mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1469714 - Part 8: Add a test for the interaction of the Storage Access API with the allow-storage-access-by-user-activation iframe sandbox; r=baku 

Differential Revision: https://phabricator.services.mozilla.com/D5817
This commit is contained in:
Ehsan Akhgari 2018-09-12 19:46:35 -04:00
Родитель 701bc2de3e
Коммит 8ce60f3157
3 изменённых файлов: 203 добавлений и 7 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

1
toolkit/components/antitracking/test/browser/browser.ini
Просмотреть файл

@ -38,3 +38,4 @@ support-files = server.sjs
support-files = subResources.sjs
[browser_script.js]
support-files = tracker.js
[browser_storageAccessSandboxed.js]

168
toolkit/components/antitracking/test/browser/browser_storageAccessSandboxed.js Normal file
Просмотреть файл

@ -0,0 +1,168 @@
ChromeUtils.import("resource://gre/modules/Services.jsm");
AntiTracking.runTest("Storage Access API called in a sandboxed iframe",
// blocking callback
async _ => {
let dwu = SpecialPowers.getDOMWindowUtils(window);
let helper = dwu.setHandlingUserInput(true);
let p;
let threw = false;
try {
p = document.requestStorageAccess();
} catch (e) {
threw = true;
} finally {
helper.destruct();
}
ok(!threw, "requestStorageAccess should not throw");
threw = false;
try {
await p;
} catch (e) {
threw = true;
}
ok(threw, "requestStorageAccess shouldn't be available");
},
null, // non-blocking callback
null, // cleanup function
[["dom.storage_access.enabled", true]], // extra prefs
false, // no window open test
false, // no user-interaction test
false, // no blocking notifications
false, // run in normal window
"allow-scripts allow-same-origin"
);
AntiTracking.runTest("Storage Access API called in a sandboxed iframe with" +
" allow-storage-access-by-user-activation",
// blocking callback
async _ => {
let dwu = SpecialPowers.getDOMWindowUtils(window);
let helper = dwu.setHandlingUserInput(true);
let p;
let threw = false;
try {
p = document.requestStorageAccess();
} catch (e) {
threw = true;
} finally {
helper.destruct();
}
ok(!threw, "requestStorageAccess should not throw");
threw = false;
try {
await p;
} catch (e) {
threw = true;
}
ok(!threw, "requestStorageAccess should be available");
},
null, // non-blocking callback
null, // cleanup function
[["dom.storage_access.enabled", true]], // extra prefs
false, // no window open test
false, // no user-interaction test
true, // expect blocking notifications
false, // run in normal window
"allow-scripts allow-same-origin allow-storage-access-by-user-activation"
);
AntiTracking.runTest("Verify that sandboxed contexts don't get the saved permission",
// blocking callback
async _ => {
let hasAccess = await document.hasStorageAccess();
ok(!hasAccess, "Doesn't yet have storage access");
try {
localStorage.foo = 42;
ok(false, "LocalStorage cannot be used!");
} catch (e) {
ok(true, "LocalStorage cannot be used!");
is(e.name, "SecurityError", "We want a security error message.");
}
},
null, // non-blocking callback
null, // cleanup function
[["dom.storage_access.enabled", true]], // extra prefs
false, // no window open test
false, // no user-interaction test
false, // no blocking notifications
false, // run in normal window
"allow-scripts allow-same-origin"
);
AntiTracking.runTest("Verify that sandboxed contexts with" +
" allow-storage-access-by-user-activation get the" +
" saved permission",
// blocking callback
async _ => {
let hasAccess = await document.hasStorageAccess();
ok(hasAccess, "Has storage access");
localStorage.foo = 42;
ok(true, "LocalStorage can be used!");
},
null, // non-blocking callback
null, // cleanup function
[["dom.storage_access.enabled", true]], // extra prefs
false, // no window open test
false, // no user-interaction test
false, // no blocking notifications
false, // run in normal window
"allow-scripts allow-same-origin allow-storage-access-by-user-activation"
);
AntiTracking.runTest("Verify that private browsing contexts don't get the saved permission",
// blocking callback
async _ => {
let hasAccess = await document.hasStorageAccess();
ok(!hasAccess, "Doesn't yet have storage access");
try {
localStorage.foo = 42;
ok(false, "LocalStorage cannot be used!");
} catch (e) {
ok(true, "LocalStorage cannot be used!");
is(e.name, "SecurityError", "We want a security error message.");
}
},
null, // non-blocking callback
null, // cleanup function
[["dom.storage_access.enabled", true]], // extra prefs
false, // no window open test
false, // no user-interaction test
false, // no blocking notifications
true, // run in private window
null // iframe sandbox
);
AntiTracking.runTest("Verify that non-sandboxed contexts get the" +
" saved permission",
// blocking callback
async _ => {
let hasAccess = await document.hasStorageAccess();
ok(hasAccess, "Has storage access");
localStorage.foo = 42;
ok(true, "LocalStorage can be used!");
},
null, // non-blocking callback
// cleanup function
async _ => {
await new Promise(resolve => {
Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => resolve());
});
},
[["dom.storage_access.enabled", true]], // extra prefs
false, // no window open test
false, // no user-interaction test
false // no blocking notifications
);

