tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

secure-context.https.html (2672B)

      1 <!doctype html>
      2 <meta charset=utf-8>
      3 <title>Ensure service worker is bypassed in insecure contexts</title>
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="/common/get-host-info.sub.js"></script>
      7 <script src="resources/test-helpers.sub.js"></script>
      8 <body>
      9 <script>
     10 
     11 // This test checks that an HTTPS iframe embedded in an HTTP document is not
     12 // loaded via a service worker, since it's not a secure context. To that end, we
     13 // first register a service worker, wait for its activation, and create an
     14 // iframe that is controlled by said service worker. We use the iframe as a
     15 // way to receive messages from the service worker.
     16 // The bulk of the test begins by opening an HTTP window with the noopener
     17 // option, installing a message event handler, and embedding an HTTPS iframe. If
     18 // the browser behaves correctly then the iframe will be loaded from the network
     19 // and will contain a script that posts a message to the parent window,
     20 // informing it that it was loaded from the network. If, however, the iframe is
     21 // intercepted, the service worker will return a page with a script that posts a
     22 // message to the parent window, informing it that it was intercepted.
     23 // Upon getting either result, the window will report the result to the service
     24 // worker by navigating to a reporting URL. The service worker will then inform
     25 // all clients about the result, including the controlled iframe from the
     26 // beginning of the test. The message event handler will verify that the result
     27 // is as expected, concluding the test.
     28 promise_test(t => {
     29    const SCRIPT = "resources/secure-context-service-worker.js";
     30    const SCOPE = "resources/";
     31    const HTTP_IFRAME_URL = get_host_info().HTTP_ORIGIN + base_path() + SCOPE + "secure-context/window.html";
     32    return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
     33        .then(registration => {
     34            t.add_cleanup(() => {
     35                return registration.unregister();
     36            });
     37            return wait_for_state(t, registration.installing, 'activated');
     38        })
     39        .then(() => {
     40            return with_iframe(SCOPE + "blank.html");
     41        })
     42        .then(iframe => {
     43            t.add_cleanup(() => {
     44                iframe.remove();
     45            });
     46            return new Promise(resolve => {
     47                iframe.contentWindow.navigator.serviceWorker.onmessage = t.step_func(event => {
     48                    assert_equals(event.data, 'network');
     49                    resolve();
     50                });
     51                window.open(HTTP_IFRAME_URL, 'MyWindow', 'noopener');
     52            });
     53        });
     54 })
     55 
     56 </script>
     57 </body>