tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

dedicated-worker.https.window.js (4812B)

      1 // META: timeout=long
      2 // META: script=/common/get-host-info.sub.js
      3 // META: script=/common/utils.js
      4 // META: script=/common/dispatcher/dispatcher.js
      5 // META: script=./resources/common.js
      6 
      7 const same_origin = get_host_info().HTTPS_ORIGIN;
      8 const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
      9 const cookie_key = "credentialless_dedicated_worker";
     10 const cookie_same_origin = "same_origin";
     11 const cookie_cross_origin = "cross_origin";
     12 
     13 promise_test(async test => {
     14 
     15  await Promise.all([
     16    setCookie(same_origin, cookie_key, cookie_same_origin +
     17      cookie_same_site_none),
     18    setCookie(cross_origin, cookie_key, cookie_cross_origin +
     19      cookie_same_site_none),
     20  ]);
     21 
     22  // One window with COEP:none. (control)
     23  const w_control_token = token();
     24  const w_control_url = same_origin + executor_path +
     25    coep_none + `&uuid=${w_control_token}`
     26  const w_control = window.open(w_control_url);
     27  add_completion_callback(() => w_control.close());
     28 
     29  // One window with COEP:credentialless. (experiment)
     30  const w_credentialless_token = token();
     31  const w_credentialless_url = same_origin + executor_path +
     32    coep_credentialless + `&uuid=${w_credentialless_token}`;
     33  const w_credentialless = window.open(w_credentialless_url);
     34  add_completion_callback(() => w_credentialless.close());
     35 
     36  let GetCookie = (response) => {
     37    const headers_credentialless = JSON.parse(response);
     38    return parseCookies(headers_credentialless)[cookie_key];
     39  }
     40 
     41  const dedicatedWorkerTest = function(
     42    description, origin, coep_for_worker,
     43    expected_cookies_control,
     44    expected_cookies_credentialless) {
     45    promise_test_parallel(async t => {
     46      // Create workers for both window.
     47      const worker_token_1 = token();
     48      const worker_token_2 = token();
     49 
     50      // Used to check for errors creating the DedicatedWorker.
     51      const worker_error_1 = token();
     52      const worker_error_2 = token();
     53 
     54      const w_worker_src_1 = same_origin + executor_worker_path +
     55        coep_for_worker + `&uuid=${worker_token_1}`;
     56      send(w_control_token, `
     57        new Worker("${w_worker_src_1}", {});
     58        worker.onerror = () => {
     59          send("${worker_error_1}", "Worker blocked");
     60        }
     61      `);
     62 
     63      const w_worker_src_2 = same_origin + executor_worker_path +
     64        coep_for_worker + `&uuid=${worker_token_2}`;
     65      send(w_credentialless_token, `
     66        const worker = new Worker("${w_worker_src_2}", {});
     67        worker.onerror = () => {
     68          send("${worker_error_2}", "Worker blocked");
     69        }
     70      `);
     71 
     72      // Fetch resources with the workers.
     73      const request_token_1 = token();
     74      const request_token_2 = token();
     75      const request_url_1 = showRequestHeaders(origin, request_token_1);
     76      const request_url_2 = showRequestHeaders(origin, request_token_2);
     77 
     78      send(worker_token_1, `
     79        fetch("${request_url_1}", {mode: 'no-cors', credentials: 'include'})
     80      `);
     81      send(worker_token_2, `
     82        fetch("${request_url_2}", {mode: 'no-cors', credentials: 'include'});
     83      `);
     84 
     85      const response_control = await Promise.race([
     86        receive(worker_error_1),
     87        receive(request_token_1).then(GetCookie)
     88      ]);
     89      assert_equals(response_control,
     90        expected_cookies_control,
     91        "coep:none => ");
     92 
     93      const response_credentialless = await Promise.race([
     94        receive(worker_error_2),
     95        receive(request_token_2).then(GetCookie)
     96      ]);
     97      assert_equals(response_credentialless,
     98        expected_cookies_credentialless,
     99        "coep:credentialless => ");
    100    }, `fetch ${description}`)
    101  };
    102 
    103  dedicatedWorkerTest("same-origin + credentialless worker",
    104    same_origin, coep_credentialless,
    105    cookie_same_origin,
    106    cookie_same_origin);
    107 
    108  dedicatedWorkerTest("same-origin + require_corp worker",
    109    same_origin, coep_require_corp,
    110    cookie_same_origin,
    111    cookie_same_origin);
    112 
    113  dedicatedWorkerTest("same-origin",
    114    same_origin, coep_none,
    115    cookie_same_origin,
    116    "Worker blocked");
    117 
    118  dedicatedWorkerTest("cross-origin",
    119    cross_origin, coep_none,
    120    cookie_cross_origin,
    121    "Worker blocked" // Owner's policy is credentialles, so we can't
    122                     // create a worker with coep_none.
    123  );
    124 
    125  dedicatedWorkerTest("cross-origin + credentialless worker",
    126    cross_origin, coep_credentialless,
    127    undefined, // Worker created successfully with credentialless, and fetch doesn't get credentials
    128    undefined // Worker created successfully with credentialless, and fetch doesn't get credentials
    129  );
    130 
    131  dedicatedWorkerTest("cross-origin + require_corp worker",
    132    cross_origin, coep_require_corp,
    133    cookie_cross_origin,
    134    cookie_cross_origin // The worker's policy is require_corp and doing a
    135                        // fetch within it has nothing to do with the Owner's policy.
    136  );
    137 })