
navigation-sets-cookie.https.html (6351B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8"/>
      3 <meta name="timeout" content="long">
      4 <title>Service Worker: Navigation setting cookies</title>
      5 <script src="/resources/testharness.js"></script>
      6 <script src="/resources/testharnessreport.js"></script>
      7 <script src="/common/get-host-info.sub.js"></script>
      8 <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
      9 <script src="/cookies/resources/cookie-helper.sub.js"></script>
     10 <body>
     11 <script>
     12 'use strict';
     13 
     // Scope path handed to the register/unregister helper pages. It is the
     // setSameSite.py URL with the `with-sw` query, which is the prefix of every
     // URL the navigation tests below load.
     const scopepath = "/cookies/resources/setSameSite.py?with-sw";
     15 
     // Opens unregister-rewrite-worker.html on |origin| with `scopepath` as its
     // (URL-encoded) query parameter, waits for the 'SW-UNREGISTERED' message, and
     // closes the helper window whether or not the wait succeeds.
     //
     // NOTE(review): unlike navigate_test, no origin is passed to
     // wait_for_message here; presumably a message from any sender is accepted.
     // Confirm against the helper's definition.
     async function unregister_service_worker(origin) {
       const helper_path =
           '/service-workers/service-worker/resources/unregister-rewrite-worker.html';
       const helper_url =
           `${origin}${helper_path}?scopepath=${encodeURIComponent(scopepath)}`;
       const helper_window = window.open(helper_url);
       try {
         await wait_for_message('SW-UNREGISTERED');
       } finally {
         // Always release the popup, even when the wait rejects.
         helper_window.close();
       }
     }
     27 
     // Opens register-rewrite-worker.html on |origin| with `scopepath` as its
     // (URL-encoded) query parameter, waits for the 'SW-REGISTERED' message, and
     // closes the helper window whether or not the wait succeeds.
     //
     // NOTE(review): no origin is passed to wait_for_message here, so the sender
     // of 'SW-REGISTERED' is presumably not checked. Confirm against the helper's
     // definition.
     async function register_service_worker(origin) {
       const helper_path =
           '/service-workers/service-worker/resources/register-rewrite-worker.html';
       const helper_url =
           `${origin}${helper_path}?scopepath=${encodeURIComponent(scopepath)}`;
       const helper_window = window.open(helper_url);
       try {
         await wait_for_message('SW-REGISTERED');
       } finally {
         // Always release the popup, even when the wait rejects.
         helper_window.close();
       }
     }
     39 
     // Opens the cookie puppet page on |origin|, waits for it to report 'READY',
     // sends it a { type: 'drop' } message and waits for 'drop-complete'. The
     // puppet window is closed on every exit path.
     //
     // The message is posted with targetOrigin '*'. The payload holds only the
     // command name, so nothing sensitive is exposed if the window has navigated.
     async function clear_cookies(origin) {
       const puppet_url = `${origin}/cookies/samesite/resources/puppet.html`;
       const puppet = window.open(puppet_url);
       try {
         await wait_for_message('READY');
         const drop_command = { type: 'drop' };
         puppet.postMessage(drop_command, '*');
         await wait_for_message('drop-complete');
       } finally {
         puppet.close();
       }
     }
     51 
     52 // The following tests are adapted from /cookies/samesite/setcookie-navigation.https.html
     53 
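     // Asserts that every cookie named in `expected_cookie_names` is present in
     // (truthy `expectation`) or absent from (falsy `expectation`) the cookie
     // string `cookies`, carrying exactly the value `value`.
     //
     //   cookies               - "name=value; name=value" cookie string to search.
     //   value                 - cookie value each name is expected to carry.
     //   expected_cookie_names - iterable of cookie names to look for.
     //   expectation           - true to assert presence, false to assert absence.
     function assert_cookies_present(cookies, value, expected_cookie_names, expectation) {
       // Names and values are data, not patterns. The value ends in a
       // Math.random() decimal, and an unescaped "." would match any character
       // and let a different cookie value pass the check.
       const escape_regexp = (text) => String(text).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
       const assertion = expectation ? assert_true : assert_false;
       // `const` keeps the loop variable local. A bare `name` resolves to the
       // window.name property in a browser and overwrites it.
       for (const name of expected_cookie_names) {
         const re = new RegExp(
             "(?:^|; )" + escape_regexp(name) + "=" + escape_regexp(value) + "(?:$|;)");
         assertion(re.test(cookies), "`" + name + "=" + value + "` in cookies");
       }
     }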
     63 
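     // Registers a promise_test named |title| that navigates a popup from
     // SECURE_ORIGIN to setSameSite.py on |origin_to| and asserts that all four
     // SameSite cookie variants were set with this run's value.
     //
     //   method    - "POST" sends the 'post-form' command to the popup; any other
     //               value sends 'navigate'.
     //   origin_to - origin that serves setSameSite.py and reports 'COOKIES_SET'.
     //   query     - query prefix for setSameSite.py. It also forms the first
     //               part of the expected cookie value.
     //   title     - test name passed to promise_test.
     function navigate_test(method, origin_to, query, title) {
       promise_test(async function(t) {
         // The cookies don't need to be cleared on each run because |value| is
         // a new random value on each run, so each run overwrites and checks a
         // cookie with a different value. Math.random() is used for uniqueness
         // only, not as a secret.
         const value = query + "&" + Math.random();
         const url_from = SECURE_ORIGIN + "/cookies/samesite/resources/navigate.html";
         const url_to = origin_to + "/cookies/resources/setSameSite.py?" + value;
         const w = window.open(url_from);
         // try/finally matches the helpers above, so the popup is closed even
         // when a wait or an assertion fails and cannot leak into later tests.
         try {
           await wait_for_message('READY', SECURE_ORIGIN);
           assert_equals(SECURE_ORIGIN, window.origin);
           assert_equals(SECURE_ORIGIN, w.origin);
           const command = (method === "POST") ? "post-form" : "navigate";
           // targetOrigin is '*'. The popup was just asserted to be on
           // SECURE_ORIGIN and the payload is only the command and target URL.
           w.postMessage({ type: command, url: url_to }, "*");
           // Only a 'COOKIES_SET' message associated with |origin_to| is awaited.
           const message = await wait_for_message('COOKIES_SET', origin_to);
           const samesite_cookie_names =
               ['samesite_strict', 'samesite_lax', 'samesite_none', 'samesite_unspecified'];
           assert_cookies_present(message.data.cookies, value, samesite_cookie_names, true);
         } finally {
           w.close();
         }
       }, title);
     }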
     86 
     // Setup step, registered as the first test: install the service worker on
     // the same-site origin and then on the cross-site origin, one after the other.
     promise_test(async function(t) {
       for (const origin of [SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN]) {
         await register_service_worker(origin);
       }
     }, 'Setup service workers');
     91 
     // One row per navigation test, in registration order:
     //   [HTTP method, destination origin, setSameSite.py query, test title].
     // The query selects the service-worker mode named in the title (fallback,
     // passthrough, navpreload, change-request). Every mode is expected to let
     // the navigation set all SameSite cookie variants, same-site and cross-site.
     const navigation_cases = [
       ["GET", SECURE_ORIGIN, "with-sw&ignore",
        "Same-site top-level navigation with fallback service worker should be able to set SameSite=* cookies."],
       ["GET", SECURE_CROSS_SITE_ORIGIN, "with-sw&ignore",
        "Cross-site top-level navigation with fallback service worker should be able to set SameSite=* cookies."],
       ["POST", SECURE_ORIGIN, "with-sw&ignore",
        "Same-site top-level POST with fallback service worker should be able to set SameSite=* cookies."],
       ["POST", SECURE_CROSS_SITE_ORIGIN, "with-sw&ignore",
        "Cross-site top-level with fallback service worker POST should be able to set SameSite=* cookies."],

       ["GET", SECURE_ORIGIN, "with-sw",
        "Same-site top-level navigation with passthrough service worker should be able to set SameSite=* cookies."],
       ["GET", SECURE_CROSS_SITE_ORIGIN, "with-sw",
        "Cross-site top-level navigation with passthrough service worker should be able to set SameSite=* cookies."],
       ["POST", SECURE_ORIGIN, "with-sw",
        "Same-site top-level POST with passthrough service worker should be able to set SameSite=* cookies."],
       ["POST", SECURE_CROSS_SITE_ORIGIN, "with-sw",
        "Cross-site top-level with passthrough service worker POST should be able to set SameSite=* cookies."],

       ["GET", SECURE_ORIGIN, "with-sw&navpreload",
        "Same-site top-level navigation with navpreload service worker should be able to set SameSite=* cookies."],
       ["GET", SECURE_CROSS_SITE_ORIGIN, "with-sw&navpreload",
        "Cross-site top-level navigation with navpreload service worker should be able to set SameSite=* cookies."],
       // navpreload not supported with POST method

       ["GET", SECURE_ORIGIN, "with-sw&change-request",
        "Same-site top-level navigation with change-request service worker should be able to set SameSite=* cookies."],
       ["GET", SECURE_CROSS_SITE_ORIGIN, "with-sw&change-request",
        "Cross-site top-level navigation with change-request service worker should be able to set SameSite=* cookies."],
       ["POST", SECURE_ORIGIN, "with-sw&change-request",
        "Same-site top-level POST with change-request service worker should be able to set SameSite=* cookies."],
       ["POST", SECURE_CROSS_SITE_ORIGIN, "with-sw&change-request",
        "Cross-site top-level with change-request service worker POST should be able to set SameSite=* cookies."],
     ];

     for (const [method, origin_to, query, title] of navigation_cases) {
       navigate_test(method, origin_to, query, title);
     }
    124 
    // Cleanup step, registered as the last test: remove the service workers on
    // both origins first, then drop the cookies on both origins, so no worker or
    // cookie state is left behind for other tests.
    promise_test(async function(t) {
      const origins = [SECURE_ORIGIN, SECURE_CROSS_SITE_ORIGIN];
      for (const origin of origins) {
        await unregister_service_worker(origin);
      }
      for (const origin of origins) {
        await clear_cookies(origin);
      }
    }, 'Cleanup service workers');
    131 
    132 </script>
    133 </body>