tor-browser

The Tor Browser

stateful-client-bounce.sub.https.html (3074B)


      1 <!DOCTYPE HTML>
      2 <meta charset=utf-8>
      3 <title>Bounce Tracking Mitigations: Stateful Client Bounce</title>
      4 <body>body for test_driver.bless</body>
      5 <script src=/resources/testharness.js></script>
      6 <script src=/resources/testharnessreport.js></script>
      7 <script src=/resources/testdriver.js></script>
      8 <script src=/resources/testdriver-vendor.js></script>
      9 <script src=/cookies/resources/cookie-helper.sub.js></script>
     10 <script src=/storage-access-api/helpers.js></script>
     11 <script>
     12  async function CheckCrossSiteCookieAccess(t) {
     13    const altOrigin = "https://{{hosts[alt][]}}:{{ports[https][0]}}";
     14    const altPath = "/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js";
     15    const url = `${altOrigin}${altPath}`;
     16 
     17    await SetFirstPartyCookie(altOrigin);
     18    t.add_cleanup(async () => {
     19      await test_driver.delete_all_cookies();
     20      await MaybeSetStorageAccess("*", "*", "allowed");
     21    });
     22 
     23    const frame = await CreateFrame(url);
     24    const hasCookieAccess = await HasUnpartitionedCookie(frame);
     25 
     26    return hasCookieAccess;
     27  }
     28 
     29  promise_test(async t => {
     30    await MaybeSetStorageAccess("*", "*", "blocked");
     31 
     32    if (await CheckCrossSiteCookieAccess(t)) {
     33      // Nothing to test here, as cross-site cookies are not blocked.
     34      // See https://github.com/privacycg/storage-access/issues/162.
     35      return;
     36    }
     37 
     38    let linkInNewPage = null;
     39 
     40    // Open a new tab and retrieve the link to start the test.
     41    await test_driver.bless('open page to start test', async () => {
     42      const otherTab = window.open(
     43        'resources/redirect-chain-start-stateful.sub.https.html');
     44 
     45      await new Promise(resolve => otherTab.addEventListener('load', resolve));
     46      linkInNewPage = otherTab.document.getElementById('navigate-link');
     47    });
     48 
     49    const redirectEndedPromise = new Promise(resolve => {
     50      window.addEventListener('message', resolve, {once: true});
     51    });
     52 
     53    // Click the link in the new tab.
     54    //
     55    // Ideally, we would click this from within the page, but because the page
     56    // immediately navigates away, test_driver fails as it expects the page to
     57    // not navigate away. Doing this from the main test page avoids the issue.
     58    test_driver.click(linkInNewPage);
     59 
     60    await redirectEndedPromise;
     61 
     62    let result = [];
     63    while (result.length == 0) {
     64      result = await test_driver.run_bounce_tracking_mitigations();
     65    }
     66    assert_array_equals(result, ['{{hosts[alt][]}}']);
     67 
     68    // Open a page on the bounce origin, and check that cookies have been
     69    // cleared.
     70    const getCookiesFromBounceOrigin = new Promise(
     71      resolve => {
     72        window.addEventListener(
     73          'message',
     74          (event) => { resolve(event.data.cookie) },
     75          {once: true})
     76    });
     77 
     78    const url = new URL(
     79      'resources/cross-origin-get-cookie.sub.https.html',
     80      window.location.href);
     81    url.hostname = '{{hosts[alt][]}}';
     82    window.open(url);
     83 
     84    assert_equals(await getCookiesFromBounceOrigin, '');
     85  }, 'Bounce tracking mitigations deleting state for a bounce tracker');
     86 </script>