41
toolkit/components/antitracking/test/browser/head.js
Просмотреть файл

@ -25,7 +25,7 @@ requestLongerTimeout(2);
this.AntiTracking = {
runTest(name, callbackTracking, callbackNonTracking, cleanupFunction, extraPrefs,
windowOpenTest = true, userInteractionTest = true, expectedBlockingNotifications = true,
runInPrivateWindow = false) {
runInPrivateWindow = false, iframeSandbox = null) {
// Here we want to test that a 3rd party context is simply blocked.
this._createTask({
name,
@ -36,6 +36,7 @@ this.AntiTracking = {
extraPrefs,
expectedBlockingNotifications,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -81,6 +82,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -93,6 +95,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -105,6 +108,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -117,6 +121,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -129,6 +134,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -141,6 +147,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -154,6 +161,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
@ -166,6 +174,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
} else {
@ -178,6 +187,7 @@ this.AntiTracking = {
extraPrefs: [],
expectedBlockingNotifications: false,
runInPrivateWindow,
iframeSandbox,
});
this._createCleanupTask(cleanupFunction);
}
@ -185,14 +195,16 @@ this.AntiTracking = {
// Phase 2: Here we want to test that a third-party context doesn't
// get blocked with when the same origin is opened through window.open().
if (windowOpenTest) {
this._createWindowOpenTask(name, callbackTracking, callbackNonTracking, runInPrivateWindow, extraPrefs);
this._createWindowOpenTask(name, callbackTracking, callbackNonTracking,
runInPrivateWindow, iframeSandbox, extraPrefs);
this._createCleanupTask(cleanupFunction);
}
// Phase 3: Here we want to test that a third-party context doesn't
// get blocked with user interaction present
if (userInteractionTest) {
this._createUserInteractionTask(name, callbackTracking, callbackNonTracking, runInPrivateWindow, extraPrefs);
this._createUserInteractionTask(name, callbackTracking, callbackNonTracking,
runInPrivateWindow, iframeSandbox, extraPrefs);
this._createCleanupTask(cleanupFunction);
}
}
@ -223,7 +235,8 @@ this.AntiTracking = {
info("Starting " + (options.cookieBehavior != BEHAVIOR_ACCEPT ? "blocking" : "non-blocking") + " cookieBehavior (" + options.cookieBehavior + ") and " +
(options.blockingByContentBlocking ? "blocking" : "non-blocking") + " contentBlocking with" +
(options.allowList ? "" : "out") + " allow list test " + options.name +
" running in a " + (options.runInPrivateWindow ? "private" : "normal") + " window");
" running in a " + (options.runInPrivateWindow ? "private" : "normal") + " window " +
" with iframe sandbox set to " + options.iframeSandbox);
let win = window;
if (options.runInPrivateWindow) {
@ -263,7 +276,8 @@ this.AntiTracking = {
info("Creating a 3rd party content");
await ContentTask.spawn(browser,
{ page: TEST_3RD_PARTY_PAGE,
callback: options.callback.toString() },
callback: options.callback.toString(),
iframeSandbox: options.iframeSandbox },
async function(obj) {
await new content.Promise(resolve => {
let ifr = content.document.createElement("iframe");
@ -271,6 +285,9 @@ this.AntiTracking = {
info("Sending code to the 3rd party content");
ifr.contentWindow.postMessage(obj.callback, "*");
};
if (typeof obj.iframeSandbox == "string") {
ifr.setAttribute("sandbox", obj.iframeSandbox);
}
content.addEventListener("message", function msg(event) {
if (event.data.type == "finish") {
@ -327,7 +344,8 @@ this.AntiTracking = {
});
},
_createWindowOpenTask(name, blockingCallback, nonBlockingCallback, runInPrivateWindow, extraPrefs) {
_createWindowOpenTask(name, blockingCallback, nonBlockingCallback, runInPrivateWindow,
iframeSandbox, extraPrefs) {
add_task(async function() {
info("Starting window-open test " + name);
@ -356,6 +374,7 @@ this.AntiTracking = {
{ page: pageURL,
blockingCallback: blockingCallback.toString(),
nonBlockingCallback: nonBlockingCallback.toString(),
iframeSandbox,
},
async function(obj) {
await new content.Promise(resolve => {
@ -364,6 +383,9 @@ this.AntiTracking = {
info("Sending code to the 3rd party content");
ifr.contentWindow.postMessage(obj, "*");
};
if (typeof obj.iframeSandbox == "string") {
ifr.setAttribute("sandbox", obj.iframeSandbox);
}
content.addEventListener("message", function msg(event) {
if (event.data.type == "finish") {
@ -399,7 +421,8 @@ this.AntiTracking = {
});
},
_createUserInteractionTask(name, blockingCallback, nonBlockingCallback, runInPrivateWindow, extraPrefs) {
_createUserInteractionTask(name, blockingCallback, nonBlockingCallback,
runInPrivateWindow, iframeSandbox, extraPrefs) {
add_task(async function() {
info("Starting user-interaction test " + name);
@ -424,10 +447,14 @@ this.AntiTracking = {
popup: TEST_POPUP_PAGE,
blockingCallback: blockingCallback.toString(),
nonBlockingCallback: nonBlockingCallback.toString(),
iframeSandbox,
},
async function(obj) {
let ifr = content.document.createElement("iframe");
let loading = new content.Promise(resolve => { ifr.onload = resolve; });
if (typeof obj.iframeSandbox == "string") {
ifr.setAttribute("sandbox", obj.iframeSandbox);
}
content.document.body.appendChild(ifr);
ifr.src = obj.page;
await loading;