tor-browser

The Tor Browser

fenced-frame-bypass.tentative.https.window.js (2637B)


      1 // META: script=/common/get-host-info.sub.js
      2 // META: script=/common/utils.js
      3 // META: script=/common/dispatcher/dispatcher.js
      4 // META: script=/fenced-frame/resources/utils.js
      5 // META: script=/html/cross-origin-embedder-policy/credentialless/resources/common.js
      6 // META: script=./resources/common.js
      7 // META: timeout=long
      8 
      // Feature gate: every actor layout in this file needs a fenced frame, so the
      // harness first checks that window.HTMLFencedFrameElement is exposed.
      setup(() => {
        const fencedFrameInterface = window.HTMLFencedFrameElement;
        assert_implements(
          fencedFrameInterface,
          "HTMLFencedFrameElement is not supported.",
        );
      });
     13 
     14 // 4 actors:
     15 //                         A (this document)
     16 //   ┌─────────────────────┴───────┐
     17 // ┌─┼────────────────────────┐    D  (credentialless-iframe)
     18 // │ B (fenced-frame)         │
     19 // │ │                        │
     20 // │ C (credentialless-iframe)│
     21 // └──────────────────────────┘
     22 //
     23 // This tests whether the two credentialless iframes can communicate and bypass
     24 // the fenced frame boundary. This shouldn't happen.
     // Isolation check: a credentialless iframe nested inside a fenced frame (C)
     // must not be able to reach a credentialless iframe embedded directly by the
     // top-level document (D) over BroadcastChannel, even though both are loaded
     // from the same cross-origin host.
     //
     // Caveats for anyone relying on this test:
     //  - The negative result is timing based. A pass means no broadcast reached D
     //    within the grace period below, not that delivery is impossible.
     //  - Only BroadcastChannel is probed; other same-origin channels are not
     //    covered here.
     promise_test(async (test) => {
       const remoteOrigin = get_host_info().HTTPS_REMOTE_ORIGIN;
       // Dispatcher queue on which this document (A) collects every reply.
       const replyQueue = token();
       // How long A waits for a leaked broadcast before declaring isolation.
       const graceMs = 4000;

       // Actor D: credentialless iframe, direct child of this document.
       const outerCredentialless = newIframeCredentialless(remoteOrigin);
       // Actor B: the fenced frame whose boundary is under test.
       const fencedFrame = await newFencedFrame(remoteOrigin);

       // Script executed inside B. It creates actor C, a credentialless iframe
       // served with the Supports-Loading-Mode: fenced-frame header, and reports
       // C's dispatcher token back to A.
       const createInnerIframeScript = `
         const importScript = ${importScript};
         await importScript("/common/utils.js");
         await importScript("/html/cross-origin-embedder-policy/credentialless" +
           "/resources/common.js");
         await importScript("/html/anonymous-iframe/resources/common.js");
         const support_loading_mode_fenced_frame =
           "|header(Supports-Loading-Mode,fenced-frame)";
         const iframe_credentialless_2 = newIframeCredentialless("${remoteOrigin}",
           support_loading_mode_fenced_frame);
         send("${replyQueue}", iframe_credentialless_2);
       `;
       send(fencedFrame, createInnerIframeScript);
       const innerCredentialless = await receive(replyQueue);

       // D listens on a fresh channel name and forwards anything it hears to A.
       // The listener must be confirmed before C posts, otherwise a missed message
       // could be mistaken for isolation.
       const channelName = token();
       const listenScript = `
         const bc = new BroadcastChannel("${channelName}");
         bc.onmessage = event => send("${replyQueue}", event.data);
         send("${replyQueue}", "BroadcastChannel registered");
       `;
       send(outerCredentialless, listenScript);
       const listenerAck = await receive(replyQueue);
       assert_equals(listenerAck, "BroadcastChannel registered");

       // C posts on the same channel name from inside the fenced frame.
       const postScript = `
         const bc = new BroadcastChannel("${channelName}");
         bc.postMessage("Can communicate");
       `;
       await send(innerCredentialless, postScript);

       // Sentinel: if nothing leaked through within the grace period, A queues the
       // expected verdict itself. A leaked broadcast would have been forwarded by
       // D first and would therefore be the value read below.
       test.step_timeout(() => {
         send(replyQueue, "Cannot communicate");
       }, graceMs);

       const verdict = await receive(replyQueue);
       assert_equals(verdict, "Cannot communicate");
     });