tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

requestStorageAccessFor.sub.https.window.js (8870B)

      1 // META: script=/storage-access-api/helpers.js
      2 // META: script=/resources/testdriver.js
      3 // META: script=/resources/testdriver-vendor.js
      4 'use strict';
      5 
      6 const requestedOrigin = 'https://foo.com';
      7 const altOrigin = 'https://{{hosts[alt][www]}}:{{ports[https][0]}}';
      8 
      9 promise_test(
     10    async () => {
     11      assert_not_equals(document.requestStorageAccessFor, undefined);
     12    },
     13    '[top-level-context] document.requestStorageAccessFor() should be supported on the document interface');
     14 
     15 promise_test(
     16  t => {
     17    return promise_rejects_js(t, TypeError,
     18      document.requestStorageAccessFor(),
     19      'document.requestStorageAccessFor() call without origin argument');
     20  },
     21  '[top-level-context] document.requestStorageAccessFor() should be rejected when called with no argument');
     22 
     23 // Most tests need to start with the feature in "prompt" state.
     24 // For tests that rely on the permission state, this function is intended to be
     25 // run prior to executing test logic, rather than using clean-up functions for
     26 // the permission.
     27 async function CommonSetup() {
     28  await test_driver.set_permission(
     29    { name: 'top-level-storage-access', requestedOrigin }, 'prompt');
     30  await test_driver.set_permission(
     31    { name: 'top-level-storage-access', requestedOrigin: altOrigin }, 'prompt');
     32 }
     33 
     34 promise_test(async t => {
     35      await CommonSetup();
     36      return promise_rejects_dom(t, 'NotAllowedError',
     37        document.requestStorageAccessFor(requestedOrigin),
     38        'document.requestStorageAccessFor() call without user gesture');
     39    },
     40    '[top-level-context] document.requestStorageAccessFor() should be rejected by default with no user gesture');
     41 
     42 promise_test(async t => {
     43  const description =
     44      'document.requestStorageAccessFor() call in a detached frame';
     45  // Can't use promise_rejects_dom here because the exception is from the wrong global.
     46  return CreateDetachedFrame().requestStorageAccessFor(requestedOrigin)
     47      .then(t.unreached_func('Should have rejected: ' + description))
     48      .catch((e) => {
     49        assert_equals(e.name, 'InvalidStateError', description);
     50      });
     51 }, '[non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached frame');
     52 
     53 promise_test(async t => {
     54  const description =
     55      'document.requestStorageAccessFor() in a detached DOMParser result';
     56  return CreateDocumentViaDOMParser().requestStorageAccessFor(requestedOrigin)
     57      .then(t.unreached_func('Should have rejected: ' + description))
     58      .catch((e) => {
     59        assert_equals(e.name, 'InvalidStateError', description);
     60      });
     61 }, '[non-fully-active] document.requestStorageAccessFor() should not resolve when run in a detached DOMParser document');
     62 
     63 promise_test(
     64    async t => {
     65      await CommonSetup();
     66      await test_driver.set_permission(
     67          {name: 'top-level-storage-access', requestedOrigin}, 'granted');
     68 
     69      await document.requestStorageAccessFor(requestedOrigin);
     70    },
     71    '[top-level-context] document.requestStorageAccessFor() should be resolved without a user gesture with an existing permission');
     72 
     73 promise_test(
     74    async t => {
     75      await CommonSetup();
     76      await test_driver.set_permission(
     77          {name: 'top-level-storage-access', requestedOrigin: altOrigin},
     78          'granted');
     79 
     80      const frame = await CreateFrame(
     81        altOrigin + '/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
     82 
     83      await RunCallbackWithGesture(() => document.requestStorageAccessFor(altOrigin));
     84      assert_true(await RequestStorageAccessInFrame(frame));
     85    },
     86    '[top-level-context] document.requestStorageAccess() should be resolved without a user gesture after a successful requestStorageAccessFor() call');
     87 
     88 promise_test(
     89    async t => {
     90      await RunCallbackWithGesture(
     91        () => document.requestStorageAccessFor(document.location.origin));
     92    },
     93    '[top-level-context] document.requestStorageAccessFor() should be resolved when called properly with a user gesture and the same origin');
     94 
     95 promise_test(
     96   async t =>{
     97    await RunCallbackWithGesture(
     98      () => promise_rejects_js(t, TypeError, document.requestStorageAccessFor('bogus-url'),
     99          'document.requestStorageAccessFor() call with bogus URL'));
    100    },
    101    '[top-level-context] document.requestStorageAccessFor() should be rejected when called with an invalid origin');
    102 
    103 promise_test(
    104    async t => {
    105      await RunCallbackWithGesture(
    106        () => promise_rejects_dom(t, 'NotAllowedError', document.requestStorageAccessFor('data:,Hello%2C%20World%21'),
    107          'document.requestStorageAccessFor() call with data URL'));
    108    },
    109    '[top-level-context] document.requestStorageAccessFor() should be rejected when called with an opaque origin');
    110 
    111 promise_test(
    112    async (t) => {
    113      const altEchoCookieHeaderUrl =
    114          `${altOrigin}/storage-access-api/resources/echo-cookie-header.py`;
    115 
    116      await MaybeSetStorageAccess('*', '*', 'blocked');
    117      await CommonSetup();
    118 
    119      await test_driver.set_permission(
    120          {name: 'top-level-storage-access', requestedOrigin: altOrigin},
    121          'granted');
    122 
    123      // Set cross-site cookie for altOrigin. Note that this only works with
    124      // an existing top-level storage access permission.
