
     22 // URL that redirects to trusted bidding or scoring signals, depending on the
     23 // query parameters, maintaining the query parameters for the redirect.
     24 const REDIRECT_TO_TRUSTED_SIGNALS_URL = `${BASE_URL}resources/redirect-to-trusted-signals.py`;
     25 
     26 // Returns a URL that stores request headers. Headers can later be retrieved
     27 // as a name-to-list-of-values mapping with
     28 // "(await fetchTrackedData(uuid)).trackedHeaders"
     29 function createHeaderTrackerURL(uuid) {
     30  return createTrackerURL(window.location.origin, uuid, 'track_headers');
     31 }
     32 
     33 // Returns a URL that redirects to the provided URL. Uses query strings, so
     34 // not suitable for generating trusted bidding/scoring signals URLs.
     35 function createRedirectURL(location) {
     36  let url = new URL(`${BASE_URL}resources/redirect.py`);
     37  url.searchParams.append('location', location);
     38  return url.toString();
     39 }
     40 
     41 // Assert that "headers" has a single header with "name", whose value is "value".
     42 function assertHasHeader(headers, name, value) {
     43  assert_equals(JSON.stringify(headers[name]), JSON.stringify([value]),
     44                'Header ' + name);
     45 }
     46 
     47 // Assert that "headers" has no header with "name"
     48 function assertDoesNotHaveHeader(headers, name) {
     49  assert_equals(headers[name], undefined, 'Header ' + name);
     50 }
     51 
     52 subsetTest(promise_test, async test => {
     53  const uuid = generateUuid(test);
     54  await setCookie(test);
     55 
     56  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
     57      test,
     58      { uuid: uuid,
     59        interestGroupOverrides: { biddingLogicURL: createHeaderTrackerURL(uuid) }
     60      });
     61 
     62  let headers = (await fetchTrackedData(uuid)).trackedHeaders;
     63  assertHasHeader(headers, 'accept', 'application/javascript');
     64  assertHasHeader(headers, 'sec-fetch-dest', 'empty');
     65  assertHasHeader(headers, 'sec-fetch-mode', 'no-cors');
     66  assertHasHeader(headers, 'sec-fetch-site', 'same-origin');
     67  assertDoesNotHaveHeader(headers, 'cookie');
     68  assertDoesNotHaveHeader(headers, 'referer');
     69 }, 'biddingLogicURL request headers.');
     70 
     71 subsetTest(promise_test, async test => {
     72  const uuid = generateUuid(test);
     73  await deleteAllCookies();
     74 
     75  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
     76      test,
     77      { uuid: uuid,
     78        interestGroupOverrides: { biddingLogicURL: SET_COOKIE_URL }
     79      });
     80 
     81  assert_equals(document.cookie, '');
     82  await deleteAllCookies();
     83 }, 'biddingLogicURL Set-Cookie.');
     84 
     85 subsetTest(promise_test, async test => {
     86  const uuid = generateUuid(test);
     87  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
     88      test,
     89      { uuid: uuid,
     90        interestGroupOverrides: {
     91            biddingLogicURL: createRedirectURL(createBiddingScriptURL()) }
     92      });
     93 }, 'biddingLogicURL redirect.');
     94 
     95 subsetTest(promise_test, async test => {
     96  const uuid = generateUuid(test);
     97  await setCookie(test);
     98 
     99  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
    100      test,
    101      { uuid: uuid,
    102        interestGroupOverrides: { biddingWasmHelperURL: createHeaderTrackerURL(uuid) }
    103      });
    104 
    105  let headers = (await fetchTrackedData(uuid)).trackedHeaders;
    106  assertHasHeader(headers, 'accept', 'application/wasm');
    107  assertHasHeader(headers, 'sec-fetch-dest', 'empty');
