diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
commit | 2aa4a82499d4becd2284cdb482213d541b8804dd (patch) | |
tree | b80bf8bf13c3766139fbacc530efd0dd9d54394c /toolkit/components/antitracking/test | |
parent | Initial commit. (diff) | |
download | firefox-upstream.tar.xz firefox-upstream.zip |
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
142 files changed, 18163 insertions, 0 deletions
diff --git a/toolkit/components/antitracking/test/browser/.eslintrc.js b/toolkit/components/antitracking/test/browser/.eslintrc.js new file mode 100644 index 0000000000..e57058ecb1 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/.eslintrc.js @@ -0,0 +1,7 @@ +"use strict"; + +module.exports = { + env: { + webextensions: true, + }, +}; diff --git a/toolkit/components/antitracking/test/browser/3rdParty.html b/toolkit/components/antitracking/test/browser/3rdParty.html new file mode 100644 index 0000000000..38aa117c55 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdParty.html @@ -0,0 +1,52 @@ +<html> +<head> + <title>3rd party content!</title> + <script type="text/javascript" src="https://example.com/browser/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js"></script> +</head> +<body> +<h1>Here the 3rd party content!</h1> +<script> + +function info(msg) { + parent.postMessage({ type: "info", msg }, "*"); +} + +function ok(what, msg) { + parent.postMessage({ type: "ok", what: !!what, msg }, "*"); +} + +function is(a, b, msg) { + ok(a === b, msg); +} + +onmessage = function(e) { + let data = e.data; + if (data.includes("!!!")) { + // The data argument may be packed with information about whether we are on + // the allow list. In that case, extract that information and prepare it + // for our callbacks to access it. + let parts = data.split("!!!"); + // Only consider ourselves allow-listed when the cookie policy is set to + // 'block third-party trackers or 'block third-party trackers and partition + // third-party cookies', since otherwise we won't obtain storage access by + // default, which is what this data is used for in tests. + let cookieBehavior = + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior"); + window.allowListed = + parts[0] === "true" && + (cookieBehavior == SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER || + cookieBehavior == SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN || + (cookieBehavior == SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN && + SpecialPowers.Services.prefs.getBoolPref("network.cookie.rejectForeignWithExceptions.enabled"))); + data = parts[1]; + } + let runnableStr = `(() => {return (${data});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + runnable.call(this, /* Phase */ 1).then(_ => { + parent.postMessage({ type: "finish" }, "*"); + }); +}; + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyOpen.html b/toolkit/components/antitracking/test/browser/3rdPartyOpen.html new file mode 100644 index 0000000000..1110834c0e --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyOpen.html @@ -0,0 +1,16 @@ +<html> +<head> + <title>A popup!</title> +</head> +<body> +<h1>hi!</h1> +<script> + +if (opener) { + opener.postMessage("hello!", "*"); +} +window.close(); + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html b/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html new file mode 100644 index 0000000000..5afbb5d89b --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html @@ -0,0 +1,17 @@ +<html> +<head> + <title>A popup!</title> +</head> +<body> +<h1>hi!</h1> +<script> + +SpecialPowers.wrap(document).userInteractionForTesting(); +if (window.location.search == "?messageme") { + window.opener.postMessage("done", "*"); +} +window.close(); + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyPartitioned.html b/toolkit/components/antitracking/test/browser/3rdPartyPartitioned.html new file mode 100644 index 0000000000..f97ed4791f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyPartitioned.html @@ -0,0 +1,29 @@ +<html> +<head> + <title>3rd party content!</title> +</head> +<body> +<h1>Here the 3rd party content!</h1> +<script> + +onmessage = async function(e) { + let cb = e.data.cb; + let runnableStr = `(() => {return (${cb});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + let variant = (new URL(location.href)).searchParams.get("variant"); + let win = this; + if (variant == "initial-aboutblank") { + let i = win.document.createElement("iframe"); + i.src = "about:blank"; + win.document.body.appendChild(i); + // override win to make it point to the initial about:blank window + win = i.contentWindow; + } + + let result = await runnable.call(this, win, e.data.value); + parent.postMessage(result, "*"); +}; + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyRelay.html b/toolkit/components/antitracking/test/browser/3rdPartyRelay.html new file mode 100644 index 0000000000..64e713913b --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyRelay.html @@ -0,0 +1,41 @@ +<html> +<head> + <title>Tracker</title> + <script type="text/javascript" src="https://example.com/browser/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js"></script> +</head> +<body> +<h1>Relay</h1> +<iframe></iframe> +<script> + +function info(msg) { + parent.postMessage({ type: "info", msg }, "*"); +} + +function ok(what, msg) { + parent.postMessage({ type: "ok", what: !!what, msg }, "*"); +} + +function is(a, b, msg) { + ok(a === b, msg); +} + +onmessage = function(e) { + switch (e.data.type || "") { + case "finish": + case "ok": + case "info": + parent.postMessage(e.data, "*"); + break; + default: + let iframe = document.querySelector("iframe"); + iframe.contentWindow.postMessage(e.data, "*"); + break; + } +}; + +document.querySelector("iframe").src = location.search.substr(1); + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartySVG.html b/toolkit/components/antitracking/test/browser/3rdPartySVG.html new file mode 100644 index 0000000000..df791f355f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartySVG.html @@ -0,0 +1,20 @@ +<html> +<head> + <title>3rd party content!</title> + <style> + body { + background-image: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 32 32"><path fill="context-fill" d="M28.5,8.1c0-1.1-1-1.9-2.1-2.4V3.7c-0.2-0.2-0.3-0.3-0.6-0.3c-0.6,0-1.1,0.8-1.3,2.1c-0.2,0-0.3,0-0.5,0l0,0c0-0.2,0-0.3-0.2-0.5c-0.3-1.1-0.8-1.9-1.3-2.6C22,2.6,21.7,3.2,21.7,4L22,6.3c-0.3,0.2-0.6,0.3-1,0.6l-3.5,3.7l0,0c0,0-6.3-0.8-10.9,0.2c-0.6,0-1,0.2-1.1,0.3c-0.5,0.2-0.8,0.3-1.1,0.6c-1.1-0.8-2.2-2.1-3.2-4c0-0.3-0.5-0.5-0.8-0.5s-0.5,0.6-0.3,1c0.8,2.1,2.1,3.5,3.4,4.5c-0.5,0.5-0.8,1-1,1.6c0,0-0.3,2.2-0.3,5.5l1.4,8c0,1,0.8,1.8,1.9,1.8c1,0,1.9-0.8,1.9-1.8V23l0.5-1.3h8.8l0.8,1.3v4.7c0,1,0.8,1.8,1.9,1.8c1,0,1.6-0.6,1.8-1.4l0,0l1.9-9l0,0l2.1-6.4h3c3.4,0,3.7-2.9,3.7-2.9L28.5,8.1z"/></svg>'); + } + </style> +</head> +<body> +<h1>3rd party content with an SVG image background</h1> +<script> + +onload = function(e) { + parent.postMessage({ type: "finish" }, "*"); +}; + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyStorage.html b/toolkit/components/antitracking/test/browser/3rdPartyStorage.html new file mode 100644 index 0000000000..749ead7c20 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyStorage.html @@ -0,0 +1,44 @@ +<html> +<head> + <title>3rd party content!</title> + <script type="text/javascript" src="https://example.com/browser/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js"></script> +</head> +<body> +<h1>Here the 3rd party content!</h1> +<script> + +function info(msg) { + parent.postMessage({ type: "info", msg }, "*"); +} + +function ok(what, msg) { + parent.postMessage({ type: "ok", what: !!what, msg }, "*"); +} + +function is(a, b, msg) { + ok(a === b, msg); +} + +onmessage = function(e) { + let data = e.data; + let runnableStr = `(() => {return (${data});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + + let win = window.open("3rdPartyStorageWO.html"); + win.onload = async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + await runnable.call(this, this, win, false /* allowed */); + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + await runnable.call(this, this, win, true /* allowed */); + + win.close(); + parent.postMessage({ type: "finish" }, "*"); + }; +}; + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyStorageWO.html b/toolkit/components/antitracking/test/browser/3rdPartyStorageWO.html new file mode 100644 index 0000000000..b04916103d --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyStorageWO.html @@ -0,0 +1,8 @@ +<html> +<head> + <title>1st party content!</title> +</head> +<body> +<h1>Here the 1st party content!</h1> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyUI.html b/toolkit/components/antitracking/test/browser/3rdPartyUI.html new file mode 100644 index 0000000000..57693fbcbd --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyUI.html @@ -0,0 +1,32 @@ +<html> +<head> + <title>Tracker</title> + <script type="text/javascript" src="https://example.com/browser/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js"></script> +</head> +<body> +<h1>Tracker</h1> +<script> + +function info(msg) { + parent.postMessage({ type: "info", msg }, "*"); +} + +function ok(what, msg) { + parent.postMessage({ type: "ok", what: !!what, msg }, "*"); +} + +function is(a, b, msg) { + ok(a === b, msg); +} + +onmessage = function(e) { + let runnableStr = `(() => {return (${e.data.callback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + runnable.call(this, e.data.arg || /* Phase */ 3).then(_ => { + parent.postMessage({ type: "finish" }, "*"); + }); +}; + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyWO.html b/toolkit/components/antitracking/test/browser/3rdPartyWO.html new file mode 100644 index 0000000000..7986b31063 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyWO.html @@ -0,0 +1,80 @@ +<html> +<head> + <title>Interact with me!</title> + <script type="text/javascript" src="https://example.com/browser/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js"></script> +</head> +<body> +<h1>Interact with me!</h1> +<script> + +function info(msg) { + parent.postMessage({ type: "info", msg }, "*"); +} + +function ok(what, msg) { + parent.postMessage({ type: "ok", what: !!what, msg }, "*"); +} + +function is(a, b, msg) { + ok(a === b, msg); +} + +onmessage = function(e) { + let runnableStr = `(() => {return (${e.data.blockingCallback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + runnable.call(this, /* Phase */ 2).then(_ => { + info("Let's do a window.open()"); + return new Promise(resolve => { + if (location.search == "?noopener") { + let features = "noopener"; + + window.open("3rdPartyOpen.html", undefined, features); + setTimeout(resolve, 1000); + } else { + onmessage = resolve; + + window.open("3rdPartyOpen.html"); + } + }); + }).then(_ => { + info("The popup has been dismissed!"); + // First time storage access should not be granted because the tracker has + // not had user interaction yet. + let runnableStr = `(() => {return (${e.data.blockingCallback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + return runnable.call(this, /* Phase */ 2); + }).then(_ => { + info("Let's interact with the tracker"); + return new Promise(resolve => { + onmessage = resolve; + + window.open("3rdPartyOpenUI.html?messageme"); + }); + }).then(_ => { + info("Let's do another window.open()"); + return new Promise(resolve => { + if (location.search == "?noopener") { + let features = "noopener"; + + window.open("3rdPartyOpen.html", undefined, features); + setTimeout(resolve, 1000); + } else { + onmessage = resolve; + + window.open("3rdPartyOpen.html"); + } + }); + }).then(_ => { + // This time the tracker must have been able to obtain first-party storage + // access because it has had user interaction before. + let runnableStr = `(() => {return (${e.data.nonBlockingCallback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + return runnable.call(this, /* Phase */ 2); + }).then(_ => { + parent.postMessage({ type: "finish" }, "*"); + }); +}; + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/3rdPartyWorker.html b/toolkit/components/antitracking/test/browser/3rdPartyWorker.html new file mode 100644 index 0000000000..e79a992660 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/3rdPartyWorker.html @@ -0,0 +1,55 @@ +<html> +<head> + <title>Tracker</title> + <script type="text/javascript" src="https://example.com/browser/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js"></script> +</head> +<body> +<h1>Tracker</h1> +<script> + +function info(msg) { + parent.postMessage({ type: "info", msg }, "*"); +} + +function ok(what, msg) { + parent.postMessage({ type: "ok", what: !!what, msg }, "*"); +} + +function is(a, b, msg) { + ok(a === b, msg); +} + +function workerCode() { + onmessage = e => { + try { + indexedDB.open("test", "1"); + postMessage(true); + } catch (e) { + postMessage(false); + } + }; +} + +var worker; +function createWorker() { + let blob = new Blob([workerCode.toString() + "; workerCode();"]); + let blobURL = URL.createObjectURL(blob); + info("Blob created"); + + worker = new Worker(blobURL); + info("Worker created"); +} + +onmessage = function(e) { + let runnableStr = `(() => {return (${e.data.callback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + runnable.call(this, e.data.arg || /* Phase */ 3).then(_ => { + parent.postMessage({ type: "finish" }, "*"); + }); +}; + +createWorker(); + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/antitracking_head.js b/toolkit/components/antitracking/test/browser/antitracking_head.js new file mode 100644 index 0000000000..bb987742df --- /dev/null +++ b/toolkit/components/antitracking/test/browser/antitracking_head.js @@ -0,0 +1,1400 @@ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* import-globals-from head.js */ + +"use strict"; + +var gFeatures = undefined; +var gTestTrackersCleanedUp = false; +var gTestTrackersCleanupRegistered = false; + +/** + * Force garbage collection. + */ +function forceGC() { + SpecialPowers.gc(); + SpecialPowers.forceShrinkingGC(); + SpecialPowers.forceCC(); + SpecialPowers.gc(); + SpecialPowers.forceShrinkingGC(); + SpecialPowers.forceCC(); +} + +this.AntiTracking = { + runTestInNormalAndPrivateMode( + name, + callbackTracking, + callbackNonTracking, + cleanupFunction, + extraPrefs, + windowOpenTest = true, + userInteractionTest = true, + expectedBlockingNotifications = Ci.nsIWebProgressListener + .STATE_COOKIES_BLOCKED_TRACKER, + iframeSandbox = null, + accessRemoval = null, + callbackAfterRemoval = null + ) { + // Normal mode + this.runTest( + name, + callbackTracking, + callbackNonTracking, + cleanupFunction, + extraPrefs, + windowOpenTest, + userInteractionTest, + expectedBlockingNotifications, + false, + iframeSandbox, + accessRemoval, + callbackAfterRemoval + ); + + // Private mode + this.runTest( + name, + callbackTracking, + callbackNonTracking, + cleanupFunction, + extraPrefs, + windowOpenTest, + userInteractionTest, + expectedBlockingNotifications, + true, + iframeSandbox, + accessRemoval, + callbackAfterRemoval + ); + }, + + runTest( + name, + callbackTracking, + callbackNonTracking, + cleanupFunction, + extraPrefs, + windowOpenTest = true, + userInteractionTest = true, + expectedBlockingNotifications = Ci.nsIWebProgressListener + .STATE_COOKIES_BLOCKED_TRACKER, + runInPrivateWindow = false, + iframeSandbox = null, + accessRemoval = null, + callbackAfterRemoval = null + ) { + let runExtraTests = true; + let options = {}; + if (typeof callbackNonTracking == "object" && !!callbackNonTracking) { + options.callback = callbackNonTracking.callback; + runExtraTests = callbackNonTracking.runExtraTests; + if ("cookieBehavior" in callbackNonTracking) { + options.cookieBehavior = callbackNonTracking.cookieBehavior; + } else { + options.cookieBehavior = BEHAVIOR_ACCEPT; + } + if ("expectedBlockingNotifications" in callbackNonTracking) { + options.expectedBlockingNotifications = + callbackNonTracking.expectedBlockingNotifications; + } else { + options.expectedBlockingNotifications = 0; + } + if ("blockingByAllowList" in callbackNonTracking) { + options.blockingByAllowList = callbackNonTracking.blockingByAllowList; + if (options.blockingByAllowList) { + // If we're on the allow list, there won't be any blocking! + options.expectedBlockingNotifications = 0; + } + } else { + options.blockingByAllowList = false; + } + callbackNonTracking = options.callback; + options.accessRemoval = null; + options.callbackAfterRemoval = null; + } + + // Here we want to test that a 3rd party context is simply blocked. + this._createTask({ + name, + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + allowList: false, + callback: callbackTracking, + extraPrefs, + expectedBlockingNotifications, + runInPrivateWindow, + iframeSandbox, + accessRemoval, + callbackAfterRemoval, + }); + this._createCleanupTask(cleanupFunction); + + if (callbackNonTracking) { + // Phase 1: Here we want to test that a 3rd party context is not blocked if pref is off. + if (runExtraTests) { + // There are five ways in which the third-party context may not be blocked: + // * If the cookieBehavior pref causes it to not be blocked. + // * If the contentBlocking pref causes it to not be blocked. + // * If both of these prefs cause it to not be blocked. + // * If the top-level page is on the content blocking allow list. + // * If the contentBlocking third-party cookies UI pref is off, the allow list will be ignored. + // All of these cases are tested here. + this._createTask({ + name, + cookieBehavior: BEHAVIOR_ACCEPT, + allowList: false, + callback: callbackNonTracking, + extraPrefs, + expectedBlockingNotifications: 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval: null, // only passed with non-blocking callback + callbackAfterRemoval: null, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name, + cookieBehavior: BEHAVIOR_ACCEPT, + allowList: true, + callback: callbackNonTracking, + extraPrefs, + expectedBlockingNotifications: 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval: null, // only passed with non-blocking callback + callbackAfterRemoval: null, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name, + cookieBehavior: BEHAVIOR_REJECT, + allowList: false, + callback: callbackTracking, + extraPrefs, + expectedBlockingNotifications: expectedBlockingNotifications + ? Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_ALL + : 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval: null, // only passed with non-blocking callback + callbackAfterRemoval: null, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name, + cookieBehavior: BEHAVIOR_LIMIT_FOREIGN, + allowList: true, + callback: callbackNonTracking, + extraPrefs, + expectedBlockingNotifications: 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval: null, // only passed with non-blocking callback + callbackAfterRemoval: null, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name: name + " reject foreign without exception", + cookieBehavior: BEHAVIOR_REJECT_FOREIGN, + allowList: true, + callback: callbackNonTracking, + extraPrefs: [ + ["network.cookie.rejectForeignWithExceptions.enabled", false], + ...(extraPrefs || []), + ], + expectedBlockingNotifications: 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval: null, // only passed with non-blocking callback + callbackAfterRemoval: null, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name: name + " reject foreign with exception", + cookieBehavior: BEHAVIOR_REJECT_FOREIGN, + allowList: true, + callback: callbackNonTracking, + extraPrefs: [ + ["network.cookie.rejectForeignWithExceptions.enabled", true], + ...(extraPrefs || []), + ], + expectedBlockingNotifications: 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval, + callbackAfterRemoval, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name, + cookieBehavior: BEHAVIOR_REJECT_FOREIGN, + allowList: false, + callback: callbackTracking, + extraPrefs: [ + ["network.cookie.rejectForeignWithExceptions.enabled", false], + ...(extraPrefs || []), + ], + expectedBlockingNotifications: expectedBlockingNotifications + ? Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_FOREIGN + : 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval, + callbackAfterRemoval, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name, + cookieBehavior: BEHAVIOR_REJECT_FOREIGN, + allowList: false, + callback: callbackNonTracking, + extraPrefs: [ + ["network.cookie.rejectForeignWithExceptions.enabled", true], + ...(extraPrefs || []), + ], + expectedBlockingNotifications: false, + runInPrivateWindow, + iframeSandbox, + accessRemoval: null, // only passed with non-blocking callback + callbackAfterRemoval: null, + thirdPartyPage: TEST_ANOTHER_3RD_PARTY_PAGE, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name, + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + allowList: true, + callback: callbackNonTracking, + extraPrefs, + expectedBlockingNotifications: 0, + runInPrivateWindow, + iframeSandbox, + accessRemoval, + callbackAfterRemoval, + }); + this._createCleanupTask(cleanupFunction); + + this._createTask({ + name, + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + allowList: false, + callback: callbackNonTracking, + extraPrefs, + expectedBlockingNotifications: false, + runInPrivateWindow, + iframeSandbox, + accessRemoval: null, // only passed with non-blocking callback + callbackAfterRemoval: null, + thirdPartyPage: TEST_ANOTHER_3RD_PARTY_PAGE, + }); + this._createCleanupTask(cleanupFunction); + } else { + // This is only used for imageCacheWorker.js tests + this._createTask({ + name, + cookieBehavior: options.cookieBehavior, + allowList: options.blockingByAllowList, + callback: options.callback, + extraPrefs, + expectedBlockingNotifications: options.expectedBlockingNotifications, + runInPrivateWindow, + iframeSandbox, + accessRemoval: options.accessRemoval, + callbackAfterRemoval: options.callbackAfterRemoval, + }); + this._createCleanupTask(cleanupFunction); + } + + // Phase 2: Here we want to test that a third-party context doesn't + // get blocked with when the same origin is opened through window.open(). + if (windowOpenTest) { + this._createWindowOpenTask( + name, + BEHAVIOR_REJECT_TRACKER, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + false, + extraPrefs + ); + this._createCleanupTask(cleanupFunction); + + this._createWindowOpenTask( + name, + BEHAVIOR_REJECT_FOREIGN, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + false, + [ + ["network.cookie.rejectForeignWithExceptions.enabled", true], + ...(extraPrefs || []), + ] + ); + this._createCleanupTask(cleanupFunction); + + // Now, check if it works for nested iframes. + this._createWindowOpenTask( + name, + BEHAVIOR_REJECT_TRACKER, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + true, + extraPrefs + ); + this._createCleanupTask(cleanupFunction); + + this._createWindowOpenTask( + name, + BEHAVIOR_REJECT_FOREIGN, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + true, + [ + ["network.cookie.rejectForeignWithExceptions.enabled", true], + ...(extraPrefs || []), + ] + ); + this._createCleanupTask(cleanupFunction); + } + + // Phase 3: Here we want to test that a third-party context doesn't + // get blocked with user interaction present + if (userInteractionTest) { + this._createUserInteractionTask( + name, + BEHAVIOR_REJECT_TRACKER, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + false, + extraPrefs + ); + this._createCleanupTask(cleanupFunction); + + this._createUserInteractionTask( + name, + BEHAVIOR_REJECT_FOREIGN, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + false, + [ + ["network.cookie.rejectForeignWithExceptions.enabled", true], + ...(extraPrefs || []), + ] + ); + this._createCleanupTask(cleanupFunction); + + // Now, check if it works for nested iframes. + this._createUserInteractionTask( + name, + BEHAVIOR_REJECT_TRACKER, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + true, + extraPrefs + ); + this._createCleanupTask(cleanupFunction); + + this._createUserInteractionTask( + name, + BEHAVIOR_REJECT_FOREIGN, + callbackTracking, + callbackNonTracking, + runInPrivateWindow, + iframeSandbox, + true, + [ + ["network.cookie.rejectForeignWithExceptions.enabled", true], + ...(extraPrefs || []), + ] + ); + this._createCleanupTask(cleanupFunction); + } + } + }, + + _waitObserver(targetTopic, expectedCount) { + let cnt = 0; + + return new Promise(resolve => { + Services.obs.addObserver(function observer(subject, topic, data) { + if (topic != targetTopic) { + return; + } + cnt++; + + if (cnt != expectedCount) { + return; + } + + Services.obs.removeObserver(observer, targetTopic); + resolve(); + }, targetTopic); + }); + }, + + _waitUserInteractionPerm() { + return this._waitObserver( + "antitracking-test-user-interaction-perm-added", + 1 + ); + }, + + _waitStorageAccessPerm(expectedCount) { + return this._waitObserver( + "antitracking-test-storage-access-perm-added", + expectedCount + ); + }, + + async interactWithTracker() { + let win = await BrowserTestUtils.openNewBrowserWindow(); + await BrowserTestUtils.withNewTab( + { gBrowser: win.gBrowser, url: TEST_3RD_PARTY_PAGE }, + async function(browser) { + info("Let's interact with the tracker"); + + await SpecialPowers.spawn(browser, [], async function() { + SpecialPowers.wrap(content.document).userInteractionForTesting(); + }); + } + ); + await BrowserTestUtils.closeWindow(win); + }, + + async _setupTest(win, cookieBehavior, extraPrefs) { + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + ["network.cookie.cookieBehavior", cookieBehavior], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + [ + "privacy.trackingprotection.annotate_channels", + cookieBehavior != BEHAVIOR_ACCEPT, + ], + ["privacy.restrict3rdpartystorage.console.lazy", false], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ["privacy.antitracking.testing", true], + ], + }); + + if (extraPrefs && Array.isArray(extraPrefs) && extraPrefs.length) { + await SpecialPowers.pushPrefEnv({ set: extraPrefs }); + + for (let item of extraPrefs) { + // When setting up exception URLs, we need to wait to ensure our prefs + // actually take effect. In order to do this, we set up a exception + // list observer and wait until it calls us back. + if (item[0] == "urlclassifier.trackingAnnotationSkipURLs") { + info("Waiting for the exception list service to initialize..."); + let classifier = Cc[ + "@mozilla.org/url-classifier/dbservice;1" + ].getService(Ci.nsIURIClassifier); + let feature = classifier.getFeatureByName("tracking-annotation"); + await TestUtils.waitForCondition(() => { + for (let x of item[1].toLowerCase().split(",")) { + if (feature.exceptionHostList.split(",").includes(x)) { + return true; + } + } + return false; + }, "Exception list service initialized"); + break; + } + } + } + + await UrlClassifierTestUtils.addTestTrackers(); + if (!gTestTrackersCleanupRegistered) { + registerCleanupFunction(_ => { + if (gTestTrackersCleanedUp) { + return; + } + UrlClassifierTestUtils.cleanupTestTrackers(); + gTestTrackersCleanedUp = true; + }); + gTestTrackersCleanupRegistered = true; + } + }, + + _createTask(options) { + add_task(async function() { + info( + "Starting " + + (options.cookieBehavior != BEHAVIOR_ACCEPT + ? "blocking" + : "non-blocking") + + " cookieBehavior (" + + options.cookieBehavior + + ") with" + + (options.allowList ? "" : "out") + + " allow list test " + + options.name + + " running in a " + + (options.runInPrivateWindow ? "private" : "normal") + + " window " + + " with iframe sandbox set to " + + options.iframeSandbox + + " and access removal set to " + + options.accessRemoval + + (typeof options.thirdPartyPage == "string" + ? " and third party page set to " + options.thirdPartyPage + : "") + + (typeof options.topPage == "string" + ? " and top page set to " + options.topPage + : "") + ); + + is( + !!options.callbackAfterRemoval, + !!options.accessRemoval, + "callbackAfterRemoval must be passed when accessRemoval is non-null" + ); + + let win = window; + if (options.runInPrivateWindow) { + win = OpenBrowserWindow({ private: true }); + await TestUtils.topicObserved("browser-delayed-startup-finished"); + } + + await AntiTracking._setupTest( + win, + options.cookieBehavior, + options.extraPrefs + ); + + let topPage; + if (typeof options.topPage == "string") { + topPage = options.topPage; + } else { + topPage = TEST_TOP_PAGE; + } + + let thirdPartyPage, thirdPartyDomainURI; + if (typeof options.thirdPartyPage == "string") { + thirdPartyPage = options.thirdPartyPage; + let url = new URL(thirdPartyPage); + thirdPartyDomainURI = Services.io.newURI(url.origin); + } else { + thirdPartyPage = TEST_3RD_PARTY_PAGE; + thirdPartyDomainURI = Services.io.newURI(TEST_3RD_PARTY_DOMAIN); + } + + // It's possible that the third-party domain has been exceptionlisted + // through extraPrefs, so let's try annotating it here and adjust our + // blocking expectations as necessary. + if ( + options.expectedBlockingNotifications == + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER + ) { + if ( + !(await AntiTracking._isThirdPartyPageClassifiedAsTracker( + topPage, + thirdPartyDomainURI + )) + ) { + options.expectedBlockingNotifications = 0; + } + } + + let cookieBlocked = 0; + let listener = { + onContentBlockingEvent(webProgress, request, event) { + if (event & options.expectedBlockingNotifications) { + ++cookieBlocked; + } + }, + }; + function prepareTestEnvironmentOnPage() { + win.gBrowser.addProgressListener(listener); + + Services.console.reset(); + } + + if (!options.allowList) { + prepareTestEnvironmentOnPage(); + } + + let consoleWarningPromise; + + if (options.expectedBlockingNotifications) { + consoleWarningPromise = new Promise(resolve => { + let consoleListener = { + observe(msg) { + if ( + msg + .QueryInterface(Ci.nsIScriptError) + .category.startsWith("cookieBlocked") + ) { + Services.console.unregisterListener(consoleListener); + resolve(); + } + }, + }; + + Services.console.registerListener(consoleListener); + }); + } else { + consoleWarningPromise = Promise.resolve(); + } + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(win.gBrowser, topPage); + win.gBrowser.selectedTab = tab; + + let browser = win.gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Check the cookieJarSettings of the browser object"); + ok( + browser.cookieJarSettings, + "The browser object has the cookieJarSettings." + ); + is( + browser.cookieJarSettings.cookieBehavior, + options.cookieBehavior, + "The cookieJarSettings has the correct cookieBehavior" + ); + + if (options.allowList) { + info("Disabling content blocking for this page"); + win.gProtectionsHandler.disableForCurrentPage(); + + prepareTestEnvironmentOnPage(); + + // The previous function reloads the browser, so wait for it to load again! + await BrowserTestUtils.browserLoaded(browser); + } + + info("Creating a 3rd party content"); + let doAccessRemovalChecks = + typeof options.accessRemoval == "string" && + options.cookieBehavior == BEHAVIOR_REJECT_TRACKER && + !options.allowList; + await SpecialPowers.spawn( + browser, + [ + { + page: thirdPartyPage, + nextPage: TEST_4TH_PARTY_PAGE, + callback: options.callback.toString(), + callbackAfterRemoval: options.callbackAfterRemoval + ? options.callbackAfterRemoval.toString() + : null, + accessRemoval: options.accessRemoval, + iframeSandbox: options.iframeSandbox, + allowList: options.allowList, + doAccessRemovalChecks, + }, + ], + async function(obj) { + let id = "id" + Math.random(); + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.id = id; + ifr.onload = function() { + info("Sending code to the 3rd party content"); + let callback = obj.allowList + "!!!" + obj.callback; + ifr.contentWindow.postMessage(callback, "*"); + }; + if (typeof obj.iframeSandbox == "string") { + ifr.setAttribute("sandbox", obj.iframeSandbox); + } + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + + if (obj.doAccessRemovalChecks) { + info(`Running after removal checks (${obj.accessRemoval})`); + switch (obj.accessRemoval) { + case "navigate-subframe": + await new content.Promise(resolve => { + let ifr = content.document.getElementById(id); + let oldWindow = ifr.contentWindow; + ifr.onload = function() { + info("Sending code to the old 3rd party content"); + oldWindow.postMessage(obj.callbackAfterRemoval, "*"); + }; + if (typeof obj.iframeSandbox == "string") { + ifr.setAttribute("sandbox", obj.iframeSandbox); + } + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + ifr.src = obj.nextPage; + }); + break; + case "navigate-topframe": + // pass-through + break; + default: + ok( + false, + "Unexpected accessRemoval code passed: " + obj.accessRemoval + ); + break; + } + } + } + ); + + if ( + doAccessRemovalChecks && + options.accessRemoval == "navigate-topframe" + ) { + BrowserTestUtils.loadURI(browser, TEST_4TH_PARTY_PAGE); + await BrowserTestUtils.browserLoaded(browser); + + let pageshow = BrowserTestUtils.waitForContentEvent( + tab.linkedBrowser, + "pageshow" + ); + gBrowser.goBack(); + await pageshow; + + await SpecialPowers.spawn( + browser, + [ + { + page: thirdPartyPage, + callbackAfterRemoval: options.callbackAfterRemoval + ? options.callbackAfterRemoval.toString() + : null, + iframeSandbox: options.iframeSandbox, + }, + ], + async function(obj) { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info( + "Sending code to the 3rd party content to verify accessRemoval" + ); + ifr.contentWindow.postMessage(obj.callbackAfterRemoval, "*"); + }; + if (typeof obj.iframeSandbox == "string") { + ifr.setAttribute("sandbox", obj.iframeSandbox); + } + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + } + ); + } + + // Wait until the message appears on the console. + await consoleWarningPromise; + + let allMessages = Services.console.getMessageArray().filter(msg => { + try { + // Select all messages that the anti-tracking backend could generate. + return msg + .QueryInterface(Ci.nsIScriptError) + .category.startsWith("cookieBlocked"); + } catch (e) { + return false; + } + }); + let expectedCategory = ""; + // When changing this list, please make sure to update the corresponding + // code in ReportBlockingToConsole(). + switch (options.expectedBlockingNotifications) { + case Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_BY_PERMISSION: + expectedCategory = "cookieBlockedPermission"; + break; + case Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER: + expectedCategory = "cookieBlockedTracker"; + break; + case Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_ALL: + expectedCategory = "cookieBlockedAll"; + break; + case Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_FOREIGN: + expectedCategory = "cookieBlockedForeign"; + break; + } + + if (expectedCategory == "") { + is(allMessages.length, 0, "No console messages should be generated"); + } else { + ok(!!allMessages.length, "Some console message should be generated"); + if (options.errorMessageDomains) { + is( + allMessages.length, + options.errorMessageDomains.length, + "Enough items provided in errorMessageDomains" + ); + } + } + let index = 0; + for (let msg of allMessages) { + is( + msg.category, + expectedCategory, + "Message should be of expected category" + ); + + if (options.errorMessageDomains) { + ok( + msg.errorMessage.includes(options.errorMessageDomains[index]), + `Error message domain ${options.errorMessageDomains[index]} (${index}) found in "${msg.errorMessage}"` + ); + index++; + } + } + + if (options.allowList) { + info("Enabling content blocking for this page"); + win.gProtectionsHandler.enableForCurrentPage(); + + // The previous function reloads the browser, so wait for it to load again! + await BrowserTestUtils.browserLoaded(browser); + } + + win.gBrowser.removeProgressListener(listener); + + is( + !!cookieBlocked, + !!options.expectedBlockingNotifications, + "Checking cookie blocking notifications" + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + if (options.runInPrivateWindow) { + win.close(); + } + }); + }, + + _createCleanupTask(cleanupFunction) { + add_task(async function() { + info("Cleaning up."); + if (cleanupFunction) { + await cleanupFunction(); + } + + // While running these tests we typically do not have enough idle time to do + // GC reliably, so force it here. + forceGC(); + }); + }, + + _createWindowOpenTask( + name, + cookieBehavior, + blockingCallback, + nonBlockingCallback, + runInPrivateWindow, + iframeSandbox, + testInSubIFrame, + extraPrefs + ) { + add_task(async function() { + info( + `Starting window-open${ + testInSubIFrame ? " sub iframe" : "" + } test ${name}` + ); + + let win = window; + if (runInPrivateWindow) { + win = OpenBrowserWindow({ private: true }); + await TestUtils.topicObserved("browser-delayed-startup-finished"); + } + + await AntiTracking._setupTest(win, cookieBehavior, extraPrefs); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(win.gBrowser, TEST_TOP_PAGE); + win.gBrowser.selectedTab = tab; + + let browser = win.gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Create a first-level iframe to test sub iframes."); + if (testInSubIFrame) { + let iframeBrowsingContext = await SpecialPowers.spawn( + browser, + [{ page: TEST_IFRAME_PAGE }], + async function(obj) { + // Add an iframe. + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + return ifr.browsingContext; + } + ); + + browser = iframeBrowsingContext; + } + + let pageURL = TEST_3RD_PARTY_PAGE_WO; + if (gFeatures == "noopener") { + pageURL += "?noopener"; + } + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [ + { + page: pageURL, + blockingCallback: blockingCallback.toString(), + nonBlockingCallback: nonBlockingCallback.toString(), + iframeSandbox, + }, + ], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj, "*"); + }; + if (typeof obj.iframeSandbox == "string") { + ifr.setAttribute("sandbox", obj.iframeSandbox); + } + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + if (runInPrivateWindow) { + win.close(); + } + }); + }, + + _createUserInteractionTask( + name, + cookieBehavior, + blockingCallback, + nonBlockingCallback, + runInPrivateWindow, + iframeSandbox, + testInSubIFrame, + extraPrefs + ) { + add_task(async function() { + info( + `Starting user-interaction${ + testInSubIFrame ? " sub iframe" : "" + } test ${name}` + ); + + let win = window; + if (runInPrivateWindow) { + win = OpenBrowserWindow({ private: true }); + await TestUtils.topicObserved("browser-delayed-startup-finished"); + } + + await AntiTracking._setupTest(win, cookieBehavior, extraPrefs); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(win.gBrowser, TEST_TOP_PAGE); + win.gBrowser.selectedTab = tab; + + let browser = win.gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + if (testInSubIFrame) { + info("Create a first-level iframe to test sub iframes."); + let iframeBrowsingContext = await SpecialPowers.spawn( + browser, + [{ page: TEST_IFRAME_PAGE }], + async function(obj) { + // Add an iframe. + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + return ifr.browsingContext; + } + ); + + browser = iframeBrowsingContext; + } + + // The following test will open an popup which interacts with the tracker + // page. So there will be an user-interaction permission added. We wait + // it explicitly. + let promiseUIPerm = AntiTracking._waitUserInteractionPerm(); + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_UI, + popup: TEST_POPUP_PAGE, + blockingCallback: blockingCallback.toString(), + iframeSandbox, + }, + ], + async function(obj) { + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + if (typeof obj.iframeSandbox == "string") { + ifr.setAttribute("sandbox", obj.iframeSandbox); + } + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + info( + "The 3rd party content should not have access to first party storage." + ); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage( + { callback: obj.blockingCallback }, + "*" + ); + }); + + let windowClosed = new content.Promise(resolve => { + Services.ww.registerNotification(function notification( + aSubject, + aTopic, + aData + ) { + if (aTopic == "domwindowclosed") { + Services.ww.unregisterNotification(notification); + resolve(); + } + }); + }); + + info("Opening a window from the iframe."); + SpecialPowers.spawn(ifr, [{ popup: obj.popup }], async function(obj) { + content.open(obj.popup); + }); + + info("Let's wait for the window to be closed"); + await windowClosed; + + info( + "First time, the 3rd party content should not have access to first party storage " + + "because the tracker did not have user interaction" + ); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage( + { callback: obj.blockingCallback }, + "*" + ); + }); + } + ); + + // We wait until the user-interaction permission is added. + await promiseUIPerm; + + // We also need to wait the user-interaction permission here. + promiseUIPerm = AntiTracking._waitUserInteractionPerm(); + await AntiTracking.interactWithTracker(); + await promiseUIPerm; + + // Following test will also open an popup to interact with the page. We + // need to explicitly wait it. Without waiting it, it could be added after + // we clear up the test and interfere the next test. + promiseUIPerm = AntiTracking._waitUserInteractionPerm(); + + // We have to wait until the storage access permission is added. This has + // the same reason as above user-interaction permission. Note that there + // will be two storage access permission added due to the way how we + // trigger the heuristic. The first permission is added due to 'Opener' + // heuristic and the second one is due to 'Opener after user interaction'. + // The page we use to trigger the heuristic will trigger both heuristic, + // so we have to wait 2 permissions. + let promiseStorageAccessPerm = AntiTracking._waitStorageAccessPerm(2); + + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_UI, + popup: TEST_POPUP_PAGE, + nonBlockingCallback: nonBlockingCallback.toString(), + iframeSandbox, + }, + ], + async function(obj) { + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + if (typeof obj.iframeSandbox == "string") { + ifr.setAttribute("sandbox", obj.iframeSandbox); + } + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + let windowClosed = new content.Promise(resolve => { + Services.ww.registerNotification(function notification( + aSubject, + aTopic, + aData + ) { + if (aTopic == "domwindowclosed") { + Services.ww.unregisterNotification(notification); + resolve(); + } + }); + }); + + info("Opening a window from the iframe."); + SpecialPowers.spawn(ifr, [{ popup: obj.popup }], async function(obj) { + content.open(obj.popup); + }); + + info("Let's wait for the window to be closed"); + await windowClosed; + + info( + "The 3rd party content should now have access to first party storage." + ); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage( + { callback: obj.nonBlockingCallback }, + "*" + ); + }); + } + ); + + // Explicitly wait the user-interaction and storage access permission + // before we do the cleanup. + await promiseUIPerm; + await promiseStorageAccessPerm; + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + if (runInPrivateWindow) { + win.close(); + } + }); + }, + + async _isThirdPartyPageClassifiedAsTracker(topPage, thirdPartyDomainURI) { + let channel; + await new Promise((resolve, reject) => { + channel = NetUtil.newChannel({ + uri: thirdPartyDomainURI, + loadingPrincipal: Services.scriptSecurityManager.createContentPrincipal( + thirdPartyDomainURI, + {} + ), + securityFlags: + Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, + contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER, + }); + + channel + .QueryInterface(Ci.nsIHttpChannelInternal) + .setTopWindowURIIfUnknown(Services.io.newURI(topPage)); + + function Listener() {} + Listener.prototype = { + onStartRequest(request) {}, + onDataAvailable(request, stream, off, cnt) { + // Consume the data to prevent hitting the assertion. + NetUtil.readInputStreamToString(stream, cnt); + }, + onStopRequest(request, st) { + let status = request.QueryInterface(Ci.nsIHttpChannel).responseStatus; + if (status == 200) { + resolve(); + } else { + reject(); + } + }, + }; + let listener = new Listener(); + channel.asyncOpen(listener); + }); + + return !!( + channel.QueryInterface(Ci.nsIClassifiedChannel).classificationFlags & + Ci.nsIClassifiedChannel.CLASSIFIED_ANY_BASIC_TRACKING + ); + }, +}; diff --git a/toolkit/components/antitracking/test/browser/browser.ini b/toolkit/components/antitracking/test/browser/browser.ini new file mode 100644 index 0000000000..6daf1f4737 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser.ini @@ -0,0 +1,172 @@ +[DEFAULT] +skip-if = os == "linux" && (asan || tsan) # bug 1662229 - task exception +prefs = + # Disable the Storage Access API prompts for all of the tests in this directory + dom.storage_access.prompt.testing=true + dom.storage_access.prompt.testing.allow=true + dom.testing.sync-content-blocking-notifications=true + # Enable the window.open() heuristics globally in this directory + privacy.restrict3rdpartystorage.heuristic.window_open=true + privacy.restrict3rdpartystorage.heuristic.opened_window_after_interaction=true + +support-files = + container.html + container2.html + embedder.html + embedder2.html + head.js + antitracking_head.js + dynamicfpi_head.js + partitionedstorage_head.js + storageprincipal_head.js + cookiesCORS.sjs + iframe.html + image.sjs + imageCacheWorker.js + page.html + 3rdParty.html + 3rdPartyRelay.html + 3rdPartySVG.html + 3rdPartyUI.html + 3rdPartyWO.html + 3rdPartyWorker.html + 3rdPartyOpen.html + 3rdPartyOpenUI.html + empty.js + empty-altsvc.js + empty-altsvc.js^headers^ + empty.html + file_localStorage.html + popup.html + redirect.sjs + server.sjs + storageAccessAPIHelpers.js + 3rdPartyStorage.html + 3rdPartyStorageWO.html + 3rdPartyPartitioned.html + localStorage.html + raptor.jpg + !/browser/modules/test/browser/head.js + !/browser/base/content/test/general/head.js + !/browser/base/content/test/protectionsUI/cookieServer.sjs + !/browser/base/content/test/protectionsUI/trackingPage.html + !/browser/base/content/test/protectionsUI/trackingAPI.js + !/toolkit/content/tests/browser/common/mockTransfer.js + +[browser_aboutblank.js] +[browser_allowListNotifications.js] +support-files = subResources.sjs +[browser_addonHostPermissionIgnoredInTP.js] +[browser_allowListSeparationInPrivateAndNormalWindows.js] +skip-if = os == "mac" && !debug # Bug 1503778, 1577362 +[browser_backgroundImageAssertion.js] +[browser_blockingCookies.js] +[browser_blockingDOMCache.js] +[browser_blockingIndexedDb.js] +[browser_blockingIndexedDbInWorkers.js] +[browser_blockingIndexedDbInWorkers2.js] +[browser_blockingLocalStorage.js] +[browser_blockingSessionStorage.js] +[browser_blockingServiceWorkers.js] +[browser_blockingServiceWorkersStorageAccessAPI.js] +[browser_blockingSharedWorkers.js] +[browser_blockingMessaging.js] +skip-if = os == "linux" && debug #bug 1627094 +[browser_blockingNoOpener.js] +[browser_contentBlockingAllowListPrincipal.js] +support-files = + sandboxed.html + sandboxed.html^headers^ +[browser_contentBlockingTelemetry.js] +[browser_doublyNestedTracker.js] +[browser_existingCookiesForSubresources.js] +[browser_fileUrl.js] +[browser_firstPartyCookieRejectionHonoursAllowList.js] +[browser_hasStorageAccess.js] +[browser_imageCache4.js] +[browser_imageCache8.js] +[browser_onBeforeRequestNotificationForTrackingResources.js] +[browser_onModifyRequestNotificationForTrackingResources.js] +[browser_permissionInNormalWindows.js] +[browser_permissionInPrivateWindows.js] +[browser_permissionPropagation.js] +[browser_referrerDefaultPolicy.js] +support-files = referrer.sjs +[browser_siteSpecificWorkArounds.js] +[browser_subResources.js] +support-files = subResources.sjs +[browser_subResourcesPartitioned.js] +support-files = subResources.sjs +[browser_script.js] +support-files = tracker.js +[browser_userInteraction.js] +[browser_serviceWorkersWithStorageAccessGranted.js] +[browser_storageAccessDoorHanger.js] +[browser_storageAccessPromiseRejectHandlerUserInteraction.js] +[browser_storageAccessPromiseResolveHandlerUserInteraction.js] +[browser_storageAccessRemovalNavigateSubframe.js] +[browser_storageAccessRemovalNavigateTopframe.js] +[browser_storageAccessSandboxed.js] +[browser_storageAccessThirdPartyChecks.js] +[browser_storageAccessWithDynamicFpi.js] +[browser_storageAccessWithHeuristics.js] +[browser_networkIsolation.js] +[browser_allowPermissionForTracker.js] +[browser_denyPermissionForTracker.js] +[browser_localStorageEvents.js] +[browser_partitionedLocalStorage.js] +[browser_partitionedLocalStorage_events.js] +support-files = localStorageEvents.html +[browser_workerPropagation.js] +support-files = workerIframe.html +[browser_cookieBetweenTabs.js] +[browser_partitionedMessaging.js] +skip-if = true #Bug 1588241 +[browser_partitionedIndexedDB.js] +[browser_partitionedCookies.js] +support-files = cookies.sjs +[browser_partitionedDOMCache.js] +[browser_partitionedServiceWorkers.js] +support-files = matchAll.js +[browser_partitionedSharedWorkers.js] +support-files = sharedWorker.js partitionedSharedWorker.js +[browser_socialtracking.js] +[browser_socialtracking_save_image.js] +[browser_thirdPartyStorageRejectionForCORS.js] +[browser_urlDecorationStripping.js] +tags = remote-settings +[browser_staticPartition_cache.js] +support-files = + !/browser/components/originattributes/test/browser/file_cache.html + !/browser/components/originattributes/test/browser/file_thirdPartyChild.audio.ogg + !/browser/components/originattributes/test/browser/file_thirdPartyChild.embed.png + !/browser/components/originattributes/test/browser/file_thirdPartyChild.fetch.html + !/browser/components/originattributes/test/browser/file_thirdPartyChild.iframe.html + !/browser/components/originattributes/test/browser/file_thirdPartyChild.img.png + !/browser/components/originattributes/test/browser/file_thirdPartyChild.favicon.png + !/browser/components/originattributes/test/browser/file_thirdPartyChild.import.js + !/browser/components/originattributes/test/browser/file_thirdPartyChild.link.css + !/browser/components/originattributes/test/browser/file_thirdPartyChild.object.png + !/browser/components/originattributes/test/browser/file_thirdPartyChild.request.html + !/browser/components/originattributes/test/browser/file_thirdPartyChild.script.js + !/browser/components/originattributes/test/browser/file_thirdPartyChild.sharedworker.js + !/browser/components/originattributes/test/browser/file_thirdPartyChild.video.ogv + !/browser/components/originattributes/test/browser/file_thirdPartyChild.worker.fetch.html + !/browser/components/originattributes/test/browser/file_thirdPartyChild.worker.js + !/browser/components/originattributes/test/browser/file_thirdPartyChild.worker.request.html + !/browser/components/originattributes/test/browser/file_thirdPartyChild.worker.xhr.html + !/browser/components/originattributes/test/browser/file_thirdPartyChild.xhr.html +[browser_staticPartition_network.js] +[browser_staticPartition_CORS_preflight.js] +support-files = browser_staticPartition_CORS_preflight.sjs +[browser_staticPartition_HSTS.js] +support-files = browser_staticPartition_HSTS.sjs +[browser_staticPartition_saveAs.js] +support-files = + file_saveAsImage.sjs + file_saveAsVideo.sjs + file_saveAsPageInfo.html + file_video.ogv +[browser_partitionedClearSiteDataHeader.js] +support-files = + clearSiteData.sjs diff --git a/toolkit/components/antitracking/test/browser/browser_aboutblank.js b/toolkit/components/antitracking/test/browser/browser_aboutblank.js new file mode 100644 index 0000000000..683b380c3f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_aboutblank.js @@ -0,0 +1,40 @@ +/* Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +add_task(async function test_aboutblankInIframe() { + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ], + ], + }); + + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_TOP_PAGE + ); + let browser = tab.linkedBrowser; + + await SpecialPowers.spawn(browser, [], async function(obj) { + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + ifr.src = "about:blank"; + content.document.body.appendChild(ifr); + await loading; + + await SpecialPowers.spawn(ifr, [], async function(obj) { + ok( + content.navigator.cookieEnabled, + "Cookie should be enabled in about blank" + ); + }); + }); + + BrowserTestUtils.removeTab(tab); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_addonHostPermissionIgnoredInTP.js b/toolkit/components/antitracking/test/browser/browser_addonHostPermissionIgnoredInTP.js new file mode 100644 index 0000000000..979a00429f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_addonHostPermissionIgnoredInTP.js @@ -0,0 +1,48 @@ +ChromeUtils.import("resource://gre/modules/Services.jsm"); + +add_task(async function() { + info("Starting test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [["privacy.trackingprotection.enabled", true]], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let extension = ExtensionTestUtils.loadExtension({ + manifest: { permissions: ["https://tracking.example.com/"] }, + files: { + "page.html": + '<html><head></head><body><script src="script.js"></script><iframe src="https://tracking.example.com/browser/toolkit/components/antitracking/test/browser/container2.html"></iframe></body></html>', + "script.js": + 'window.count=0;window.p=new Promise(resolve=>{onmessage=e=>{count=e.data.data;resolve();};});p.then(()=>{document.documentElement.setAttribute("count",count);});', + }, + async background() { + browser.test.sendMessage("ready", browser.runtime.getURL("page.html")); + }, + }); + await extension.startup(); + let url = await extension.awaitMessage("ready"); + + info("Creating a new tab"); + let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, url); + let browser = tab.linkedBrowser; + + info("Verify the number of script nodes found"); + await ContentTask.spawn(browser, [], async function(obj) { + // Need to wait a bit for cross-process postMessage... + await ContentTaskUtils.waitForCondition( + () => content.document.documentElement.getAttribute("count") !== null, + "waiting for 'count' attribute" + ); + let count = content.document.documentElement.getAttribute("count"); + is(count, 3, "Expected script nodes found"); + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + await extension.unload(); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_allowListNotifications.js b/toolkit/components/antitracking/test/browser/browser_allowListNotifications.js new file mode 100644 index 0000000000..d4802f2d7f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_allowListNotifications.js @@ -0,0 +1,133 @@ +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + gProtectionsHandler.disableForCurrentPage(); + + // The previous function reloads the browser, so wait for it to load again! + await BrowserTestUtils.browserLoaded(browser); + + // Now load subresources from a few third-party origins. + // We should expect to see none of these origins in the content blocking log at the end. + await fetch( + "https://test1.example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + is(text, "0", "Cookies received for images"); + }); + + await fetch( + "https://test2.example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + is(text, "0", "Cookies received for images"); + }); + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE, + blockingCallback: (async _ => {}).toString(), + nonBlockingCallback: (async _ => {}).toString(), + }, + ], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj.blockingCallback, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + let expectTrackerFound = item => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_LOADED_LEVEL_1_TRACKING_CONTENT, + "Correct blocking type reported" + ); + is(item[1], true, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let log = JSON.parse(await browser.getContentBlockingLog()); + for (let trackerOrigin in log) { + is( + trackerOrigin + "/", + TEST_3RD_PARTY_DOMAIN, + "Correct tracker origin must be reported" + ); + let originLog = log[trackerOrigin]; + is(originLog.length, 1, "We should have 1 entry in the compressed log"); + expectTrackerFound(originLog[0]); + } + + gProtectionsHandler.enableForCurrentPage(); + + // The previous function reloads the browser, so wait for it to load again! + await BrowserTestUtils.browserLoaded(browser); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_allowListSeparationInPrivateAndNormalWindows.js b/toolkit/components/antitracking/test/browser/browser_allowListSeparationInPrivateAndNormalWindows.js new file mode 100644 index 0000000000..343feb8019 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_allowListSeparationInPrivateAndNormalWindows.js @@ -0,0 +1,54 @@ +// This test works by setting up an exception for the private window allow list +// manually, and it then expects to see some blocking notifications (note the +// document.cookie setter in the blocking callback.) +// If the exception lists aren't handled separately, we'd get confused and put +// the pages loaded under this test in the allow list, which would result in +// the test not passing because no blocking notifications would be observed. + +// Testing the reverse case would also be interesting, but unfortunately there +// isn't a super easy way to do that with our antitracking test framework since +// private windows wouldn't send any blocking notifications as they don't have +// storage access in the first place. + +/* import-globals-from antitracking_head.js */ + +"use strict"; +add_task(async _ => { + let uri = Services.io.newURI("https://example.net"); + PermissionTestUtils.add( + uri, + "trackingprotection-pb", + Services.perms.ALLOW_ACTION + ); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); +}); + +AntiTracking.runTest( + "Test that we don't honour a private allow list exception in a normal window", + // Blocking callback + async _ => { + document.cookie = "name=value"; + }, + + // Non blocking callback + async _ => { + // Nothing to do here. + }, + + // Cleanup callback + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, // no extra prefs + false, // run the window.open() test + false, // run the user interaction test + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications + false +); // run in a normal window diff --git a/toolkit/components/antitracking/test/browser/browser_allowPermissionForTracker.js b/toolkit/components/antitracking/test/browser/browser_allowPermissionForTracker.js new file mode 100644 index 0000000000..fb56c3d477 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_allowPermissionForTracker.js @@ -0,0 +1,66 @@ +// This test works by setting up an exception for the tracker domain, which +// disables all the anti-tracking tests. + +/* import-globals-from antitracking_head.js */ + +add_task(async _ => { + PermissionTestUtils.add( + "https://tracking.example.org", + "cookie", + Services.perms.ALLOW_ACTION + ); + PermissionTestUtils.add( + "https://tracking.example.com", + "cookie", + Services.perms.ALLOW_ACTION + ); + // Grant interaction permission so we can directly call + // requestStorageAccess from the tracker. + PermissionTestUtils.add( + "https://tracking.example.org", + "storageAccessAPI", + Services.perms.ALLOW_ACTION + ); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); +}); + +AntiTracking._createTask({ + name: "Test that we do honour a cookie permission for nested windows", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + blockingByContentBlockingRTUI: false, + allowList: false, + callback: async _ => { + document.cookie = "name=value"; + ok(document.cookie != "", "Nothing is blocked"); + + // requestStorageAccess should resolve + let dwu = SpecialPowers.getDOMWindowUtils(window); + let helper = dwu.setHandlingUserInput(true); + await document + .requestStorageAccess() + .then(() => { + ok(true, "Should grant storage access"); + }) + .catch(() => { + ok(false, "Should grant storage access"); + }); + helper.destruct(); + }, + extraPrefs: null, + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, +}); + +add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_backgroundImageAssertion.js b/toolkit/components/antitracking/test/browser/browser_backgroundImageAssertion.js new file mode 100644 index 0000000000..35712f27c4 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_backgroundImageAssertion.js @@ -0,0 +1,65 @@ +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + await SpecialPowers.spawn( + browser, + [{ page: TEST_3RD_PARTY_PAGE_WITH_SVG }], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + ok(true, "No crash, hopefully!"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingCookies.js b/toolkit/components/antitracking/test/browser/browser_blockingCookies.js new file mode 100644 index 0000000000..fef2c3db04 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingCookies.js @@ -0,0 +1,173 @@ +/* import-globals-from antitracking_head.js */ + +requestLongerTimeout(4); + +AntiTracking.runTestInNormalAndPrivateMode( + "Set/Get Cookies", + // Blocking callback + async _ => { + is(document.cookie, "", "No cookies for me"); + document.cookie = "name=value"; + is(document.cookie, "", "No cookies for me"); + + for (let arg of ["?checkonly", "?redirect-checkonly"]) { + info(`checking with arg=${arg}`); + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + // Let's do it twice. + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + } + + is(document.cookie, "", "Still no cookies for me"); + }, + + // Non blocking callback + async _ => { + is(document.cookie, "", "No cookies for me"); + + // Note: The ?redirect test is _not_ using checkonly, so it will actually + // set our foopy=1 cookie. + for (let arg of ["?checkonly", "?redirect"]) { + info(`checking with arg=${arg}`); + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + } + + document.cookie = "name=value"; + ok(document.cookie.includes("name=value"), "Some cookies for me"); + ok(document.cookie.includes("foopy=1"), "Some cookies for me"); + + for (let arg of ["", "?redirect"]) { + info(`checking with arg=${arg}`); + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-present", "We should have cookies"); + }); + } + + ok(document.cookie.length, "Some Cookies for me"); + }, + + // Cleanup callback + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +AntiTracking.runTestInNormalAndPrivateMode( + "Cookies and Storage Access API", + // Blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + is(document.cookie, "", "No cookies for me"); + document.cookie = "name=value"; + is(document.cookie, "", "No cookies for me"); + + for (let arg of ["", "?redirect"]) { + info(`checking with arg=${arg}`); + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + // Let's do it twice. + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + } + + is(document.cookie, "", "Still no cookies for me"); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + is(document.cookie, "", "No cookies for me"); + document.cookie = "name=value"; + + if ( + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) + ) { + is(document.cookie, "", "No cookies for me"); + } else { + is(document.cookie, "name=value", "I have the cookies!"); + } + }, + + // Non blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + is(document.cookie, "", "No cookies for me"); + + // Note: The ?redirect test is _not_ using checkonly, so it will actually + // set our foopy=1 cookie. + for (let arg of ["?checkonly", "?redirect"]) { + info(`checking with arg=${arg}`); + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + } + + document.cookie = "name=value"; + ok(document.cookie.includes("name=value"), "Some cookies for me"); + ok(document.cookie.includes("foopy=1"), "Some cookies for me"); + + for (let arg of ["", "?redirect"]) { + info(`checking with arg=${arg}`); + await fetch("server.sjs" + arg) + .then(r => r.text()) + .then(text => { + is(text, "cookie-present", "We should have cookies"); + }); + } + + ok(document.cookie.length, "Some Cookies for me"); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + ok(document.cookie.length, "Still some Cookies for me"); + ok(document.cookie.includes("name=value"), "Some cookies for me"); + ok(document.cookie.includes("foopy=1"), "Some cookies for me"); + }, + + // Cleanup callback + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingDOMCache.js b/toolkit/components/antitracking/test/browser/browser_blockingDOMCache.js new file mode 100644 index 0000000000..dedb3ebb1f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingDOMCache.js @@ -0,0 +1,107 @@ +/* import-globals-from antitracking_head.js */ + +requestLongerTimeout(2); + +AntiTracking.runTest( + "DOM Cache", + async _ => { + await caches.open("wow").then( + _ => { + ok(false, "DOM Cache cannot be used!"); + }, + _ => { + ok(true, "DOM Cache cannot be used!"); + } + ); + }, + async _ => { + await caches.open("wow").then( + _ => { + ok(true, "DOM Cache can be used!"); + }, + _ => { + ok(false, "DOM Cache can be used!"); + } + ); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [["dom.caches.testing.enabled", true]] +); + +AntiTracking.runTest( + "DOM Cache and Storage Access API", + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + await caches.open("wow").then( + _ => { + ok(false, "DOM Cache cannot be used!"); + }, + _ => { + ok(true, "DOM Cache cannot be used!"); + } + ); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + let shouldThrow = [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ); + + await caches.open("wow").then( + _ => { + ok(!shouldThrow, "DOM Cache can be used!"); + }, + _ => { + ok(shouldThrow, "DOM Cache can be used!"); + } + ); + }, + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + await caches.open("wow").then( + _ => { + ok(true, "DOM Cache can be used!"); + }, + _ => { + ok(false, "DOM Cache can be used!"); + } + ); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + await caches.open("wow").then( + _ => { + ok(true, "DOM Cache can be used!"); + }, + _ => { + ok(false, "DOM Cache can be used!"); + } + ); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [["dom.caches.testing.enabled", true]], + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingIndexedDb.js b/toolkit/components/antitracking/test/browser/browser_blockingIndexedDb.js new file mode 100644 index 0000000000..60873e8693 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingIndexedDb.js @@ -0,0 +1,97 @@ +/* import-globals-from antitracking_head.js */ + +requestLongerTimeout(4); + +AntiTracking.runTestInNormalAndPrivateMode( + "IndexedDB", + // blocking callback + async _ => { + try { + indexedDB.open("test", "1"); + ok(false, "IDB should be blocked"); + } catch (e) { + ok(true, "IDB should be blocked"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + // non-blocking callback + async _ => { + indexedDB.open("test", "1"); + ok(true, "IDB should be allowed"); + }, + // Cleanup callback + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +AntiTracking.runTestInNormalAndPrivateMode( + "IndexedDB and Storage Access API", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + try { + indexedDB.open("test", "1"); + ok(false, "IDB should be blocked"); + } catch (e) { + ok(true, "IDB should be blocked"); + is(e.name, "SecurityError", "We want a security error message."); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + let shouldThrow = [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ); + + let hasThrown; + try { + indexedDB.open("test", "1"); + hasThrown = false; + } catch (e) { + hasThrown = true; + is(e.name, "SecurityError", "We want a security error message."); + } + + is( + hasThrown, + shouldThrow, + "IDB should be allowed if not in cookieBehavior pref value BEHAVIOR_REJECT/BEHAVIOR_REJECT_FOREIGN" + ); + }, + // non-blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + indexedDB.open("test", "1"); + ok(true, "IDB should be allowed"); + + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + indexedDB.open("test", "1"); + ok(true, "IDB should be allowed"); + }, + // Cleanup callback + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingIndexedDbInWorkers.js b/toolkit/components/antitracking/test/browser/browser_blockingIndexedDbInWorkers.js new file mode 100644 index 0000000000..c9ae0d1654 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingIndexedDbInWorkers.js @@ -0,0 +1,74 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTestInNormalAndPrivateMode( + "IndexedDB in workers", + async _ => { + function blockCode() { + try { + indexedDB.open("test", "1"); + postMessage(false); + } catch (e) { + postMessage(e.name == "SecurityError"); + } + } + + let blob = new Blob([blockCode.toString() + "; blockCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + function nonBlockCode() { + indexedDB.open("test", "1"); + postMessage(true); + } + + let blob = new Blob([nonBlockCode.toString() + "; nonBlockCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingIndexedDbInWorkers2.js b/toolkit/components/antitracking/test/browser/browser_blockingIndexedDbInWorkers2.js new file mode 100644 index 0000000000..2c465c4673 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingIndexedDbInWorkers2.js @@ -0,0 +1,146 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTestInNormalAndPrivateMode( + "IndexedDB in workers and Storage Access API", + async _ => { + function blockCode() { + try { + indexedDB.open("test", "1"); + postMessage(false); + } catch (e) { + postMessage(e.name == "SecurityError"); + } + } + function nonBlockCode() { + indexedDB.open("test", "1"); + postMessage(true); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + