tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

shared-workers.tentative.https.html (4820B)

      1 <!doctype html>
      2 <html>
      3 <meta charset="utf-8">
      4 <meta name="timeout" content="long">
      5 <title>COEP - policy derivation for Shared Workers</title>
      6 <script src="/resources/testharness.js"></script>
      7 <script src="/resources/testharnessreport.js"></script>
      8 <script src="/common/dispatcher/dispatcher.js"></script>
      9 <script src="/common/get-host-info.sub.js"></script>
     10 <script src="/common/utils.js"></script>
     11 <script src="resources/common.js"></script>
     12 <script src="resources/worker-support.js"></script>
     13 <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
     14 <body>
     15 <p>Verify the Document Isolation Policy for Shared Workers by performing a
     16 cross-origin "fetch" request for a resource that does not specify CORP. Only
     17 Shared Workers with the default DIP should be able to successfully perform
     18 this operation.</p>
     19 <script>
     20 'use strict';
     21 
     22 function makeWorkerUrl(options) {
     23  return resolveUrl("resources/shared-worker-fetch.js.py", options);
     24 }
     25 
     26 /**
     27 * Create a Shared Worker within an iframe and insrtuct it to fetch from a
     28 * specified URL and report on the success of the operation.
     29 *
     30 * @param {object} t - a testharness.js subtest instance (used to reset global
     31 *                     state)
     32 * @param {string} url - the URL from which the Shared Worker should be
     33 *                       created
     34 * @param {string} ownerDip - the Document Isolation Policy of the
     35                                       iframe
     36 */
     37 async function fetchFromWorker(t, url, ownerDip) {
     38  const uuid = await createIframeContext(t, get_host_info().HTTPS_ORIGIN, ownerDip);
     39  const ctx = new RemoteContext(uuid[0]);
     40  const resourceUrl =
     41   get_host_info().HTTPS_REMOTE_ORIGIN+"/html/document-isolation-policy/resources/nothing-no-corp.js";
     42  const result = await ctx.execute_script(
     43    async (workerUrl, fetchUrl) => {
     44      try {
     45        const worker = new SharedWorker(workerUrl);
     46        worker.onerror = (event) => {throw new Error("Worker.onerror should not be called");};
     47        await new Promise((resolve) => {
     48          worker.port.addEventListener('message', resolve, { once: true });
     49          worker.port.start();
     50        });
     51        return await new Promise((resolve) => {
     52          worker.port.postMessage(fetchUrl);
     53          worker.port.addEventListener(
     54          'message', (event) => resolve(event.data), { once: true });
     55        });
     56      } catch (error) {
     57        return error;
     58      }
     59    }, [url, resourceUrl]);
     60  return result;
     61 }
     62 
     63 promise_test(async (t) => {
     64  const result = await fetchFromWorker(t, makeWorkerUrl(), dip_none);
     65  assert_equals(result, 'success');
     66 }, 'default policy (derived from response)');
     67 
     68 promise_test(async (t) => {
     69  const result = await fetchFromWorker(t, makeWorkerUrl({ dip: 'isolate-and-require-corp' }), dip_none);
     70  assert_equals(result, 'failure');
     71 }, '"isolate-and-require-corp" (derived from response)');
     72 
     73 promise_test(async (t) => {
     74  const blobUrl = await createLocalUrl(t, {
     75    url: makeWorkerUrl(),
     76    scheme: "blob",
     77  });
     78  const result = await fetchFromWorker(t, blobUrl, dip_none);
     79  assert_equals(result, 'success');
     80 }, 'default policy (derived from owner set due to use of local scheme - blob URL)');
     81 
     82 promise_test(async (t) => {
     83  const blobUrl = await createLocalUrl(t, {
     84    url: makeWorkerUrl(),
     85    creatorDip: "isolate-and-require-corp",
     86    scheme: "blob",
     87  });
     88  const result = await fetchFromWorker(t, blobUrl, dip_none);
     89  assert_equals(result, 'failure');
     90 }, 'isolate-and-require-corp (derived from blob URL creator)');
     91 
     92 promise_test(async (t) => {
     93  const blobUrl = await createLocalUrl(t, {
     94    url: makeWorkerUrl(),
     95    scheme: "blob",
     96  });
     97  const result = await fetchFromWorker(t, blobUrl, dip_require_corp);
     98  assert_equals(result, 'failure');
     99 }, '"isolate-and-require-corp" (derived from owner set due to use of local scheme - blob URL)');
    100 
    101 promise_test(async (t) => {
    102  const dataUrl = await createLocalUrl(t, {
    103    url: makeWorkerUrl(),
    104    scheme: "data",
    105  });
    106  const result = await fetchFromWorker(t, dataUrl, dip_none);
    107  assert_equals(result, 'success');
    108 }, 'default policy (derived from owner set due to use of local scheme - data URL)');
    109 
    110 promise_test(async (t) => {
    111  const dataUrl = await createLocalUrl(t, {
    112    url: makeWorkerUrl(),
    113    creatorDip: "isolate-and-require-corp",
    114    scheme: "data",
    115  });
    116  const result = await fetchFromWorker(t, dataUrl, dip_none);
    117  assert_equals(result, 'success');
    118 }, 'default policy (not derived from data URL creator)');
    119 
    120 promise_test(async (t) => {
    121  const dataUrl = await createLocalUrl(t, {
    122    url: makeWorkerUrl(),
    123    scheme: "data",
    124  });
    125  const result = await fetchFromWorker(t, dataUrl, dip_require_corp);
    126  assert_equals(result, 'failure');
    127 }, '"isolate-and-require-corp" (derived from owner set due to use of local scheme - data URL)');
    128 </script>
    129 </body>
    130 </html>