    108  assertHasHeader(headers, 'sec-fetch-mode', 'no-cors');
    109  assertHasHeader(headers, 'sec-fetch-site', 'same-origin');
    110  assertDoesNotHaveHeader(headers, 'cookie');
    111  assertDoesNotHaveHeader(headers, 'referer');
    112 }, 'biddingWasmHelperURL request headers.');
    113 
    114 subsetTest(promise_test, async test => {
    115  const uuid = generateUuid(test);
    116  await deleteAllCookies();
    117 
    118  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
    119      test,
    120      { uuid: uuid,
    121        interestGroupOverrides: { biddingWasmHelperURL: SET_COOKIE_URL }
    122      });
    123 
    124  assert_equals(document.cookie, '');
    125  await deleteAllCookies();
    126 }, 'biddingWasmHelperURL Set-Cookie.');
    127 
    128 subsetTest(promise_test, async test => {
    129  const uuid = generateUuid(test);
    130  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
    131      test,
    132      { uuid: uuid,
    133        interestGroupOverrides:
    134            { biddingWasmHelperURL: createRedirectURL(createBiddingWasmHelperURL()) }
    135      });
    136 }, 'biddingWasmHelperURL redirect.');
    137 
    138 subsetTest(promise_test, async test => {
    139  const uuid = generateUuid(test);
    140  await setCookie(test);
    141 
    142  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
    143      test,
    144      { uuid: uuid,
    145        auctionConfigOverrides: { decisionLogicURL: createHeaderTrackerURL(uuid) }
    146      });
    147 
    148  let headers = (await fetchTrackedData(uuid)).trackedHeaders;
    149  assertHasHeader(headers, 'accept', 'application/javascript');
    150  assertHasHeader(headers, 'sec-fetch-dest', 'empty');
    151  assertHasHeader(headers, 'sec-fetch-mode', 'no-cors');
    152  assertHasHeader(headers, 'sec-fetch-site', 'same-origin');
    153  assertDoesNotHaveHeader(headers, 'cookie');
    154  assertDoesNotHaveHeader(headers, 'referer');
    155 }, 'decisionLogicURL request headers.');
    156 
    157 subsetTest(promise_test, async test => {
    158  const uuid = generateUuid(test);
    159  await deleteAllCookies();
    160 
    161  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
    162      test,
    163      { uuid: uuid,
    164        auctionConfigOverrides: { decisionLogicURL: SET_COOKIE_URL }
    165      });
    166 
    167  assert_equals(document.cookie, '');
    168  await deleteAllCookies();
    169 }, 'decisionLogicURL Set-Cookie.');
    170 
    171 subsetTest(promise_test, async test => {
    172  const uuid = generateUuid(test);
    173  await joinGroupAndRunBasicFledgeTestExpectingNoWinner(
    174      test,
    175      { uuid: uuid,
    176        auctionConfigOverrides:
    177            { decisionLogicURL: createRedirectURL(createDecisionScriptURL(uuid)) }
    178      });
    179 }, 'decisionLogicURL redirect.');
    180 
    181 subsetTest(promise_test, async test => {
    182  const uuid = generateUuid(test);
    183  await setCookie(test);
    184 
    185  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    186      test,
    187      { uuid: uuid,
    188        interestGroupOverrides: {
    189          trustedBiddingSignalsURL: TRUSTED_BIDDING_SIGNALS_URL,
    190          trustedBiddingSignalsKeys: ['headers'],
    191          biddingLogicURL: createBiddingScriptURL({
    192              generateBid:
    193                  `let headers = trustedBiddingSignals.headers;
    194                   function checkHeader(name, value) {
    195                     jsonActualValue = JSON.stringify(headers[name]);
    196                     if (jsonActualValue !== JSON.stringify([value]))
