
worker-cookies.tentative.https.window.js (2502B)


      1 // META: timeout=long
      2 // META: variant=?worker=dedicated_worker
      3 // META: variant=?worker=shared_worker
      4 // META: variant=?worker=service_worker
      5 // META: script=/common/get-host-info.sub.js
      6 // META: script=/common/utils.js
      7 // META: script=/common/dispatcher/dispatcher.js
      8 // META: script=/html/cross-origin-embedder-policy/credentialless/resources/common.js
      9 // META: script=./resources/common.js
     10 
// The same tests run once per worker type. The META `variant` lines above
// select the type through the `worker` query parameter:
// - dedicated_worker
// - shared_worker
// - service_worker
// A missing or empty parameter falls back to a dedicated worker.
const params = new URLSearchParams(document.location.search);
// NOTE(review): this value comes from the page URL and is not checked against
// the three expected names here; any code that embeds it in a script string
// has to escape it.
const worker_param = params.get('worker') || 'dedicated_worker';

// Cookie under test. `token()` presumably yields a unique name, so that runs
// do not see each other's cookie -- confirm in /common/utils.js.
const cookie_key = token();
const cookie_value = 'cookie_value';
// The cookie lives on the remote HTTPS origin, not on the test page's origin.
const cookie_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
     21 
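/**
 * Create a worker spawned from `context` and return its uuid.
 *
 * A script is sent to `context` that loads the helper scripts one after the
 * other, looks up the constructor named by `worker_param` in `environments`,
 * calls it with empty headers, and sends the first element of its result back
 * under a fresh reply token. The second element (`error`) is not used here.
 *
 * Each helper script is awaited through `onload` only; no `onerror` handler
 * is installed, so a script that fails to load leaves that promise pending.
 *
 * @param context - Target passed to `send()`; the context that creates the worker.
 * @returns Whatever `receive(reply)` yields; callers await it and use the
 *     result as a `send()` target.
 */
const workerFrom = context => {
  const reply = token();
  // `worker_param` is read from the page URL. It is serialized as a string
  // literal rather than pasted between quotes, so whatever it contains can
  // only ever act as a property key of `environments` in the sent script.
  const worker_key = JSON.stringify(worker_param);
  send(context, `
   for(const deps of [
     "/common/utils.js",
     "/resources/testharness.js",
     "/html/cross-origin-embedder-policy/credentialless/resources/common.js",
   ]) {
     await new Promise(resolve => {
       const script = document.createElement("script");
       script.src = deps;
       script.onload = resolve;
       document.body.appendChild(script);
     });
   }

   const worker_constructor = environments[${worker_key}];
   const headers = "";
   const [worker, error] = worker_constructor(headers);
   send("${reply}", worker);
 `);
  return receive(reply);
};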
     46 
// Setup step: store the cookie for `cookie_origin` from a top-level document.
// The two tests below look for this cookie in requests made by a worker.
promise_test(async (t) => {
  await setCookie(cookie_origin, cookie_key, cookie_value);
}, 'set cookies');
     51 
// Control case: the iframe is a regular (not credentialless) one, so a worker
// created from it is expected to send the cookie set above.
promise_test(async (t) => {
  const headersToken = token();
  const worker = await workerFrom(newIframe(cookie_origin));
  // presumably this URL reports the request headers back under `headersToken`
  // -- confirm in the shared common.js
  const headersUrl = showRequestHeaders(cookie_origin, headersToken);
  send(worker, `
   fetch("${headersUrl}");
 `);
  const requestHeaders = JSON.parse(await receive(headersToken));
  const cookie = parseCookies(requestHeaders);
  assert_equals(cookie[cookie_key], cookie_value);
}, 'Worker spawned from normal iframe can access global cookies');
     61 
// Experiment: the iframe is credentialless. A worker created from it must not
// send the cookie that the top-level document set for `cookie_origin`.
// This checks only that `cookie_key` is missing from the parsed cookies of one
// fetch; nothing else about the request is asserted.
promise_test(async (t) => {
  const headersToken = token();
  const worker = await workerFrom(newIframeCredentialless(cookie_origin));
  // presumably this URL reports the request headers back under `headersToken`
  // -- confirm in the shared common.js
  const headersUrl = showRequestHeaders(cookie_origin, headersToken);
  send(worker, `
   fetch("${headersUrl}");
 `);
  const requestHeaders = JSON.parse(await receive(headersToken));
  const cookie = parseCookies(requestHeaders);
  assert_equals(cookie[cookie_key], undefined);
}, "Worker spawned from credentialless iframe can't access global cookies");