
sessionStorage-basic-partitioned.sub.html (3270B)


      1 <!doctype html>
      2 <meta charset=utf-8>
      3 <title>sessionStorage: partitioned storage test</title>
      4 <meta name=help href="https://privacycg.github.io/storage-partitioning/">
      5 <script src="/resources/testharness.js"></script>
      6 <script src="/resources/testharnessreport.js"></script>
      7 <iframe id="shared-iframe" src="http://{{host}}:{{ports[http][0]}}/webstorage/resources/sessionStorage-about-blank-partitioned-iframe.html"></iframe>
      8 <body>
      9 <script>
     10 // Here's the set-up for this test:
     11 // Step 1. (main window) set up messaging and same-site iframe load listeners.
     12 // Step 2. (same-site iframe) loads, requests sessionStorage for "userID".
     13 // Step 3. (same-site iframe) receives the message, gets or allocates sessionStorage,
     14 // and returns the generated ID to the main frame.
     15 // Step 4. (main window) receives "storage got set" message from same-site iframe.
     16 // Step 5. (main window) opens a new cross-site window with the shared-iframe inside.
     17 // Step 6. (cross-site iframe) loads, requests sessionStorage for "userID", gets or
     18 // allocates that sessionStorage, and returns the generated ID to the main frame.
     19 // Step 7. (main window) asserts that the generated IDs should be different, as
     20 // they should have a different StorageKey.
     21 const altOrigin = "http://{{hosts[alt][]}}:{{ports[http][0]}}";
     22 
     23 async_test(t => {
     24  let crossSiteWindow;
     25  let crossSiteID;
     26  let sameSiteID;
     27  // Retrieve the iframe we created in the HTML above.
     28  const iframe = document.getElementById("shared-iframe");
     29 
     30  // Once the iframe loads, we request sessionStorage.
     31  iframe.addEventListener("load", t.step_func(e => {
     32    const payload = {
     33      command: "create ID",
     34      key: "userID",
     35    };
     36    iframe.contentWindow.postMessage(payload, iframe.origin);
     37  }), {once: true});
     38 
     39  window.addEventListener("message", t.step_func(e => {
     40    // Once we get or allocate the sessionStorage, we expect the iframe
     41    // to message us back with the generated ID.
     42    if (e.data.message === "ID created") {
     43      sameSiteID = e.data.userID;
     44      assert_true(typeof sameSiteID === "string");
     45 
     46      // Now that same-site storage has been secured, we need to open a
     47      // new cross-site window that contains our shared-iframe to repeat
     48      // the process in a cross-site environment.
     49      if (location.origin !== altOrigin) {
     50        crossSiteWindow = window.open(`${altOrigin}/webstorage/sessionStorage-basic-partitioned.sub.html`, "", "noopener=false");
     51        t.add_cleanup(() => crossSiteWindow.close());
     52      }
     53    }
     54 
     55    // We expect that once the cross-site iframe requests sessionStorage,
     56    // it will message us back with the generated ID.
     57    if (e.data.message === "cross-site window iframe loaded") {
     58      crossSiteID = e.data.userID;
     59      t.step(() => {
     60        // Same and cross-site iframes should have different generated IDs.
     61        assert_true(typeof crossSiteID === "string");
     62        assert_true(sameSiteID !== crossSiteID, "IDs pulled from two partitioned iframes are different.")
     63      });
     64 
     65      // Clear storage state to clean up after the test.
     66      iframe.contentWindow.sessionStorage.clear();
     67      crossSiteWindow.postMessage({command: "clearStorage"}, altOrigin);
     68      t.done();
     69    };
     70  }));
     71 }, "Simple test for partitioned sessionStorage");
     72 </script>
     73 </body>