    197                       throw "Unexpected " + name + ": " + jsonActualValue;
    198                   }
    199                   checkHeader("accept", "application/json");
    200                   checkHeader("sec-fetch-dest", "empty");
    201                   checkHeader("sec-fetch-mode", "cors");
    202                   checkHeader("sec-fetch-site", "same-origin");
    203                   if (headers.cookie !== undefined)
    204                     throw "Unexpected cookie: " + JSON.stringify(headers.cookie);
    205                   if (headers.referer !== undefined)
    206                     throw "Unexpected referer: " + JSON.stringify(headers.referer);`,
    207          })
    208        }
    209      });
    210 }, 'trustedBiddingSignalsURL request headers.');
    211 
    212 subsetTest(promise_test, async test => {
    213  const uuid = generateUuid(test);
    214  let cookieFrame = await createFrame(test, OTHER_ORIGIN1);
    215  await runInFrame(test, cookieFrame, `await setCookie(test_instance)`);
    216 
    217  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    218      test,
    219      { uuid: uuid,
    220        interestGroupOverrides: {
    221          trustedBiddingSignalsURL: CROSS_ORIGIN_TRUSTED_BIDDING_SIGNALS_URL,
    222          trustedBiddingSignalsKeys: ['headers', 'cors'],
    223          biddingLogicURL: createBiddingScriptURL({
    224              generateBid:
    225                  `let headers = crossOriginTrustedBiddingSignals[
    226                       '${OTHER_ORIGIN1}'].headers;
    227                   function checkHeader(name, value) {
    228                     jsonActualValue = JSON.stringify(headers[name]);
    229                     if (jsonActualValue !== JSON.stringify([value]))
    230                       throw "Unexpected " + name + ": " + jsonActualValue;
    231                   }
    232                   checkHeader("accept", "application/json");
    233                   checkHeader("sec-fetch-dest", "empty");
    234                   checkHeader("sec-fetch-mode", "cors");
    235                   checkHeader("sec-fetch-site", "cross-site");
    236                   checkHeader("origin", "${window.location.origin}");
    237                   if (headers.cookie !== undefined)
    238                     throw "Unexpected cookie: " + JSON.stringify(headers.cookie);
    239                   if (headers.referer !== undefined)
    240                     throw "Unexpected referer: " + JSON.stringify(headers.referer);`,
    241          })
    242        }
    243      });
    244 }, 'cross-origin trustedBiddingSignalsURL request headers.');
    245 
    246 subsetTest(promise_test, async test => {
    247  const uuid = generateUuid(test);
    248  await deleteAllCookies();
    249 
    250  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    251      test,
    252      { uuid: uuid,
    253        interestGroupOverrides: { trustedBiddingSignalsURL: SET_COOKIE_URL }
    254      });
    255 
    256  assert_equals(document.cookie, '');
    257  await deleteAllCookies();
    258 }, 'trustedBiddingSignalsURL Set-Cookie.');
    259 
    260 subsetTest(promise_test, async test => {
    261  const uuid = generateUuid(test);
    262 
    263  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    264      test,
    265      { uuid: uuid,
    266        interestGroupOverrides: {
    267          trustedBiddingSignalsURL: REDIRECT_TO_TRUSTED_SIGNALS_URL,
    268          trustedBiddingSignalsKeys: ['num-value'],
    269          biddingLogicURL: createBiddingScriptURL({
    270              generateBid:
    271                  `// The redirect should not be followed, so no signals should be received.