let blob = new Blob([blockCode.toString() + "; blockCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if ( + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) + ) { + blob = new Blob([blockCode.toString() + "; blockCode();"]); + } else { + blob = new Blob([nonBlockCode.toString() + "; nonBlockCode();"]); + } + ok(blob, "Blob has been created"); + + blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + function nonBlockCode() { + indexedDB.open("test", "1"); + postMessage(true); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + let blob = new Blob([nonBlockCode.toString() + "; nonBlockCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + + worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingLocalStorage.js b/toolkit/components/antitracking/test/browser/browser_blockingLocalStorage.js new file mode 100644 index 0000000000..b3aef3df3b --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingLocalStorage.js @@ -0,0 +1,90 @@ +/* import-globals-from antitracking_head.js */ + +requestLongerTimeout(4); + +AntiTracking.runTestInNormalAndPrivateMode( + "localStorage", + async _ => { + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + async _ => { + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +AntiTracking.runTestInNormalAndPrivateMode( + "localStorage and Storage Access API", + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if ( + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) + ) { + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + } else { + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + } + }, + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingMessaging.js b/toolkit/components/antitracking/test/browser/browser_blockingMessaging.js new file mode 100644 index 0000000000..435c95dfa4 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingMessaging.js @@ -0,0 +1,312 @@ +/* import-globals-from antitracking_head.js */ + +if (AppConstants.MOZ_CODE_COVERAGE) { + requestLongerTimeout(12); +} else { + requestLongerTimeout(12); +} + +AntiTracking.runTestInNormalAndPrivateMode( + "BroadcastChannel", + async _ => { + try { + new BroadcastChannel("hello"); + ok(false, "BroadcastChannel cannot be used!"); + } catch (e) { + ok(true, "BroadcastChannel cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + async _ => { + new BroadcastChannel("hello"); + ok(true, "BroadcastChannel be used"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +AntiTracking.runTestInNormalAndPrivateMode( + "BroadcastChannel in workers", + async _ => { + function blockingCode() { + try { + new BroadcastChannel("hello"); + postMessage(false); + } catch (e) { + postMessage(e.name == "SecurityError"); + } + } + + let blob = new Blob([blockingCode.toString() + "; blockingCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + function nonBlockingCode() { + new BroadcastChannel("hello"); + postMessage(true); + } + + let blob = new Blob([nonBlockingCode.toString() + "; nonBlockingCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +AntiTracking.runTestInNormalAndPrivateMode( + "BroadcastChannel and Storage Access API", + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + try { + new BroadcastChannel("hello"); + ok(false, "BroadcastChannel cannot be used!"); + } catch (e) { + ok(true, "BroadcastChannel cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if ( + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) + ) { + try { + new BroadcastChannel("hello"); + ok(false, "BroadcastChannel cannot be used!"); + } catch (e) { + ok(true, "BroadcastChannel cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + } else { + new BroadcastChannel("hello"); + ok(true, "BroadcastChannel can be used"); + } + }, + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + new BroadcastChannel("hello"); + ok(true, "BroadcastChanneli can be used"); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + new BroadcastChannel("hello"); + ok(true, "BroadcastChannel can be used"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); + +AntiTracking.runTestInNormalAndPrivateMode( + "BroadcastChannel in workers and Storage Access API", + async _ => { + function blockingCode() { + try { + new BroadcastChannel("hello"); + postMessage(false); + } catch (e) { + postMessage(e.name == "SecurityError"); + } + } + function nonBlockingCode() { + new BroadcastChannel("hello"); + postMessage(true); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + let blob = new Blob([blockingCode.toString() + "; blockingCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if ( + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) + ) { + blob = new Blob([blockingCode.toString() + "; blockingCode();"]); + } else { + blob = new Blob([nonBlockingCode.toString() + "; nonBlockingCode();"]); + } + + ok(blob, "Blob has been created"); + + blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + function nonBlockingCode() { + new BroadcastChannel("hello"); + postMessage(true); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + let blob = new Blob([nonBlockingCode.toString() + "; nonBlockingCode();"]); + ok(blob, "Blob has been created"); + + let blobURL = URL.createObjectURL(blob); + ok(blobURL, "Blob URL has been created"); + + let worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + + worker = new Worker(blobURL); + ok(worker, "Worker has been created"); + + await new Promise((resolve, reject) => { + worker.onmessage = function(e) { + if (e.data) { + resolve(); + } else { + reject(); + } + }; + + worker.onerror = function(e) { + reject(); + }; + }); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingNoOpener.js b/toolkit/components/antitracking/test/browser/browser_blockingNoOpener.js new file mode 100644 index 0000000000..99c7d2bcdd --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingNoOpener.js @@ -0,0 +1,43 @@ +/* import-globals-from antitracking_head.js */ + +gFeatures = "noopener"; + +AntiTracking.runTestInNormalAndPrivateMode( + "Blocking in the case of noopener windows", + async _ => { + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + async phase => { + switch (phase) { + case 1: + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + break; + case 2: + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + break; + } + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + true, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingServiceWorkers.js b/toolkit/components/antitracking/test/browser/browser_blockingServiceWorkers.js new file mode 100644 index 0000000000..edaa107fea --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingServiceWorkers.js @@ -0,0 +1,32 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "ServiceWorkers", + async _ => { + await navigator.serviceWorker + .register("empty.js") + .then( + _ => { + ok(false, "ServiceWorker cannot be used!"); + }, + _ => { + ok(true, "ServiceWorker cannot be used!"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + }, + null, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.ipc.processCount", 1], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ] +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingServiceWorkersStorageAccessAPI.js b/toolkit/components/antitracking/test/browser/browser_blockingServiceWorkersStorageAccessAPI.js new file mode 100644 index 0000000000..92dbfa6fd2 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingServiceWorkersStorageAccessAPI.js @@ -0,0 +1,127 @@ +/* import-globals-from antitracking_head.js */ + +requestLongerTimeout(2); + +AntiTracking.runTest( + "ServiceWorkers and Storage Access API", + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + await navigator.serviceWorker + .register("empty.js") + .then( + _ => { + ok(false, "ServiceWorker cannot be used!"); + }, + _ => { + ok(true, "ServiceWorker cannot be used!"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if ( + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) + ) { + await navigator.serviceWorker + .register("empty.js") + .then( + _ => { + ok(false, "ServiceWorker cannot be used!"); + }, + _ => { + ok(true, "ServiceWorker cannot be used!"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + } else { + await navigator.serviceWorker + .register("empty.js") + .then( + reg => { + ok(true, "ServiceWorker can be used!"); + return reg; + }, + _ => { + ok(false, "ServiceWorker cannot be used! " + _); + } + ) + .then( + reg => reg.unregister(), + _ => { + ok(false, "unregister failed"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + } + }, + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + await navigator.serviceWorker + .register("empty.js") + .then( + reg => { + ok(true, "ServiceWorker can be used!"); + return reg; + }, + _ => { + ok(false, "ServiceWorker cannot be used!"); + } + ) + .then( + reg => reg.unregister(), + _ => { + ok(false, "unregister failed"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + await navigator.serviceWorker + .register("empty.js") + .then( + reg => { + ok(true, "ServiceWorker can be used!"); + return reg; + }, + _ => { + ok(false, "ServiceWorker cannot be used!"); + } + ) + .then( + reg => reg.unregister(), + _ => { + ok(false, "unregister failed"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.ipc.processCount", 1], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ], + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingSessionStorage.js b/toolkit/components/antitracking/test/browser/browser_blockingSessionStorage.js new file mode 100644 index 0000000000..a06527bf33 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingSessionStorage.js @@ -0,0 +1,116 @@ +/* import-globals-from antitracking_head.js */ + +requestLongerTimeout(4); + +AntiTracking.runTestInNormalAndPrivateMode( + "sessionStorage", + async _ => { + let shouldThrow = [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ); + + let hasThrown; + try { + sessionStorage.foo = 42; + hasThrown = false; + } catch (e) { + hasThrown = true; + is(e.name, "SecurityError", "We want a security error message."); + } + + is( + hasThrown, + shouldThrow, + "SessionStorage show thrown only if cookieBehavior is REJECT" + ); + }, + async _ => { + sessionStorage.foo = 42; + ok(true, "SessionStorage is always allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [], + true, + true +); + +AntiTracking.runTestInNormalAndPrivateMode( + "sessionStorage and Storage Access API", + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + let shouldThrow = [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ); + + let hasThrown; + try { + sessionStorage.foo = 42; + hasThrown = false; + } catch (e) { + hasThrown = true; + is(e.name, "SecurityError", "We want a security error message."); + } + + is( + hasThrown, + shouldThrow, + "SessionStorage show thrown only if cookieBehavior is REJECT" + ); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + try { + sessionStorage.foo = 42; + hasThrown = false; + } catch (e) { + hasThrown = true; + is(e.name, "SecurityError", "We want a security error message."); + } + + is( + hasThrown, + shouldThrow, + "SessionStorage show thrown only if cookieBehavior is REJECT" + ); + }, + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + sessionStorage.foo = 42; + ok(true, "SessionStorage is always allowed"); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + sessionStorage.foo = 42; + ok( + true, + "SessionStorage is allowed after calling the storage access API too" + ); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_blockingSharedWorkers.js b/toolkit/components/antitracking/test/browser/browser_blockingSharedWorkers.js new file mode 100644 index 0000000000..bb405b8701 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_blockingSharedWorkers.js @@ -0,0 +1,90 @@ +/* import-globals-from antitracking_head.js */ + +requestLongerTimeout(4); + +AntiTracking.runTestInNormalAndPrivateMode( + "SharedWorkers", + async _ => { + try { + new SharedWorker("a.js", "foo"); + ok(false, "SharedWorker cannot be used!"); + } catch (e) { + ok(true, "SharedWorker cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + async _ => { + new SharedWorker("a.js", "foo"); + ok(true, "SharedWorker is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +AntiTracking.runTestInNormalAndPrivateMode( + "SharedWorkers and Storage Access API", + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + try { + new SharedWorker("a.js", "foo"); + ok(false, "SharedWorker cannot be used!"); + } catch (e) { + ok(true, "SharedWorker cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if ( + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) + ) { + try { + new SharedWorker("a.js", "foo"); + ok(false, "SharedWorker cannot be used!"); + } catch (e) { + ok(true, "SharedWorker cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + } else { + new SharedWorker("a.js", "foo"); + ok(true, "SharedWorker is allowed"); + } + }, + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + new SharedWorker("a.js", "foo"); + ok(true, "SharedWorker is allowed"); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + new SharedWorker("a.js", "bar"); + ok(true, "SharedWorker is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, + false, + false +); diff --git a/toolkit/components/antitracking/test/browser/browser_contentBlockingAllowListPrincipal.js b/toolkit/components/antitracking/test/browser/browser_contentBlockingAllowListPrincipal.js new file mode 100644 index 0000000000..82cf23af44 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_contentBlockingAllowListPrincipal.js @@ -0,0 +1,236 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +const TEST_SANDBOX_URL = + "https://example.com/browser/toolkit/components/antitracking/test/browser/sandboxed.html"; + +/** + * Tests the contentBlockingAllowListPrincipal. + * @param {Browser} browser - Browser to test. + * @param {("content"|"system")} type - Expected principal type. + * @param {String} [origin] - Expected origin of principal. Defaults to the + * origin of the browsers content principal. + */ +function checkAllowListPrincipal( + browser, + type, + origin = browser.contentPrincipal.origin +) { + let principal = + browser.browsingContext.currentWindowGlobal + .contentBlockingAllowListPrincipal; + ok(principal, "Principal is set"); + + if (type == "content") { + ok(principal.isContentPrincipal, "Is content principal"); + + ok( + principal.schemeIs("https"), + "allowlist content principal must have https scheme" + ); + } else if (type == "system") { + ok(principal.isSystemPrincipal, "Is system principal"); + } else { + throw new Error("Unexpected principal type"); + } + + is(principal.origin, origin, "Correct origin"); +} + +/** + * Runs a given test in a normal window and in a private browsing window. + * @param {String} initialUrl - URL to load in the initial test tab. + * @param {Function} testCallback - Test function to run in both windows. + */ +async function runTestInNormalAndPrivateMode(initialUrl, testCallback) { + for (let i = 0; i < 2; i++) { + let isPrivateBrowsing = !!i; + info("Running test. Private browsing: " + !!i); + let win = await BrowserTestUtils.openNewBrowserWindow({ + private: isPrivateBrowsing, + }); + let tab = BrowserTestUtils.addTab(win.gBrowser, initialUrl); + let browser = tab.linkedBrowser; + + await BrowserTestUtils.browserLoaded(browser); + + await testCallback(browser, isPrivateBrowsing); + + await BrowserTestUtils.closeWindow(win); + } +} + +/** + * Creates an iframe in the passed browser and waits for it to load. + * @param {Browser} browser - Browser to create the frame in. + * @param {String} src - Frame source url. + * @param {String} id - Frame id. + * @param {String} [sandboxAttr] - Optional list of sandbox attributes to set + * for the iframe. Defaults to no sandbox. + * @returns {Promise} - Resolves once the frame has loaded. + */ +function createFrame(browser, src, id, sandboxAttr) { + return SpecialPowers.spawn( + browser, + [{ page: src, frameId: id, sandboxAttr }], + async function(obj) { + await new content.Promise(resolve => { + let frame = content.document.createElement("iframe"); + frame.src = obj.page; + frame.id = obj.frameId; + if (obj.sandboxAttr) { + frame.setAttribute("sandbox", obj.sandboxAttr); + } + frame.addEventListener("load", resolve, { once: true }); + content.document.body.appendChild(frame); + }); + } + ); +} + +add_task(async setup => { + // Disable heuristics. We don't need them and if enabled the resulting + // telemetry can race with the telemetry in the next test. + // See Bug 1686836, Bug 1686894. + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.restrict3rdpartystorage.heuristic.redirect", false], + ["privacy.restrict3rdpartystorage.heuristic.recently_visited", false], + ["privacy.restrict3rdpartystorage.heuristic.window_open", false], + ], + }); +}); + +/** + * Test that we get the correct allow list principal which matches the content + * principal for an https site. + */ +add_task(async test_contentPrincipalHTTPS => { + await runTestInNormalAndPrivateMode("https://example.com", browser => { + checkAllowListPrincipal(browser, "content"); + }); +}); + +/** + * Tests that the scheme of the allowlist principal is HTTPS, even though the + * site is loaded via HTTP. + */ +add_task(async test_contentPrincipalHTTP => { + await runTestInNormalAndPrivateMode( + "http://example.net", + (browser, isPrivateBrowsing) => { + checkAllowListPrincipal( + browser, + "content", + "https://example.net" + + (isPrivateBrowsing ? "^privateBrowsingId=1" : "") + ); + } + ); +}); + +/** + * Tests that the allow list principal is a system principal for the preferences + * about site. + */ +add_task(async test_systemPrincipal => { + await runTestInNormalAndPrivateMode("about:preferences", browser => { + checkAllowListPrincipal(browser, "system"); + }); +}); + +/** + * Tests that we get a valid content principal for top level sandboxed pages, + * and not the document principal which is a null principal. + */ +add_task(async test_TopLevelSandbox => { + await runTestInNormalAndPrivateMode( + TEST_SANDBOX_URL, + (browser, isPrivateBrowsing) => { + ok( + browser.contentPrincipal.isNullPrincipal, + "Top level sandboxed page should have null principal" + ); + checkAllowListPrincipal( + browser, + "content", + "https://example.com" + + (isPrivateBrowsing ? "^privateBrowsingId=1" : "") + ); + } + ); +}); + +/** + * Tests that we get a valid content principal for a new tab opened via + * window.open. + */ +add_task(async test_windowOpen => { + await runTestInNormalAndPrivateMode("https://example.com", async browser => { + checkAllowListPrincipal(browser, "content"); + + let promiseTabOpened = BrowserTestUtils.waitForNewTab( + browser.ownerGlobal.gBrowser, + "https://example.org/", + true + ); + + // Call window.open from iframe. + await SpecialPowers.spawn(browser, [], async function() { + content.open("https://example.org/"); + }); + + let tab = await promiseTabOpened; + + checkAllowListPrincipal(tab.linkedBrowser, "content"); + + BrowserTestUtils.removeTab(tab); + }); +}); + +/** + * Tests that we get a valid content principal for a new tab opened via + * window.open from a sandboxed iframe. + */ +add_task(async test_windowOpenFromSandboxedFrame => { + await runTestInNormalAndPrivateMode( + "https://example.com", + async (browser, isPrivateBrowsing) => { + checkAllowListPrincipal(browser, "content"); + + // Create sandboxed iframe, allow popups. + await createFrame( + browser, + "https://example.com", + "sandboxedIframe", + "allow-popups" + ); + // Iframe BC is the only child of the test browser. + let [frameBrowsingContext] = browser.browsingContext.children; + + let promiseTabOpened = BrowserTestUtils.waitForNewTab( + browser.ownerGlobal.gBrowser, + "https://example.org/", + true + ); + + // Call window.open from iframe. + await SpecialPowers.spawn(frameBrowsingContext, [], async function() { + content.open("https://example.org/"); + }); + + let tab = await promiseTabOpened; + + checkAllowListPrincipal( + tab.linkedBrowser, + "content", + "https://example.org" + + (isPrivateBrowsing ? "^privateBrowsingId=1" : "") + ); + + BrowserTestUtils.removeTab(tab); + } + ); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_contentBlockingTelemetry.js b/toolkit/components/antitracking/test/browser/browser_contentBlockingTelemetry.js new file mode 100644 index 0000000000..3432f40b4a --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_contentBlockingTelemetry.js @@ -0,0 +1,381 @@ +/** + * Bug 1668199 - Testing the content blocking telemetry. + */ + +"use strict"; + +/* import-globals-from antitracking_head.js */ + +const { TelemetryTestUtils } = ChromeUtils.import( + "resource://testing-common/TelemetryTestUtils.jsm" +); + +const LABEL_STORAGE_GRANTED = 0; +const LABEL_STORAGE_ACCESS_API = 1; +const LABEL_OPENER_AFTER_UI = 2; +const LABEL_OPENER = 3; +const LABEL_REDIRECT = 4; + +function clearTelemetry() { + Services.telemetry.getSnapshotForHistograms("main", true /* clear */); + Services.telemetry.getHistogramById("STORAGE_ACCESS_REMAINING_DAYS").clear(); +} + +async function testTelemetry( + aProbeInParent, + aExpectedCnt, + aLabel, + aExpectedIdx +) { + info("Trigger the 'idle-daily' to trigger the telemetry probe."); + // Synthesis a fake 'idle-daily' notification to the content blocking + // telemetry service. + let cbts = Cc["@mozilla.org/content-blocking-telemetry-service;1"].getService( + Ci.nsIObserver + ); + cbts.observe(null, "idle-daily", null); + + let storageAccessGrantedHistogram; + + // Wait until the telemetry probe appears. + await BrowserTestUtils.waitForCondition(() => { + let histograms; + if (aProbeInParent) { + histograms = Services.telemetry.getSnapshotForHistograms( + "main", + false /* clear */ + ).parent; + } else { + histograms = Services.telemetry.getSnapshotForHistograms( + "main", + false /* clear */ + ).content; + } + storageAccessGrantedHistogram = histograms.STORAGE_ACCESS_GRANTED_COUNT; + + return ( + !!storageAccessGrantedHistogram && + storageAccessGrantedHistogram.values[LABEL_STORAGE_GRANTED] == + aExpectedCnt + ); + }); + + is( + storageAccessGrantedHistogram.values[LABEL_STORAGE_GRANTED], + aExpectedCnt, + "There should be expected storage access granted count in telemetry." + ); + is( + storageAccessGrantedHistogram.values[aLabel], + 1, + "There should be one reason count in telemetry." + ); + + let storageAccessRemainingDaysHistogram = Services.telemetry.getHistogramById( + "STORAGE_ACCESS_REMAINING_DAYS" + ); + + TelemetryTestUtils.assertHistogram( + storageAccessRemainingDaysHistogram, + aExpectedIdx, + 1 + ); + + // Clear telemetry probes + clearTelemetry(); +} + +add_task(async function setup() { + await SpecialPowers.pushPrefEnv({ + set: [ + ["network.cookie.cookieBehavior", BEHAVIOR_REJECT_TRACKER], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ["privacy.restrict3rdpartystorage.heuristic.redirect", true], + ["toolkit.telemetry.ipcBatchTimeout", 0], + ], + }); + + // Clear Telemetry probes before testing. + // There can be telemetry race conditions if the previous test generates + // content blocking telemetry. + // See Bug 1686836, Bug 1686894. + clearTelemetry(); + + await UrlClassifierTestUtils.addTestTrackers(); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); +}); + +add_task(async function testTelemetryForStorageAccessAPI() { + info("Starting testing if storage access API send telemetry probe ..."); + + // First, clear all permissions. + Services.perms.removeAll(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading the tracking iframe and call the RequestStorageAccess."); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_UI, + }, + ], + async obj => { + let msg = {}; + msg.callback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + }).toString(); + + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(msg, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + // The storage access permission will be expired in 29 days, so the expected + // index in the telemetry probe would be 29. + await testTelemetry(false, 1, LABEL_STORAGE_ACCESS_API, 29); +}); + +add_task(async function testTelemetryForWindowOpenHeuristic() { + info("Starting testing if window open heuristic send telemetry probe ..."); + + // First, clear all permissions. + Services.perms.removeAll(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading the tracking iframe and trigger the heuristic"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_WO, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + }).toString(); + + info("Checking if storage access is denied"); + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(msg, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + // The storage access permission will be expired in 29 days, so the expected + // index in the telemetry probe would be 29. + await testTelemetry(false, 1, LABEL_OPENER, 29); +}); + +add_task(async function testTelemetryForUserInteractionHeuristic() { + info( + "Starting testing if UserInteraction heuristic send telemetry probe ..." + ); + + // First, clear all permissions. + Services.perms.removeAll(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Interact with the tracker in top-level."); + await AntiTracking.interactWithTracker(); + + info("Loading the tracking iframe and trigger the heuristic"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_UI, + popup: TEST_POPUP_PAGE, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + await noStorageAccessInitially(); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + }).toString(); + + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + info("Opening a window from the iframe."); + await SpecialPowers.spawn(ifr, [obj.popup], async popup => { + let windowClosed = new content.Promise(resolve => { + Services.ww.registerNotification(function notification( + aSubject, + aTopic, + aData + ) { + // We need to check the document URI here as well for the same + // reason above. + if ( + aTopic == "domwindowclosed" && + aSubject.document.documentURI == + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html" + ) { + Services.ww.unregisterNotification(notification); + resolve(); + } + }); + }); + + content.open(popup); + + info("Let's wait for the window to be closed"); + await windowClosed; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + // The storage access permission will be expired in 29 days, so the expected + // index in the telemetry probe would be 29. + // + // Note that the expected count here is 2. It's because the opener heuristic + // will also be triggered when triggered UserInteraction Heuristic. + await testTelemetry(false, 2, LABEL_OPENER_AFTER_UI, 29); +}); + +add_task(async function testTelemetryForRedirectHeuristic() { + info("Starting testing if redirect heuristic send telemetry probe ..."); + + const TEST_TRACKING_PAGE = TEST_3RD_PARTY_DOMAIN + TEST_PATH + "page.html"; + const TEST_REDIRECT_PAGE = + TEST_3RD_PARTY_DOMAIN + TEST_PATH + "redirect.sjs?" + TEST_TOP_PAGE; + + // First, clear all permissions. + Services.perms.removeAll(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TRACKING_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading the tracking page and trigger the redirect."); + SpecialPowers.spawn(browser, [TEST_REDIRECT_PAGE], async url => { + content.document.userInteractionForTesting(); + + let link = content.document.createElement("a"); + link.appendChild(content.document.createTextNode("click me!")); + link.href = url; + content.document.body.appendChild(link); + link.click(); + }); + + await BrowserTestUtils.browserLoaded(browser, false, TEST_TOP_PAGE); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + // We would only grant the storage permission for 15 mins for the redirect + // heuristic, so the expected index in the telemetry probe would be 0. + await testTelemetry(true, 1, LABEL_REDIRECT, 0); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_cookieBetweenTabs.js b/toolkit/components/antitracking/test/browser/browser_cookieBetweenTabs.js new file mode 100644 index 0000000000..323bc83b58 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_cookieBetweenTabs.js @@ -0,0 +1,58 @@ +add_task(async function() { + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + ["network.cookie.cookieBehavior", BEHAVIOR_REJECT], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ["dom.ipc.processCount", 4], + ], + }); + + info("First tab opened"); + let tab = BrowserTestUtils.addTab( + gBrowser, + TEST_DOMAIN + TEST_PATH + "empty.html" + ); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Disabling content blocking for this page"); + gProtectionsHandler.disableForCurrentPage(); + + await BrowserTestUtils.browserLoaded(browser); + + await SpecialPowers.spawn(browser, [], async _ => { + is(content.document.cookie, "", "No cookie set"); + content.document.cookie = "a=b"; + is(content.document.cookie, "a=b", "Cookie set"); + }); + + info("Second tab opened"); + let tab2 = BrowserTestUtils.addTab( + gBrowser, + TEST_DOMAIN + TEST_PATH + "empty.html" + ); + gBrowser.selectedTab = tab2; + + let browser2 = gBrowser.getBrowserForTab(tab2); + await BrowserTestUtils.browserLoaded(browser2); + + await SpecialPowers.spawn(browser2, [], async _ => { + is(content.document.cookie, "a=b", "Cookie set"); + }); + + info("Removing tabs"); + BrowserTestUtils.removeTab(tab); + BrowserTestUtils.removeTab(tab2); + + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_denyPermissionForTracker.js b/toolkit/components/antitracking/test/browser/browser_denyPermissionForTracker.js new file mode 100644 index 0000000000..9856529f94 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_denyPermissionForTracker.js @@ -0,0 +1,67 @@ +// This test works by setting up an exception for the tracker domain, which +// disables all the anti-tracking tests. + +/* import-globals-from antitracking_head.js */ + +add_task(async _ => { + PermissionTestUtils.add( + "https://tracking.example.org", + "cookie", + Services.perms.DENY_ACTION + ); + PermissionTestUtils.add( + "https://tracking.example.com", + "cookie", + Services.perms.DENY_ACTION + ); + // Grant interaction permission so we can directly call + // requestStorageAccess from the tracker. + PermissionTestUtils.add( + "https://tracking.example.org", + "storageAccessAPI", + Services.perms.ALLOW_ACTION + ); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); +}); + +AntiTracking._createTask({ + name: "Test that we do honour a cookie permission for nested windows", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + blockingByContentBlockingRTUI: true, + allowList: false, + callback: async _ => { + document.cookie = "name=value"; + ok(document.cookie == "", "All is blocked"); + + // requestStorageAccess should reject + let dwu = SpecialPowers.getDOMWindowUtils(window); + let helper = dwu.setHandlingUserInput(true); + await document + .requestStorageAccess() + .then(() => { + ok(false, "Should not grant storage access"); + }) + .catch(() => { + ok(true, "Should not grant storage access"); + }); + helper.destruct(); + }, + extraPrefs: null, + expectedBlockingNotifications: + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_BY_PERMISSION, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, +}); + +add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_doublyNestedTracker.js b/toolkit/components/antitracking/test/browser/browser_doublyNestedTracker.js new file mode 100644 index 0000000000..b2ff316588 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_doublyNestedTracker.js @@ -0,0 +1,123 @@ +add_task(async function() { + info("Starting doubly nested tracker test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let tab = BrowserTestUtils.addTab(gBrowser, TEST_3RD_PARTY_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + async function loadSubpage() { + async function runChecks() { + is(document.cookie, "", "No cookies for me"); + document.cookie = "name=value"; + is(document.cookie, "name=value", "I have the cookies!"); + } + + await new Promise(resolve => { + let ifr = document.createElement("iframe"); + ifr.onload = _ => { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(runChecks.toString(), "*"); + }; + + addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + document.body.appendChild(ifr); + ifr.