
HostEnsureCanAddPrivateElement.window.js (4975B)


      1 // META: script=/common/get-host-info.sub.js
      2 
      3 // HTML PR https://github.com/whatwg/html/pull/8198 adds a definition for the
      4 // HostEnsureCanAddPrivateElement host hook which disallows private fields on
      5 // WindowProxy and Location objects.
      6 //
      7 // This test case ensures the hook works as designed.
      8 
// Origin table supplied by /common/get-host-info.sub.js, which the META line
// at the top of this file pulls in.
let host_info = get_host_info();

// URL of frame.html in the directory this test is served from, and the same
// URL carrying the "?setdomain" query.
// NOTE(review): presumably frame.html sets document.domain when it is loaded
// with "?setdomain" — confirm against frame.html.
const path =
  location.pathname.substring(0, location.pathname.lastIndexOf('/')) +
  '/frame.html';
const path_setdomain = `${path}?setdomain`;
     13 
/**
 * Base class whose constructor hands back the object it was given.
 *
 * When a base-class constructor returns an object, that object becomes `this`
 * in the derived constructor, so a subclass's field initialisers run against
 * `target` rather than a freshly allocated instance. A non-object argument is
 * ignored by `new` and an ordinary instance is produced instead.
 */
class Base {
  constructor(target) {
    return target;
  }
}
     19 
/**
 * Attempts to install the private field `#x` on the object passed to `new`.
 *
 * Base returns its argument, so the `#x` initialiser targets that object.
 * Per the header of this file, the HostEnsureCanAddPrivateElement hook must
 * refuse this for WindowProxy and Location objects; the tests below expect a
 * TypeError from `new Stamper(...)` on those objects.
 */
class Stamper extends Base {
  #x = 10;

  /**
   * Brand check: reports whether `candidate` carries Stamper's `#x` field.
   * Used by the tests to confirm a rejected stamp left nothing behind.
   */
  static hasX(candidate) {
    return #x in candidate;
  }
}
     24 
/**
 * Loads `a_src` in a new iframe, then navigates that iframe to `b_src`, and
 * after each load checks that Stamper cannot add its private field to the
 * iframe's WindowProxy.
 *
 * The second check also asserts that `contentWindow` is still the same object
 * as before the navigation, so a field stamped before navigating would have
 * remained visible on the object that now fronts the new document.
 *
 * @param {string} a_src - URL for the initial load.
 * @param {string} b_src - URL the iframe is navigated to afterwards.
 * @returns {Promise<void>} Resolves when both checks pass; rejects with the
 *     first assertion failure.
 */
function test_iframe_window(a_src, b_src) {
  const frame = document.createElement("iframe");
  document.body.appendChild(frame);

  // Settle functions are captured so the nested load handlers can finish the
  // test from outside the executor.
  let pass;
  let fail;
  const outcome = new Promise((resolve, reject) => {
    pass = resolve;
    fail = reject;
  });

  // Runs on the second load, i.e. after the navigation to b_src.
  const checkAfterNavigation = (windowA) => {
    const windowB = frame.contentWindow;
    try {
      assert_equals(windowA == windowB, true, "Window is same");
      assert_throws_js(TypeError, () => {
        new Stamper(windowA);
      }, "Can't Stamp (maybe cross-origin) exotics on WindowProxy");
      assert_equals(Stamper.hasX(windowB), false, "Didn't stamp on WindowProxy");
    } catch (e) {
      fail(e);
      return;
    }
    pass();
  };

  frame.src = a_src;
  frame.onload = () => {
    const windowA = frame.contentWindow;
    try {
      assert_throws_js(TypeError, () => {
        new Stamper(windowA);
      }, "Can't Stamp (maybe cross-origin) exotic WindowProxy");
      assert_equals(Stamper.hasX(windowA), false, "Didn't stamp on WindowProxy");
    } catch (e) {
      fail(e);
      return;
    }

    // First check passed: navigate and swap in the handler for the second load.
    frame.src = b_src;
    frame.onload = () => checkAfterNavigation(windowA);
  };

  return outcome;
}
     66 
     67 
/**
 * Loads `a_src` in a new iframe, then navigates that iframe to `b_src`, and
 * after each load checks that Stamper cannot add its private field to the
 * iframe's Location object.
 *
 * Unlike the WindowProxy variant, the Location object is re-read from
 * `contentWindow` after the navigation and no identity assertion is made.
 *
 * @param {string} a_src - URL for the initial load.
 * @param {string} b_src - URL the iframe is navigated to afterwards.
 * @returns {Promise<void>} Resolves when both checks pass; rejects with the
 *     first assertion failure.
 */
function test_iframe_location(a_src, b_src) {
  const frame = document.createElement("iframe");
  document.body.appendChild(frame);

