tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

fetch-canvas-tainting-tests.js (9374B)

      1 // This is the main driver of the canvas tainting tests.
      2 const NOT_TAINTED = 'NOT_TAINTED';
      3 const TAINTED = 'TAINTED';
      4 const LOAD_ERROR = 'LOAD_ERROR';
      5 
      6 let frame;
      7 
      8 // Creates a single promise_test.
      9 function canvas_taint_test(url, cross_origin, expected_result) {
     10  promise_test(t => {
     11      return frame.contentWindow.create_test_case_promise(url, cross_origin)
     12        .then(result => {
     13          assert_equals(result, expected_result);
     14        });
     15    }, 'url "' + url + '" with crossOrigin "' + cross_origin + '" should be ' +
     16           expected_result);
     17 }
     18 
     19 
     20 // Runs all the tests. The given |params| has these properties:
     21 // * |resource_path|: the relative path to the (image/video) resource to test.
     22 // * |cache|: when true, the service worker bounces responses into
     23 //   Cache Storage and back out before responding with them.
     24 function do_canvas_tainting_tests(params) {
     25  const host_info = get_host_info();
     26  let resource_path = params.resource_path;
     27  if (params.cache)
     28    resource_path += "&cache=true";
     29  const resource_url = host_info['HTTPS_ORIGIN'] + resource_path;
     30  const remote_resource_url = host_info['HTTPS_REMOTE_ORIGIN'] + resource_path;
     31 
     32  // Set up the service worker and the frame.
     33  promise_test(function(t) {
     34      const SCOPE = 'resources/fetch-canvas-tainting-iframe.html';
     35      const SCRIPT = 'resources/fetch-rewrite-worker.js';
     36      const host_info = get_host_info();
     37 
     38      // login_https() is needed because some test cases use credentials.
     39      return login_https(t)
     40        .then(function() {
     41            return service_worker_unregister_and_register(t, SCRIPT, SCOPE);
     42          })
     43        .then(function(registration) {
     44            promise_test(() => {
     45                if (frame)
     46                  frame.remove();
     47                return registration.unregister();
     48              }, 'restore global state');
     49 
     50            return wait_for_state(t, registration.installing, 'activated');
     51          })
     52        .then(function() { return with_iframe(SCOPE); })
     53        .then(f => {
     54            frame = f;
     55          });
     56    }, 'initialize global state');
     57 
     58  // Reject tests. Add '&reject' so the service worker responds with a rejected promise.
     59  // A load error is expected.
     60  canvas_taint_test(resource_url + '&reject', '', LOAD_ERROR);
     61  canvas_taint_test(resource_url + '&reject', 'anonymous', LOAD_ERROR);
     62  canvas_taint_test(resource_url + '&reject', 'use-credentials', LOAD_ERROR);
     63 
     64  // Fallback tests. Add '&ignore' so the service worker does not respond to the fetch
     65  // request, and we fall back to network.
     66  canvas_taint_test(resource_url + '&ignore', '', NOT_TAINTED);
     67  canvas_taint_test(remote_resource_url + '&ignore', '', TAINTED);
     68  canvas_taint_test(remote_resource_url + '&ignore', 'anonymous', LOAD_ERROR);
     69  canvas_taint_test(
     70      remote_resource_url + '&ACAOrigin=' + host_info['HTTPS_ORIGIN'] +
     71          '&ignore',
     72      'anonymous',
     73      NOT_TAINTED);
     74  canvas_taint_test(remote_resource_url + '&ignore', 'use-credentials', LOAD_ERROR);
     75  canvas_taint_test(
     76      remote_resource_url + '&ACAOrigin=' + host_info['HTTPS_ORIGIN'] +
     77          '&ignore',
     78      'use-credentials',
     79      LOAD_ERROR);
     80  canvas_taint_test(
     81      remote_resource_url + '&ACAOrigin=' + host_info['HTTPS_ORIGIN'] +
     82          '&ACACredentials=true&ignore',
     83      'use-credentials',
     84      NOT_TAINTED);
     85 
     86  // Credential tests (with fallback). Add '&Auth' so the server requires authentication.
     87  // Furthermore, add '&ignore' so the service worker falls back to network.
     88  canvas_taint_test(resource_url + '&Auth&ignore', '', NOT_TAINTED);
     89  canvas_taint_test(remote_resource_url + '&Auth&ignore', '', TAINTED);
     90  canvas_taint_test(
     91      remote_resource_url + '&Auth&ignore', 'anonymous', LOAD_ERROR);
     92  canvas_taint_test(
     93      remote_resource_url + '&Auth&ignore',
     94      'use-credentials',
     95      LOAD_ERROR);
     96  canvas_taint_test(
     97      remote_resource_url + '&Auth&ACAOrigin=' + host_info['HTTPS_ORIGIN'] +
     98      '&ignore',
     99      'use-credentials',
    100      LOAD_ERROR);
    101  canvas_taint_test(
    102      remote_resource_url + '&Auth&ACAOrigin=' + host_info['HTTPS_ORIGIN'] +
    103      '&ACACredentials=true&ignore',
    104      'use-credentials',
    105      NOT_TAINTED);
    106 
    107  // In the following tests, the service worker provides a response.
    108  // Add '&url' so the service worker responds with fetch(url).
    109  // Add '&mode' to configure the fetch request options.
    110 
    111  // Basic response tests. Set &url to the original url.
