
localstorage-about-blank-3P-iframe-opens-3P-window.partitioned.html (2804B)


      1 <!doctype html>
      2 <meta charset=utf-8>
      3 <title>localStorage: about:blank partitioning</title>
      4 <meta name=help href="https://privacycg.github.io/storage-partitioning/">
      5 <script src="/resources/testharness.js"></script>
      6 <script src="/resources/testharnessreport.js"></script>
      7 <script src="/common/get-host-info.sub.js"></script>
      8 <script src="/webstorage/resources/partitioning-utils.js"></script>
      9 <body>
     10 <script>
     11 const path =
     12  "webstorage/resources/localstorage-about-blank-partitioned-win-open.html";
     13 const crossSiteURL = `${get_host_info().HTTP_NOTSAMESITE_ORIGIN}/${path}`;
     14 const sameSiteURL = `${get_host_info().HTTP_ORIGIN}/${path}`;
     15 let firstPartyID = getOrCreateID("userID3");
     16 let crossSiteIframeID;
     17 let sameSiteIframeID;
     18 let crossSiteIframe;
     19 let crossSiteIframeAboutBlankID;
     20 let frameMessageCount = 0;
     21 
     22 promise_test(async t => {
     23  localStorage.clear();
     24 
     25  // Step 1. Add a cross-site iframe
     26  return addIframePromise(crossSiteURL).then(async crossSiteIframe => {
     27    return new Promise(resolve => {
     28      window.addEventListener("message", async e => {
     29        const payload = {
     30          command: "open about:blank window"
     31        }
     32 
     33        if (e.data.message === "window loaded") {
     34          // Step 2. cross-site iframe is loaded, capture reference to its ID
     35          crossSiteIframeID = e.data.userID;
     36          // Step 3. Ask the cross-site iframe to create an about:blank window
     37          crossSiteIframe.contentWindow.postMessage(payload, e.origin);
     38        }
     39 
     40        if (e.data.message === "about:blank frame ID") {
     41          // Step 4. capture reference to 3P iframe's about:blank window ID
     42          crossSiteIframeAboutBlankID = e.data.userID;
     43          crossSiteIframe.contentWindow.postMessage(
     44            {command: "close about:blank window"}, "*");
     45        }
     46 
     47        if (e.data.message === "about:blank window closed") {
     48          resolve({crossSiteIframeID, crossSiteIframeAboutBlankID});
     49        }
     50      });
     51    }).then(ids => {
     52      const {
     53        crossSiteIframeID,
     54        crossSiteIframeAboutBlankID
     55      } = ids;
     56      // Step 5. Assert some things
     57      for (let id in ids) {
     58        assert_true(id !== undefined, "id is not undefined");
     59      }
     60      // Note: we use assert_true, rather than assert_equals becuase we're
     61      // setting random numbers as IDs - this would mean expectations
     62      // files wouldn't work as intended.
     63      assert_true(crossSiteIframeAboutBlankID !== crossSiteIframeID,
     64        "about:blank window opened by 3P iframe does not inherit 3P iframe's StorageKey");
     65      assert_true(firstPartyID !== crossSiteIframeAboutBlankID,
     66        "about:blank window open by 3P iframe does not inherit 1P StorageKey");
     67 
     68      localStorage.clear();
     69    })
     70  });
     71 
     72 
     73 }, "StorageKey: test 3P about:blank window opened from a 3P iframe");
     74 </script>
     75 </body>