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdParty.html"; + }); + } + + // We need to use the same scheme in Fission test. + let testAnotherThirdPartyPage = SpecialPowers.useRemoteSubframes + ? TEST_ANOTHER_3RD_PARTY_PAGE_HTTPS + : TEST_ANOTHER_3RD_PARTY_PAGE; + + await SpecialPowers.spawn( + browser, + [{ page: testAnotherThirdPartyPage, callback: loadSubpage.toString() }], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = _ => { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj.callback, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_existingCookiesForSubresources.js b/toolkit/components/antitracking/test/browser/browser_existingCookiesForSubresources.js new file mode 100644 index 0000000000..cf335269b1 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_existingCookiesForSubresources.js @@ -0,0 +1,231 @@ +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_3RD_PARTY_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info( + "Loading tracking scripts and tracking images before restricting 3rd party cookies" + ); + await SpecialPowers.spawn(browser, [], async function() { + // Let's load the script twice here. + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + + // Let's load an image twice here. + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + is(text, "1", "Cookies received for images"); + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=script" + ) + .then(r => r.text()) + .then(text => { + is(text, "1", "Cookies received for scripts"); + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + Services.perms.removeAll(); + + // Now set up our prefs + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + info("Creating a new tab"); + tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [{ page: TEST_3RD_PARTY_PAGE, callback: (async _ => {}).toString() }], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj.callback, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Loading tracking scripts and tracking images again"); + await SpecialPowers.spawn(browser, [], async function() { + // Let's load the script twice here. + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + + // Let's load an image twice here. + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + is(text, "0", "No cookie received for images."); + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=script" + ) + .then(r => r.text()) + .then(text => { + is(text, "0", "No cookie received received for scripts."); + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_fileUrl.js b/toolkit/components/antitracking/test/browser/browser_fileUrl.js new file mode 100644 index 0000000000..d4bc3a63c3 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_fileUrl.js @@ -0,0 +1,38 @@ +/** + * Bug 1663192 - Testing for ensuring the top-level window in a fire url is + * treated as first-party. + */ + +"use strict"; + +add_task(async function setup() { + await SpecialPowers.pushPrefEnv({ + set: [["network.cookie.cookieBehavior", 1]], + }); +}); + +add_task(async function() { + let dir = getChromeDir(getResolvedURI(gTestPath)); + dir.append("file_localStorage.html"); + const uriString = Services.io.newFileURI(dir).spec; + let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, uriString); + + await SpecialPowers.spawn(tab.linkedBrowser, [], function() { + let result = content.document.getElementById("result"); + + is( + result.textContent, + "PASS", + "The localStorage is accessible in top-level window" + ); + + let loadInfo = content.docShell.currentDocumentChannel.loadInfo; + + ok( + !loadInfo.isThirdPartyContextToTopWindow, + "The top-level window shouldn't be third-party" + ); + }); + + BrowserTestUtils.removeTab(tab); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_firstPartyCookieRejectionHonoursAllowList.js b/toolkit/components/antitracking/test/browser/browser_firstPartyCookieRejectionHonoursAllowList.js new file mode 100644 index 0000000000..031eb261bb --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_firstPartyCookieRejectionHonoursAllowList.js @@ -0,0 +1,73 @@ +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["network.cookie.cookieBehavior", Ci.nsICookieService.BEHAVIOR_REJECT], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Disabling content blocking for this page"); + gProtectionsHandler.disableForCurrentPage(); + + // The previous function reloads the browser, so wait for it to load again! + await BrowserTestUtils.browserLoaded(browser); + + await SpecialPowers.spawn(browser, [], async function(obj) { + await new content.Promise(async resolve => { + let document = content.document; + let window = document.defaultView; + + is(document.cookie, "", "No cookies for me"); + + await window + .fetch("server.sjs") + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + + document.cookie = "name=value"; + ok(document.cookie.includes("name=value"), "Some cookies for me"); + ok(document.cookie.includes("foopy=1"), "Some cookies for me"); + + await window + .fetch("server.sjs") + .then(r => r.text()) + .then(text => { + is(text, "cookie-present", "We should have cookies"); + }); + + ok(document.cookie.length, "Some Cookies for me"); + + resolve(); + }); + }); + + info("Enabling content blocking for this page"); + gProtectionsHandler.enableForCurrentPage(); + + // The previous function reloads the browser, so wait for it to load again! + await BrowserTestUtils.browserLoaded(browser); + + BrowserTestUtils.removeTab(tab); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_hasStorageAccess.js b/toolkit/components/antitracking/test/browser/browser_hasStorageAccess.js new file mode 100644 index 0000000000..13a484eb57 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_hasStorageAccess.js @@ -0,0 +1,183 @@ +// This test ensures HasStorageAccess API returns the right value under different +// scenarios. + +/* import-globals-from antitracking_head.js */ + +var settings = [ + // 3rd-party no-tracker + { + name: "Test whether 3rd-party non-tracker frame has storage access", + topPage: TEST_TOP_PAGE, + thirdPartyPage: TEST_4TH_PARTY_PAGE, + }, + // 3rd-party no-tracker with permission + { + name: + "Test whether 3rd-party non-tracker frame has storage access when storage permission is granted before", + topPage: TEST_TOP_PAGE, + thirdPartyPage: TEST_4TH_PARTY_PAGE, + setup: () => { + let type = "3rdPartyStorage^http://not-tracking.example.com"; + let permission = Services.perms.ALLOW_ACTION; + let expireType = Services.perms.EXPIRE_SESSION; + PermissionTestUtils.add(TEST_DOMAIN, type, permission, expireType, 0); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); + }, + }, + // 3rd-party tracker + { + name: "Test whether 3rd-party tracker frame has storage access", + topPage: TEST_TOP_PAGE, + thirdPartyPage: TEST_3RD_PARTY_PAGE, + }, + // 3rd-party tracker with permission + { + name: + "Test whether 3rd-party tracker frame has storage access when storage access permission is granted before", + topPage: TEST_TOP_PAGE, + thirdPartyPage: TEST_3RD_PARTY_PAGE, + setup: () => { + let type = "3rdPartyStorage^https://tracking.example.org"; + let permission = Services.perms.ALLOW_ACTION; + let expireType = Services.perms.EXPIRE_SESSION; + PermissionTestUtils.add(TEST_DOMAIN, type, permission, expireType, 0); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); + }, + }, + // same-site 3rd-party tracker + { + name: "Test whether same-site 3rd-party tracker frame has storage access", + topPage: TEST_TOP_PAGE, + thirdPartyPage: TEST_ANOTHER_3RD_PARTY_PAGE, + }, + // same-origin 3rd-party tracker + { + name: "Test whether same-origin 3rd-party tracker frame has storage access", + topPage: TEST_ANOTHER_3RD_PARTY_DOMAIN + TEST_PATH + "page.html", + thirdPartyPage: TEST_ANOTHER_3RD_PARTY_PAGE, + }, +]; + +var testCases = [ + { + behavior: BEHAVIOR_ACCEPT, // 0 + hasStorageAccess: [ + true /* 3rd-party non-tracker */, + true /* 3rd-party non-tracker with permission */, + true /* 3rd-party tracker */, + true /* 3rd-party tracker with permission */, + true /* same-site tracker */, + true /* same-origin tracker */, + ], + }, + { + behavior: BEHAVIOR_REJECT_FOREIGN, // 1 + hasStorageAccess: [ + false /* 3rd-party non-tracker */, + SpecialPowers.Services.prefs.getBoolPref( + "network.cookie.rejectForeignWithExceptions.enabled" + ) /* 3rd-party tracker with permission */, + false /* 3rd-party tracker */, + SpecialPowers.Services.prefs.getBoolPref( + "network.cookie.rejectForeignWithExceptions.enabled" + ) /* 3rd-party non-tracker with permission */, + true /* same-site tracker */, + true /* same-origin tracker */, + ], + }, + { + behavior: BEHAVIOR_REJECT, // 2 + hasStorageAccess: [ + false /* 3rd-party non-tracker */, + false /* 3rd-party non-tracker with permission */, + false /* 3rd-party tracker */, + false /* 3rd-party tracker with permission */, + false /* same-site tracker */, + true /* same-origin tracker */, + ], + }, + { + behavior: BEHAVIOR_LIMIT_FOREIGN, // 3 + hasStorageAccess: [ + false /* 3rd-party non-tracker */, + false /* 3rd-party non-tracker with permission */, + false /* 3rd-party tracker */, + false /* 3rd-party tracker with permission */, + true /* same-site tracker */, + true /* same-origin tracker */, + ], + }, + { + behavior: BEHAVIOR_REJECT_TRACKER, // 4 + hasStorageAccess: [ + true /* 3rd-party non-tracker */, + true /* 3rd-party non-tracker with permission */, + false /* 3rd-party tracker */, + true /* 3rd-party tracker with permission */, + true /* same-site tracker */, + true /* same-origin tracker */, + ], + }, + { + behavior: BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, // 5 + hasStorageAccess: [ + false /* 3rd-party non-tracker */, + true /* 3rd-party non-tracker with permission */, + false /* 3rd-party tracker */, + true /* 3rd-party tracker with permission */, + true /* same-site tracker */, + true /* same-origin tracker */, + ], + }, +]; + +(function() { + settings.forEach(setting => { + if (setting.setup) { + add_task(async _ => { + setting.setup(); + }); + } + + testCases.forEach(test => { + let callback = test.hasStorageAccess[settings.indexOf(setting)] + ? async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + } + : async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }; + + AntiTracking._createTask({ + name: setting.name, + cookieBehavior: test.behavior, + allowList: false, + callback, + extraPrefs: null, + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + topPage: setting.topPage, + thirdPartyPage: setting.thirdPartyPage, + }); + }); + + add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }); + }); +})(); diff --git a/toolkit/components/antitracking/test/browser/browser_imageCache4.js b/toolkit/components/antitracking/test/browser/browser_imageCache4.js new file mode 100644 index 0000000000..8fcc298cf0 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_imageCache4.js @@ -0,0 +1,13 @@ +let cookieBehavior = BEHAVIOR_REJECT_TRACKER; +let blockingByAllowList = false; +let expectedBlockingNotifications = + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER; + +let rootDir = getRootDirectory(gTestPath); +let jar = getJar(rootDir); +if (jar) { + let tmpdir = extractJarToTmp(jar); + rootDir = "file://" + tmpdir.path + "/"; +} +/* import-globals-from imageCacheWorker.js */ +Services.scriptloader.loadSubScript(rootDir + "imageCacheWorker.js", this); diff --git a/toolkit/components/antitracking/test/browser/browser_imageCache8.js b/toolkit/components/antitracking/test/browser/browser_imageCache8.js new file mode 100644 index 0000000000..b57bf1dca5 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_imageCache8.js @@ -0,0 +1,13 @@ +let cookieBehavior = BEHAVIOR_REJECT_TRACKER; +let blockingByAllowList = true; +let expectedBlockingNotifications = + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER; + +let rootDir = getRootDirectory(gTestPath); +let jar = getJar(rootDir); +if (jar) { + let tmpdir = extractJarToTmp(jar); + rootDir = "file://" + tmpdir.path + "/"; +} +/* import-globals-from imageCacheWorker.js */ +Services.scriptloader.loadSubScript(rootDir + "imageCacheWorker.js", this); diff --git a/toolkit/components/antitracking/test/browser/browser_localStorageEvents.js b/toolkit/components/antitracking/test/browser/browser_localStorageEvents.js new file mode 100644 index 0000000000..c77465114f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_localStorageEvents.js @@ -0,0 +1,182 @@ +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); +}); + +add_task(async function testLocalStorageEventPropagation() { + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_DOMAIN + TEST_PATH + "localStorage.html", + }, + ], + async obj => { + info("Creating tracker iframe"); + + let ifr = content.document.createElement("iframe"); + ifr.src = obj.page; + + await new content.Promise(resolve => { + ifr.onload = function() { + resolve(); + }; + content.document.body.appendChild(ifr); + }); + + info("LocalStorage should be blocked."); + await new content.Promise(resolve => { + content.addEventListener( + "message", + e => { + if (e.data.type == "test") { + is(e.data.status, false, "LocalStorage blocked"); + } else { + ok(false, "Unknown message"); + } + resolve(); + }, + { once: true } + ); + ifr.contentWindow.postMessage("test", "*"); + }); + + info("Let's open the popup"); + await new content.Promise(resolve => { + content.addEventListener( + "message", + e => { + if (e.data.type == "test") { + is(e.data.status, true, "LocalStorage unblocked"); + } else { + ok(false, "Unknown message"); + } + resolve(); + }, + { once: true } + ); + ifr.contentWindow.postMessage("open", "*"); + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); + +add_task(async function testBlockedLocalStorageEventPropagation() { + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_DOMAIN + TEST_PATH + "localStorage.html", + }, + ], + async obj => { + info("Creating tracker iframe"); + + let ifr = content.document.createElement("iframe"); + ifr.src = obj.page; + + await new content.Promise(resolve => { + ifr.onload = function() { + resolve(); + }; + content.document.body.appendChild(ifr); + }); + + info("LocalStorage should be blocked."); + await new content.Promise(resolve => { + content.addEventListener( + "message", + e => { + if (e.data.type == "test") { + is(e.data.status, false, "LocalStorage blocked"); + } else { + ok(false, "Unknown message"); + } + resolve(); + }, + { once: true } + ); + ifr.contentWindow.postMessage("test", "*"); + }); + + info("Let's open the popup"); + await new content.Promise(resolve => { + content.addEventListener( + "message", + e => { + if (e.data.type == "test") { + is(e.data.status, false, "LocalStorage still blocked"); + } else { + ok(false, "Unknown message"); + } + resolve(); + }, + { once: true } + ); + ifr.contentWindow.postMessage("open and test", "*"); + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_networkIsolation.js b/toolkit/components/antitracking/test/browser/browser_networkIsolation.js new file mode 100644 index 0000000000..6a4b4f7653 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_networkIsolation.js @@ -0,0 +1,204 @@ +function isIsolated(key) { + return key.charAt(7) == "i"; +} + +function hasTopWindowOrigin(key, origin) { + let tokenAtEnd = `{{${origin}}}`; + let endPart = key.slice(-tokenAtEnd.length); + return endPart == tokenAtEnd; +} + +function hasAnyTopWindowOrigin(key) { + return !!key.match(/{{[^}]+}}/); +} + +function altSvcCacheKeyIsolated(parsed) { + return parsed.length > 5 && parsed[5] == "I"; +} + +function altSvcTopWindowOrigin(key) { + let index = -1; + for (let i = 0; i < 6; ++i) { + index = key.indexOf(":", index + 1); + } + let indexEnd = key.indexOf("|", index + 1); + return key.substring(index + 1, indexEnd); +} + +const gHttpHandler = Cc["@mozilla.org/network/protocol;1?name=http"].getService( + Ci.nsIHttpProtocolHandler +); + +add_task(async function() { + info("Starting tlsSessionTickets test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["browser.cache.disk.enable", false], + ["browser.cache.memory.enable", false], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["network.http.altsvc.proxy_checks", false], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ["privacy.partition.network_state", false], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + const trackingURL = + "https://tlsresumptiontest.example.org/browser/toolkit/components/antitracking/test/browser/empty-altsvc.js"; + const topWindowOrigin = TEST_DOMAIN.replace(/\/$/, ""); + const kTopic = "http-on-examine-response"; + + let resumedState = []; + let hashKeys = []; + + function observer(subject, topic, data) { + if (topic != kTopic) { + return; + } + + subject.QueryInterface(Ci.nsIChannel); + if (subject.URI.spec != trackingURL) { + return; + } + + resumedState.push( + subject.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo).resumed + ); + hashKeys.push( + subject.QueryInterface(Ci.nsIHttpChannelInternal).connectionInfoHashKey + ); + } + + Services.obs.addObserver(observer, kTopic); + registerCleanupFunction(() => Services.obs.removeObserver(observer, kTopic)); + + function checkAltSvcCache(expectedCount, expectedIsolated) { + let arr = gHttpHandler.altSvcCacheKeys; + is( + arr.length, + expectedCount, + "Found the expected number of items in the cache" + ); + for (let i = 0; i < arr.length; ++i) { + let key = arr[i]; + let parsed = key.split(":"); + if (altSvcCacheKeyIsolated(parsed)) { + ok(expectedIsolated[i], "We expected to find an isolated item"); + is( + altSvcTopWindowOrigin(key), + topWindowOrigin, + "Expected top window origin found in the Alt-Svc cache key" + ); + } else { + ok(!expectedIsolated[i], "We expected to find a non-isolated item"); + } + } + } + + checkAltSvcCache(0, []); + + info("Loading tracking scripts and tracking images"); + await SpecialPowers.spawn(browser, [{ trackingURL }], async function(obj) { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = obj.trackingURL; + await p; + }); + + checkAltSvcCache(1, [true]); + + // Load our tracking URL two more times, but this time in the first-party context. + // The TLS session should be resumed the second time here. + await fetch(trackingURL); + // Wait a little bit before issuing the second load to ensure both don't happen + // at the same time. + // eslint-disable-next-line mozilla/no-arbitrary-setTimeout + await new Promise(resolve => setTimeout(resolve, 10)); + + checkAltSvcCache(2, [false, true]); + await fetch(trackingURL).then(() => { + checkAltSvcCache(2, [false, true]); + + is( + resumedState.length, + 3, + "We should have observed 3 loads for " + trackingURL + ); + ok(!resumedState[0], "The first load should NOT have been resumed"); + ok(!resumedState[1], "The second load should NOT have been resumed"); + ok(resumedState[2], "The third load SHOULD have been resumed"); + + // We also verify that the hashKey of the first connection is different to + // both the second and third connections, and that the hashKey of the + // second and third connections are the same. The reason why this check is + // done is that the private bit on the connection info object is used to + // construct the hash key, so when the connection is isolated because it + // comes from a third-party tracker context, its hash key must be + // different. + is( + hashKeys.length, + 3, + "We should have observed 3 loads for " + trackingURL + ); + is(hashKeys[1], hashKeys[2], "The second and third hash keys should match"); + isnot( + hashKeys[0], + hashKeys[1], + "The first and second hash keys should not match" + ); + + ok(isIsolated(hashKeys[0]), "The first connection must have been isolated"); + ok( + !isIsolated(hashKeys[1]), + "The second connection must not have been isolated" + ); + ok( + !isIsolated(hashKeys[2]), + "The third connection must not have been isolated" + ); + ok( + hasTopWindowOrigin(hashKeys[0], topWindowOrigin), + "The first connection must be bound to its top-level window" + ); + ok( + !hasAnyTopWindowOrigin(hashKeys[1]), + "The second connection must not be bound to a top-level window" + ); + ok( + !hasAnyTopWindowOrigin(hashKeys[2]), + "The third connection must not be bound to a top-level window" + ); + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_onBeforeRequestNotificationForTrackingResources.js b/toolkit/components/antitracking/test/browser/browser_onBeforeRequestNotificationForTrackingResources.js new file mode 100644 index 0000000000..2243921d47 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_onBeforeRequestNotificationForTrackingResources.js @@ -0,0 +1,96 @@ +/** + * This test ensures that onBeforeRequest is dispatched for webRequest loads that + * are blocked by tracking protection. It sets up a page with a third-party script + * resource on it that is blocked by TP, and sets up an onBeforeRequest listener + * which waits to be notified about that resource. The test would time out if the + * onBeforeRequest listener isn't called dispatched before the load is canceled. + */ + +let extension; +add_task(async function() { + extension = ExtensionTestUtils.loadExtension({ + manifest: { permissions: ["webRequest", "webRequestBlocking", "*://*/*"] }, + async background() { + let gExpectedResourcesSeen = 0; + function onBeforeRequest(details) { + let spec = details.url; + browser.test.log("Observed channel for " + spec); + // We would use TEST_3RD_PARTY_DOMAIN_TP here, but the variable is inaccessible + // since it is defined in head.js! + if (!spec.startsWith("https://tracking.example.com/")) { + return undefined; + } + if (spec.endsWith("empty.js")) { + browser.test.succeed("Correct resource observed"); + ++gExpectedResourcesSeen; + } else if (spec.endsWith("empty.js?redirect")) { + return { redirectUrl: spec.replace("empty.js?redirect", "head.js") }; + } else if (spec.endsWith("head.js")) { + ++gExpectedResourcesSeen; + } + if (gExpectedResourcesSeen == 2) { + browser.webRequest.onBeforeRequest.removeListener(onBeforeRequest); + browser.test.sendMessage("finish"); + } + return undefined; + } + + browser.webRequest.onBeforeRequest.addListener( + onBeforeRequest, + { urls: ["*://*/*"] }, + ["blocking"] + ); + browser.test.sendMessage("ready"); + }, + }); + await extension.startup(); + await extension.awaitMessage("ready"); +}); + +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.trackingprotection.enabled", true], + // the test doesn't open a private window, so we don't care about this pref's value + ["privacy.trackingprotection.pbmode.enabled", false], + // tracking annotations aren't needed in this test, only TP is needed + ["privacy.trackingprotection.annotate_channels", false], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ["privacy.trackingprotection.testing.report_blocked_node", true], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let promise = extension.awaitMessage("finish"); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_EMBEDDER_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + await promise; + + info("Verify the number of tracking nodes found"); + await SpecialPowers.spawn(browser, [{ expected: 3 }], async function(obj) { + is( + content.document.blockedNodeByClassifierCount, + obj.expected, + "Expected tracking nodes found" + ); + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + await extension.unload(); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_onModifyRequestNotificationForTrackingResources.js b/toolkit/components/antitracking/test/browser/browser_onModifyRequestNotificationForTrackingResources.js new file mode 100644 index 0000000000..da458097d0 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_onModifyRequestNotificationForTrackingResources.js @@ -0,0 +1,96 @@ +/* eslint-disable mozilla/no-arbitrary-setTimeout */ +/** + * This test ensures that http-on-modify-request is dispatched for channels that + * are blocked by tracking protection. It sets up a page with a third-party script + * resource on it that is blocked by TP, and sets up an http-on-modify-request + * observer which waits to be notified about that resource. The test would time out + * if the http-on-modify-request notification isn't dispatched before the channel is + * canceled. + */ + +let gExpectedResourcesSeen = 0; +async function onModifyRequest() { + return new Promise((resolve, reject) => { + Services.obs.addObserver(function observer(subject, topic, data) { + let httpChannel = subject.QueryInterface(Ci.nsIHttpChannel); + let spec = httpChannel.URI.spec; + info("Observed channel for " + spec); + if (httpChannel.URI.prePath + "/" != TEST_3RD_PARTY_DOMAIN_TP) { + return; + } + if (spec.endsWith("empty.js")) { + ok(true, "Correct resource observed"); + ++gExpectedResourcesSeen; + } else if (spec.endsWith("empty.js?redirect")) { + httpChannel.redirectTo( + Services.io.newURI(spec.replace("empty.js?redirect", "head.js")) + ); + } else if (spec.endsWith("empty.js?redirect2")) { + httpChannel.suspend(); + setTimeout(() => { + httpChannel.redirectTo( + Services.io.newURI(spec.replace("empty.js?redirect2", "head.js")) + ); + httpChannel.resume(); + }, 100); + } else if (spec.endsWith("head.js")) { + ++gExpectedResourcesSeen; + } + if (gExpectedResourcesSeen == 3) { + Services.obs.removeObserver(observer, "http-on-modify-request"); + resolve(); + } + }, "http-on-modify-request"); + }); +} + +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.trackingprotection.enabled", true], + // the test doesn't open a private window, so we don't care about this pref's value + ["privacy.trackingprotection.pbmode.enabled", false], + // tracking annotations aren't needed in this test, only TP is needed + ["privacy.trackingprotection.annotate_channels", false], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ["privacy.trackingprotection.testing.report_blocked_node", true], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let promise = onModifyRequest(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_EMBEDDER_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + await promise; + + info("Verify the number of tracking nodes found"); + await SpecialPowers.spawn( + browser, + [{ expected: gExpectedResourcesSeen }], + async function(obj) { + is( + content.document.blockedNodeByClassifierCount, + obj.expected, + "Expected tracking nodes found" + ); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedClearSiteDataHeader.js b/toolkit/components/antitracking/test/browser/browser_partitionedClearSiteDataHeader.js new file mode 100644 index 0000000000..7561450ae5 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedClearSiteDataHeader.js @@ -0,0 +1,590 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +"use-strict"; + +/** + * Tests that when receiving the "clear-site-data" header - with dFPI enabled - + * we clear storage under the correct partition. + */ + +const { SiteDataTestUtils } = ChromeUtils.import( + "resource://testing-common/SiteDataTestUtils.jsm" +); + +const HOST_A = "example.com"; +const HOST_B = "example.org"; +const ORIGIN_A = `https://${HOST_A}`; +const ORIGIN_B = `https://${HOST_B}`; +const CLEAR_SITE_DATA_PATH = `/${TEST_PATH}clearSiteData.sjs`; +const CLEAR_SITE_DATA_URL_ORIGIN_B = ORIGIN_B + CLEAR_SITE_DATA_PATH; +const CLEAR_SITE_DATA_URL_ORIGIN_A = ORIGIN_A + CLEAR_SITE_DATA_PATH; +const THIRD_PARTY_FRAME_ID_ORIGIN_B = "thirdPartyFrame"; +const THIRD_PARTY_FRAME_ID_ORIGIN_A = "thirdPartyFrame2"; +const STORAGE_KEY = "testKey"; + +// Skip localStorage tests when using legacy localStorage. The legacy +// localStorage implementation does not support clearing data by principal. See +// Bug 1688221, Bug 1688665. +let skipLocalStorageTests = !Services.prefs.getBoolPref("dom.storage.next_gen"); + +/** + * Creates an iframe in the passed browser and waits for it to load. + * @param {Browser} browser - Browser to create the frame in. + * @param {String} src - Frame source url. + * @param {String} id - Frame id. + * @param {boolean} sandbox - Whether the frame should be sandboxed. + * @returns {Promise} - Resolves once the frame has loaded. + */ +function createFrame(browser, src, id, sandbox) { + return SpecialPowers.spawn( + browser, + [{ page: src, frameId: id, sandbox }], + async function(obj) { + await new content.Promise(resolve => { + let frame = content.document.createElement("iframe"); + if (obj.sandbox) { + frame.setAttribute("sandbox", "allow-scripts"); + } + frame.src = obj.page; + frame.id = obj.frameId; + frame.addEventListener("load", resolve, { once: true }); + content.document.body.appendChild(frame); + }); + } + ); +} + +/** + * Creates a new tab, loads a url and creates an iframe. + * Callers need to clean up the tab before the test ends. + * @param {String} firstPartyUrl - Url to load in tab. + * @param {String} thirdPartyUrl - Url to load in frame. + * @param {String} frameId - Id of iframe element. + * @param {boolean} sandbox - Whether the frame should be sandboxed. + * @returns {Promise} - Resolves with the tab and the frame BrowsingContext once + * the tab and the frame have loaded. + */ +async function createTabWithFrame( + firstPartyUrl, + thirdPartyUrl, + frameId, + sandbox +) { + // Create tab and wait for it to be loaded. + let tab = BrowserTestUtils.addTab(gBrowser, firstPartyUrl); + await BrowserTestUtils.browserLoaded(tab.linkedBrowser); + + // Create cross origin iframe. + await createFrame(tab.linkedBrowser, thirdPartyUrl, frameId, sandbox); + + // Return BrowsingContext of created iframe. + return { tab, frameBC: tab.linkedBrowser.browsingContext.children[0] }; +} + +/** + * Test wrapper for the ClearSiteData tests. + * Loads ORIGIN_A and ORIGIN_B in two tabs and inserts a cross origin pointing + * to the other iframe each. + * Both frames ORIGIN_B under ORIGIN_A and ORIGIN_A under ORIGIN_B will be + * storage partitioned. + * Depending on the clearDataContext variable we then either navigate ORIGIN_A + * (as top level) or ORIGIN_B (as third party frame) to the clear-site-data + * endpoint. + * @param {function} cbPreClear - Called after initial setup, once top levels + * and frames have been loaded. + * @param {function} cbPostClear - Called after data has been cleared via the + * "Clear-Site-Data" header. + * @param {("firstParty"|"thirdPartyPartitioned")} clearDataContext - Whether to + * navigate to the path that sets the "Clear-Site-Data" header with the first or + * third party. + * @param {boolean} [sandboxFrame] - Whether the frames should be sandboxed. No + * sandbox by default. + */ +async function runClearSiteDataTest( + cbPreClear, + cbPostClear, + clearDataContext, + sandboxFrame = false +) { + // Create a tabs for origin A and B with cross origins frames B and A + let [ + { frameBC: frameContextB, tab: tabA }, + { frameBC: frameContextA, tab: tabB }, + ] = await Promise.all([ + createTabWithFrame( + ORIGIN_A, + ORIGIN_B, + THIRD_PARTY_FRAME_ID_ORIGIN_B, + sandboxFrame + ), + createTabWithFrame( + ORIGIN_B, + ORIGIN_A, + THIRD_PARTY_FRAME_ID_ORIGIN_A, + sandboxFrame + ), + ]); + + let browserA = tabA.linkedBrowser; + let contextA = browserA.browsingContext; + let browserB = tabB.linkedBrowser; + let contextB = browserB.browsingContext; + + // Run test callback before clear-site-data + if (cbPreClear) { + await cbPreClear(contextA, contextB, frameContextB, frameContextA); + } + + // Navigate to path with clear-site-data header + // Depending on the clearDataContext variable we either do this with the + // top browser or the third party storage partitioned frame (B embedded in A). + info(`Opening path with clear-site-data-header for ${clearDataContext}`); + if (clearDataContext == "firstParty") { + // Open in new tab so we keep our current test tab intact. The + // post-clear-callback might need it. + await BrowserTestUtils.withNewTab( + (browserA, CLEAR_SITE_DATA_URL_ORIGIN_A), + () => {} + ); + } else if (clearDataContext == "thirdPartyPartitioned") { + // Navigate frame to path with clear-site-data header + await SpecialPowers.spawn( + browserA, + [ + { + page: CLEAR_SITE_DATA_URL_ORIGIN_B, + frameId: THIRD_PARTY_FRAME_ID_ORIGIN_B, + }, + ], + async function(obj) { + await new content.Promise(resolve => { + let frame = content.document.getElementById(obj.frameId); + frame.addEventListener("load", resolve, { once: true }); + frame.src = obj.page; + }); + } + ); + } else { + ok(false, "Invalid context requested for clear-site-data"); + } + + if (cbPostClear) { + await cbPostClear(contextA, contextB, frameContextB, frameContextA); + } + + info("Cleaning up."); + BrowserTestUtils.removeTab(tabA); + BrowserTestUtils.removeTab(tabB); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, resolve); + }); +} + +/** + * Create an origin with partitionKey. + * @param {String} originNoSuffix - Origin without origin attributes. + * @param {String} [firstParty] - First party to create partitionKey. + * @returns {String} Origin with suffix. If not passed this will return the + * umodified origin. + */ +function getOrigin(originNoSuffix, firstParty) { + let origin = originNoSuffix; + if (firstParty) { + let [scheme, host] = firstParty.split("://"); + origin += `^partitionKey=(${scheme},${host})`; + } + return origin; +} + +/** + * Sets a storage item for an origin. + * @param {("cookie"|"localStorage")} storageType - Which storage type to use. + * @param {String} originNoSuffix - Context to set storage item in. + * @param {String} [firstParty] - Optional first party domain to partition + * under. + * @param {String} key - Key of the entry. + * @param {String} value - Value of the entry. + */ +function setStorageEntry(storageType, originNoSuffix, firstParty, key, value) { + if (storageType != "cookie" && storageType != "localStorage") { + ok(false, "Invalid storageType passed"); + return; + } + + let origin = getOrigin(originNoSuffix, firstParty); + + if (storageType == "cookie") { + SiteDataTestUtils.addToCookies(origin, key, value); + return; + } + // localStorage + SiteDataTestUtils.addToLocalStorage(origin, key, value); +} + +/** + * Tests whether a host sets a cookie. + * For the purpose of this test we assume that there is either one or no cookie + * set. + * This performs cookie lookups directly via the cookie service. + * @param {boolean} hasCookie - Whether we expect to see a cookie. + * @param {String} originNoSuffix - Origin the cookie is stored for. + * @param {String|null} firstParty - Whether to test for a partitioned cookie. + * If set this will be used to construct the partitionKey. + * @param {String} [key] - Expected key / name of the cookie. + * @param {String} [value] - Expected value of the cookie. + */ +function testHasCookie(hasCookie, originNoSuffix, firstParty, key, value) { + let origin = getOrigin(originNoSuffix, firstParty); + + let label = `${originNoSuffix}${ + firstParty ? ` (partitioned under ${firstParty})` : "" + }`; + + if (!hasCookie) { + ok( + !SiteDataTestUtils.hasCookies(origin), + `Cookie for ${label} is not set for key ${key}` + ); + return; + } + + ok( + SiteDataTestUtils.hasCookies(origin, [{ key, value }]), + `Cookie for ${label} is set ${key}=${value}` + ); +} + +/** + * Tests whether a context has a localStorage entry. + * @param {boolean} hasEntry - Whether we expect to see an entry. + * @param {String} originNoSuffix - Origin to test localStorage for. + * @param {String} [firstParty] - First party context to test under. + * @param {String} key - key of the localStorage item. + * @param {String} [expectedValue] - Expected value of the item. + */ +function testHasLocalStorageEntry( + hasEntry, + originNoSuffix, + firstParty, + key, + expectedValue +) { + if (key == null) { + ok(false, "localStorage key is mandatory"); + return; + } + let label = `${originNoSuffix}${ + firstParty ? ` (partitioned under ${firstParty})` : "" + }`; + let origin = getOrigin(originNoSuffix, firstParty); + if (hasEntry) { + let hasEntry = SiteDataTestUtils.hasLocalStorage(origin, [ + { key, value: expectedValue }, + ]); + ok( + hasEntry, + `localStorage for ${label} has expected value ${key}=${expectedValue}` + ); + } else { + let hasEntry = SiteDataTestUtils.hasLocalStorage(origin); + ok(!hasEntry, `localStorage for ${label} is not set for key ${key}`); + } +} + +/** + * Sets the initial storage entries used by the storage tests in this file. + * 1. first party ( A ) + * 2. first party ( B ) + * 3. third party partitioned ( B under A) + * 4. third party partitioned ( A under B) + * The entry values reflect which context they are set for. + * @param {("cookie"|"localStorage")} storageType - Storage type to initialize. + */ +async function setupInitialStorageState(storageType) { + if (storageType != "cookie" && storageType != "localStorage") { + ok(false, "Invalid storageType passed"); + return; + } + + // Set a first party entry + setStorageEntry(storageType, ORIGIN_A, null, STORAGE_KEY, "firstParty"); + + // Set a storage entry in the storage partitioned third party frame + setStorageEntry( + storageType, + ORIGIN_B, + ORIGIN_A, + STORAGE_KEY, + "thirdPartyPartitioned" + ); + + // Set a storage entry in the non storage partitioned third party page + setStorageEntry(storageType, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + + // Set a storage entry in the second storage partitioned third party frame. + setStorageEntry( + storageType, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); + + info("Test that storage entries