    272                   if (trustedBiddingSignals !== null)
    273                     throw "Unexpected trustedBiddingSignals: " + JSON.stringify(trustedBiddingSignals);`
    274          })
    275        }
    276      });
    277 }, 'trustedBiddingSignalsURL redirect.');
    278 
    279 subsetTest(promise_test, async test => {
    280  const uuid = generateUuid(test);
    281  await setCookie(test);
    282 
    283  let renderURL = createRenderURL(uuid, /*script=*/null, /*signalsParam=*/'headers');
    284 
    285  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    286      test,
    287      { uuid: uuid,
    288        interestGroupOverrides: {
    289          ads: [{ renderURL: renderURL }]
    290        },
    291        auctionConfigOverrides: {
    292          trustedScoringSignalsURL: TRUSTED_SCORING_SIGNALS_URL,
    293          decisionLogicURL: createDecisionScriptURL(uuid,
    294            {
    295              scoreAd:
    296                  `let headers = trustedScoringSignals.renderURL["${renderURL}"];
    297                   function checkHeader(name, value) {
    298                     jsonActualValue = JSON.stringify(headers[name]);
    299                     if (jsonActualValue !== JSON.stringify([value]))
    300                       throw "Unexpected " + name + ": " + jsonActualValue;
    301                   }
    302                   checkHeader("accept", "application/json");
    303                   checkHeader("sec-fetch-dest", "empty");
    304                   checkHeader("sec-fetch-mode", "cors");
    305                   checkHeader("sec-fetch-site", "same-origin");
    306                   if (headers.cookie !== undefined)
    307                     throw "Unexpected cookie: " + JSON.stringify(headers.cookie);
    308                   if (headers.referer !== undefined)
    309                     throw "Unexpected referer: " + JSON.stringify(headers.referer);`,
    310            })
    311        }
    312      });
    313 }, 'trustedScoringSignalsURL request headers.');
    314 
    315 subsetTest(promise_test, async test => {
    316  const uuid = generateUuid(test);
    317  let cookieFrame = await createFrame(test, OTHER_ORIGIN1);
    318  await runInFrame(test, cookieFrame, `await setCookie(test_instance)`);
    319 
    320  let renderURL = createRenderURL(uuid, /*script=*/null, /*signalsParam=*/'headers,cors');
    321 
    322  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    323      test,
    324      { uuid: uuid,
    325        interestGroupOverrides: {
    326          ads: [{ renderURL: renderURL }]
    327        },
    328        auctionConfigOverrides: {
    329          trustedScoringSignalsURL: CROSS_ORIGIN_TRUSTED_SCORING_SIGNALS_URL,
    330          decisionLogicURL: createDecisionScriptURL(uuid,
    331            {
    332              permitCrossOriginTrustedSignals: `"${OTHER_ORIGIN1}"`,
    333              scoreAd:
    334                  `let headers = crossOriginTrustedScoringSignals[
    335                      '${OTHER_ORIGIN1}'].renderURL["${renderURL}"];
    336                   function checkHeader(name, value) {
    337                     jsonActualValue = JSON.stringify(headers[name]);
    338                     if (jsonActualValue !== JSON.stringify([value]))
    339                       throw "Unexpected " + name + ": " + jsonActualValue;
    340                   }
    341                   checkHeader("accept", "application/json");
    342                   checkHeader("sec-fetch-dest", "empty");
    343                   checkHeader("sec-fetch-mode", "cors");
    344                   checkHeader("sec-fetch-site", "cross-site");
    345                   checkHeader("origin", "${window.location.origin}");
    346                   if (headers.cookie !== undefined)
    347                     throw "Unexpected cookie: " + JSON.stringify(headers.cookie);
    348                   if (headers.referer !== undefined)
    349                     throw "Unexpected referer: " + JSON.stringify(headers.referer);`,
    350            })
    351        }
    352      });
    353 }, 'cross-origin trustedScoringSignalsURL request headers.');
    354 
    355 subsetTest(promise_test, async test => {
    356  const uuid = generateUuid(test);
    357  await deleteAllCookies();
    358 
    359  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    360      test,
    361      { uuid: uuid,
    362        auctionConfigOverrides: { trustedScoringSignalsURL: SET_COOKIE_URL }
    363      });
    364 
    365  assert_equals(document.cookie, '');
    366  await deleteAllCookies();
    367 }, 'trustedScoringSignalsURL Set-Cookie.');
    368 
    369 subsetTest(promise_test, async test => {
    370  const uuid = generateUuid(test);
    371 
    372  await joinGroupAndRunBasicFledgeTestExpectingWinner(
    373      test,
    374      { uuid: uuid,
    375        auctionConfigOverrides: {
    376          trustedScoringSignalsURL: REDIRECT_TO_TRUSTED_SIGNALS_URL,
    377          decisionLogicURL: createDecisionScriptURL(uuid,
    378            {
    379              scoreAd:
    380                  `// The redirect should not be followed, so no signals should be received.
    381                   if (trustedScoringSignals !== null)
    382                     throw "Unexpected trustedScoringSignals: " + JSON.stringify(trustedScoringSignals);`
    383            })
    384        }
    385      });
    386 }, 'trustedScoringSignalsURL redirect.');