tor-browser

The Tor Browser

iframeTest.js (3029B)


      1 // One document embeds another in an iframe. Both are loaded from the network.
      2 // Depending on the response headers:
      3 // - Cross-Origin-Embedder-Policy (COEP)
      4 // - Cross-Origin-Resource-Policy (CORP)
      5 // The child must load or must be blocked.
      6 //
      7 // What to do for:
      8 // - COEP:credentialless
      9 // - COEP:credentialless-on-children
     10 // is currently an active open question. This test will be updated/completed
     11 // later.
     12 
     // No interoperable signal tells a page that an iframe failed to load, so
     // these tests infer a block from a timeout.
     // See https://github.com/whatwg/html/issues/125
     // Timeouts are managed explicitly so that progress can be tracked and each
     // test reports its own result even when another one fails.
     setup({ explicit_timeout: true });

     // Origins for the same-origin and the cross-origin documents, both read
     // from the harness host info.
     const {
       HTTPS_ORIGIN: same_origin,
       HTTPS_REMOTE_ORIGIN: cross_origin,
     } = get_host_info();
     21 
     // Opens a new same-origin window whose document is served with |headers|
     // and returns the token that addresses it: the new document executes any
     // script sent toward that token. The window is closed when the harness
     // runs its completion callbacks.
     //
     // |headers| is appended to the URL verbatim, directly after executor_path,
     // so the caller is responsible for passing a well-formed, already encoded
     // string.
     const newWindow = (headers) => {
       const uuid = token();
       const executor_url = `${same_origin}${executor_path}${headers}&uuid=${uuid}`;
       const opened = window.open(executor_url);
       add_completion_callback(() => opened.close());
       return uuid;
     };
     31 
     // The two outcomes an iframe test can expect. The values are the messages
     // exchanged on the per-test token: the child sends "load" once it runs, and
     // the timeout sends "block" when no such message arrived in time.
     const EXPECT_BLOCK = "block";
     const EXPECT_LOAD = "load";
     34 
     // Embeds a child document in an iframe of an existing parent document and
     // checks whether the child loads or is blocked. The headers of both
     // documents are under the caller's control: the parent's through the window
     // behind |parent_token|, the child's through |child_headers|.
     //
     //   description   - test name, passed to promise_test_parallel.
     //   parent_token  - token of the executor document that creates the iframe.
     //   child_origin  - origin the child document is loaded from.
     //   child_headers - header string appended to the child's executor URL.
     //   expectation   - EXPECT_LOAD or EXPECT_BLOCK.
     //
     // A "block" result only means that no "load" message arrived before the
     // timeout. It is not an observed policy error, so anything else that stops
     // the child from running its script is reported as "block" too.
     //
     // NOTE(review): child_url is placed unescaped inside a double-quoted string
     // of the script sent to the parent, so |child_origin| and |child_headers|
     // must not contain `"`, `\` or a line break. Callers are presumably the
     // test files themselves; confirm before passing values from anywhere else.
     const iframeTest = function(
       description,
       parent_token,
       child_origin,
       child_headers,
       expectation
     ) {
       promise_test_parallel(async (test) => {
         const verdict_token = token();

         const child_token = token();
         const child_url =
           `${child_origin}${executor_path}${child_headers}&uuid=${child_token}`;

         // Script run by the parent: create the iframe and point it at the
         // child. The text, line breaks and indentation included, is sent as
         // written here.
         const embed_script = [
           "",
           '     let iframe = document.createElement("iframe");',
           `     iframe.src = "${child_url}";`,
           "     document.body.appendChild(iframe);",
           "   ",
         ].join("\n");
         await send(parent_token, embed_script);

         // Script run by the child, if it loads at all: report "load" on this
         // test's own token.
         const report_script = `\n     send("${verdict_token}", "load");\n   `;
         await send(child_token, report_script);

         // No interoperable signal exists for a failed iframe load, so "block"
         // is sent from a timer instead.
         // See https://github.com/whatwg/html/issues/125
         // The delay is shorter when the timer is expected to fire:
         // - Long delay (load expected): lowers the false-positive rate. False
         //   positives make the test unstable on bots, see
         //   https://crbug.com/1215956.
         // - Short delay (block expected): avoids holding the tests up for
         //   nothing and timing out. False negatives are acceptable as long as
         //   they do not outnumber the true negatives.
         const block_delay_ms = expectation == EXPECT_BLOCK ? 2000 : 6000;
         step_timeout(() => send(verdict_token, "block"), block_delay_ms);

         // The first message to arrive on the token decides the outcome.
         const outcome = await receive(verdict_token);
         assert_equals(outcome, expectation);
       }, description);
     };
     79 
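     // A decorated version of iframeTest that serves the child with
     // CORP:cross-origin. It takes the same parameters as iframeTest, appends
     // ", CORP:cross-origin" to |description| and |corp_cross_origin| to
     // |child_headers|, and forwards everything else unchanged.
     //
     // The parameters are named instead of being edited through `arguments`, so
     // the signature mirrors iframeTest and the adjusted description and headers
     // are always forwarded in their own positions.
     const iframeTestCORP = function(
       description,
       parent_token,
       child_origin,
       child_headers,
       expectation
     ) {
       iframeTest(
         description + ", CORP:cross-origin",
         parent_token,
         child_origin,
         child_headers + corp_cross_origin,
         expectation
       );
     };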