are set for all contexts"); + + if (storageType == "cookie") { + testHasCookie(true, ORIGIN_A, null, STORAGE_KEY, "firstParty"); + testHasCookie(true, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + testHasCookie( + true, + ORIGIN_B, + ORIGIN_A, + STORAGE_KEY, + "thirdPartyPartitioned" + ); + testHasCookie( + true, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); + return; + } + + testHasLocalStorageEntry(true, ORIGIN_A, null, STORAGE_KEY, "firstParty"); + testHasLocalStorageEntry(true, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + testHasLocalStorageEntry( + true, + ORIGIN_B, + ORIGIN_A, + STORAGE_KEY, + "thirdPartyPartitioned" + ); + testHasLocalStorageEntry( + true, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); +} + +add_task(async function setup() { + info("Starting ClearSiteData test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + // Needed for SiteDataTestUtils#hasLocalStorage + ["dom.storage.client_validation", false], + ], + }); +}); + +/** + * Test clearing partitioned cookies via clear-site-data header + * (Cleared via the cookie service). + */ + +/** + * Tests that when a storage partitioned third party frame loads a site with + * "Clear-Site-Data", the cookies are cleared for only that partitioned frame. + */ +add_task(async function cookieClearThirdParty() { + await runClearSiteDataTest( + // Pre Clear-Site-Data + () => setupInitialStorageState("cookie"), + // Post Clear-Site-Data + () => { + info("Testing: First party cookie has not changed"); + testHasCookie(true, ORIGIN_A, null, STORAGE_KEY, "firstParty"); + info("Testing: Unpartitioned cookie has not changed"); + testHasCookie(true, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + info("Testing: Partitioned cookie for HOST_B (HOST_A) has been cleared"); + testHasCookie(false, ORIGIN_B, ORIGIN_A); + info("Testing: Partitioned cookie for HOST_A (HOST_B) has not changed"); + testHasCookie( + true, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); + }, + // Send clear-site-data header in partitioned third party context. + "thirdPartyPartitioned" + ); +}); + +/** + * Tests that when a sandboxed storage partitioned third party frame loads a + * site with "Clear-Site-Data", no cookies are cleared and we don't crash. + * Crash details in Bug 1686938. + */ +add_task(async function cookieClearThirdPartySandbox() { + await runClearSiteDataTest( + // Pre Clear-Site-Data + () => setupInitialStorageState("cookie"), + // Post Clear-Site-Data + () => { + info("Testing: First party cookie has not changed"); + testHasCookie(true, ORIGIN_A, null, STORAGE_KEY, "firstParty"); + info("Testing: Unpartitioned cookie has not changed"); + testHasCookie(true, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + info("Testing: Partitioned cookie for HOST_B (HOST_A) has not changed"); + testHasCookie( + true, + ORIGIN_B, + ORIGIN_A, + STORAGE_KEY, + "thirdPartyPartitioned" + ); + info("Testing: Partitioned cookie for HOST_A (HOST_B) has not changed"); + testHasCookie( + true, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); + }, + // Send clear-site-data header in partitioned third party context. + "thirdPartyPartitioned", + true + ); +}); + +/** + * Tests that when the we load a path with "Clear-Site-Data" at top level, the + * cookies are cleared only in the first party context. + */ +add_task(async function cookieClearFirstParty() { + await runClearSiteDataTest( + // Pre Clear-Site-Data + () => setupInitialStorageState("cookie"), + // Post Clear-Site-Data + () => { + info("Testing: First party cookie has been cleared"); + testHasCookie(false, ORIGIN_A, null); + info("Testing: Unpartitioned cookie has not changed"); + testHasCookie(true, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + info("Testing: Partitioned cookie for HOST_B (HOST_A) has not changed"); + testHasCookie( + true, + ORIGIN_B, + ORIGIN_A, + STORAGE_KEY, + "thirdPartyPartitioned" + ); + info("Testing: Partitioned cookie for HOST_A (HOST_B) has not changed"); + testHasCookie( + true, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); + }, + // Send clear-site-data header in first party context. + "firstParty" + ); +}); + +/** + * Test clearing partitioned localStorage via clear-site-data header + * (Cleared via the quota manager). + */ + +/** + * Tests that when a storage partitioned third party frame loads a site with + * "Clear-Site-Data", localStorage is cleared for only that partitioned frame. + */ +add_task(async function localStorageClearThirdParty() { + // Bug 1688221, Bug 1688665. + if (skipLocalStorageTests) { + info("Skipping test"); + return; + } + await runClearSiteDataTest( + // Pre Clear-Site-Data + () => setupInitialStorageState("localStorage"), + // Post Clear-Site-Data + async () => { + info("Testing: First party localStorage has not changed"); + testHasLocalStorageEntry(true, ORIGIN_A, null, STORAGE_KEY, "firstParty"); + info("Testing: Unpartitioned localStorage has not changed"); + testHasLocalStorageEntry(true, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + info( + "Testing: Partitioned localStorage for HOST_B (HOST_A) has been cleared" + ); + testHasLocalStorageEntry(false, ORIGIN_B, ORIGIN_A, STORAGE_KEY); + info( + "Testing: Partitioned localStorage for HOST_A (HOST_B) has not changed" + ); + testHasLocalStorageEntry( + true, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); + }, + // Send clear-site-data header in partitioned third party context. + "thirdPartyPartitioned" + ); +}); + +/** + * Tests that when the we load a path with "Clear-Site-Data" at top level, + * localStorage is cleared only in the first party context. + */ +add_task(async function localStorageClearFirstParty() { + // Bug 1688221, Bug 1688665. + if (skipLocalStorageTests) { + info("Skipping test"); + return; + } + await runClearSiteDataTest( + // Pre Clear-Site-Data + () => setupInitialStorageState("localStorage"), + // Post Clear-Site-Data + () => { + info("Testing: First party localStorage has been cleared"); + testHasLocalStorageEntry(false, ORIGIN_A, null, STORAGE_KEY); + info("Testing: Unpartitioned thirdParty localStorage has not changed"); + testHasLocalStorageEntry(true, ORIGIN_B, null, STORAGE_KEY, "thirdParty"); + info( + "Testing: Partitioned localStorage for HOST_B (HOST_A) has not changed" + ); + testHasLocalStorageEntry( + true, + ORIGIN_B, + ORIGIN_A, + STORAGE_KEY, + "thirdPartyPartitioned" + ); + info( + "Testing: Partitioned localStorage for HOST_A (HOST_B) has not changed" + ); + testHasLocalStorageEntry( + true, + ORIGIN_A, + ORIGIN_B, + STORAGE_KEY, + "thirdPartyPartitioned2" + ); + }, + // Send clear-site-data header in first party context. + "firstParty" + ); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedCookies.js b/toolkit/components/antitracking/test/browser/browser_partitionedCookies.js new file mode 100644 index 0000000000..e938b198c3 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedCookies.js @@ -0,0 +1,137 @@ +/* import-globals-from partitionedstorage_head.js */ + +PartitionedStorageHelper.runTestInNormalAndPrivateMode( + "HTTP Cookies", + async (win3rdParty, win1stParty, allowed) => { + await win3rdParty.fetch("cookies.sjs?3rd").then(r => r.text()); + await win3rdParty + .fetch("cookies.sjs") + .then(r => r.text()) + .then(text => { + is(text, "cookie:foopy=3rd", "3rd party cookie set"); + }); + + await win1stParty.fetch("cookies.sjs?first").then(r => r.text()); + await win1stParty + .fetch("cookies.sjs") + .then(r => r.text()) + .then(text => { + is(text, "cookie:foopy=first", "First party cookie set"); + }); + + await win3rdParty + .fetch("cookies.sjs") + .then(r => r.text()) + .then(text => { + if (allowed) { + is( + text, + "cookie:foopy=first", + "3rd party has the first party cookie set" + ); + } else { + is( + text, + "cookie:foopy=3rd", + "3rd party has not the first party cookie set" + ); + } + }); + }, + + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +PartitionedStorageHelper.runTestInNormalAndPrivateMode( + "DOM Cookies", + async (win3rdParty, win1stParty, allowed) => { + win3rdParty.document.cookie = "foo=3rd"; + is(win3rdParty.document.cookie, "foo=3rd", "3rd party cookie set"); + + win1stParty.document.cookie = "foo=first"; + is(win1stParty.document.cookie, "foo=first", "First party cookie set"); + + if (allowed) { + is( + win3rdParty.document.cookie, + "foo=first", + "3rd party has the first party cookie set" + ); + } else { + is( + win3rdParty.document.cookie, + "foo=3rd", + "3rd party has not the first party cookie set" + ); + } + }, + + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +PartitionedStorageHelper.runPartitioningTestInNormalAndPrivateMode( + "Partitioned tabs - DOM Cookies", + "cookies", + + // getDataCallback + async win => { + return win.document.cookie; + }, + + // addDataCallback + async (win, value) => { + win.document.cookie = value; + return true; + }, + + // cleanup + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +PartitionedStorageHelper.runPartitioningTestInNormalAndPrivateMode( + "Partitioned tabs - Network Cookies", + "cookies", + + // getDataCallback + async win => { + return win + .fetch("cookies.sjs") + .then(r => r.text()) + .then(text => { + return text.substring("cookie:foopy=".length); + }); + }, + + // addDataCallback + async (win, value) => { + await win.fetch("cookies.sjs?" + value).then(r => r.text()); + return true; + }, + + // cleanup + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedDOMCache.js b/toolkit/components/antitracking/test/browser/browser_partitionedDOMCache.js new file mode 100644 index 0000000000..ff6c8b9b75 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedDOMCache.js @@ -0,0 +1,35 @@ +/* import-globals-from partitionedstorage_head.js */ + +PartitionedStorageHelper.runTest( + "DOMCache", + async (win3rdParty, win1stParty, allowed) => { + // DOM Cache is not supported. Always blocked. + await win3rdParty.caches.open("wow").then( + _ => { + ok(allowed, "DOM Cache cannot be used!"); + }, + _ => { + ok(!allowed, "DOM Cache cannot be used!"); + } + ); + + await win1stParty.caches.open("wow").then( + _ => { + ok(true, "DOM Cache should be available"); + }, + _ => { + ok(false, "DOM Cache should be available"); + } + ); + }, + + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + + [["dom.caches.testing.enabled", true]] +); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedIndexedDB.js b/toolkit/components/antitracking/test/browser/browser_partitionedIndexedDB.js new file mode 100644 index 0000000000..cfec4c3dbe --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedIndexedDB.js @@ -0,0 +1,102 @@ +/* import-globals-from partitionedstorage_head.js */ + +PartitionedStorageHelper.runTest( + "IndexedDB", + async (win3rdParty, win1stParty, allowed) => { + await new Promise(resolve => { + let a = win1stParty.indexedDB.open("test", 1); + ok(!!a, "IDB should not be blocked in 1st party contexts"); + + a.onsuccess = e => { + let db = e.target.result; + is(db.objectStoreNames.length, 1, "We have 1 objectStore"); + is(db.objectStoreNames[0], "foobar", "We have 'foobar' objectStore"); + resolve(); + }; + + a.onupgradeneeded = e => { + let db = e.target.result; + is(db.objectStoreNames.length, 0, "We have 0 objectStores"); + db.createObjectStore("foobar", { keyPath: "test" }); + }; + }); + + await new Promise(resolve => { + let a = win3rdParty.indexedDB.open("test", 1); + ok(!!a, "IDB should not be blocked in 3rd party contexts"); + + a.onsuccess = e => { + let db = e.target.result; + + if (allowed) { + is(db.objectStoreNames.length, 1, "We have 1 objectStore"); + is(db.objectStoreNames[0], "foobar", "We have 'foobar' objectStore"); + } else { + is(db.objectStoreNames.length, 0, "We have 0 objectStore"); + } + resolve(); + }; + }); + }, + + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +PartitionedStorageHelper.runPartitioningTest( + "Partitioned tabs - IndexedDB", + "indexeddb", + + // getDataCallback + async win => { + return new Promise(resolve => { + let a = win.indexedDB.open("test", 1); + + a.onupgradeneeded = e => { + let db = e.target.result; + db.createObjectStore("foobar", { keyPath: "id" }); + }; + + a.onsuccess = e => { + let db = e.target.result; + db + .transaction("foobar") + .objectStore("foobar") + .get(1).onsuccess = ee => { + resolve(ee.target.result === undefined ? "" : ee.target.result.value); + }; + }; + }); + }, + + // addDataCallback + async (win, value) => { + return new Promise(resolve => { + let a = win.indexedDB.open("test", 1); + + a.onsuccess = e => { + let db = e.target.result; + db + .transaction("foobar", "readwrite") + .objectStore("foobar") + .put({ id: 1, value }).onsuccess = _ => { + resolve(true); + }; + }; + }); + }, + + // cleanup + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedLocalStorage.js b/toolkit/components/antitracking/test/browser/browser_partitionedLocalStorage.js new file mode 100644 index 0000000000..76b28c8edb --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedLocalStorage.js @@ -0,0 +1,112 @@ +/* import-globals-from antitracking_head.js */ +/* import-globals-from partitionedstorage_head.js */ + +AntiTracking.runTestInNormalAndPrivateMode( + "localStorage and Storage Access API", + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + let shouldThrow = [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ); + + let hasThrown; + try { + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + is(localStorage.foo, "42", "The value matches"); + hasThrown = false; + } catch (e) { + is(e.name, "SecurityError", "We want a security error message."); + hasThrown = true; + } + + is(hasThrown, shouldThrow, "LocalStorage has been exposed correctly"); + + let prevLocalStorage; + if (!shouldThrow) { + prevLocalStorage = localStorage; + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if (shouldThrow) { + try { + is(localStorage.foo, undefined, "Undefined value after."); + ok(false, "localStorage should not be available"); + } catch (e) { + ok(true, "localStorage should not be available"); + } + } else { + ok(localStorage != prevLocalStorage, "We have a new localStorage"); + is(localStorage.foo, undefined, "Undefined value after."); + + localStorage.foo = 42; + ok(true, "LocalStorage is still allowed"); + is(localStorage.foo, "42", "The value matches"); + } + }, + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + is(localStorage.foo, "42", "The value matches"); + + var prevLocalStorage = localStorage; + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + // For non-tracking windows, calling the API is a no-op + ok(localStorage == prevLocalStorage, "We have a new localStorage"); + is(localStorage.foo, "42", "The value matches"); + ok(true, "LocalStorage is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [ + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,tracking.example.com", + ], + ], + false, + false +); + +PartitionedStorageHelper.runPartitioningTestInNormalAndPrivateMode( + "Partitioned tabs - localStorage", + "localstorage", + + // getDataCallback + async win => { + return "foo" in win.localStorage ? win.localStorage.foo : ""; + }, + + // addDataCallback + async (win, value) => { + win.localStorage.foo = value; + return true; + }, + + // cleanup + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedLocalStorage_events.js b/toolkit/components/antitracking/test/browser/browser_partitionedLocalStorage_events.js new file mode 100644 index 0000000000..dda2b9dade --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedLocalStorage_events.js @@ -0,0 +1,1055 @@ +function log(test) { + if ("iteration" in test) { + info( + `Running test ${ + test.withStoragePrincipalEnabled + ? "with storage principal enabled" + : "without storage principal" + } with prefValue: ${test.prefValue} (Test #${test.iteration + 1})` + ); + test.iteration++; + } else { + test.iteration = 0; + log(test); + } +} + +function runAllTests(withStoragePrincipalEnabled, prefValue) { + const storagePrincipalTest = + prefValue == Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER; + const dynamicFPITest = + prefValue == + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; + + if (dynamicFPITest && withStoragePrincipalEnabled) { + // This isn't a meaningful configuration, ignore it. + return; + } + + const test = { withStoragePrincipalEnabled, dynamicFPITest, prefValue }; + + // For dynamic FPI tests, we want to test the conditions as if + // storage principal was enabled, so from now on we set this variable to + // true. + if (dynamicFPITest) { + withStoragePrincipalEnabled = true; + } + + let thirdPartyDomain; + if (storagePrincipalTest) { + thirdPartyDomain = TEST_3RD_PARTY_DOMAIN; + } + if (dynamicFPITest) { + thirdPartyDomain = TEST_4TH_PARTY_DOMAIN; + } + ok(thirdPartyDomain, "Sanity check"); + + let storagePrincipalPrefValue; + if (storagePrincipalTest) { + storagePrincipalPrefValue = withStoragePrincipalEnabled; + } + if (dynamicFPITest) { + storagePrincipalPrefValue = false; + } + + // A same origin (and same-process via setting "dom.ipc.processCount" to 1) + // top-level window with access to real localStorage does not share storage + // with an ePartitionOrDeny iframe that should have PartitionedLocalStorage and + // no storage events are received in either direction. (Same-process in order + // to avoid having to worry about any e10s propagation issues.) + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", prefValue], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("Creating a tracker top-level context"); + let trackerTab = BrowserTestUtils.addTab( + gBrowser, + thirdPartyDomain + TEST_PATH + "page.html" + ); + let trackerBrowser = gBrowser.getBrowserForTab(trackerTab); + await BrowserTestUtils.browserLoaded(trackerBrowser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Setting localStorage value..."); + ifr.contentWindow.postMessage("setValue", "*"); + + info("Getting the value..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok( + value.startsWith("tracker-"), + "The value is correctly set by the tracker" + ); + } + ); + + info("The tracker page should not have received events"); + await SpecialPowers.spawn(trackerBrowser, [], async _ => { + is(content.localStorage.foo, undefined, "Undefined value!"); + content.localStorage.foo = "normal-" + Math.random(); + }); + + info("Let's see if non-tracker page has received events"); + await SpecialPowers.spawn(normalBrowser, [], async _ => { + let ifr = content.document.getElementById("ifr"); + + info("Getting the value..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok( + value.startsWith("tracker-"), + "The value is correctly set by the tracker" + ); + + info("Getting the events..."); + let events = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getEvents", "*"); + }); + + is(events, 0, "No events"); + }); + + BrowserTestUtils.removeTab(trackerTab); + BrowserTestUtils.removeTab(normalTab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // Two ePartitionOrDeny iframes in the same tab in the same origin see + // the same localStorage values but no storage events are received from each + // other if storage principal and dFPI are disbled. + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", prefValue], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + withStoragePrincipalEnabled: test.withStoragePrincipalEnabled, + dynamicFPITest: test.dynamicFPITest, + }, + ], + async obj => { + let ifr1 = content.document.createElement("iframe"); + ifr1.setAttribute("id", "ifr1"); + ifr1.setAttribute("src", obj.page); + + info("Iframe 1 loading..."); + await new content.Promise(resolve => { + ifr1.onload = resolve; + content.document.body.appendChild(ifr1); + }); + + let ifr2 = content.document.createElement("iframe"); + ifr2.setAttribute("id", "ifr2"); + ifr2.setAttribute("src", obj.page); + + info("Iframe 2 loading..."); + await new content.Promise(resolve => { + ifr2.onload = resolve; + content.document.body.appendChild(ifr2); + }); + + info("Setting localStorage value in ifr1..."); + ifr1.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr1..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr1.contentWindow.postMessage("getValue", "*"); + }); + + ok(value.startsWith("tracker-"), "The value is correctly set in ifr1"); + + info("Getting the value from ifr2..."); + value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr2.contentWindow.postMessage("getValue", "*"); + }); + + if (obj.withStoragePrincipalEnabled || obj.dynamicFPITest) { + ok( + value.startsWith("tracker-"), + "The value is correctly set in ifr2" + ); + } else { + is(value, null, "The value is not set in ifr2"); + } + + info("Getting the events received by ifr2..."); + let events = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr2.contentWindow.postMessage("getEvents", "*"); + }); + + if (obj.withStoragePrincipalEnabled || obj.dynamicFPITest) { + is(events, 1, "one event"); + } else { + is(events, 0, "No events"); + } + } + ); + + BrowserTestUtils.removeTab(normalTab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // Same as the previous test but with a cookie behavior of BEHAVIOR_ACCEPT + // instead of BEHAVIOR_REJECT_TRACKER so the iframes get real, persistent + // localStorage instead of partitioned localStorage. + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", Ci.nsICookieService.BEHAVIOR_ACCEPT], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr1 = content.document.createElement("iframe"); + ifr1.setAttribute("id", "ifr1"); + ifr1.setAttribute("src", obj.page); + + info("Iframe 1 loading..."); + await new content.Promise(resolve => { + ifr1.onload = resolve; + content.document.body.appendChild(ifr1); + }); + + let ifr2 = content.document.createElement("iframe"); + ifr2.setAttribute("id", "ifr2"); + ifr2.setAttribute("src", obj.page); + + info("Iframe 2 loading..."); + await new content.Promise(resolve => { + ifr2.onload = resolve; + content.document.body.appendChild(ifr2); + }); + + info("Setting localStorage value in ifr1..."); + ifr1.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr1..."); + let value1 = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr1.contentWindow.postMessage("getValue", "*"); + }); + + ok(value1.startsWith("tracker-"), "The value is correctly set in ifr1"); + + info("Getting the value from ifr2..."); + let value2 = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr2.contentWindow.postMessage("getValue", "*"); + }); + + is(value2, value1, "The values match"); + + info("Getting the events received by ifr2..."); + let events = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr2.contentWindow.postMessage("getEvents", "*"); + }); + + is(events, 1, "One event"); + } + ); + + BrowserTestUtils.removeTab(normalTab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // An ePartitionOrDeny iframe navigated between two distinct pages on the same + // origin does not see the values stored by the previous iframe. + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", prefValue], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + withStoragePrincipalEnabled: test.withStoragePrincipalEnabled, + dynamicFPITest: test.dynamicFPITest, + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Setting localStorage value in ifr..."); + ifr.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok(value.startsWith("tracker-"), "The value is correctly set in ifr"); + + info("Navigate..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + ifr.setAttribute("src", obj.page + "?" + Math.random()); + }); + + info("Getting the value from ifr..."); + let value2 = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + if (obj.withStoragePrincipalEnabled || obj.dynamicFPITest) { + is(value, value2, "The value is received"); + } else { + is(value2, null, "The value is undefined"); + } + } + ); + + BrowserTestUtils.removeTab(normalTab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // Like the previous test, but accepting trackers + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", Ci.nsICookieService.BEHAVIOR_ACCEPT], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Setting localStorage value in ifr..."); + ifr.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok(value.startsWith("tracker-"), "The value is correctly set in ifr"); + + info("Navigate..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + ifr.setAttribute("src", obj.page + "?" + Math.random()); + }); + + info("Getting the value from ifr..."); + let value2 = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + is(value, value2, "The value is received"); + } + ); + + BrowserTestUtils.removeTab(normalTab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // An ePartitionOrDeny iframe on the same origin that is navigated to itself + // via window.location.reload() or equivalent does not see the values stored + // by its previous self. + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", prefValue], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + withStoragePrincipalEnabled: test.withStoragePrincipalEnabled, + dynamicFPITest: test.dynamicFPITest, + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Setting localStorage value in ifr..."); + ifr.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok(value.startsWith("tracker-"), "The value is correctly set in ifr"); + + info("Reload..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + ifr.contentWindow.postMessage("reload", "*"); + }); + + info("Getting the value from ifr..."); + let value2 = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + if (obj.withStoragePrincipalEnabled || obj.dynamicFPITest) { + is(value, value2, "The value is equal"); + } else { + is(value2, null, "The value is undefined"); + } + } + ); + + BrowserTestUtils.removeTab(normalTab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // Like the previous test, but accepting trackers + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", Ci.nsICookieService.BEHAVIOR_ACCEPT], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Setting localStorage value in ifr..."); + ifr.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok(value.startsWith("tracker-"), "The value is correctly set in ifr"); + + info("Reload..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + ifr.contentWindow.postMessage("reload", "*"); + }); + + info("Getting the value from ifr..."); + let value2 = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + is(value, value2, "The value is equal"); + } + ); + + BrowserTestUtils.removeTab(normalTab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // An ePartitionOrDeny iframe on different top-level domain tabs + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", prefValue], + ["privacy.firstparty.isolate", false], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + let result1 = await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Setting localStorage value in ifr..."); + ifr.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok(value.startsWith("tracker-"), "The value is correctly set in ifr"); + return value; + } + ); + ok(result1.startsWith("tracker-"), "The value is correctly set in tab1"); + + info("Creating a non-tracker top-level context"); + let normalTab2 = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE_2); + let normalBrowser2 = gBrowser.getBrowserForTab(normalTab2); + await BrowserTestUtils.browserLoaded(normalBrowser2); + + info("The non-tracker page opens a tracker iframe"); + let result2 = await SpecialPowers.spawn( + normalBrowser2, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + return value; + } + ); + + ok(!result2, "The value is null"); + + BrowserTestUtils.removeTab(normalTab); + BrowserTestUtils.removeTab(normalTab2); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // Like the previous test, but accepting trackers + add_task(async _ => { + log(test); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + ["network.cookie.cookieBehavior", Ci.nsICookieService.BEHAVIOR_ACCEPT], + ["privacy.firstparty.isolate", false], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.partitionedHosts", + "tracking.example.org,not-tracking.example.com", + ], + [ + "privacy.storagePrincipal.enabledForTrackers", + storagePrincipalPrefValue, + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let normalTab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let normalBrowser = gBrowser.getBrowserForTab(normalTab); + await BrowserTestUtils.browserLoaded(normalBrowser); + + info("The non-tracker page opens a tracker iframe"); + let result1 = await SpecialPowers.spawn( + normalBrowser, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Setting localStorage value in ifr..."); + ifr.contentWindow.postMessage("setValue", "*"); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + + ok(value.startsWith("tracker-"), "The value is correctly set in ifr"); + return value; + } + ); + ok(result1.startsWith("tracker-"), "The value is correctly set in tab1"); + + info("Creating a non-tracker top-level context"); + let normalTab2 = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE_2); + let normalBrowser2 = gBrowser.getBrowserForTab(normalTab2); + await BrowserTestUtils.browserLoaded(normalBrowser2); + + info("The non-tracker page opens a tracker iframe"); + let result2 = await SpecialPowers.spawn( + normalBrowser2, + [ + { + page: thirdPartyDomain + TEST_PATH + "localStorageEvents.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + info("Getting the value from ifr..."); + let value = await new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + ifr.contentWindow.postMessage("getValue", "*"); + }); + return value; + } + ); + + is(result1, result2, "The value is undefined"); + + BrowserTestUtils.removeTab(normalTab); + BrowserTestUtils.removeTab(normalTab2); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); + + // Cleanup data. + add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }); +} + +for (let pref of [ + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, +]) { + runAllTests(false, pref); + runAllTests(true, pref); +} diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedMessaging.js b/toolkit/components/antitracking/test/browser/browser_partitionedMessaging.js new file mode 100644 index 0000000000..7e706f220a --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedMessaging.js @@ -0,0 +1,22 @@ +/* import-globals-from partitionedstorage_head.js */ + +PartitionedStorageHelper.runTestInNormalAndPrivateMode( + "BroadcastChannel", + async (win3rdParty, win1stParty, allowed) => { + let a = new win3rdParty.BroadcastChannel("hello"); + ok(!!a, "BroadcastChannel should be created by 3rd party iframe"); + + let b = new win1stParty.BroadcastChannel("hello"); + ok(!!b, "BroadcastChannel should be created by 1st party iframe"); + + // BroadcastChannel uses the incument global, this means that its CTOR will + // always use the 3rd party iframe's window as global. + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedServiceWorkers.js b/toolkit/components/antitracking/test/browser/browser_partitionedServiceWorkers.js new file mode 100644 index 0000000000..48b2e0f961 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedServiceWorkers.js @@ -0,0 +1,89 @@ +/* import-globals-from partitionedstorage_head.js */ + +PartitionedStorageHelper.runTest( + "ServiceWorkers", + async (win3rdParty, win1stParty, allowed) => { + // ServiceWorkers are not supported. Always blocked. + await win3rdParty.navigator.serviceWorker.register("empty.js").then( + _ => { + ok(allowed, "Success: ServiceWorker cannot be used!"); + }, + _ => { + ok(!allowed, "Failed: ServiceWorker cannot be used!"); + } + ); + + await win1stParty.navigator.serviceWorker.register("empty.js").then( + _ => { + ok(true, "Success: ServiceWorker should be available!"); + }, + _ => { + ok(false, "Failed: ServiceWorker should be available!"); + } + ); + }, + + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + + [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.ipc.processCount", 1], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ] +); + +PartitionedStorageHelper.runTest( + "ServiceWorkers - MatchAll", + async (win3rdParty, win1stParty, allowed) => { + if (!win1stParty.sw) { + let reg = await win1stParty.navigator.serviceWorker.register( + "matchAll.js" + ); + if (reg.installing.state !== "activated") { + await new Promise(resolve => { + let w = reg.installing; + w.addEventListener("statechange", function onStateChange() { + if (w.state === "activated") { + w.removeEventListener("statechange", onStateChange); + win1stParty.sw = reg.active; + resolve(); + } + }); + }); + } + } + + let msgPromise = new Promise(resolve => { + win1stParty.navigator.serviceWorker.addEventListener("message", msg => { + resolve(msg.data); + }); + }); + + win1stParty.sw.postMessage(win3rdParty.location.href); + let msg = await msgPromise; + + is(allowed, msg, "We want to have the 3rd party window controlled."); + }, + + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + + [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.ipc.processCount", 1], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ] +); diff --git a/toolkit/components/antitracking/test/browser/browser_partitionedSharedWorkers.js b/toolkit/components/antitracking/test/browser/browser_partitionedSharedWorkers.js new file mode 100644 index 0000000000..eba56d6936 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_partitionedSharedWorkers.js @@ -0,0 +1,80 @@ +/* import-globals-from partitionedstorage_head.js */ + +PartitionedStorageHelper.runTestInNormalAndPrivateMode( + "SharedWorkers", + async (win3rdParty, win1stParty, allowed) => { + // This test fails if run with an HTTPS 3rd-party URL because the shared worker + // which would start from the window opened from 3rdPartyStorage.html will become + // secure context and per step 11.4.3 of + // https://html.spec.whatwg.org/multipage/workers.html#dom-sharedworker attempting + // to run the SharedWorker constructor would emit an error event. + is( + win3rdParty.location.protocol, + "http:", + "Our 3rd party URL shouldn't be HTTPS" + ); + + let sh1 = new win1stParty.SharedWorker("sharedWorker.js"); + await new Promise(resolve => { + sh1.port.onmessage = e => { + is(e.data, 1, "We expected 1 connection"); + resolve(); + }; + sh1.port.postMessage("count"); + }); + + let sh3 = new win3rdParty.SharedWorker("sharedWorker.js"); + await new Promise(resolve => { + sh3.port.onmessage = e => { + is( + e.data, + allowed ? 2 : 1, + `We expected ${allowed ? 