зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1452496: Test for discarding same-site cookie in cross site context. r=mgoodwin
This commit is contained in:
Родитель
a6f01f147d
Коммит
3117bd6483
|
@ -0,0 +1,50 @@
|
|||
// Custom *.sjs file specifically for the needs of Bug 1452496
|
||||
|
||||
// small red image
|
||||
const IMG_BYTES = atob(
|
||||
"iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
|
||||
"P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
|
||||
|
||||
const FRAME = `
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 1452496 - Do not allow same-site cookies in cross site context</title>
|
||||
</head>
|
||||
<body>
|
||||
<script type="application/javascript">
|
||||
let cookie = document.cookie;
|
||||
// now reset the cookie for the next test
|
||||
document.cookie = "myKey=;" + "expires=Thu, 01 Jan 1970 00:00:00 GMT";
|
||||
window.parent.postMessage({result: cookie}, 'http://mochi.test:8888');
|
||||
</script>
|
||||
</body>
|
||||
</html>`;
|
||||
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
// avoid confusing cache behaviors
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
if (request.queryString === "setSameSiteCookie") {
|
||||
response.setHeader("Set-Cookie", "myKey=strictSameSiteCookie; samesite=strict", true);
|
||||
response.setHeader("Content-Type", "image/png");
|
||||
response.write(IMG_BYTES);
|
||||
return;
|
||||
}
|
||||
|
||||
if (request.queryString === "setRegularCookie") {
|
||||
response.setHeader("Set-Cookie", "myKey=regularCookie;", true);
|
||||
response.setHeader("Content-Type", "image/png");
|
||||
response.write(IMG_BYTES);
|
||||
return;
|
||||
}
|
||||
|
||||
if (request.queryString === "loadFrame") {
|
||||
response.write(FRAME);
|
||||
return;
|
||||
}
|
||||
|
||||
// we should never get here, but just in case return something unexpected
|
||||
response.write("D'oh");
|
||||
}
|
|
@ -10,6 +10,7 @@ support-files =
|
|||
file_block_subresource_redir_to_data.sjs
|
||||
file_same_site_cookies_subrequest.sjs
|
||||
file_same_site_cookies_toplevel_nav.sjs
|
||||
file_same_site_cookies_cross_origin_context.sjs
|
||||
|
||||
[test_contentpolicytype_targeted_link_iframe.html]
|
||||
[test_nosniff.html]
|
||||
|
@ -25,3 +26,4 @@ skip-if = toolkit == 'android'
|
|||
[test_block_subresource_redir_to_data.html]
|
||||
[test_same_site_cookies_subrequest.html]
|
||||
[test_same_site_cookies_toplevel_nav.html]
|
||||
[test_same_site_cookies_cross_origin_context.html]
|
||||
|
|
|
@ -0,0 +1,87 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 1452496 - Do not allow same-site cookies in cross site context</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<img id="cookieImage">
|
||||
<iframe id="testframe"></iframe>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
/*
|
||||
* Description of the test:
|
||||
* 1) We load an image from http://example.com which tries to
|
||||
* a) a same site cookie
|
||||
* b) a regular cookie
|
||||
* in the context of http://mochi.test
|
||||
* 2) We load an iframe from http://example.com and check if the cookie
|
||||
* is available.
|
||||
* 3) We observe that:
|
||||
* (a) same site cookie has been discarded in a cross origin context.
|
||||
* (b) the regular cookie is available.
|
||||
*/
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
const CROSS_ORIGIN = "http://example.com/";
|
||||
const PATH = "tests/dom/security/test/general/file_same_site_cookies_cross_origin_context.sjs";
|
||||
|
||||
let curTest = 0;
|
||||
|
||||
var tests = [
|
||||
{
|
||||
description: "regular cookie in cross origin context",
|
||||
imgSRC: CROSS_ORIGIN + PATH + "?setRegularCookie",
|
||||
frameSRC: CROSS_ORIGIN + PATH + "?loadFrame",
|
||||
result: "myKey=regularCookie",
|
||||
},
|
||||
{
|
||||
description: "same-site cookie in cross origin context",
|
||||
imgSRC: CROSS_ORIGIN + PATH + "?setSameSiteCookie",
|
||||
frameSRC: CROSS_ORIGIN + PATH + "?loadFrame",
|
||||
result: "", // no cookie should be set
|
||||
},
|
||||
];
|
||||
|
||||
|
||||
window.addEventListener("message", receiveMessage);
|
||||
function receiveMessage(event) {
|
||||
is(event.data.result, tests[curTest].result, tests[curTest].description);
|
||||
curTest += 1;
|
||||
|
||||
// // lets see if we ran all the tests
|
||||
if (curTest == tests.length) {
|
||||
window.removeEventListener("message", receiveMessage);
|
||||
SimpleTest.finish();
|
||||
return;
|
||||
}
|
||||
// otherwise it's time to run the next test
|
||||
setCookieAndInitTest();
|
||||
}
|
||||
|
||||
function setupQueryResultAndRunTest() {
|
||||
let testframe = document.getElementById("testframe");
|
||||
testframe.src = tests[curTest].frameSRC;
|
||||
}
|
||||
|
||||
function setCookieAndInitTest() {
|
||||
var cookieImage = document.getElementById("cookieImage");
|
||||
cookieImage.onload = function() {
|
||||
ok(true, "trying to set cookie for test (" + tests[curTest].description + ")");
|
||||
setupQueryResultAndRunTest();
|
||||
}
|
||||
cookieImage.onerror = function() {
|
||||
ok(false, "could not load image for test (" + tests[curTest].description + ")");
|
||||
}
|
||||
cookieImage.src = tests[curTest].imgSRC;
|
||||
}
|
||||
|
||||
// fire up the test
|
||||
setCookieAndInitTest();
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
Загрузка…
Ссылка в новой задаче