cookie.tentative.https.window.js (4537B)
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=/html/cross-origin-embedder-policy/credentialless/resources/common.js
// META: script=./resources/common.js

// Checks that a cookie set for an origin is absent from requests made by a
// credentialless iframe: the iframe's own navigation request, and the
// `img` / child `iframe` requests issued from inside it, for both the
// same-origin and the cross-origin case.
//
// NOTE(review): every expectation in this file is `undefined`. A setCookie()
// call that silently fails, or a header echo/parse step that drops the Cookie
// header, produces the same result, so these tests alone cannot tell
// "credentials withheld" apart from "cookie never set". No positive control
// (the same request from a non-credentialless iframe returning one of the
// cookie values below) appears in this file; confirm it is covered elsewhere.

const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
const cookie_key = "credentialless_iframe_load_cookie";
const cookie_same_origin = "same_origin";
const cookie_cross_origin = "cross_origin";

// Wait for the message posted under `resource_token`, parse it as JSON
// request headers, and return the value of `cookie_key` (undefined when the
// request carried no such cookie).
const cookieFromResource = async resource_token => {
  const raw_headers = await receive(resource_token);
  const cookies = parseCookies(JSON.parse(raw_headers));
  return cookies[cookie_key];
};

// Navigate a new credentialless iframe to `iframe_origin` and return the
// cookie seen on that navigation request.
// showRequestHeaders() presumably returns a URL whose handler reports the
// request headers under `resource_token`; verify in the imported resources.
const cookieFromCredentiallessIframeRequest = async (iframe_origin) => {
  const resource_token = token();
  const frame = document.createElement("iframe");
  frame.src = `${showRequestHeaders(iframe_origin, resource_token)}`;
  // Set before insertion so the attribute applies to the initial load.
  frame.credentialless = true;
  document.body.appendChild(frame);
  const cookie = await cookieFromResource(resource_token);
  return cookie;
};

// Ask the document listening on `document_token` to create an element of
// kind `type` pointing at `resource_origin`, then return the cookie seen on
// the resulting request.
// `type` and the URL are spliced into script text that is sent to the iframe
// (presumably evaluated there by the dispatcher), so both must stay
// test-controlled constants, as they are at every call site in this file.
const cookieFromResourceInIframe =
  async (document_token, resource_origin, type = "img") => {
    const resource_token = token();
    const script = `
    let el = document.createElement("${type}");
    el.src = "${showRequestHeaders(resource_origin, resource_token)}";
    document.body.appendChild(el);
  `;
    send(document_token, script);
    const cookie = await cookieFromResource(resource_token);
    return cookie;
  };

promise_test_parallel(async test => {
  // Both origins get a cookie under the same key before any subtest is
  // registered, so a leaked credential would surface as a non-undefined value.
  await Promise.all([
    setCookie(same_origin, cookie_key, cookie_same_origin),
    setCookie(cross_origin, cookie_key, cookie_cross_origin),
  ]);

  // Register one parallel subtest asserting that `loadCookie()` resolves to
  // undefined, i.e. the observed request carried no `cookie_key` cookie.
  const expectNoCookie = (loadCookie, description) => {
    promise_test_parallel(async test => {
      assert_equals(await loadCookie(), undefined);
    }, description);
  };

  // 1. The iframe's own navigation request.
  expectNoCookie(
    () => cookieFromCredentiallessIframeRequest(same_origin),
    "Credentialless same-origin iframe is loaded without credentials");

  expectNoCookie(
    () => cookieFromCredentiallessIframeRequest(cross_origin),
    "Credentialless cross-origin iframe is loaded without credentials");

  // Long-lived credentialless iframes that the remaining subtests drive.
  const iframe_same_origin = newIframeCredentialless(same_origin);
  const iframe_cross_origin = newIframeCredentialless(cross_origin);

  // 2. Subresource (default `img`) requests issued from inside the iframe.
  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_same_origin, same_origin),
    "same_origin credentialless iframe can't send same_origin credentials");

  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_same_origin, cross_origin),
    "same_origin credentialless iframe can't send cross_origin credentials");

  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_cross_origin, cross_origin),
    "cross_origin credentialless iframe can't send cross_origin credentials");

  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_cross_origin, same_origin),
    "cross_origin credentialless iframe can't send same_origin credentials");

  // 3. Child iframe navigations issued from inside the iframe.
  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_same_origin, same_origin,
                                     "iframe"),
    "same_origin credentialless iframe can't send same_origin credentials "
    + "on child iframe");

  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_same_origin, cross_origin,
                                     "iframe"),
    "same_origin credentialless iframe can't send cross_origin credentials "
    + "on child iframe");

  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_cross_origin, cross_origin,
                                     "iframe"),
    "cross_origin credentialless iframe can't send cross_origin credentials "
    + "on child iframe");

  expectNoCookie(
    () => cookieFromResourceInIframe(iframe_cross_origin, same_origin,
                                     "iframe"),
    "cross_origin credentialless iframe can't send same_origin credentials "
    + "on child iframe");

}, "Setup");