2 : 1} connection for 3rd party SharedWorker` + ); + resolve(); + }; + sh3.onerror = _ => { + ok(false, "We should not be here"); + resolve(); + }; + sh3.port.postMessage("count"); + }); + + sh1.port.postMessage("close"); + sh3.port.postMessage("close"); + }, + + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } +); + +PartitionedStorageHelper.runPartitioningTestInNormalAndPrivateMode( + "Partitioned tabs - SharedWorker", + "sharedworker", + + // getDataCallback + async win => { + win.sh = new win.SharedWorker("partitionedSharedWorker.js"); + return new Promise(resolve => { + win.sh.port.onmessage = e => { + resolve(e.data); + }; + win.sh.port.postMessage({ what: "get" }); + }); + }, + + // addDataCallback + async (win, value) => { + win.sh = new win.SharedWorker("partitionedSharedWorker.js"); + win.sh.port.postMessage({ what: "put", value }); + return true; + }, + + // cleanup + async _ => {} +); diff --git a/toolkit/components/antitracking/test/browser/browser_permissionInNormalWindows.js b/toolkit/components/antitracking/test/browser/browser_permissionInNormalWindows.js new file mode 100644 index 0000000000..9b953daac5 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_permissionInNormalWindows.js @@ -0,0 +1,107 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "Test whether we receive any persistent permissions in normal windows", + // Blocking callback + async _ => { + // Nothing to do here! + }, + + // Non blocking callback + async _ => { + try { + // We load the test script in the parent process to check permissions. + let chromeScript = SpecialPowers.loadChromeScript(_ => { + // eslint-disable-next-line no-undef + addMessageListener("go", _ => { + const { Services } = ChromeUtils.import( + "resource://gre/modules/Services.jsm" + ); + + function ok(what, msg) { + // eslint-disable-next-line no-undef + sendAsyncMessage("ok", { what: !!what, msg }); + } + + function is(a, b, msg) { + ok(a === b, msg); + } + + // We should use the principal of the TEST_DOMAIN since the storage + // permission is saved under it. + let principal = Services.scriptSecurityManager.createContentPrincipalFromOrigin( + "http://example.net/" + ); + + for (let perm of Services.perms.getAllForPrincipal(principal)) { + // Ignore permissions other than storage access + if (!perm.type.startsWith("3rdPartyStorage^")) { + continue; + } + is( + perm.expireType, + Services.perms.EXPIRE_TIME, + "Permission must expire at a specific time" + ); + ok(perm.expireTime > 0, "Permission must have a expiry time"); + } + + // eslint-disable-next-line no-undef + sendAsyncMessage("done"); + }); + }); + + chromeScript.addMessageListener("ok", obj => { + ok(obj.what, obj.msg); + }); + + await new Promise(resolve => { + chromeScript.addMessageListener("done", _ => { + chromeScript.destroy(); + resolve(); + }); + + chromeScript.sendAsyncMessage("go"); + }); + + // We check the permission in tracking processes for non-Fission mode. In + // Fission mode, the permission won't be synced to the tracking process, + // so we don't check it. + if (!SpecialPowers.useRemoteSubframes) { + let Services = SpecialPowers.Services; + let principal = Services.scriptSecurityManager.createContentPrincipalFromOrigin( + "http://example.net/" + ); + + for (let perm of Services.perms.getAllForPrincipal(principal)) { + // Ignore permissions other than storage access + if (!perm.type.startsWith("3rdPartyStorage^")) { + continue; + } + is( + perm.expireType, + Services.perms.EXPIRE_TIME, + "Permission must expire at a specific time" + ); + ok(perm.expireTime > 0, "Permission must have a expiry time"); + } + } + } catch (e) { + alert(e); + } + }, + + // Cleanup callback + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, // no extra prefs + true, // run the window.open() test + true, // run the user interaction test + 0, // don't expect blocking notifications + false +); // run in normal windows diff --git a/toolkit/components/antitracking/test/browser/browser_permissionInPrivateWindows.js b/toolkit/components/antitracking/test/browser/browser_permissionInPrivateWindows.js new file mode 100644 index 0000000000..9c31984456 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_permissionInPrivateWindows.js @@ -0,0 +1,47 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "Test whether we receive any persistent permissions in private windows", + // Blocking callback + async _ => { + // Nothing to do here! + }, + + // Non blocking callback + async _ => { + try { + let Services = SpecialPowers.Services; + // We would use TEST_3RD_PARTY_DOMAIN here, except that the variable isn't + // accessible in the context of the web page... + let principal = SpecialPowers.wrap(document).nodePrincipal; + for (let perm of Services.perms.getAllForPrincipal(principal)) { + // Ignore permissions other than storage access + if (!perm.type.startsWith("3rdPartyStorage^")) { + continue; + } + is( + perm.expireType, + Services.perms.EXPIRE_SESSION, + "Permission must expire at the end of session" + ); + is(perm.expireTime, 0, "Permission must have no expiry time"); + } + } catch (e) { + alert(e); + } + }, + + // Cleanup callback + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, // no extra prefs + true, // run the window.open() test + true, // run the user interaction test + 0, // don't expect blocking notifications + true +); // run in private windows diff --git a/toolkit/components/antitracking/test/browser/browser_permissionPropagation.js b/toolkit/components/antitracking/test/browser/browser_permissionPropagation.js new file mode 100644 index 0000000000..ede63f8306 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_permissionPropagation.js @@ -0,0 +1,416 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +/* eslint-disable mozilla/no-arbitrary-setTimeout */ + +/** + * This test makes sure the when we grant the storage permission, the + * permission is also propagated to iframes within the same agent cluster, + * but not to iframes in the other tabs. + */ + +async function createTab(topUrl, iframeCount, opener, params) { + let newTab; + let browser; + if (opener) { + let promise = BrowserTestUtils.waitForNewTab(gBrowser, topUrl); + await SpecialPowers.spawn(opener, [topUrl], function(url) { + content.window.open(url, "_blank"); + }); + newTab = await promise; + browser = gBrowser.getBrowserForTab(newTab); + } else { + newTab = BrowserTestUtils.addTab(gBrowser, topUrl); + + browser = gBrowser.getBrowserForTab(newTab); + await BrowserTestUtils.browserLoaded(browser); + } + + await SpecialPowers.spawn( + browser, + [params, iframeCount, createTrackerFrame.toString()], + async function(params, count, fn) { + // eslint-disable-next-line no-eval + let fnCreateTrackerFrame = eval(`(() => (${fn}))()`); + await fnCreateTrackerFrame(params, count, ifr => { + ifr.contentWindow.postMessage( + { callback: params.msg.blockingCallback }, + "*" + ); + }); + } + ); + + return Promise.resolve(newTab); +} + +async function createTrackerFrame(params, count, callback) { + let iframes = []; + for (var i = 0; i < count; i++) { + iframes[i] = content.document.createElement("iframe"); + await new content.Promise(resolve => { + iframes[i].id = "ifr" + i; + iframes[i].src = params.page; + iframes[i].onload = resolve; + content.document.body.appendChild(iframes[i]); + }); + + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + callback(iframes[i]); + }); + } +} + +async function testPermission(browser, block, params) { + await SpecialPowers.spawn(browser, [block, params], async function( + block, + params + ) { + for (let i = 0; ; i++) { + let ifr = content.document.getElementById("ifr" + i); + if (!ifr) { + break; + } + + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + if (block) { + ifr.contentWindow.postMessage( + { callback: params.msg.blockingCallback }, + "*" + ); + } else { + ifr.contentWindow.postMessage( + { callback: params.msg.nonBlockingCallback }, + "*" + ); + } + }); + } + }); +} + +add_task(async function testPermissionGrantedOn3rdParty() { + info("Starting permission propagation test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let msg = {}; + msg.blockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + await new Promise(resolve => { + // eslint-disable-next-line no-undef + let w = worker; + w.addEventListener( + "message", + e => { + ok(!e.data, "IDB is disabled"); + resolve(); + }, + { once: true } + ); + w.postMessage("go"); + }); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + console.log("test hasStorageAccessInitially\n"); + await hasStorageAccessInitially(); + + await new Promise(resolve => { + // eslint-disable-next-line no-undef + let w = worker; + w.addEventListener( + "message", + e => { + ok(e.data, "IDB is enabled"); + resolve(); + }, + { once: true } + ); + w.postMessage("go"); + }); + }).toString(); + + let top = TEST_TOP_PAGE; + let page = TEST_3RD_PARTY_PAGE_WORKER; + let pageOther = + TEST_ANOTHER_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartyWorker.html"; + let params = { page, msg, pageOther }; + // Create 4 tabs: + // 1. The first tab has two tracker iframes, said A & B. + // 2. The second tab is opened by the first tab, and it has one tracker iframe, said C. + // 3. The third tab has one tracker iframe, said D. + // 4. The fourth tab is opened by the first tab but with a different top-level url). + // The tab has one tracker iframe, said E. + // + // This test grants permission on iframe A, which then should propagate storage + // permission to iframe B & C, but not D, E + + info("Creating the first tab"); + let tab1 = await createTab(top, 2, null, params); + let browser1 = gBrowser.getBrowserForTab(tab1); + + info("Creating the second tab"); + let tab2 = await createTab(top, 1, browser1 /* opener */, params); + let browser2 = gBrowser.getBrowserForTab(tab2); + + info("Creating the third tab"); + let tab3 = await createTab(top, 1, null, params); + let browser3 = gBrowser.getBrowserForTab(tab3); + + info("Creating the fourth tab"); + let tab4 = await createTab(TEST_TOP_PAGE_2, 1, browser1, params); + let browser4 = gBrowser.getBrowserForTab(tab4); + + info("Grant storage permission to the first iframe in the first tab"); + await SpecialPowers.spawn(browser1, [page, msg], async function(page, msg) { + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + let ifr = content.document.getElementById("ifr0"); + ifr.contentWindow.postMessage( + { + callback: (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + }).toString(), + }, + "*" + ); + }); + }); + + info("Both iframs of the first tab should have stroage permission"); + await testPermission(browser1, false /* block */, params); + + info("The iframe of the second tab should have storage permission"); + await testPermission(browser2, false /* block */, params); + + info("The iframe of the third tab should not have storage permission"); + await testPermission(browser3, true /* block */, params); + + info("The iframe of the fourth tab should not have storage permission"); + await testPermission(browser4, true /* block */, params); + + info("Removing the tabs"); + BrowserTestUtils.removeTab(tab1); + BrowserTestUtils.removeTab(tab2); + BrowserTestUtils.removeTab(tab3); + BrowserTestUtils.removeTab(tab4); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); + +add_task(async function testPermissionGrantedOnFirstParty() { + info("Starting permission propagation test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let msg = {}; + msg.blockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + await new Promise(resolve => { + // eslint-disable-next-line no-undef + let w = worker; + w.addEventListener( + "message", + e => { + ok(!e.data, "IDB is disabled"); + resolve(); + }, + { once: true } + ); + w.postMessage("go"); + }); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + console.log("test hasStorageAccessInitially\n"); + await hasStorageAccessInitially(); + + await new Promise(resolve => { + // eslint-disable-next-line no-undef + let w = worker; + w.addEventListener( + "message", + e => { + ok(e.data, "IDB is enabled"); + resolve(); + }, + { once: true } + ); + w.postMessage("go"); + }); + }).toString(); + + let top = TEST_TOP_PAGE; + let page = TEST_3RD_PARTY_PAGE_WORKER; + let params = { page, msg }; + // Create 4 tabs: + // 1. The first tab has two tracker iframes, said A & B. + // 2. The second tab is opened by the first tab, and it has one tracker iframe, said C. + // 3. The third tab has one tracker iframe, said D. + // 4. The fourth tab is opened by the first tab but with a different top-level url). + // The tab has one tracker iframe, said E. + // + // This test grants permission on iframe A, which then should propagate storage + // permission to iframe B & C, but not D, E + + info("Creating the first tab"); + let tab1 = await createTab(top, 2, null, params); + let browser1 = gBrowser.getBrowserForTab(tab1); + + info("Creating the second tab"); + let tab2 = await createTab(top, 1, browser1 /* opener */, params); + let browser2 = gBrowser.getBrowserForTab(tab2); + + info("Creating the third tab"); + let tab3 = await createTab(top, 1, null, params); + let browser3 = gBrowser.getBrowserForTab(tab3); + + info("Creating the fourth tab"); + let tab4 = await createTab(TEST_TOP_PAGE_2, 1, browser1, params); + let browser4 = gBrowser.getBrowserForTab(tab4); + + info("Grant storage permission to the first iframe in the first tab"); + let promise = BrowserTestUtils.waitForNewTab(gBrowser, page); + await SpecialPowers.spawn(browser1, [page], async function(page) { + content.window.open(page, "_blank"); + }); + let tab = await promise; + BrowserTestUtils.removeTab(tab); + + info("Both iframs of the first tab should have stroage permission"); + await testPermission(browser1, false /* block */, params); + + info("The iframe of the second tab should have storage permission"); + await testPermission(browser2, false /* block */, params); + + info("The iframe of the third tab should not have storage permission"); + await testPermission(browser3, true /* block */, params); + + info("The iframe of the fourth tab should not have storage permission"); + await testPermission(browser4, true /* block */, params); + + info("Removing the tabs"); + BrowserTestUtils.removeTab(tab1); + BrowserTestUtils.removeTab(tab2); + BrowserTestUtils.removeTab(tab3); + BrowserTestUtils.removeTab(tab4); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_referrerDefaultPolicy.js b/toolkit/components/antitracking/test/browser/browser_referrerDefaultPolicy.js new file mode 100644 index 0000000000..46465d9b8a --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_referrerDefaultPolicy.js @@ -0,0 +1,571 @@ +requestLongerTimeout(8); + +const CHROME_BASE = + "chrome://mochitests/content/browser/browser/base/content/test/general/"; +Services.scriptloader.loadSubScript(CHROME_BASE + "head.js", this); +/* import-globals-from ../../../../../browser/base/content/test/general/head.js */ + +async function openAWindow(private) { + info("Creating a new " + (private ? "private" : "normal") + " window"); + let win = OpenBrowserWindow({ private }); + await TestUtils.topicObserved( + "browser-delayed-startup-finished", + subject => subject == win + ).then(() => win); + await BrowserTestUtils.firstBrowserLoaded(win); + return win; +} + +async function testOnWindowBody(win, expectedReferrer, rp) { + let browser = win.gBrowser; + let tab = browser.selectedTab; + let b = browser.getBrowserForTab(tab); + await promiseTabLoadEvent(tab, TEST_TOP_PAGE); + + info("Loading tracking scripts and tracking images"); + let referrer = await SpecialPowers.spawn(b, [{ rp }], async function({ rp }) { + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + if (rp) { + src.referrerPolicy = rp; + } + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/referrer.sjs?what=script"; + await p; + } + + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + if (rp) { + img.referrerPolicy = rp; + } + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/referrer.sjs?what=image"; + await p; + } + + { + let iframe = content.document.createElement("iframe"); + let p = new content.Promise(resolve => { + iframe.onload = resolve; + }); + content.document.body.appendChild(iframe); + if (rp) { + iframe.referrerPolicy = rp; + } + iframe.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/referrer.sjs?what=iframe"; + await p; + + p = new content.Promise(resolve => { + content.onmessage = event => { + resolve(event.data); + }; + }); + iframe.contentWindow.postMessage("ping", "*"); + return p; + } + }); + + is(referrer, expectedReferrer, "The correct referrer must be read from DOM"); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/referrer.sjs?result&what=script" + ) + .then(r => r.text()) + .then(text => { + is(text, expectedReferrer, "We sent the correct Referer header"); + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/referrer.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + is(text, expectedReferrer, "We sent the correct Referer header"); + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/referrer.sjs?result&what=iframe" + ) + .then(r => r.text()) + .then(text => { + is(text, expectedReferrer, "We sent the correct Referer header"); + }); +} + +async function closeAWindow(win) { + await BrowserTestUtils.closeWindow(win); +} + +let gRecording = true; +let gScenarios = []; +let gRPs = []; +let gTests = { private: [], nonPrivate: [] }; +const kPBPref = "network.http.referer.defaultPolicy.trackers.pbmode"; +const kNonPBPref = "network.http.referer.defaultPolicy.trackers"; + +function recordScenario(private, expectedReferrer, rp) { + if (!gRPs.includes(rp)) { + gRPs.push(rp); + } + gScenarios.push({ + private, + expectedReferrer, + rp, + pbPref: Services.prefs.getIntPref(kPBPref), + nonPBPref: Services.prefs.getIntPref(kNonPBPref), + }); +} + +async function testOnWindow(private, expectedReferrer, rp) { + if (gRecording) { + recordScenario(private, expectedReferrer, rp); + } +} + +function compileScenarios() { + let keys = { false: [], true: [] }; + for (let s of gScenarios) { + let key = { + rp: s.rp, + pbPref: s.pbPref, + nonPBPref: s.nonPBPref, + }; + let skip = false; + for (let k of keys[s.private]) { + if ( + key.rp == k.rp && + key.pbPref == k.pbPref && + key.nonPBPref == k.nonPBPref + ) { + skip = true; + break; + } + } + if (!skip) { + keys[s.private].push(key); + gTests[s.private ? "private" : "nonPrivate"].push({ + rp: s.rp, + pbPref: s.pbPref, + nonPBPref: s.nonPBPref, + expectedReferrer: s.expectedReferrer, + }); + } + } + + // Verify that all scenarios are checked + let counter = 1; + for (let s of gScenarios) { + let checked = false; + for (let tt in gTests) { + let private = tt == "private"; + for (let t of gTests[tt]) { + if ( + private == s.private && + t.rp == s.rp && + t.pbPref == s.pbPref && + t.nonPBPref == s.nonPBPref && + t.expectedReferrer == s.expectedReferrer + ) { + checked = true; + break; + } + } + } + ok(checked, `Scenario number ${counter++} checked`); + } +} + +async function executeTests() { + compileScenarios(); + + gRecording = false; + for (let mode in gTests) { + info(`Open a ${mode} window`); + while (gTests[mode].length) { + let test = gTests[mode].shift(); + info(`Running test ${test.toSource()}`); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["network.http.referer.defaultPolicy.trackers", test.nonPBPref], + ["network.http.referer.defaultPolicy.trackers.pbmode", test.pbPref], + ], + }); + + let win = await openAWindow(mode == "private"); + + await testOnWindowBody(win, test.expectedReferrer, test.rp); + + await closeAWindow(win); + } + } + + Services.prefs.clearUserPref(kPBPref); + Services.prefs.clearUserPref(kNonPBPref); +} + +function pn(name, private) { + return private ? name + ".pbmode" : name; +} + +async function testOnNoReferrer(private) { + // no-referrer pref when no-referrer is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, "", "no-referrer"); + + // strict-origin-when-cross-origin pref when no-referrer is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, "", "no-referrer"); + + // same-origin pref when no-referrer is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, "", "no-referrer"); + + // no-referrer pref when no-referrer is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, "", "no-referrer"); +} + +async function testOnSameOrigin(private) { + // same-origin pref when same-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, "", "same-origin"); + + // strict-origin-when-cross-origin pref when same-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, "", "same-origin"); + + // same-origin pref when same-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, "", "same-origin"); + + // same-origin pref when same-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, "", "same-origin"); +} + +async function testOnNoReferrerWhenDowngrade(private) { + // no-referrer-when-downgrade pref when no-referrer-when-downgrade is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "no-referrer-when-downgrade"); + + // strict-origin-when-cross-origin pref when no-referrer-when-downgrade is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "no-referrer-when-downgrade"); + + // same-origin pref when no-referrer-when-downgrade is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "no-referrer-when-downgrade"); + + // no-referrer pref when no-referrer-when-downgrade is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "no-referrer-when-downgrade"); +} + +async function testOnOrigin(private) { + // origin pref when origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin"); + + // strict-origin pref when origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin"); + + // same-origin pref when origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin"); + + // no-referrer pref when origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin"); +} + +async function testOnStrictOrigin(private) { + // strict-origin pref when strict-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin"); + + // strict-origin pref when strict-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin"); + + // same-origin pref when strict-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin"); + + // no-referrer pref when strict-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin"); +} + +async function testOnOriginWhenCrossOrigin(private) { + // origin-when-cross-origin pref when origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin-when-cross-origin"); + + // strict-origin-when-cross-origin pref when origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin-when-cross-origin"); + + // same-origin pref when origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin-when-cross-origin"); + + // no-referrer pref when origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, TEST_DOMAIN, "origin-when-cross-origin"); +} + +async function testOnStrictOriginWhenCrossOrigin(private) { + // origin-when-cross-origin pref when strict-origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin-when-cross-origin"); + + // strict-origin-when-cross-origin pref when strict-origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin-when-cross-origin"); + + // same-origin pref when strict-origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin-when-cross-origin"); + + // no-referrer pref when strict-origin-when-cross-origin is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, TEST_DOMAIN, "strict-origin-when-cross-origin"); +} + +async function testOnUnsafeUrl(private) { + // no-referrer-when-downgrade pref when unsafe-url is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 3]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "unsafe-url"); + + // strict-origin-when-cross-origin pref when unsafe-url is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 2]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "unsafe-url"); + + // same-origin pref when unsafe-url is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 1]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "unsafe-url"); + + // no-referrer pref when unsafe-url is forced + await SpecialPowers.pushPrefEnv({ + set: [[pn("network.http.referer.defaultPolicy.trackers", private), 0]], + }); + await testOnWindow(private, TEST_TOP_PAGE, "unsafe-url"); +} + +add_task(async function() { + info("Starting referrer default policy test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["network.http.referer.defaultPolicy", 3], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + + // no-referrer-when-downgrade + await SpecialPowers.pushPrefEnv({ + set: [["network.http.referer.defaultPolicy.trackers", 3]], + }); + await testOnWindow(false, TEST_TOP_PAGE, null); + + // strict-origin-when-cross-origin + await SpecialPowers.pushPrefEnv({ + set: [["network.http.referer.defaultPolicy.trackers", 2]], + }); + await testOnWindow(false, TEST_DOMAIN, null); + + // same-origin + await SpecialPowers.pushPrefEnv({ + set: [["network.http.referer.defaultPolicy.trackers", 1]], + }); + await testOnWindow(false, "", null); + + // no-referrer + await SpecialPowers.pushPrefEnv({ + set: [["network.http.referer.defaultPolicy.trackers", 0]], + }); + await testOnWindow(false, "", null); + + // override with no-referrer + await testOnNoReferrer(false); + + // override with same-origin + await testOnSameOrigin(false); + + // override with no-referrer-when-downgrade + await testOnNoReferrerWhenDowngrade(false); + + // override with origin + await testOnOrigin(false); + + // override with strict-origin + await testOnStrictOrigin(false); + + // override with origin-when-cross-origin + await testOnOriginWhenCrossOrigin(false); + + // override with strict-origin-when-cross-origin + await testOnStrictOriginWhenCrossOrigin(false); + + // override with unsafe-url + await testOnUnsafeUrl(false); + + // Reset the pref. + Services.prefs.clearUserPref("network.http.referer.defaultPolicy.trackers"); + + // no-referrer-when-downgrade + await SpecialPowers.pushPrefEnv({ + set: [ + // Set both prefs, because if we only set the trackers pref, then the PB + // mode default policy pref (2) would apply! + ["network.http.referer.defaultPolicy.pbmode", 3], + ["network.http.referer.defaultPolicy.trackers.pbmode", 3], + ], + }); + await testOnWindow(true, TEST_TOP_PAGE, null); + + // strict-origin-when-cross-origin + await SpecialPowers.pushPrefEnv({ + set: [["network.http.referer.defaultPolicy.trackers.pbmode", 2]], + }); + await testOnWindow(true, TEST_DOMAIN, null); + + // same-origin + await SpecialPowers.pushPrefEnv({ + set: [["network.http.referer.defaultPolicy.trackers.pbmode", 1]], + }); + await testOnWindow(true, "", null); + + // no-referrer + await SpecialPowers.pushPrefEnv({ + set: [["network.http.referer.defaultPolicy.trackers.pbmode", 0]], + }); + await testOnWindow(true, "", null); + + // override with no-referrer + await testOnNoReferrer(true); + + // override with same-origin + await testOnSameOrigin(true); + + // override with no-referrer-when-downgrade + await testOnNoReferrerWhenDowngrade(true); + + // override with origin + await testOnOrigin(true); + + // override with strict-origin + await testOnStrictOrigin(true); + + // override with origin-when-cross-origin + await testOnOriginWhenCrossOrigin(true); + + // override with strict-origin-when-cross-origin + await testOnStrictOriginWhenCrossOrigin(true); + + // override with unsafe-url + await testOnUnsafeUrl(true); + + // Reset the pref. + Services.prefs.clearUserPref( + "network.http.referer.defaultPolicy.trackers.pbmode" + ); +}); + +add_task(async function() { + await UrlClassifierTestUtils.addTestTrackers(); + + await executeTests(); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_script.js b/toolkit/components/antitracking/test/browser/browser_script.js new file mode 100644 index 0000000000..b1dcb246e1 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_script.js @@ -0,0 +1,222 @@ +/* import-globals-from antitracking_head.js */ + +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + scriptURL: TEST_DOMAIN + TEST_PATH + "tracker.js", + page: TEST_3RD_PARTY_PAGE, + }, + ], + async obj => { + info("Checking if permission is denied"); + let callbackBlocked = async _ => { + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }; + + let assertBlocked = () => + new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(callbackBlocked.toString(), "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + + await assertBlocked(); + + info("Triggering a 3rd party script..."); + let p = new content.Promise(resolve => { + let bc = new content.BroadcastChannel("a"); + bc.onmessage = resolve; + }); + + let src = content.document.createElement("script"); + content.document.body.appendChild(src); + src.src = obj.scriptURL; + + await p; + + info("Checking if permission is denied before interacting with tracker"); + await assertBlocked(); + } + ); + + await AntiTracking.interactWithTracker(); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + scriptURL: TEST_DOMAIN + TEST_PATH + "tracker.js", + page: TEST_3RD_PARTY_PAGE, + }, + ], + async obj => { + info("Checking if permission is denied"); + let callbackBlocked = async _ => { + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }; + + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(callbackBlocked.toString(), "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + + info("Triggering a 3rd party script..."); + let p = new content.Promise(resolve => { + let bc = new content.BroadcastChannel("a"); + bc.onmessage = resolve; + }); + + let src = content.document.createElement("script"); + content.document.body.appendChild(src); + src.src = obj.scriptURL; + + await p; + + info("Checking if permission is granted"); + let callbackAllowed = async _ => { + localStorage.foo = 42; + ok(true, "LocalStorage can be used!"); + }; + + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(callbackAllowed.toString(), "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_serviceWorkersWithStorageAccessGranted.js b/toolkit/components/antitracking/test/browser/browser_serviceWorkersWithStorageAccessGranted.js new file mode 100644 index 0000000000..973e47590e --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_serviceWorkersWithStorageAccessGranted.js @@ -0,0 +1,154 @@ +/** This tests that the service worker can be used if we have storage access + * permission. We manually write the storage access permission into the + * permission manager to simulate the storage access has been granted. We would + * test the service worker three times. The fist time is to check the service + * work is allowed. The second time is to load again and check it won't hit + * assertion, this assertion would only be hit if we have registered a service + * worker, see Bug 1631234. + * + * The third time is to load again but in a sandbox iframe to check it won't + * hit the assertion. See Bug 1637226 for details. + * + * The fourth time is to load again in a nested iframe to check it won't hit + * the assertion. See Bug 1641153 for details. + * */ + +/* import-globals-from antitracking_head.js */ + +add_task(async _ => { + // Manually add the storage permission. + PermissionTestUtils.add( + TEST_DOMAIN, + "3rdPartyStorage^https://tracking.example.org", + Services.perms.ALLOW_ACTION + ); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); + + AntiTracking._createTask({ + name: + "Test that we can use service worker if we have the storage access permission", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + allowList: false, + callback: async _ => { + await navigator.serviceWorker + .register("empty.js") + .then( + _ => { + ok(true, "ServiceWorker can be used!"); + }, + _ => { + ok(false, "ServiceWorker can be used!"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + }, + extraPrefs: [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ], + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + }); + + AntiTracking._createTask({ + name: + "Test again to check if we can still use service worker without hit the assertion.", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + allowList: false, + callback: async _ => { + await navigator.serviceWorker + .register("empty.js") + .then( + _ => { + ok(true, "ServiceWorker can be used!"); + }, + _ => { + ok(false, "ServiceWorker can be used!"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + }, + extraPrefs: [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ], + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + }); + + AntiTracking._createTask({ + name: + "Test again to check if we cannot use service worker in a sandbox iframe without hit the assertion.", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + allowList: false, + callback: async _ => { + await navigator.serviceWorker + .register("empty.js") + .then( + _ => { + ok(false, "ServiceWorker cannot be used in sandbox iframe!"); + }, + _ => { + ok(true, "ServiceWorker cannot be used in sandbox iframe!"