    125      await fetch(
    126          `${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`,
    127          {mode: 'cors', credentials: 'include'});
    128 
    129      const httpCookies1 = await fetch(altEchoCookieHeaderUrl, {
    130                              mode: 'cors',
    131                              credentials: 'include'
    132                            }).then((resp) => resp.text());
    133      assert_true(
    134          httpCookies1.includes('cookie=1'),
    135          'After obtaining top-level storage access, cross-site subresource requests with CORS mode should have cookie access.');
    136 
    137      const httpCookies2 = await fetch(altEchoCookieHeaderUrl, {
    138                              mode: 'no-cors',
    139                              credentials: 'include'
    140                            }).then((resp) => resp.text());
    141      assert_false(
    142          httpCookies2.includes('cookie=1'),
    143          'Cross-site subresource requests without CORS mode cannot access cookie even with an existing permission.');
    144    },
    145    '[top-level-context] Top-level storage access only allows cross-site subresource requests to access cookie when using CORS mode.');
    146 
    147 promise_test(
    148    async () => {
    149      const frame = await CreateFrame(
    150        '/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
    151      assert_not_equals(frame.contentWindow.document.requestStorageAccessFor, undefined);
    152    },
    153    '[same-origin-iframe] document.requestStorageAccessFor() should be supported on the document interface');
    154 
    155 promise_test(
    156    async t => {
    157      const frame = await CreateFrame(
    158        '/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
    159      return promise_rejects_js(t, frame.contentWindow.TypeError,
    160        frame.contentWindow.document.requestStorageAccessFor(),
    161        'document.requestStorageAccessFor() call without origin argument');
    162    },
    163    '[same-origin-iframe] document.requestStorageAccessFor() should be rejected when called with no argument');
    164 
    165 promise_test(
    166    async t => {
    167      const frame = await CreateFrame(
    168        '/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js');
    169 
    170      await RunCallbackWithGesture(() =>
    171          promise_rejects_dom(t, 'NotAllowedError', frame.contentWindow.DOMException,
    172            frame.contentWindow.document.requestStorageAccessFor(document.location.origin),
    173            'document.requestStorageAccessFor() call in a non-top-level context'));
    174    },
    175    '[same-origin-iframe] document.requestStorageAccessFor() should be rejected when called in an iframe');
    176 
    177 promise_test(
    178    async (t) => {
    179      await MaybeSetStorageAccess('*', '*', 'blocked');
    180      await CommonSetup();
    181 
    182      const frame = await CreateFrame(
    183        `/storage-access-api/resources/script-with-cookie-header.py?script=embedded_responder.js`);
    184 
    185      // Set cross-site cookie for altOrigin. Note that cookie won't be set
    186      // even with an existing top-level storage access permission in an
    187      // iframe.
    188      await FetchFromFrame(frame,
    189          `${altOrigin}/cookies/resources/set-cookie.py?name=cookie&path=/&samesite=None&secure=`);
    190 
    191      await test_driver.set_permission(
    192          {name: 'top-level-storage-access', requestedOrigin: altOrigin},
    193          'granted');
    194 
    195      const httpCookies = await FetchSubresourceCookiesFromFrame(frame, altOrigin);
    196      assert_false(httpCookies.includes('cookie=1'));
    197    },
    198    '[same-origin-iframe] Existing top-level storage access permission should not allow cookie access for the cross-site subresource requests made in a non-top-level context.');