  // Settle functions are captured so the nested load handlers can finish the
  // test from outside the executor.
  let pass;
  let fail;
  const outcome = new Promise((resolve, reject) => {
    pass = resolve;
    fail = reject;
  });

  // Runs on the second load, i.e. after the navigation to b_src.
  const checkAfterNavigation = () => {
    const locB = frame.contentWindow.location;
    try {
      assert_throws_js(TypeError, () => {
        new Stamper(locB);
      }, "Can't Stamp cross-origin exotic Location");
      assert_equals(Stamper.hasX(locB), false, "Didn't stamp on Location");
    } catch (e) {
      fail(e);
      return;
    }
    pass();
  };

  frame.src = a_src;
  frame.onload = () => {
    const locA = frame.contentWindow.location;
    try {
      assert_throws_js(TypeError, () => {
        new Stamper(locA);
      }, "Can't Stamp (maybe cross-origin) exotic Location");
      assert_equals(Stamper.hasX(locA), false, "Didn't stamp on Location");
    } catch (e) {
      fail(e);
      return;
    }

    // First check passed: navigate and swap in the handler for the second load.
    frame.src = b_src;
    frame.onload = () => checkAfterNavigation();
  };

  return outcome;
}
    108 
// WindowProxy: same-origin, cross-origin by port, cross-origin by host, and a
// navigation to the "?setdomain" variant of frame.html.
promise_test(
  () => test_iframe_window(host_info.HTTP_ORIGIN, host_info.HTTP_ORIGIN),
  "Same Origin: WindowProxy"
);
promise_test(
  () => test_iframe_window(host_info.HTTP_ORIGIN, host_info.HTTP_ORIGIN_WITH_DIFFERENT_PORT),
  "Cross Origin (port): WindowProxy"
);
promise_test(
  () => test_iframe_window(host_info.HTTP_ORIGIN, host_info.HTTP_REMOTE_ORIGIN),
  "Cross Origin (remote): WindowProxy"
);
promise_test(
  () => test_iframe_window(path, path_setdomain),
  "Same Origin + document.domain WindowProxy"
);

// Location: the same four navigations.
// NOTE(review): the two cross-origin labels below look swapped relative to the
// WindowProxy group — "(remote)" is attached to the different-port case and
// the remote-origin case has no qualifier. The strings are left untouched here
// because they are the names the tests report under.
promise_test(
  () => test_iframe_location(host_info.HTTP_ORIGIN, host_info.HTTP_ORIGIN),
  "Same Origin: Location"
);
promise_test(
  () => test_iframe_location(host_info.HTTP_ORIGIN, host_info.HTTP_ORIGIN_WITH_DIFFERENT_PORT),
  "Cross Origin (remote): Location"
);
promise_test(
  () => test_iframe_location(host_info.HTTP_ORIGIN, host_info.HTTP_REMOTE_ORIGIN),
  "Cross Origin: Location"
);
promise_test(
  () => test_iframe_location(path, path_setdomain),
  "Same Origin + document.domain: Location"
);

// We can do this because promise_test promises to queue tests
// https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests

// Self-assignment of document.domain in this (parent) document. Because the
// tests are queued, every case after this one runs with it already set.
promise_test(
  async () => document.domain = document.domain,
  "Set document.domain"
);

// NOTE(review): the WindowProxy labels below say "does carry private fields
// after navigation", yet test_iframe_window asserts that stamping throws and
// that hasX() is false. The wording looks inverted — confirm the intent.
promise_test(
  () => test_iframe_location(path, path_setdomain),
  "(After document.domain set) Same Origin + document.domain: Location"
);
promise_test(
  () => test_iframe_window(path, path_setdomain),
  "(After document.domain set) Same Origin + document.domain WindowProxy does carry private fields after navigation"
);

promise_test(
  () => test_iframe_location(path_setdomain, path_setdomain),
  "(After document.domain set) Local navigation (setdomain) Location"
);
promise_test(
  () => test_iframe_window(path_setdomain, path_setdomain),
  "(After document.domain set) Local navigation (setdomain) WindowProxy does carry private fields after navigation"
);