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + }, + extraPrefs: [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ], + expectedBlockingNotifications: + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications, + runInPrivateWindow: false, + iframeSandbox: "allow-scripts allow-same-origin", + accessRemoval: null, + callbackAfterRemoval: null, + }); + + const NESTED_THIRD_PARTY_PAGE = + TEST_DOMAIN + TEST_PATH + "3rdPartyRelay.html?" + TEST_3RD_PARTY_PAGE; + + AntiTracking._createTask({ + name: + "Test again to check if we can use service worker in a nested iframe without hit the assertion.", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + allowList: false, + callback: async _ => { + await navigator.serviceWorker + .register("empty.js") + .then( + _ => { + ok(true, "ServiceWorker can be used in nested iframe!"); + }, + _ => { + ok(false, "ServiceWorker can be used in nested iframe!"); + } + ) + .catch(e => ok(false, "Promise rejected: " + e)); + }, + extraPrefs: [ + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.testing.enabled", true], + ], + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + thirdPartyPage: NESTED_THIRD_PARTY_PAGE, + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_siteSpecificWorkArounds.js b/toolkit/components/antitracking/test/browser/browser_siteSpecificWorkArounds.js new file mode 100644 index 0000000000..6272cddb18 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_siteSpecificWorkArounds.js @@ -0,0 +1,111 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "localStorage with a tracker that is entitylisted via a pref", + async _ => { + let shouldThrow = [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ); + + let hasThrown; + try { + localStorage.foo = 42; + hasThrown = false; + } catch (e) { + hasThrown = true; + } + + is(hasThrown, shouldThrow, "LocalStorage is allowed"); + }, + async _ => { + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [["urlclassifier.trackingAnnotationSkipURLs", "TRACKING.EXAMPLE.ORG"]], + false, // run the window.open() test + false, // run the user interaction test + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications + false +); // run in a normal window + +AntiTracking.runTest( + "localStorage with a tracker that is entitylisted via a fancy pref", + async _ => { + let shouldThrow = [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT, + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ); + + let hasThrown; + try { + localStorage.foo = 42; + hasThrown = false; + } catch (e) { + hasThrown = true; + } + + is(hasThrown, shouldThrow, "LocalStorage is allowed"); + }, + async _ => { + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [ + [ + "urlclassifier.trackingAnnotationSkipURLs", + "foobar.example,*.example.org,baz.example", + ], + ], + false, // run the window.open() test + false, // run the user interaction test + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications + false +); // run in a normal window + +AntiTracking.runTest( + "localStorage with a tracker that is entitylisted via a misconfigured pref", + async _ => { + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + async _ => { + localStorage.foo = 42; + ok(true, "LocalStorage is allowed"); + }, + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [["urlclassifier.trackingAnnotationSkipURLs", "*.tracking.example.org"]], + false, // run the window.open() test + false, // run the user interaction test + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications + false +); // run in a normal window diff --git a/toolkit/components/antitracking/test/browser/browser_socialtracking.js b/toolkit/components/antitracking/test/browser/browser_socialtracking.js new file mode 100644 index 0000000000..ae0a42f5ef --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_socialtracking.js @@ -0,0 +1,144 @@ +/* eslint-disable prettier/prettier */ + +function runTest(obj) { + add_task(async _ => { + info("Test: " + obj.testName); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.ipc.processCount", 1], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ["privacy.storagePrincipal.enabledForTrackers", false], + [ + "privacy.trackingprotection.socialtracking.enabled", + obj.protectionEnabled, + ], + ["privacy.socialtracking.block_cookies.enabled", obj.cookieBlocking], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a non-tracker top-level context"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("The non-tracker page opens a tracker iframe"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_DOMAIN_STP + TEST_PATH + "localStorage.html", + image: TEST_3RD_PARTY_DOMAIN_STP + TEST_PATH + "raptor.jpg", + loading: obj.loading, + result: obj.result, + }, + ], + async obj => { + let loading = await new content.Promise(resolve => { + let image = new content.Image(); + image.src = obj.image + "?" + Math.random(); + image.onload = _ => resolve(true); + image.onerror = _ => resolve(false); + }); + + is(loading, obj.loading, "Loading expected"); + + if (obj.loading) { + let ifr = content.document.createElement("iframe"); + ifr.setAttribute("id", "ifr"); + ifr.setAttribute("src", obj.page); + + info("Iframe loading..."); + await new content.Promise(resolve => { + ifr.onload = resolve; + content.document.body.appendChild(ifr); + }); + + let p = new Promise(resolve => { + content.addEventListener( + "message", + e => { + resolve(e.data); + }, + { once: true } + ); + }); + + info("Setting localStorage value..."); + ifr.contentWindow.postMessage("test", "*"); + + info("Getting the value..."); + let value = await p; + is(value.status, obj.result, "We expect to succeed"); + } + } + ); + + info("Checking content blocking log."); + let contentBlockingLog = JSON.parse(await browser.getContentBlockingLog()); + let origins = Object.keys(contentBlockingLog); + is(origins.length, 1, "There should be one origin entry in the log."); + for (let origin of origins) { + is( + origin + "/", + TEST_3RD_PARTY_DOMAIN_STP, + "Correct tracker origin must be reported" + ); + Assert.deepEqual( + contentBlockingLog[origin], + obj.expectedLogItems, + "Content blocking log should be as expected" + ); + } + + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); + }); +} + +runTest({ + testName: + "Socialtracking-annotation feature enabled but not considered for tracking detection.", + protectionEnabled: false, + loading: true, + cookieBlocking: false, + result: true, + expectedLogItems: [ + [Ci.nsIWebProgressListener.STATE_COOKIES_LOADED, true, 1], + [Ci.nsIWebProgressListener.STATE_COOKIES_LOADED_SOCIALTRACKER, true, 1], + ], +}); + +runTest({ + testName: + "Socialtracking-annotation feature enabled and considered for tracking detection.", + protectionEnabled: false, + loading: true, + cookieBlocking: true, + result: false, + expectedLogItems: [ + [Ci.nsIWebProgressListener.STATE_COOKIES_LOADED, true, 1], + [Ci.nsIWebProgressListener.STATE_COOKIES_LOADED_SOCIALTRACKER, true, 1], + [Ci.nsIWebProgressListener.STATE_LOADED_SOCIALTRACKING_CONTENT, true, 2], + [Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_SOCIALTRACKER, true, 2], + ], +}); + +runTest({ + testName: "Socialtracking-protection feature enabled.", + protectionEnabled: true, + loading: false, + cookieBlocking: true, + result: false, + expectedLogItems: [ + [Ci.nsIWebProgressListener.STATE_BLOCKED_SOCIALTRACKING_CONTENT, true, 1], + ], +}); diff --git a/toolkit/components/antitracking/test/browser/browser_socialtracking_save_image.js b/toolkit/components/antitracking/test/browser/browser_socialtracking_save_image.js new file mode 100644 index 0000000000..75885722cb --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_socialtracking_save_image.js @@ -0,0 +1,115 @@ +/** + * Bug 1663992 - Testing the 'Save Image As' works in an image document if the + * image is blocked by social tracker. + */ +"use strict"; + +/* import-globals-from ../../../../content/tests/browser/common/mockTransfer.js */ +Services.scriptloader.loadSubScript( + "chrome://mochitests/content/browser/toolkit/content/tests/browser/common/mockTransfer.js", + this +); + +const TEST_IMAGE_URL = + "http://social-tracking.example.org/browser/toolkit/components/antitracking/test/browser/raptor.jpg"; + +let MockFilePicker = SpecialPowers.MockFilePicker; +MockFilePicker.init(window); + +const tempDir = createTemporarySaveDirectory(); +MockFilePicker.displayDirectory = tempDir; + +function createTemporarySaveDirectory() { + let saveDir = Services.dirsvc.get("TmpD", Ci.nsIFile); + saveDir.append("testsavedir"); + saveDir.createUnique(Ci.nsIFile.DIRECTORY_TYPE, 0o755); + return saveDir; +} + +function createPromiseForTransferComplete() { + return new Promise(resolve => { + MockFilePicker.showCallback = fp => { + info("MockFilePicker showCallback"); + + let fileName = fp.defaultString; + let destFile = tempDir.clone(); + destFile.append(fileName); + + MockFilePicker.setFiles([destFile]); + MockFilePicker.filterIndex = 0; // kSaveAsType_Complete + + MockFilePicker.showCallback = null; + mockTransferCallback = function(downloadSuccess) { + ok(downloadSuccess, "Image should have been downloaded successfully"); + mockTransferCallback = () => {}; + resolve(); + }; + }; + }); +} + +add_task(async function setup() { + info("Setting up the prefs."); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.trackingprotection.socialtracking.enabled", true], + [ + "urlclassifier.features.socialtracking.blacklistHosts", + "social-tracking.example.org", + ], + ], + }); + + info("Setting MockFilePicker."); + mockTransferRegisterer.register(); + + registerCleanupFunction(function() { + mockTransferRegisterer.unregister(); + MockFilePicker.cleanup(); + tempDir.remove(true); + }); +}); + +add_task(async function() { + info("Open a new tab for testing"); + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_IMAGE_URL + ); + + let popupShownPromise = BrowserTestUtils.waitForEvent(document, "popupshown"); + + let browser = gBrowser.selectedBrowser; + + info("Open the context menu."); + await BrowserTestUtils.synthesizeMouseAtCenter( + "img", + { + type: "contextmenu", + button: 2, + }, + browser + ); + + await popupShownPromise; + + let transferCompletePromise = createPromiseForTransferComplete(); + let saveElement = document.getElementById(`context-saveimage`); + info("Triggering the save process."); + saveElement.doCommand(); + + info("Wait until the save is finished."); + await transferCompletePromise; + + info("Close the context menu."); + let contextMenu = document.getElementById("contentAreaContextMenu"); + let popupHiddenPromise = BrowserTestUtils.waitForEvent( + contextMenu, + "popuphidden" + ); + contextMenu.hidePopup(); + await popupHiddenPromise; + + BrowserTestUtils.removeTab(tab); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_CORS_preflight.js b/toolkit/components/antitracking/test/browser/browser_staticPartition_CORS_preflight.js new file mode 100644 index 0000000000..b6b46be03d --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_CORS_preflight.js @@ -0,0 +1,151 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +const TEST_PAGE = + "http://example.org/browser/toolkit/components/antitracking/test/browser/empty.html"; +const TEST_ANOTHER_PAGE = + "http://example.com/browser/toolkit/components/antitracking/test/browser/empty.html"; +const TEST_PREFLIGHT_IFRAME_PAGE = + "http://mochi.test:8888/browser/toolkit/components/antitracking/test/browser/empty.html"; +const TEST_PREFLIGHT_PAGE = + "http://example.net/browser/toolkit/components/antitracking/test/browser/browser_staticPartition_CORS_preflight.sjs"; + +add_task(async function() { + let uuidGenerator = Cc["@mozilla.org/uuid-generator;1"].getService( + Ci.nsIUUIDGenerator + ); + + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ], + }); + + // First, create one tab under one first party. + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_PAGE + ); + let token = uuidGenerator.generateUUID().toString(); + + // Use fetch to verify that preflight cache is working. The preflight + // cache is keyed by the loading principal and the url. So, we load an + // iframe with one origin and use fetch in there to ensure we will have + // the same loading principal. + await SpecialPowers.spawn( + tab.linkedBrowser, + [TEST_PREFLIGHT_PAGE, TEST_PREFLIGHT_IFRAME_PAGE, token], + async (url, iframe_url, token) => { + let iframe = content.document.createElement("iframe"); + + await new Promise(resolve => { + iframe.onload = () => { + resolve(); + }; + content.document.body.appendChild(iframe); + iframe.src = iframe_url; + }); + + await SpecialPowers.spawn( + iframe, + [url, token], + async (url, token) => { + const test_url = `${url}?token=${token}`; + let response = await content.fetch( + new content.Request(test_url, { + mode: "cors", + method: "GET", + headers: [["x-test-header", "check"]], + }) + ); + + is( + await response.text(), + "1", + "The preflight should be sent at first time" + ); + + response = await content.fetch( + new content.Request(test_url, { + mode: "cors", + method: "GET", + headers: [["x-test-header", "check"]], + }) + ); + + is( + await response.text(), + "0", + "The preflight shouldn't be sent due to the preflight cache" + ); + } + ); + } + ); + + // Load the tab with a different first party. And use fetch to check if + // the preflight cache is partitioned. The fetch will also be performed in + // the iframe with the same origin as above to ensure we use the same + // loading principal. + BrowserTestUtils.loadURI(tab.linkedBrowser, TEST_ANOTHER_PAGE); + await BrowserTestUtils.browserLoaded(tab.linkedBrowser); + + await SpecialPowers.spawn( + tab.linkedBrowser, + [ + TEST_PREFLIGHT_PAGE, + TEST_PREFLIGHT_IFRAME_PAGE, + token, + networkIsolation, + ], + async (url, iframe_url, token, partitioned) => { + let iframe = content.document.createElement("iframe"); + + await new Promise(resolve => { + iframe.onload = () => { + resolve(); + }; + content.document.body.appendChild(iframe); + iframe.src = iframe_url; + }); + + await SpecialPowers.spawn( + iframe, + [url, token, partitioned], + async (url, token, partitioned) => { + const test_url = `${url}?token=${token}`; + + let response = await content.fetch( + new content.Request(test_url, { + mode: "cors", + method: "GET", + headers: [["x-test-header", "check"]], + }) + ); + + if (partitioned) { + is( + await response.text(), + "1", + "The preflight cache should be partitioned" + ); + } else { + is( + await response.text(), + "0", + "The preflight cache shouldn't be partitioned" + ); + } + } + ); + } + ); + + BrowserTestUtils.removeTab(tab); + } + } +}); diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_CORS_preflight.sjs b/toolkit/components/antitracking/test/browser/browser_staticPartition_CORS_preflight.sjs new file mode 100644 index 0000000000..f0665ea43c --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_CORS_preflight.sjs @@ -0,0 +1,39 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +'use strict'; + +Components.utils.importGlobalProperties(["URLSearchParams"]); + +function handleRequest(request, response) { + let query = new URLSearchParams(request.queryString); + let token = query.get("token"); + + response.setHeader("Content-Type", "text/plain", false); + response.setHeader("Access-Control-Allow-Origin", "*", false); + response.setHeader("Access-Control-Allow-Headers", "x-test-header", false); + + if (request.method == "OPTIONS") { + response.setHeader( + "Access-Control-Allow-Methods", + request.getHeader("Access-Control-Request-Method"), + false); + response.setHeader("Access-Control-Max-Age", "20", false); + + setState(token, token); + } else { + let test_op = request.getHeader("x-test-header"); + + if (test_op == "check") { + let value = getState(token); + + if (value) { + response.write("1"); + setState(token, ""); + } else { + response.write("0"); + } + } + } +} diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.js b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.js new file mode 100644 index 0000000000..fad656f8d5 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.js @@ -0,0 +1,203 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +var unsecureEmptyURL = + "http://example.org/browser/toolkit/components/antitracking/test/browser/empty.html"; +var secureEmptyURL = + "https://example.org/browser/toolkit/components/antitracking/test/browser/empty.html"; +var secureAnotherEmptyURL = + "https://example.com/browser/toolkit/components/antitracking/test/browser/empty.html"; +var secureURL = + "https://example.com/browser/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs"; +var unsecureURL = + "http://example.com/browser/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs"; +var secureImgURL = + "https://example.com/browser/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs?image"; +var unsecureImgURL = + "http://example.com/browser/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs?image"; + +function cleanupHSTS(aPartitionEnabled, aUseSite) { + // Ensure to remove example.com from the HSTS list. + let sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + + for (let origin of ["example.com", "example.org"]) { + let originAttributes = {}; + + if (aPartitionEnabled) { + if (aUseSite) { + originAttributes = { partitionKey: `(http,${origin})` }; + } else { + originAttributes = { partitionKey: origin }; + } + } + + sss.resetState( + Ci.nsISiteSecurityService.HEADER_HSTS, + NetUtil.newURI("http://example.com/"), + 0, + originAttributes + ); + } +} + +function promiseTabLoadEvent(aTab, aURL, aFinalURL) { + info("Wait for load tab event"); + BrowserTestUtils.loadURI(aTab.linkedBrowser, aURL); + return BrowserTestUtils.browserLoaded(aTab.linkedBrowser, false, aFinalURL); +} + +function waitFor(host, type) { + return new Promise(resolve => { + const observer = channel => { + if ( + channel instanceof Ci.nsIHttpChannel && + channel.URI.host === host && + channel.loadInfo.internalContentPolicyType === type + ) { + Services.obs.removeObserver(observer, "http-on-stop-request"); + resolve(channel.URI.spec); + } + }; + Services.obs.addObserver(observer, "http-on-stop-request"); + }); +} + +add_task(async function() { + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ["security.mixed_content.upgrade_display_content", false], + ], + }); + + let tab = (gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser)); + + // Let's load the secureURL as first-party in order to activate HSTS. + await promiseTabLoadEvent(tab, secureURL, secureURL); + + // Let's test HSTS: unsecure -> secure. + await promiseTabLoadEvent(tab, unsecureURL, secureURL); + ok(true, "unsecure -> secure, first-party works!"); + + // Let's load a first-party. + await promiseTabLoadEvent(tab, unsecureEmptyURL, unsecureEmptyURL); + + let finalURL = waitFor( + "example.com", + Ci.nsIContentPolicy.TYPE_INTERNAL_IFRAME + ); + + await SpecialPowers.spawn(tab.linkedBrowser, [unsecureURL], async url => { + let ifr = content.document.createElement("iframe"); + content.document.body.appendChild(ifr); + ifr.src = url; + }); + + if (networkIsolation) { + is(await finalURL, unsecureURL, "HSTS doesn't work for 3rd parties"); + } else { + is(await finalURL, secureURL, "HSTS works for 3rd parties"); + } + + gBrowser.removeCurrentTab(); + cleanupHSTS(networkIsolation, partitionPerSite); + } + } +}); + +add_task(async function test_subresource() { + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ["security.mixed_content.upgrade_display_content", false], + ], + }); + + let tab = (gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser)); + + // Load a secure page as first party. + await promiseTabLoadEvent(tab, secureEmptyURL, secureEmptyURL); + + let loadPromise = waitFor( + "example.com", + Ci.nsIContentPolicy.TYPE_INTERNAL_IMAGE + ); + + // Load a secure subresource to activate HSTS. + await SpecialPowers.spawn( + tab.linkedBrowser, + [secureImgURL], + async url => { + let ifr = content.document.createElement("img"); + content.document.body.appendChild(ifr); + ifr.src = url; + } + ); + + // Ensure the subresource is loaded. + await loadPromise; + + // Reload the secure page as first party. + await promiseTabLoadEvent(tab, secureEmptyURL, secureEmptyURL); + + let finalURL = waitFor( + "example.com", + Ci.nsIContentPolicy.TYPE_INTERNAL_IMAGE + ); + + // Load a unsecure subresource, this should be upgraded to https. + await SpecialPowers.spawn( + tab.linkedBrowser, + [unsecureImgURL], + async url => { + let ifr = content.document.createElement("img"); + content.document.body.appendChild(ifr); + ifr.src = url; + } + ); + + is(await finalURL, secureImgURL, "HSTS works for 3rd parties"); + + // Load the secure page with a different origin as first party. + await promiseTabLoadEvent( + tab, + secureAnotherEmptyURL, + secureAnotherEmptyURL + ); + + finalURL = waitFor( + "example.com", + Ci.nsIContentPolicy.TYPE_INTERNAL_IMAGE + ); + + // Load a unsecure subresource + await SpecialPowers.spawn( + tab.linkedBrowser, + [unsecureImgURL], + async url => { + let ifr = content.document.createElement("img"); + content.document.body.appendChild(ifr); + ifr.src = url; + } + ); + + if (networkIsolation) { + is(await finalURL, unsecureImgURL, "HSTS doesn't work for 3rd parties"); + } else { + is(await finalURL, secureImgURL, "HSTS works for 3rd parties"); + } + + gBrowser.removeCurrentTab(); + cleanupHSTS(networkIsolation, partitionPerSite); + } + } +}); diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs new file mode 100644 index 0000000000..0644cfa773 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs @@ -0,0 +1,25 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAA" + + "DUlEQVQImWNgY2P7DwABOgESJhRQtgAAAABJRU5ErkJggg=="); + +const PAGE = "<!DOCTYPE html><html><body><p>HSTS page</p></body></html>"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, "200", "OK"); + response.setHeader("Strict-Transport-Security", "max-age=60"); + + if (request.queryString == "image") { + response.setHeader("Content-Type", "image/png", false); + response.setHeader("Content-Length", IMG_BYTES.length + "", false); + response.write(IMG_BYTES); + return; + } + + response.setHeader("Content-Type", "text/html", false); + response.setHeader("Content-Length", PAGE.length + "", false); + response.write(PAGE); +} diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_cache.js b/toolkit/components/antitracking/test/browser/browser_staticPartition_cache.js new file mode 100644 index 0000000000..cd777f3ffa --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_cache.js @@ -0,0 +1,190 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +const cacheURL = + "http://example.org/browser/browser/components/originattributes/test/browser/file_cache.html"; + +function countMatchingCacheEntries(cacheEntries, domain, fileSuffix) { + return cacheEntries + .map(entry => entry.uri.asciiSpec) + .filter(spec => spec.includes(domain)) + .filter(spec => spec.includes("file_thirdPartyChild." + fileSuffix)).length; +} + +async function checkCache(suffixes, originAttributes) { + const loadContextInfo = Services.loadContextInfo.custom( + false, + originAttributes + ); + + const data = await new Promise(resolve => { + let cacheEntries = []; + let cacheVisitor = { + onCacheStorageInfo(num, consumption) {}, + onCacheEntryInfo(uri, idEnhance) { + cacheEntries.push({ uri, idEnhance }); + }, + onCacheEntryVisitCompleted() { + resolve(cacheEntries); + }, + QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]), + }; + // Visiting the disk cache also visits memory storage so we do not + // need to use Services.cache2.memoryCacheStorage() here. + let storage = Services.cache2.diskCacheStorage(loadContextInfo, false); + storage.asyncVisitStorage(cacheVisitor, true); + }); + + for (let suffix of suffixes) { + let foundEntryCount = countMatchingCacheEntries( + data, + "example.net", + suffix + ); + ok( + foundEntryCount > 0, + `Cache entries expected for ${suffix} and OA=${JSON.stringify( + originAttributes + )}` + ); + } +} + +add_task(async function() { + info("Disable predictor and accept all"); + await SpecialPowers.pushPrefEnv({ + set: [ + ["network.predictor.enabled", false], + ["network.predictor.enable-prefetch", false], + ["network.cookie.cookieBehavior", 0], + ], + }); + + const tests = [ + { + prefValue: true, + originAttributes: { partitionKey: "(http,example.org)" }, + }, + { + prefValue: false, + originAttributes: {}, + }, + ]; + + for (let test of tests) { + info("Clear image and network caches"); + let tools = SpecialPowers.Cc["@mozilla.org/image/tools;1"].getService( + SpecialPowers.Ci.imgITools + ); + let imageCache = tools.getImgCacheForDocument(window.document); + imageCache.clearCache(true); // true=chrome + imageCache.clearCache(false); // false=content + Services.cache2.clear(); + + info("Enabling network state partitioning"); + await SpecialPowers.pushPrefEnv({ + set: [["privacy.partition.network_state", test.prefValue]], + }); + + info("Let's load a page to populate some entries"); + let tab = (gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser)); + BrowserTestUtils.loadURI(tab.linkedBrowser, cacheURL); + await BrowserTestUtils.browserLoaded(tab.linkedBrowser, false, cacheURL); + + let argObj = { + randomSuffix: Math.random(), + urlPrefix: + "http://example.net/browser/browser/components/originattributes/test/browser/", + }; + + await SpecialPowers.spawn(tab.linkedBrowser, [argObj], async function(arg) { + // The CSS cache needs to be cleared in-process. + content.windowUtils.clearSharedStyleSheetCache(); + + let videoURL = arg.urlPrefix + "file_thirdPartyChild.video.ogv"; + let audioURL = arg.urlPrefix + "file_thirdPartyChild.audio.ogg"; + let URLSuffix = "?r=" + arg.randomSuffix; + + // Create the audio and video elements. + let audio = content.document.createElement("audio"); + let video = content.document.createElement("video"); + let audioSource = content.document.createElement("source"); + + // Append the audio element into the body, and wait until they're finished. + await new content.Promise(resolve => { + let audioLoaded = false; + + let audioListener = () => { + Assert.ok(true, `Audio suspended: ${audioURL + URLSuffix}`); + audio.removeEventListener("suspend", audioListener); + + audioLoaded = true; + if (audioLoaded) { + resolve(); + } + }; + + Assert.ok(true, `Loading audio: ${audioURL + URLSuffix}`); + + // Add the event listeners before everything in case we lose events. + audio.addEventListener("suspend", audioListener); + + // Assign attributes for the audio element. + audioSource.setAttribute("src", audioURL + URLSuffix); + audioSource.setAttribute("type", "audio/ogg"); + + audio.appendChild(audioSource); + audio.autoplay = true; + + content.document.body.appendChild(audio); + }); + + // Append the video element into the body, and wait until it's finished. + await new content.Promise(resolve => { + let listener = () => { + Assert.ok(true, `Video suspended: ${videoURL + URLSuffix}`); + video.removeEventListener("suspend", listener); + resolve(); + }; + + Assert.ok(true, `Loading video: ${videoURL + URLSuffix}`); + + // Add the event listener before everything in case we lose the event. + video.addEventListener("suspend", listener); + + // Assign attributes for the video element. + video.setAttribute("src", videoURL + URLSuffix); + video.setAttribute("type", "video/ogg"); + + content.document.body.appendChild(video); + }); + }); + + let maybePartitionedSuffixes = [ + "iframe.html", + "link.css", + "script.js", + "img.png", + "favicon.png", + "object.png", + "embed.png", + "xhr.html", + "worker.xhr.html", + "audio.ogg", + "video.ogv", + "fetch.html", + "worker.fetch.html", + "request.html", + "worker.request.html", + "import.js", + "worker.js", + "sharedworker.js", + ]; + + info("Query the cache (maybe) partitioned cache"); + await checkCache(maybePartitionedSuffixes, test.originAttributes); + + gBrowser.removeCurrentTab(); + } +}); diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_network.js b/toolkit/components/antitracking/test/browser/browser_staticPartition_network.js new file mode 100644 index 0000000000..e2570a804a --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_network.js @@ -0,0 +1,108 @@ +function altSvcCacheKeyIsolated(parsed) { + return parsed.length > 5 && parsed[5] == "I"; +} + +function altSvcPartitionKey(key) { + let parts = key.split(":"); + return parts[parts.length - 2]; +} + +const gHttpHandler = Cc["@mozilla.org/network/protocol;1?name=http"].getService( + Ci.nsIHttpProtocolHandler +); + +add_task(async function() { + info("Starting tlsSessionTickets test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["browser.cache.disk.enable", false], + ["browser.cache.memory.enable", false], + ["network.cookie.cookieBehavior", Ci.nsICookieService.BEHAVIOR_ACCEPT], + ["network.http.altsvc.proxy_checks", false], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", false], + ["privacy.partition.network_state", true], + ["privacy.partition.network_state.connection_with_proxy", true], + ], + }); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + const thirdPartyURL = + "https://tlsresumptiontest.example.org/browser/toolkit/components/antitracking/test/browser/empty-altsvc.js"; + const partitionKey1 = "^partitionKey=%28http%2Cexample.net%29"; + const partitionKey2 = "^partitionKey=%28http%2Cmochi.test%29"; + + function checkAltSvcCache(keys) { + let arr = gHttpHandler.altSvcCacheKeys; + is( + arr.length, + keys.length, + "Found the expected number of items in the cache" + ); + for (let i = 0; i < arr.length; ++i) { + is( + altSvcPartitionKey(arr[i]), + keys[i], + "Expected top window origin found in the Alt-Svc cache key" + ); + } + } + + checkAltSvcCache([]); + + info("Loading something in the tab"); + await SpecialPowers.spawn(browser, [{ thirdPartyURL }], async function(obj) { + dump("AAA: " + content.window.location.href + "\n"); + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = obj.thirdPartyURL; + await p; + }); + + checkAltSvcCache([partitionKey1]); + + info("Creating a second tab"); + let tab2 = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE_6); + gBrowser.selectedTab = tab2; + + let browser2 = gBrowser.getBrowserForTab(tab2); + await BrowserTestUtils.browserLoaded(browser2); + + info("Loading something in the second tab"); + await SpecialPowers.spawn(browser2, [{ thirdPartyURL }], async function(obj) { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = obj.thirdPartyURL; + await p; + }); + + checkAltSvcCache([partitionKey1, partitionKey2]); + + info("Removing the tabs"); + BrowserTestUtils.removeTab(tab); + BrowserTestUtils.removeTab(tab2); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_saveAs.js b/toolkit/components/antitracking/test/browser/browser_staticPartition_saveAs.js new file mode 100644 index 0000000000..cceccc247e --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_saveAs.js @@ -0,0 +1,537 @@ +/** + * Bug 1641270 - A test case for ensuring the save channel will use the correct + * cookieJarSettings when doing the saving and the cache would + * work as expected. + */ + +"use strict"; + +/* import-globals-from ../../../../content/tests/browser/common/mockTransfer.js */ +Services.scriptloader.loadSubScript( + "chrome://mochitests/content/browser/toolkit/content/tests/browser/common/mockTransfer.js", + this +); + +const TEST_IMAGE_URL = TEST_DOMAIN + TEST_PATH + "file_saveAsImage.sjs"; +const TEST_VIDEO_URL = TEST_DOMAIN + TEST_PATH + "file_saveAsVideo.sjs"; +const TEST_PAGEINFO_URL = TEST_DOMAIN + TEST_PATH + "file_saveAsPageInfo.html"; + +let MockFilePicker = SpecialPowers.MockFilePicker; +MockFilePicker.init(window); + +const tempDir = createTemporarySaveDirectory(); +MockFilePicker.displayDirectory = tempDir; + +function createTemporarySaveDirectory() { + let saveDir = Services.dirsvc.get("TmpD", Ci.nsIFile); + saveDir.append("testsavedir"); + saveDir.createUnique(Ci.nsIFile.DIRECTORY_TYPE, 0o755); + return saveDir; +} + +function createPromiseForTransferComplete(aDesirableFileName) { + return new Promise(resolve => { + MockFilePicker.showCallback = fp => { + info("MockFilePicker showCallback"); + + let fileName = fp.defaultString; + let destFile = tempDir.clone(); + destFile.append(fileName); + + if (aDesirableFileName) { + is(fileName, aDesirableFileName, "The default file name is correct."); + } + + MockFilePicker.setFiles([destFile]); + MockFilePicker.filterIndex = 0; // kSaveAsType_Complete + + MockFilePicker.showCallback = null; + mockTransferCallback = function(downloadSuccess) { + ok(downloadSuccess, "File should have been downloaded successfully"); + mockTransferCallback = () => {}; + resolve(); + }; + }; + }); +} + +function createPromiseForObservingChannel(aURL, aPartitionKey) { + return new Promise(resolve => { + let observer = (aSubject, aTopic) => { + if (aTopic === "http-on-modify-request") { + let httpChannel = aSubject.QueryInterface(Ci.nsIHttpChannel); + let reqLoadInfo = httpChannel.loadInfo; + + // Make sure this is the request which we want to check. + if (!httpChannel.URI.spec.endsWith(aURL)) { + return; + } + + info(`Checking loadInfo for URI: ${httpChannel.URI.spec}\n`); + is( + reqLoadInfo.cookieJarSettings.partitionKey, + aPartitionKey, + "The loadInfo has the correct partition key" + ); + + Services.obs.removeObserver(observer, "http-on-modify-request"); + resolve(); + } + }; + + Services.obs.addObserver(observer, "http-on-modify-request"); + }); +} + +add_task(async function setup() { + info("Setting MockFilePicker."); + mockTransferRegisterer.register(); + + registerCleanupFunction(function() { + mockTransferRegisterer.unregister(); + MockFilePicker.cleanup(); + tempDir.remove(true); + }); +}); + +add_task(async function testContextMenuSaveImage() { + let uuidGenerator = Cc["@mozilla.org/uuid-generator;1"].getService( + Ci.nsIUUIDGenerator + ); + + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ], + }); + + // We use token to separate the caches. + let token = uuidGenerator.generateUUID().toString(); + const testImageURL = `${TEST_IMAGE_URL}?token=${token}`; + + info(`Open a new tab for testing "Save image as" in context menu.`); + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_TOP_PAGE + ); + + info(`Insert the testing image into the tab.`); + await SpecialPowers.spawn( + tab.linkedBrowser, + [testImageURL], + async url => { + let img = content.document.createElement("img"); + let loaded = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.setAttribute("id", "image1"); + img.src = url; + await loaded; + } + ); + + info("Open the context menu."); + let popupShownPromise = BrowserTestUtils.waitForEvent( + document, + "popupshown" + ); + + await BrowserTestUtils.synthesizeMouseAtCenter( + "#image1", + { + type: "contextmenu", + button: 2, + }, + tab.linkedBrowser + ); + + await popupShownPromise; + + let partitionKey = partitionPerSite + ? "(http,example.net)" + : "example.net"; + + let transferCompletePromise = createPromiseForTransferComplete(); + let observerPromise = createPromiseForObservingChannel( + testImageURL, + partitionKey + ); + + let saveElement = document.getElementById("context-saveimage"); + info("Triggering the save process."); + saveElement.doCommand(); + + info("Waiting for the channel."); + await observerPromise; + + info("Wait until the save is finished."); + await transferCompletePromise; + + info("Close the context menu."); + let contextMenu = document.getElementById("contentAreaContextMenu"); + let popupHiddenPromise = BrowserTestUtils.waitForEvent( + contextMenu, + "popuphidden" + ); + contextMenu.hidePopup(); + await popupHiddenPromise; + + // Check if there will be only one network request. The another one should + // be from cache. + let res = await fetch(`${TEST_IMAGE_URL}?token=${token}&result`); + let res_text = await res.text(); + is(res_text, "1", "The image should be loaded only once."); + + BrowserTestUtils.removeTab(tab); + } + } +}); + +add_task(async function testContextMenuSaveVideo() { + let uuidGenerator = Cc["@mozilla.org/uuid-generator;1"].getService( + Ci.nsIUUIDGenerator + ); + + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ], + }); + + // We use token to separate the caches. + let token = uuidGenerator.generateUUID().toString(); + const testVideoURL = `${TEST_VIDEO_URL}?token=${token}`; + + info(`Open a new tab for testing "Save Video as" in context menu.`); + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_TOP_PAGE + ); + + info(`Insert the testing video into the tab.