    112  canvas_taint_test(
    113      resource_url + '&mode=same-origin&url=' + encodeURIComponent(resource_url),
    114      '',
    115      NOT_TAINTED);
    116  canvas_taint_test(
    117      resource_url + '&mode=same-origin&url=' + encodeURIComponent(resource_url),
    118      'anonymous',
    119      NOT_TAINTED);
    120  canvas_taint_test(
    121      resource_url + '&mode=same-origin&url=' + encodeURIComponent(resource_url),
    122      'use-credentials',
    123      NOT_TAINTED);
    124  canvas_taint_test(
    125      remote_resource_url + '&mode=same-origin&url=' +
    126          encodeURIComponent(resource_url),
    127      '',
    128      NOT_TAINTED);
    129  canvas_taint_test(
    130      remote_resource_url + '&mode=same-origin&url=' +
    131          encodeURIComponent(resource_url),
    132      'anonymous',
    133      NOT_TAINTED);
    134  canvas_taint_test(
    135      remote_resource_url + '&mode=same-origin&url=' +
    136          encodeURIComponent(resource_url),
    137      'use-credentials',
    138      NOT_TAINTED);
    139 
    140  // Opaque response tests. Set &url to the cross-origin URL, and &mode to
    141  // 'no-cors' so we expect an opaque response.
    142  canvas_taint_test(
    143      resource_url +
    144          '&mode=no-cors&url=' + encodeURIComponent(remote_resource_url),
    145      '',
    146      TAINTED);
    147  canvas_taint_test(
    148      resource_url +
    149          '&mode=no-cors&url=' + encodeURIComponent(remote_resource_url),
    150      'anonymous',
    151      LOAD_ERROR);
    152  canvas_taint_test(
    153      resource_url +
    154          '&mode=no-cors&url=' + encodeURIComponent(remote_resource_url),
    155      'use-credentials',
    156      LOAD_ERROR);
    157  canvas_taint_test(
    158      remote_resource_url +
    159          '&mode=no-cors&url=' + encodeURIComponent(remote_resource_url),
    160      '',
    161      TAINTED);
    162  canvas_taint_test(
    163      remote_resource_url +
    164          '&mode=no-cors&url=' + encodeURIComponent(remote_resource_url),
    165      'anonymous',
    166      LOAD_ERROR);
    167  canvas_taint_test(
    168      remote_resource_url +
    169          '&mode=no-cors&url=' + encodeURIComponent(remote_resource_url),
    170      'use-credentials',
    171      LOAD_ERROR);
    172 
    173  // CORS response tests. Set &url to the cross-origin URL, and &mode
    174  // to 'cors' to attempt a CORS request.
    175  canvas_taint_test(
    176      resource_url + '&mode=cors&url=' +
    177          encodeURIComponent(remote_resource_url +
    178                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    179      '',
    180      LOAD_ERROR); // We expect LOAD_ERROR since the server doesn't respond
    181                   // with an Access-Control-Allow-Credentials header.
    182  canvas_taint_test(
    183      resource_url + '&mode=cors&credentials=same-origin&url=' +
    184          encodeURIComponent(remote_resource_url +
    185                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    186      '',
    187      NOT_TAINTED);
    188  canvas_taint_test(
    189      resource_url + '&mode=cors&url=' +
    190          encodeURIComponent(remote_resource_url +
    191                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    192      'anonymous',
    193      NOT_TAINTED);
    194  canvas_taint_test(
    195      resource_url + '&mode=cors&url=' +
    196          encodeURIComponent(remote_resource_url +
    197                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    198      'use-credentials',
    199      LOAD_ERROR); // We expect LOAD_ERROR since the server doesn't respond
    200                   // with an Access-Control-Allow-Credentials header.
    201  canvas_taint_test(
    202      resource_url + '&mode=cors&url=' +
    203          encodeURIComponent(
    204              remote_resource_url +
    205              '&ACACredentials=true&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    206      'use-credentials',
    207      NOT_TAINTED);
    208  canvas_taint_test(
    209      remote_resource_url + '&mode=cors&url=' +
    210          encodeURIComponent(remote_resource_url +
    211                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    212      '',
    213      LOAD_ERROR); // We expect LOAD_ERROR since the server doesn't respond
    214                   // with an Access-Control-Allow-Credentials header.
    215  canvas_taint_test(
    216      remote_resource_url + '&mode=cors&credentials=same-origin&url=' +
    217          encodeURIComponent(remote_resource_url +
    218                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    219      '',
    220      NOT_TAINTED);
    221  canvas_taint_test(
    222      remote_resource_url + '&mode=cors&url=' +
    223          encodeURIComponent(remote_resource_url +
    224                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    225      'anonymous',
    226      NOT_TAINTED);
    227  canvas_taint_test(
    228      remote_resource_url + '&mode=cors&url=' +
    229          encodeURIComponent(remote_resource_url +
    230                             '&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    231      'use-credentials',
    232      LOAD_ERROR); // We expect LOAD_ERROR since the server doesn't respond
    233                   // with an Access-Control-Allow-Credentials header.
    234  canvas_taint_test(
    235      remote_resource_url + '&mode=cors&url=' +
    236          encodeURIComponent(
    237              remote_resource_url +
    238              '&ACACredentials=true&ACAOrigin=' + host_info['HTTPS_ORIGIN']),
    239      'use-credentials',
    240      NOT_TAINTED);
    241 }