tor-browser

The Tor Browser

blob.https.html (3050B)


      1 <!doctype html>
      2 <meta charset=utf-8>
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="/common/dispatcher/dispatcher.js"></script>
      6 <script src="/common/get-host-info.sub.js"></script>
      7 <script src="/common/utils.js"></script>
      8 <div id=log></div>
      9 <script>
     10 const origins = get_host_info();
     11 [
     12  {
     13    "origin": origins.HTTPS_ORIGIN,
     14    "crossOrigin": origins.HTTPS_REMOTE_ORIGIN
     15  },
     16  {
     17    "origin": origins.HTTPS_REMOTE_ORIGIN,
     18    "crossOrigin": origins.HTTPS_NOTSAMESITE_ORIGIN
     19  },
     20  {
     21    "origin": origins.HTTPS_NOTSAMESITE_ORIGIN,
     22    "crossOrigin": origins.HTTPS_ORIGIN
     23  }
     24 ].forEach(({ origin, crossOrigin }) => {
     25  ["subframe", "navigate", "popup"].forEach(variant => {
     26    // Due to `noopener` being enforced on Blob URLs where the corresponding
     27    // origin is cross-site to the opening context's top-level site, require
     28    // dispatcher.js to pass information back after window.open().
     29    if (origin === origins.HTTPS_NOTSAMESITE_ORIGIN &&
     30        crossOrigin === origins.HTTPS_ORIGIN &&
     31        variant === "popup") {
     32      return;
     33    }
     34    async_test(t => {
     35      const id = token();
     36      const frame = document.createElement("iframe");
     37      t.add_cleanup(() => { frame.remove(); });
     38      const path = new URL("resources/blob-url-factory.html", window.location).pathname;
     39      frame.src = `${origin}${path}?id=${id}&variant=${variant}&crossOrigin=${crossOrigin}`;
     40      window.addEventListener("message", t.step_func(({ data }) => {
     41        if (data.id !== id) {
     42          return;
     43        }
     44        assert_equals(data.origin, origin);
     45        assert_true(data.sameOriginNoCORPSuccess, "Same-origin without CORP did not succeed");
     46        assert_true(data.crossOriginNoCORPFailure, "Cross-origin without CORP did not fail");
     47        t.done();
     48      }));
     49      document.body.append(frame);
     50    }, `Cross-Origin-Embedder-Policy and blob: URL from ${origin} in subframe via ${variant}`);
     51  });
     52 });
     53 
     54 // New test for the specific case using dispatcher.js for popups.
     55 promise_test(async t => {
     56  const origin = origins.HTTPS_NOTSAMESITE_ORIGIN;
     57  const crossOrigin = origins.HTTPS_ORIGIN;
     58  const variant = "popup-dispatch";
     59  const id = token();
     60 
     61  const frame = document.createElement("iframe");
     62  t.add_cleanup(() => { frame.remove(); });
     63 
     64  const path = new URL("resources/blob-url-factory.html", window.location).pathname;
     65  frame.src = `${origin}${path}?id=${id}&variant=${variant}&crossOrigin=${crossOrigin}`;
     66  document.body.append(frame);
     67 
     68  // Use dispatcher to wait for the message.
     69  const message = await receive(id);
     70  const data = JSON.parse(message);
     71 
     72  assert_equals(data.origin, origin, "Message origin should match test origin");
     73  assert_true(data.sameOriginNoCORPSuccess, "Same-origin fetch without CORP should succeed");
     74  assert_true(data.crossOriginNoCORPFailure, "Cross-origin fetch without CORP should fail");
     75 
     76 }, `Cross-Origin-Embedder-Policy and blob: URL from ${origins.HTTPS_NOTSAMESITE_ORIGIN} in popup (using dispatcher)`);
     77 
     78 </script>