securecontext.http.html (2498B)
<!DOCTYPE html>
<meta charset="utf-8">
<title>WebAuthn Secure Context Tests</title>
<link rel="author" title="Adam Powers" href="mailto:adam@fidoalliance.org">
<link rel="help" href="https://w3c.github.io/webauthn/#iface-credential">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src=helpers.js></script>
<body></body>
<script>
"use strict";

// See https://www.w3.org/TR/secure-contexts/
// Section 1.1 - 1.4 for list of examples referenced below

// Example 1
// http://example.com/ opened in a top-level browsing context is not a secure context, as it was not delivered over an authenticated and encrypted channel.
test (() => {
    assert_false (typeof navigator.credentials === "object" && typeof navigator.credentials.create === "function");
}, "no navigator.credentials.create in non-secure context");

// Example 4: TODO
// If a non-secure context opens https://example.com/ in a new window, then things are more complicated. The new window’s status depends on how it was opened. If the non-secure context can obtain a reference to the secure context, or vice-versa, then the new window is not a secure context.
//
// This means that the following will both produce non-secure contexts:
//<a href="https://example.com/" target="_blank">Link!</a>
// <script>
// var w = window.open("https://example.com/");
// < /script>

// Example 6: TODO
// If https://example.com/ was somehow able to frame http://non-secure.example.com/ (perhaps the user has overridden mixed content checking?), the top-level frame would remain secure, but the framed content is not a secure context.

// Example 7: TODO
// If, on the other hand, https://example.com/ is framed inside of http://non-secure.example.com/, then it is not a secure context, as its ancestor is not delivered over an authenticated and encrypted channel.

// Example 9: TODO
// If http://non-secure.example.com/ in a top-level browsing context frames https://example.com/, which runs https://example.com/worker.js, then neither the framed document nor the worker are secure contexts.

// Example 12: TODO
// https://example.com/ nested in http://non-secure.example.com/ may not connect to the secure worker, as it is not a secure context.

// Example 13: TODO
// Likewise, if https://example.com/ nested in http://non-secure.example.com/ runs https://example.com/worker.js as a Shared Worker, then both the document and the worker are considered non-secure.

</script>
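The ancestor rule behind Examples 1, 6, 7, 9 and 13 in the comments above can be checked offline with a small model. This is an added example, not part of the test file or the web-platform-tests project. The function names are hypothetical, only `https:` is treated as a secure delivery channel, and the opener case of Example 4 is not modelled.

```javascript
"use strict";

// Simplification (assumption): only https: counts as "delivered over an
// authenticated and encrypted channel". The spec also treats loopback
// origins as trustworthy; that case is left out here.
function isDeliveredSecurely(url) {
  return new URL(url).protocol === "https:";
}

// chain: document URLs from the top-level browsing context down to the
// document being judged. One insecure entry makes the judged document
// non-secure, whether it is an ancestor or the document itself.
function isSecureDocument(chain) {
  return chain.length > 0 && chain.every(isDeliveredSecurely);
}

// A worker is judged by its own script URL and by every document that owns
// it. ownerChains holds one ancestor chain per owning document.
function isSecureWorker(scriptUrl, ownerChains) {
  return isDeliveredSecurely(scriptUrl) &&
    ownerChains.length > 0 &&
    ownerChains.every(isSecureDocument);
}

// URLs taken from the comments in the test file.
const TOP_HTTP = "http://non-secure.example.com/";
const TOP_HTTPS = "https://example.com/";
const WORKER = "https://example.com/worker.js";

// Evaluate each quoted example; true means "secure context".
function evaluateExamples() {
  return {
    example1: isSecureDocument(["http://example.com/"]),
    example6Top: isSecureDocument([TOP_HTTPS]),
    example6Frame: isSecureDocument([TOP_HTTPS, TOP_HTTP]),
    example7: isSecureDocument([TOP_HTTP, TOP_HTTPS]),
    example9And13Worker: isSecureWorker(WORKER, [[TOP_HTTP, TOP_HTTPS]]),
    // Constructed contrast case: same worker owned by a top-level https page.
    workerFromSecureTop: isSecureWorker(WORKER, [[TOP_HTTPS]]),
  };
}

console.log(evaluateExamples());
```

In a real browser the same verdict is exposed as `window.isSecureContext`, and the test above relies on `navigator.credentials.create` being absent whenever that verdict is false.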