
credentialless-dedicated-worker.https.tentative.window.js (3110B)


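// META: timeout=long
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=/service-workers/service-worker/resources/test-helpers.sub.js
// META: script=./resources/common.js

// Checks whether a DedicatedWorker spawned under a given DIP value sends
// cookies with a `credentials: 'include'` no-cors fetch, for same-origin and
// cross-origin targets. The helpers used below (setCookie, parseCookies,
// createDedicatedWorkerContext, showRequestHeaders, receive, token,
// promise_test_parallel, RemoteContext) and the cookie_same_site_none / dip_*
// constants are provided by the META scripts above; presumably most of them
// live in ./resources/common.js.
const same_origin = get_host_info().HTTPS_ORIGIN;
const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
const cookie_key = "credentialless_dedicated_worker";
const cookie_same_origin = "same_origin";
const cookie_cross_origin = "cross_origin";

promise_test(async test => {
  // Plant one distinguishable cookie per origin, so the echoed request
  // headers reveal which origin's credentials (if any) reached the server.
  await Promise.all([
    setCookie(same_origin, cookie_key, cookie_same_origin +
      cookie_same_site_none),
    setCookie(cross_origin, cookie_key, cookie_cross_origin +
      cookie_same_site_none),
  ]);

  // Extracts the test cookie from the JSON-encoded request headers echoed
  // back for a request token; yields undefined when the cookie was not sent.
  const getCookie = (response) => {
    const headers_credentialless = JSON.parse(response);
    return parseCookies(headers_credentialless)[cookie_key];
  };

  // Makes the remote context `ctx` fetch `request_url` with credentials.
  // The fetch might fail when a DedicatedWorker with DIP
  // isolate-and-require-corp tries to fetch a cross-origin resource. Silently
  // catch the error as we're only interested in whether the cookies were sent
  // with the fetch in the first place.
  async function fetchInRemoteContext(ctx, request_url) {
    try {
      await ctx.execute_script(
        async (url) => {
          await fetch(url, {mode: 'no-cors', credentials: 'include'});
        }, [request_url]);
    } catch (error) {
      // Deliberately ignored: a rejected fetch still records its request
      // headers server-side, which is all the assertion below looks at.
    }
  }

  // Registers one parallel subtest.
  //   description:      suffix of the subtest name.
  //   origin:           origin of the resource the worker fetches.
  //   dip_for_worker:   DIP value for the iframe that spawns the worker.
  //   expected_cookies: cookie value the server should have received, or
  //                     undefined when no credentials are expected.
  const dedicatedWorkerTest = function(
    description, origin, dip_for_worker,
    expected_cookies) {
    promise_test_parallel(async t => {
      // Create one iframe with the specified DIP isolate-and-credentialless.
      // Then start a DedicatedWorker. The DedicatedWorker will inherit the DIP
      // of its creator.
      // NOTE(review): the enclosing `test` object is passed here rather than
      // the subtest `t`, so anything the helper registers (e.g. cleanup) is
      // tied to the outer test — confirm this is intended.
      const worker = await createDedicatedWorkerContext(test, same_origin, dip_for_worker);
      const worker_context = new RemoteContext(worker[0]);

      // Fetch resources with the worker; the token lets us retrieve the
      // request headers the server saw for exactly this request.
      const request_token = token();
      const request_url = showRequestHeaders(origin, request_token);

      await fetchInRemoteContext(worker_context, request_url);
      const response_worker = await receive(request_token).then(getCookie);
      assert_equals(response_worker,
        expected_cookies,
        "dip => ");
    }, `fetch ${description}`);
  };

  dedicatedWorkerTest("same-origin + credentialless worker",
    same_origin, dip_credentialless,
    cookie_same_origin);

  dedicatedWorkerTest("same-origin + require_corp worker",
    same_origin, dip_require_corp,
    cookie_same_origin);

  dedicatedWorkerTest("cross-origin + credentialless worker",
    cross_origin, dip_credentialless,
    undefined // Worker created successfully with credentialless, and fetch doesn't get credentials
  );

  dedicatedWorkerTest("cross-origin + require_corp worker",
    cross_origin, dip_require_corp,
    cookie_cross_origin // The worker's policy is require_corp, so the resource will be requested with cookies
                        // but the load will fail because the response does not
                        // have CORP cross-origin.
  );
});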