
dedicated-worker-cache-storage.https.html (4945B)


      1 <!doctype html>
      2 <html>
      3 <title> Check enforcement of COEP in a DedicatedWorker using CacheStorage. </title>
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="/common/get-host-info.sub.js"></script>
      7 <script>
      8 // See also: ./shared-worker-cache-storage.https.html
      9 
// Resolve |path| against the cross-origin HTTPS origin that
// get-host-info.sub.js exposes, so the fetched resource is genuinely
// cross-origin relative to this document.
function remote(path) {
 const { HTTPS_REMOTE_ORIGIN } = get_host_info();
 return new URL(path, HTTPS_REMOTE_ORIGIN);
}
     14 
// Paths of the three resources the test loads. Each ends in "?pipe=" so that a
// header directive from |coep_header| / |corp_header| can be appended and the
// wpt server attaches it to the response.
const iframe_path = "./resources/iframe.html?pipe=";
const dedicated_worker_path = "./universal-worker.js?pipe=";
const ressource_path = "/images/blue.png?pipe=";

// Cross-Origin-Embedder-Policy directive to append, keyed by the name used in
// the test matrix below. The empty string sends no COEP header at all.
const coep_header = {
 "coep-none": "",
 "coep-require-corp": "|header(Cross-Origin-Embedder-Policy,require-corp)",
};

// Cross-Origin-Resource-Policy directive to append to the fetched resource,
// keyed by the name used in the test matrix below. The empty string sends no
// CORP header at all.
const corp_header = {
 "corp-undefined": "",
 "corp-cross-origin": "|header(Cross-Origin-Resource-Policy,cross-origin)",
};
     28 
     29 // Check enforcement of COEP in a DedicatedWorker using CacheStorage.
     30 //
     31 // 1) Fetch a response from a document with COEP:none. Store it in the
     32 //    CacheStorage. The response is cross-origin without any CORS header.
     33 // 2) From an iframe, start a DedicatedWorker and try to retrieve the response
     34 //    from the CacheStorage.
     35 //
     36 // Test parameters:
     37 // - |iframe_coep| the COEP header of the iframe's document response
     38 // - |worker_coep| the COEP header of the DedicatedWorker's script response.
     39 // - |response_corp| the CORP header of the response.
     40 //
     41 // Test expectations:
     42 // |result|
     43 //   - "success" when the worker is able to fetch the response from the
     44 //     CacheStorage,
     45 //   - "failure" when the worker is not able to fetch the response from the
     46 //     CacheStorage, and
     47 //   - "error" when it is unable to create a worker.
     48 // https://mikewest.github.io/corpp/#initialize-embedder-policy-for-global
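// Check enforcement of COEP in a DedicatedWorker using CacheStorage.
//
// 1) Fetch a response from a document with COEP:none. Store it in the
//    CacheStorage. The response is cross-origin without any CORS header.
// 2) From an iframe, start a DedicatedWorker and try to retrieve the response
//    from the CacheStorage.
//
// Test parameters:
// - |iframe_coep| the COEP header of the iframe's document response
//   (a key of |coep_header|).
// - |worker_coep| the COEP header of the DedicatedWorker's script response
//   (a key of |coep_header|).
// - |response_corp| the CORP header of the response (a key of |corp_header|).
//
// Test expectations:
// |result|
//   - "success" when the worker is able to fetch the response from the
//     CacheStorage,
//   - "failure" when the worker is not able to fetch the response from the
//     CacheStorage, and
//   - "error" when it is unable to create a worker.
// https://mikewest.github.io/corpp/#initialize-embedder-policy-for-global
//
// Registers one promise_test; it returns nothing. The verdict travels
// worker -> iframe -> this window via postMessage.
function check(
 // Test parameters:
 iframe_coep,
 worker_coep,
 response_corp,

 // Test expectations:
 result) {

 promise_test(async (t) => {
   // 1) Fetch a response from a document with COEP:none. Store it in the
   //    CacheStorage. The response is cross-origin without any CORS header.
   //    (This document sends no COEP header, so the opaque no-cors response
   //    can be stored here.)
   const resource_path = ressource_path + corp_header[response_corp];
   const resource_url = remote(resource_path);
   const fetch_request = new Request(resource_url, {mode: 'no-cors'});
   const cache = await caches.open('v1');
   const fetch_response = await fetch(fetch_request);
   await cache.put(fetch_request, fetch_response);

   // 2) From an iframe, start a DedicatedWorker and try to retrieve the
   //    response from the CacheStorage.
   const worker_url = dedicated_worker_path + coep_header[worker_coep];
   // Script text sent to the worker; universal-worker.js presumably evaluates
   // the message it receives. A rejected cache.match() is reported as
   // 'failure', anything else as 'success'.
   const worker_eval = `
     (async function() {
       const cache = await caches.open('v1');
       const request = new Request('${resource_url}', {
         mode: 'no-cors'
       });
       try {
         const response = await cache.match(request);
         postMessage('success');
       } catch(error) {
         postMessage('failure');
       }
     })()
   `;

   const iframe_url = iframe_path + coep_header[iframe_coep];
   // Script text sent to the iframe: it starts the worker and relays the
   // worker's verdict to this window, or posts 'error' when the worker itself
   // cannot be started.
   const iframe_eval = `
     (async function() {
       const w = new Worker('${worker_url}');
       const worker_response = new Promise(resolve => w.onmessage = resolve);
       w.onerror = () => parent.postMessage('error');
       w.postMessage(\`${worker_eval}\`);
       const response = await worker_response;
       parent.postMessage(response.data);
     })();
   `;

   const iframe = document.createElement("iframe");
   t.add_cleanup(() => iframe.remove());
   iframe.src = iframe_url;
   const iframe_loaded = new Promise(resolve => iframe.onload = resolve);
   document.body.appendChild(iframe);
   await iframe_loaded;

   // Accept only the message posted by this test's own iframe: a "message"
   // event from any other window would otherwise be taken as the verdict and
   // compared against |result|. The listener is removed at cleanup so that one
   // listener per check() call does not pile up on this window.
   const iframe_response = new Promise(resolve => {
     const on_message = (event) => {
       if (event.source === iframe.contentWindow) {
         resolve(event);
       }
     };
     window.addEventListener("message", on_message);
     t.add_cleanup(() => window.removeEventListener("message", on_message));
   });
   iframe.contentWindow.postMessage(iframe_eval);

   const {data} = await iframe_response;
   assert_equals(data, result);
 }, `${iframe_coep} ${worker_coep} ${response_corp}`);
}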
    114 
// -----------------------------------------------------------------------------
//    iframe_coep         , worker_coep         , response_corp       , result
// -----------------------------------------------------------------------------
// Only a COEP:require-corp worker reading a CORP-less cross-origin response is
// expected to fail; a COEP:require-corp iframe cannot even start a COEP:none
// worker ("error").
const test_matrix = [
 ["coep-none"         , "coep-none"         , "corp-cross-origin" , "success"],
 ["coep-none"         , "coep-none"         , "corp-undefined"    , "success"],
 ["coep-none"         , "coep-require-corp" , "corp-cross-origin" , "success"],
 ["coep-none"         , "coep-require-corp" , "corp-undefined"    , "failure"],
 ["coep-require-corp" , "coep-none"         , "corp-cross-origin" , "error"],
 ["coep-require-corp" , "coep-none"         , "corp-undefined"    , "error"],
 ["coep-require-corp" , "coep-require-corp" , "corp-cross-origin" , "success"],
 ["coep-require-corp" , "coep-require-corp" , "corp-undefined"    , "failure"],
];
for (const [iframe_coep, worker_coep, response_corp, result] of test_matrix) {
 check(iframe_coep, worker_coep, response_corp, result);
}
    126 
    127 </script>
    128 </html>