tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

credentialless-fetch.https.tentative.window.js (4350B)

      1 // META: script=/common/get-host-info.sub.js
      2 // META: script=/common/utils.js
      3 // META: script=/common/dispatcher/dispatcher.js
      4 // META: script=./resources/common.js
      5 
      6 promise_test(async test => {
      7  const same_origin = get_host_info().HTTPS_ORIGIN;
      8  const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
      9  const cookie_key = "dip_credentialless_fetch";
     10  const cookie_same_origin = "same_origin";
     11  const cookie_cross_origin = "cross_origin";
     12 
     13  await Promise.all([
     14    setCookie(same_origin, cookie_key, cookie_same_origin +
     15      cookie_same_site_none),
     16    setCookie(cross_origin, cookie_key, cookie_cross_origin +
     17      cookie_same_site_none),
     18  ]);
     19 
     20  // One window with DIP:none. (control)
     21  const w_control_token = token();
     22  const w_control_url = same_origin + executor_path +
     23    dip_none + `&uuid=${w_control_token}`
     24  const w_control = window.open(w_control_url);
     25  add_completion_callback(() => w_control.close());
     26 
     27  // One window with DIP:isolate-and-credentialless. (experiment)
     28  const w_credentialless_token = token();
     29  const w_credentialless_url = same_origin + executor_path +
     30    dip_credentialless + `&uuid=${w_credentialless_token}`;
     31  const w_credentialless = window.open(w_credentialless_url);
     32  add_completion_callback(() => w_credentialless.close());
     33 
     34  const fetchTest = function(
     35    description, origin, mode, credentials,
     36    expected_cookies_control,
     37    expected_cookies_credentialless)
     38  {
     39    promise_test_parallel(async test => {
     40      const token_1 = token();
     41      const token_2 = token();
     42 
     43      send(w_control_token, `
     44        fetch("${showRequestHeaders(origin, token_1)}", {
     45          mode:"${mode}",
     46          credentials: "${credentials}",
     47        });
     48      `);
     49      send(w_credentialless_token, `
     50        fetch("${showRequestHeaders(origin, token_2)}", {
     51          mode:"${mode}",
     52          credentials: "${credentials}",
     53        });
     54      `);
     55 
     56      const headers_control = JSON.parse(await receive(token_1));
     57      const headers_credentialless = JSON.parse(await receive(token_2));
     58 
     59      assert_equals(parseCookies(headers_control)[cookie_key],
     60        expected_cookies_control,
     61        "dip:none => ");
     62      assert_equals(parseCookies(headers_credentialless)[cookie_key],
     63        expected_cookies_credentialless,
     64        "dip:isolate-and-credentialless => ");
     65    }, `fetch ${description}`)
     66  };
     67 
     68  // Cookies are never sent with credentials='omit'
     69  fetchTest("same-origin + no-cors + credentials:omit",
     70    same_origin, 'no-cors', 'omit',
     71    undefined,
     72    undefined);
     73  fetchTest("same-origin + cors + credentials:omit",
     74    same_origin, 'cors', 'omit',
     75    undefined,
     76    undefined);
     77  fetchTest("cross-origin + no-cors + credentials:omit",
     78    cross_origin, 'no-cors', 'omit',
     79    undefined,
     80    undefined);
     81  fetchTest("cross-origin + cors + credentials:omit",
     82    cross_origin, 'cors', 'omit',
     83    undefined,
     84    undefined);
     85 
     86  // Same-origin request contains Cookies.
     87  fetchTest("same-origin + no-cors + credentials:include",
     88    same_origin, 'no-cors', 'include',
     89    cookie_same_origin,
     90    cookie_same_origin);
     91  fetchTest("same-origin + cors + credentials:include",
     92    same_origin, 'cors', 'include',
     93    cookie_same_origin,
     94    cookie_same_origin);
     95  fetchTest("same-origin + no-cors + credentials:same-origin",
     96    same_origin, 'no-cors', 'same-origin',
     97    cookie_same_origin,
     98    cookie_same_origin);
     99  fetchTest("same-origin + cors + credentials:same-origin",
    100    same_origin, 'cors', 'same-origin',
    101    cookie_same_origin,
    102    cookie_same_origin);
    103 
    104  // Cross-origin CORS requests contains Cookies, if credentials mode is set to
    105  // 'include'. This does not depends on DIP.
    106  fetchTest("cross-origin + cors + credentials:include",
    107    cross_origin, 'cors', 'include',
    108    cookie_cross_origin,
    109    cookie_cross_origin);
    110  fetchTest("cross-origin + cors + same-origin-credentials",
    111    cross_origin, 'cors', 'same-origin',
    112    undefined,
    113    undefined);
    114 
    115  // Cross-origin no-CORS requests includes Cookies when:
    116  // 1. credentials mode is 'include'
    117  // 2. DIP: is not credentialless.
    118  fetchTest("cross-origin + no-cors + credentials:include",
    119    cross_origin, 'no-cors', 'include',
    120    cookie_cross_origin,
    121    undefined);
    122 
    123  fetchTest("cross-origin + no-cors + credentials:same-origin",
    124    cross_origin, 'no-cors', 'same-origin',
    125    undefined,
    126    undefined);
    127 }, "");