`); + await SpecialPowers.spawn( + tab.linkedBrowser, + [testVideoURL], + async url => { + let video = content.document.createElement("video"); + let loaded = new content.Promise(resolve => { + video.onloadeddata = resolve; + }); + content.document.body.appendChild(video); + video.setAttribute("id", "video1"); + video.src = url; + await loaded; + } + ); + + info("Open the context menu."); + let popupShownPromise = BrowserTestUtils.waitForEvent( + document, + "popupshown" + ); + + await BrowserTestUtils.synthesizeMouseAtCenter( + "#video1", + { + type: "contextmenu", + button: 2, + }, + tab.linkedBrowser + ); + + await popupShownPromise; + + let partitionKey = partitionPerSite + ? "(http,example.net)" + : "example.net"; + + // We also check the default file name, see Bug 1679325. + let transferCompletePromise = createPromiseForTransferComplete( + "file_saveAsVideo.webm" + ); + let observerPromise = createPromiseForObservingChannel( + testVideoURL, + partitionKey + ); + + let saveElement = document.getElementById("context-savevideo"); + info("Triggering the save process."); + saveElement.doCommand(); + + info("Waiting for the channel."); + await observerPromise; + + info("Wait until the save is finished."); + await transferCompletePromise; + + info("Close the context menu."); + let contextMenu = document.getElementById("contentAreaContextMenu"); + let popupHiddenPromise = BrowserTestUtils.waitForEvent( + contextMenu, + "popuphidden" + ); + contextMenu.hidePopup(); + await popupHiddenPromise; + + // Check if there will be only one network request. The another one should + // be from cache. + let res = await fetch(`${TEST_VIDEO_URL}?token=${token}&result`); + let res_text = await res.text(); + is(res_text, "1", "The video should be loaded only once."); + + BrowserTestUtils.removeTab(tab); + } + } +}); + +add_task(async function testSavePageInOfflineMode() { + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ], + }); + + let partitionKey = partitionPerSite + ? "(http,example.net)" + : "example.net"; + + info(`Open a new tab which loads an image`); + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_IMAGE_URL + ); + + info("Toggle on the offline mode"); + BrowserOffline.toggleOfflineStatus(); + + info("Open file menu and trigger 'Save Page As'"); + let menubar = document.getElementById("main-menubar"); + let filePopup = document.getElementById("menu_FilePopup"); + + // We only use the shortcut keys to open the file menu in Windows and Linux. + // Mac doesn't have a shortcut to only open the file menu. Instead, we directly + // trigger the save in MAC without any UI interactions. + if (Services.appinfo.OS !== "Darwin") { + let menubarActive = BrowserTestUtils.waitForEvent( + menubar, + "DOMMenuBarActive" + ); + EventUtils.synthesizeKey("KEY_F10"); + await menubarActive; + + let popupShownPromise = BrowserTestUtils.waitForEvent( + filePopup, + "popupshown" + ); + // In window, it still needs one extra down key to open the file menu. + if (Services.appinfo.OS === "WINNT") { + EventUtils.synthesizeKey("KEY_ArrowDown"); + } + await popupShownPromise; + } + + let transferCompletePromise = createPromiseForTransferComplete(); + let observerPromise = createPromiseForObservingChannel( + TEST_IMAGE_URL, + partitionKey + ); + + info("Triggering the save process."); + let fileSavePageAsElement = document.getElementById("menu_savePage"); + fileSavePageAsElement.doCommand(); + + info("Waiting for the channel."); + await observerPromise; + + info("Wait until the save is finished."); + await transferCompletePromise; + + // Close the file menu. + if (Services.appinfo.OS !== "Darwin") { + let popupHiddenPromise = BrowserTestUtils.waitForEvent( + filePopup, + "popuphidden" + ); + filePopup.hidePopup(); + await popupHiddenPromise; + } + + info("Toggle off the offline mode"); + BrowserOffline.toggleOfflineStatus(); + + // Clean up + BrowserTestUtils.removeTab(tab); + + // Clean up the cache count on the server side. + await fetch(`${TEST_IMAGE_URL}?result`); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + } + } +}); + +add_task(async function testPageInfoMediaSaveAs() { + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ], + }); + + let partitionKey = partitionPerSite + ? "(http,example.net)" + : "example.net"; + + info( + `Open a new tab for testing "Save AS" in the media panel of the page info.` + ); + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_PAGEINFO_URL + ); + + info("Open the media panel of the pageinfo."); + let pageInfo = BrowserPageInfo( + gBrowser.selectedBrowser.currentURI.spec, + "mediaTab" + ); + + await BrowserTestUtils.waitForEvent(pageInfo, "page-info-init"); + + let imageTree = pageInfo.document.getElementById("imagetree"); + let imageRowsNum = imageTree.view.rowCount; + + is(imageRowsNum, 2, "There should be two media items here."); + + for (let i = 0; i < imageRowsNum; i++) { + imageTree.view.selection.select(i); + imageTree.ensureRowIsVisible(i); + imageTree.focus(); + + // Wait until the preview is loaded. + let preview = pageInfo.document.getElementById("thepreviewimage"); + let mediaType = pageInfo.gImageView.data[i][1]; // COL_IMAGE_TYPE + if (mediaType == "Image") { + await BrowserTestUtils.waitForEvent(preview, "loadend"); + } else if (mediaType == "Video") { + await BrowserTestUtils.waitForEvent(preview, "canplaythrough"); + } + + let url = pageInfo.gImageView.data[i][0]; // COL_IMAGE_ADDRESS + info(`Start to save the media item with URL: ${url}`); + + let transferCompletePromise = createPromiseForTransferComplete(); + + // Observe the channel and check if it has the correct partitionKey. + let observerPromise = createPromiseForObservingChannel( + url, + partitionKey + ); + + info("Triggering the save process."); + let saveElement = pageInfo.document.getElementById("imagesaveasbutton"); + saveElement.doCommand(); + + info("Waiting for the channel."); + await observerPromise; + + info("Wait until the save is finished."); + await transferCompletePromise; + } + + pageInfo.close(); + BrowserTestUtils.removeTab(tab); + } + } +}); + +add_task(async function testPageInfoMediaMultipleSelectedSaveAs() { + for (let networkIsolation of [true, false]) { + for (let partitionPerSite of [true, false]) { + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.partition.network_state", networkIsolation], + ["privacy.dynamic_firstparty.use_site", partitionPerSite], + ], + }); + + let partitionKey = partitionPerSite + ? "(http,example.net)" + : "example.net"; + + info( + `Open a new tab for testing "Save AS" in the media panel of the page info.` + ); + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + TEST_PAGEINFO_URL + ); + + info("Open the media panel of the pageinfo."); + let pageInfo = BrowserPageInfo( + gBrowser.selectedBrowser.currentURI.spec, + "mediaTab" + ); + + await BrowserTestUtils.waitForEvent(pageInfo, "page-info-init"); + + // Make sure the preview image is loaded in order to avoid interfering + // following tests. + let preview = pageInfo.document.getElementById("thepreviewimage"); + await BrowserTestUtils.waitForCondition(() => { + return preview.complete; + }); + + let imageTree = pageInfo.document.getElementById("imagetree"); + let imageRowsNum = imageTree.view.rowCount; + + is(imageRowsNum, 2, "There should be two media items here."); + + imageTree.view.selection.selectAll(); + imageTree.focus(); + + let url = pageInfo.gImageView.data[0][0]; // COL_IMAGE_ADDRESS + info(`Start to save the media item with URL: ${url}`); + + let transferCompletePromise = createPromiseForTransferComplete(); + let observerPromises = []; + + // Observe all channels and check if they have the correct partitionKey. + for (let i = 0; i < imageRowsNum; ++i) { + let observerPromise = createPromiseForObservingChannel( + url, + partitionKey + ); + observerPromises.push(observerPromise); + } + + info("Triggering the save process."); + let saveElement = pageInfo.document.getElementById("imagesaveasbutton"); + saveElement.doCommand(); + + info("Waiting for the all channels."); + await Promise.all(observerPromises); + + info("Wait until the save is finished."); + await transferCompletePromise; + + pageInfo.close(); + BrowserTestUtils.removeTab(tab); + } + } +}); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessDoorHanger.js b/toolkit/components/antitracking/test/browser/browser_storageAccessDoorHanger.js new file mode 100644 index 0000000000..d0385eb76b --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessDoorHanger.js @@ -0,0 +1,325 @@ +/* eslint-disable mozilla/no-arbitrary-setTimeout */ +const CHROME_BASE = + "chrome://mochitests/content/browser/browser/modules/test/browser/"; +Services.scriptloader.loadSubScript(CHROME_BASE + "head.js", this); +/* import-globals-from ../../../../../browser/modules/test/browser/head.js */ + +const BLOCK = 0; +const ALLOW = 1; + +async function testDoorHanger( + choice, + showPrompt, + useEscape, + topPage, + maxConcurrent +) { + info( + `Running doorhanger test with choice #${choice}, showPrompt: ${showPrompt} and ` + + `useEscape: ${useEscape}, topPage: ${topPage}, maxConcurrent: ${maxConcurrent}` + ); + + if (!showPrompt) { + is(choice, ALLOW, "When not showing a prompt, we can only auto-grant"); + ok( + !useEscape, + "When not showing a prompt, we should not be trying to use the Esc key" + ); + } + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.auto_grants", true], + ["dom.storage_access.auto_grants.delayed", false], + ["dom.storage_access.enabled", true], + ["dom.storage_access.max_concurrent_auto_grants", maxConcurrent], + ["dom.storage_access.prompt.testing", false], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ["browser.contentblocking.state-partitioning.mvp.ui.enabled", true], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + let tab = BrowserTestUtils.addTab(gBrowser, topPage); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + async function runChecks() { + // We need to repeat this constant here since runChecks is stringified + // and sent to the content process. + const BLOCK = 0; + + await new Promise(resolve => { + addEventListener( + "message", + function onMessage(e) { + if (e.data.startsWith("choice:")) { + window.choice = e.data.split(":")[1]; + window.useEscape = e.data.split(":")[3]; + removeEventListener("message", onMessage); + resolve(); + } + }, + false + ); + parent.postMessage("getchoice", "*"); + }); + + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + is(document.cookie, "", "No cookies for me"); + document.cookie = "name=value"; + is(document.cookie, "", "No cookies for me"); + + await fetch("server.sjs") + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + // Let's do it twice. + await fetch("server.sjs") + .then(r => r.text()) + .then(text => { + is(text, "cookie-not-present", "We should not have cookies"); + }); + + is(document.cookie, "", "Still no cookies for me"); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + if (choice == BLOCK) { + // We've said no, so cookies are still blocked + is(document.cookie, "", "Still no cookies for me"); + document.cookie = "name=value"; + is(document.cookie, "", "No cookies for me"); + } else { + // We've said yes, so cookies are allowed now + is(document.cookie, "", "No cookies for me"); + document.cookie = "name=value"; + is(document.cookie, "name=value", "I have the cookies!"); + } + } + + let permChanged; + // Only create the promise when we're going to click one of the allow buttons. + if (choice != BLOCK) { + permChanged = TestUtils.topicObserved("perm-changed", (subject, data) => { + let result; + if (choice == ALLOW) { + result = + subject && + subject + .QueryInterface(Ci.nsIPermission) + .type.startsWith("3rdPartyStorage^") && + subject.principal.origin == new URL(topPage).origin && + data == "added"; + } + return result; + }); + } + let shownPromise = BrowserTestUtils.waitForEvent( + PopupNotifications.panel, + "popupshown" + ); + shownPromise.then(async _ => { + if (topPage != gBrowser.currentURI.spec) { + return; + } + ok(showPrompt, "We shouldn't show the prompt when we don't intend to"); + let notification = await new Promise(function poll(resolve) { + let notification = PopupNotifications.getNotification( + "storage-access", + browser + ); + if (notification) { + resolve(notification); + return; + } + setTimeout(poll, 10); + }); + Assert.ok(notification, "Should have gotten the notification"); + + if (choice == BLOCK) { + if (useEscape) { + EventUtils.synthesizeKey("KEY_Escape", {}, window); + } else { + await clickSecondaryAction(); + } + } else if (choice == ALLOW) { + await clickMainAction(); + } + if (choice != BLOCK) { + await permChanged; + } + }); + + let url = TEST_3RD_PARTY_PAGE + "?disableWaitUntilPermission"; + let ct = SpecialPowers.spawn( + browser, + [{ page: url, callback: runChecks.toString(), choice, useEscape }], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj.callback, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + if (event.data == "getchoice") { + ifr.contentWindow.postMessage( + "choice:" + obj.choice + ":useEscape:" + obj.useEscape, + "*" + ); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + if (showPrompt) { + await Promise.all([ct, shownPromise]); + } else { + await Promise.all([ct, permChanged]); + } + if (choice != BLOCK) { + let identityPopupPromise = BrowserTestUtils.waitForEvent( + window, + "popupshown", + true, + event => event.target == gIdentityHandler._identityPopup + ); + gIdentityHandler._identityBox.click(); + await identityPopupPromise; + let permissionItem = document.getElementById( + `identity-popup-permission-label-3rdPartyStorage^https://tracking.example.org` + ); + ok(permissionItem, "Permission item exists"); + ok( + BrowserTestUtils.is_visible(permissionItem), + "Permission item visible in the identity panel" + ); + identityPopupPromise = BrowserTestUtils.waitForEvent( + gIdentityHandler._identityPopup, + "popuphidden" + ); + gIdentityHandler._identityPopup.hidePopup(); + await identityPopupPromise; + } + + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +} + +async function preparePermissionsFromOtherSites(topPage) { + info("Faking permissions from other sites"); + let type = "3rdPartyStorage^https://tracking.example.org"; + let permission = Services.perms.ALLOW_ACTION; + let expireType = Services.perms.EXPIRE_SESSION; + if (topPage == TEST_TOP_PAGE) { + // For the first page, don't do anything + } else if (topPage == TEST_TOP_PAGE_2) { + // For the second page, only add the permission from the first page + PermissionTestUtils.add(TEST_DOMAIN, type, permission, expireType, 0); + } else if (topPage == TEST_TOP_PAGE_3) { + // For the third page, add the permissions from the first two pages + PermissionTestUtils.add(TEST_DOMAIN, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_2, type, permission, expireType, 0); + } else if (topPage == TEST_TOP_PAGE_4) { + // For the fourth page, add the permissions from the first three pages + PermissionTestUtils.add(TEST_DOMAIN, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_2, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_3, type, permission, expireType, 0); + } else if (topPage == TEST_TOP_PAGE_5) { + // For the fifth page, add the permissions from the first four pages + PermissionTestUtils.add(TEST_DOMAIN, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_2, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_3, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_4, type, permission, expireType, 0); + } else if (topPage == TEST_TOP_PAGE_6) { + // For the sixth page, add the permissions from the first five pages + PermissionTestUtils.add(TEST_DOMAIN, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_2, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_3, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_4, type, permission, expireType, 0); + PermissionTestUtils.add(TEST_DOMAIN_5, type, permission, expireType, 0); + } else { + ok(false, "Unexpected top page: " + topPage); + } +} + +async function cleanUp() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +} + +async function runRound(topPage, showPrompt, maxConcurrent) { + if (showPrompt) { + await preparePermissionsFromOtherSites(topPage); + await testDoorHanger(BLOCK, showPrompt, true, topPage, maxConcurrent); + await cleanUp(); + await preparePermissionsFromOtherSites(topPage); + await testDoorHanger(BLOCK, showPrompt, false, topPage, maxConcurrent); + await cleanUp(); + await preparePermissionsFromOtherSites(topPage); + await testDoorHanger(ALLOW, showPrompt, false, topPage, maxConcurrent); + await cleanUp(); + } else { + await preparePermissionsFromOtherSites(topPage); + await testDoorHanger(ALLOW, showPrompt, false, topPage, maxConcurrent); + } + await cleanUp(); +} + +add_task(async function() { + await runRound(TEST_TOP_PAGE, false, 1); + await runRound(TEST_TOP_PAGE_2, true, 1); + await runRound(TEST_TOP_PAGE, false, 5); + await runRound(TEST_TOP_PAGE_2, false, 5); + await runRound(TEST_TOP_PAGE_3, false, 5); + await runRound(TEST_TOP_PAGE_4, false, 5); + await runRound(TEST_TOP_PAGE_5, false, 5); + await runRound(TEST_TOP_PAGE_6, true, 5); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessPromiseRejectHandlerUserInteraction.js b/toolkit/components/antitracking/test/browser/browser_storageAccessPromiseRejectHandlerUserInteraction.js new file mode 100644 index 0000000000..1146f79515 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessPromiseRejectHandlerUserInteraction.js @@ -0,0 +1,33 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "Storage Access API returns promises that maintain user activation for calling its reject handler", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + let [threw, rejected] = await callRequestStorageAccess(dwu => { + ok( + dwu.isHandlingUserInput, + "Promise reject handler must run as if we're handling user input" + ); + }, true); + ok(!threw, "requestStorageAccess should not throw"); + ok(rejected, "requestStorageAccess should not be available"); + }, + + null, // non-blocking callback + // cleanup function + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, // extra prefs + false, // no window open test + false, // no user-interaction test + 0, // expected blocking notifications + false, // private window + "allow-scripts allow-same-origin allow-popups" // iframe sandbox +); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessPromiseResolveHandlerUserInteraction.js b/toolkit/components/antitracking/test/browser/browser_storageAccessPromiseResolveHandlerUserInteraction.js new file mode 100644 index 0000000000..09d00fd121 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessPromiseResolveHandlerUserInteraction.js @@ -0,0 +1,46 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "Storage Access API returns promises that maintain user activation", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + let [threw, rejected] = await callRequestStorageAccess(dwu => { + ok( + dwu.isHandlingUserInput, + "Promise handler must run as if we're handling user input" + ); + }); + ok(!threw, "requestStorageAccess should not throw"); + ok(!rejected, "requestStorageAccess should be available"); + + let dwu = SpecialPowers.getDOMWindowUtils(window); + let helper = dwu.setHandlingUserInput(true); + + let promise; + try { + promise = document.hasStorageAccess(); + } finally { + helper.destruct(); + } + await promise.then(_ => { + ok( + dwu.isHandlingUserInput, + "Promise handler must run as if we're handling user input" + ); + }); + }, + + null, // non-blocking callback + // cleanup function + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, // extra prefs + false, // no window open test + false // no user-interaction test +); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessRemovalNavigateSubframe.js b/toolkit/components/antitracking/test/browser/browser_storageAccessRemovalNavigateSubframe.js new file mode 100644 index 0000000000..91606b68ef --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessRemovalNavigateSubframe.js @@ -0,0 +1,43 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "Storage Access is removed when subframe navigates", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }, + + // non-blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + /* import-globals-from storageAccessAPIHelpers.js */ + let [threw, rejected] = await callRequestStorageAccess(); + ok(!threw, "requestStorageAccess should not throw"); + ok(!rejected, "requestStorageAccess should be available"); + }, + // cleanup function + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, // extra prefs + false, // no window open test + false, // no user-interaction test + 0, // no blocking notifications + false, // run in normal window + null, // no iframe sandbox + "navigate-subframe", // access removal type + // after-removal callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + // TODO: this is just a temporarily fixed, we should update the testcase + // in Bug 1649399 + await hasStorageAccessInitially(); + } +); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessRemovalNavigateTopframe.js b/toolkit/components/antitracking/test/browser/browser_storageAccessRemovalNavigateTopframe.js new file mode 100644 index 0000000000..22ec99ad07 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessRemovalNavigateTopframe.js @@ -0,0 +1,41 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "Storage Access is removed when topframe navigates", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }, + + // non-blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + /* import-globals-from storageAccessAPIHelpers.js */ + let [threw, rejected] = await callRequestStorageAccess(); + ok(!threw, "requestStorageAccess should not throw"); + ok(!rejected, "requestStorageAccess should be available"); + }, + // cleanup function + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + null, // extra prefs + false, // no window open test + false, // no user-interaction test + 0, // no blocking notifications + false, // run in normal window + null, // no iframe sandbox + "navigate-topframe", // access removal type + // after-removal callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + } +); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessSandboxed.js b/toolkit/components/antitracking/test/browser/browser_storageAccessSandboxed.js new file mode 100644 index 0000000000..2c9b7e3df8 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessSandboxed.js @@ -0,0 +1,155 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking.runTest( + "Storage Access API called in a sandboxed iframe", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + let [threw, rejected] = await callRequestStorageAccess(); + ok(!threw, "requestStorageAccess should not throw"); + ok(rejected, "requestStorageAccess shouldn't be available"); + }, + + null, // non-blocking callback + // cleanup function + async _ => { + // Only clear the user-interaction permissions for the tracker here so that + // the next test has a clean slate. + await new Promise(resolve => { + Services.clearData.deleteDataFromHost( + Services.io.newURI(TEST_3RD_PARTY_DOMAIN).host, + true, + Ci.nsIClearDataService.CLEAR_PERMISSIONS, + value => resolve() + ); + }); + }, + [["dom.storage_access.enabled", true]], // extra prefs + false, // no window open test + false, // no user-interaction test + 0, // no blocking notifications + false, // run in normal window + "allow-scripts allow-same-origin allow-popups" +); + +AntiTracking.runTest( + "Storage Access API called in a sandboxed iframe with" + + " allow-storage-access-by-user-activation", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + let [threw, rejected] = await callRequestStorageAccess(); + ok(!threw, "requestStorageAccess should not throw"); + ok(!rejected, "requestStorageAccess should be available"); + }, + + null, // non-blocking callback + null, // cleanup function + [["dom.storage_access.enabled", true]], // extra prefs + false, // no window open test + false, // no user-interaction test + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications + false, // run in normal window + "allow-scripts allow-same-origin allow-popups allow-storage-access-by-user-activation" +); + +AntiTracking.runTest( + "Verify that sandboxed contexts don't get the saved permission", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + + null, // non-blocking callback + null, // cleanup function + [["dom.storage_access.enabled", true]], // extra prefs + false, // no window open test + false, // no user-interaction test + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications + false, // run in normal window + "allow-scripts allow-same-origin allow-popups" +); + +AntiTracking.runTest( + "Verify that sandboxed contexts with" + + " allow-storage-access-by-user-activation get the" + + " saved permission", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + localStorage.foo = 42; + ok(true, "LocalStorage can be used!"); + }, + + null, // non-blocking callback + null, // cleanup function + [["dom.storage_access.enabled", true]], // extra prefs + false, // no window open test + false, // no user-interaction test + 0, // no blocking notifications + false, // run in normal window + "allow-scripts allow-same-origin allow-popups allow-storage-access-by-user-activation" +); + +AntiTracking.runTest( + "Verify that private browsing contexts don't get the saved permission", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + try { + localStorage.foo = 42; + ok(false, "LocalStorage cannot be used!"); + } catch (e) { + ok(true, "LocalStorage cannot be used!"); + is(e.name, "SecurityError", "We want a security error message."); + } + }, + + null, // non-blocking callback + null, // cleanup function + [["dom.storage_access.enabled", true]], // extra prefs + false, // no window open test + false, // no user-interaction test + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, // expect blocking notifications + true, // run in private window + null // iframe sandbox +); + +AntiTracking.runTest( + "Verify that non-sandboxed contexts get the saved permission", + // blocking callback + async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + + localStorage.foo = 42; + ok(true, "LocalStorage can be used!"); + }, + + null, // non-blocking callback + // cleanup function + async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + }, + [["dom.storage_access.enabled", true]], // extra prefs + false, // no window open test + false, // no user-interaction test + 0 // no blocking notifications +); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessThirdPartyChecks.js b/toolkit/components/antitracking/test/browser/browser_storageAccessThirdPartyChecks.js new file mode 100644 index 0000000000..a7849d74c9 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessThirdPartyChecks.js @@ -0,0 +1,63 @@ +/* import-globals-from antitracking_head.js */ + +AntiTracking._createTask({ + name: + "Test that after a storage access grant we have full first-party access", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + blockingByContentBlockingRTUI: true, + allowList: false, + callback: async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + + await callRequestStorageAccess(); + + const TRACKING_PAGE = + "http://another-tracking.example.net/browser/browser/base/content/test/protectionsUI/trackingPage.html"; + async function runChecks(name) { + let iframe = document.createElement("iframe"); + iframe.src = TRACKING_PAGE; + document.body.appendChild(iframe); + await new Promise(resolve => { + iframe.onload = resolve; + }); + + await SpecialPowers.spawn(iframe, [name], name => { + content.postMessage(name, "*"); + }); + + await new Promise(resolve => { + onmessage = e => { + if (e.data == "done") { + resolve(); + } + }; + }); + } + + await runChecks("image"); + }, + extraPrefs: null, + expectedBlockingNotifications: + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + thirdPartyPage: TEST_3RD_PARTY_PAGE_HTTP, + errorMessageDomains: [ + "http://tracking.example.org", + "http://tracking.example.org", + "http://tracking.example.org", + "http://tracking.example.org", + "http://tracking.example.org", + ], +}); + +add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessWithDynamicFpi.js b/toolkit/components/antitracking/test/browser/browser_storageAccessWithDynamicFpi.js new file mode 100644 index 0000000000..8928bb7f16 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessWithDynamicFpi.js @@ -0,0 +1,531 @@ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* import-globals-from head.js */ + +"use strict"; + +const { RemoteSettings } = ChromeUtils.import( + "resource://services-settings/remote-settings.js" +); + +XPCOMUtils.defineLazyServiceGetter( + this, + "peuService", + "@mozilla.org/partitioning/exception-list-service;1", + "nsIPartitioningExceptionListService" +); + +const TEST_REDIRECT_TOP_PAGE = + TEST_3RD_PARTY_DOMAIN + TEST_PATH + "redirect.sjs?" + TEST_TOP_PAGE; +const TEST_REDIRECT_3RD_PARTY_PAGE = + TEST_DOMAIN + TEST_PATH + "redirect.sjs?" + TEST_3RD_PARTY_PARTITIONED_PAGE; + +const COLLECTION_NAME = "partitioning-exempt-urls"; +const EXCEPTION_LIST_PREF_NAME = "privacy.restrict3rdpartystorage.skip_list"; + +async function cleanup() { + Services.prefs.clearUserPref(EXCEPTION_LIST_PREF_NAME); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +} + +add_task(async function setup() { + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ], + ["privacy.restrict3rdpartystorage.heuristic.redirect", false], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + registerCleanupFunction(cleanup); +}); + +function executeContentScript(browser, callback, options = {}) { + return SpecialPowers.spawn( + browser, + [ + { + callback: callback.toString(), + ...options, + }, + ], + obj => { + return new content.Promise(async resolve => { + if (obj.page) { + // third-party + let ifr = content.document.createElement("iframe"); + ifr.onload = async () => { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage( + { cb: obj.callback, value: obj.value }, + "*" + ); + }; + + content.addEventListener("message", event => resolve(event.data), { + once: true, + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + } else { + // first-party + let runnableStr = `(() => {return (${obj.callback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + resolve(await runnable.call(content, content, obj.value)); + } + }); + } + ); +} + +function readNetworkCookie(win) { + return win + .fetch("cookies.sjs") + .then(r => r.text()) + .then(text => { + return text.substring("cookie:foopy=".length); + }); +} + +async function writeNetworkCookie(win, value) { + await win.fetch("cookies.sjs?" + value).then(r => r.text()); + return true; +} + +function createDataInFirstParty(browser, value) { + return executeContentScript(browser, writeNetworkCookie, { value }); +} +function getDataFromFirstParty(browser) { + return executeContentScript(browser, readNetworkCookie, {}); +} +function createDataInThirdParty(browser, value) { + return executeContentScript(browser, writeNetworkCookie, { + page: TEST_3RD_PARTY_PARTITIONED_PAGE, + value, + }); +} +function getDataFromThirdParty(browser) { + return executeContentScript(browser, readNetworkCookie, { + page: TEST_3RD_PARTY_PARTITIONED_PAGE, + }); +} + +async function redirectWithUserInteraction(browser, url, wait = null) { + await executeContentScript( + browser, + (content, value) => { + content.document.userInteractionForTesting(); + + let link = content.document.createElement("a"); + link.appendChild(content.document.createTextNode("click me!")); + link.href = value; + content.document.body.appendChild(link); + link.click(); + }, + { + value: url, + } + ); + await BrowserTestUtils.browserLoaded(browser, false, wait || url); +} + +async function checkData(browser, options) { + if ("firstParty" in options) { + is( + await getDataFromFirstParty(browser), + options.firstParty, + "correct first-party data" + ); + } + if ("thirdParty" in options) { + is( + await getDataFromThirdParty(browser), + options.thirdParty, + "correct third-party data" + ); + } +} + +add_task(async function testRedirectHeuristic() { + info("Starting Dynamic FPI Redirect Heuristic test..."); + + await SpecialPowers.pushPrefEnv({ + set: [["privacy.restrict3rdpartystorage.heuristic.recently_visited", true]], + }); + + // mark third-party as tracker + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("initializing..."); + await checkData(browser, { firstParty: "", thirdParty: "" }); + + await Promise.all([ + createDataInFirstParty(browser, "firstParty"), + createDataInThirdParty(browser, "thirdParty"), + ]); + + await checkData(browser, { + firstParty: "firstParty", + thirdParty: "", + }); + + info("load third-party content as first-party"); + await redirectWithUserInteraction( + browser, + TEST_REDIRECT_3RD_PARTY_PAGE, + TEST_3RD_PARTY_PARTITIONED_PAGE + ); + + await checkData(browser, { firstParty: "" }); + await createDataInFirstParty(browser, "heuristicFirstParty"); + await checkData(browser, { firstParty: "heuristicFirstParty" }); + + info("redirect back to first-party page"); + await redirectWithUserInteraction( + browser, + TEST_REDIRECT_TOP_PAGE, + TEST_TOP_PAGE + ); + + info("third-party tracker should NOT able to access first-party data"); + await checkData(browser, { + firstParty: "firstParty", + thirdParty: "", + }); + + // remove third-party from tracker + await UrlClassifierTestUtils.cleanupTestTrackers(); + + info("load third-party content as first-party"); + await redirectWithUserInteraction( + browser, + TEST_REDIRECT_3RD_PARTY_PAGE, + TEST_3RD_PARTY_PARTITIONED_PAGE + ); + + await checkData(browser, { + firstParty: "heuristicFirstParty", + }); + + info("redirect back to first-party page"); + await redirectWithUserInteraction( + browser, + TEST_REDIRECT_TOP_PAGE, + TEST_TOP_PAGE + ); + + info("third-party page should able to access first-party data"); + await checkData(browser, { + firstParty: "firstParty", + thirdParty: "heuristicFirstParty", + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + await cleanup(); +}); + +class UpdateEvent extends EventTarget {} +function waitForEvent(element, eventName) { + return new Promise(function(resolve) { + element.addEventListener(eventName, e => resolve(e.detail), { once: true }); + }); +} + +add_task(async function testExceptionListPref() { + info("Starting Dynamic FPI exception list test pref"); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.restrict3rdpartystorage.heuristic.recently_visited", false], + ], + }); + + info("Creating new tabs"); + let tabThirdParty = BrowserTestUtils.addTab( + gBrowser, + TEST_3RD_PARTY_PARTITIONED_PAGE + ); + gBrowser.selectedTab = tabThirdParty; + + let browserThirdParty = gBrowser.getBrowserForTab(tabThirdParty); + await BrowserTestUtils.browserLoaded(browserThirdParty); + + let tabFirstParty = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tabFirstParty; + + let browserFirstParty = gBrowser.getBrowserForTab(tabFirstParty); + await BrowserTestUtils.browserLoaded(browserFirstParty); + + info("initializing..."); + await Promise.all([ + checkData(browserFirstParty, { firstParty: "", thirdParty: "" }), + checkData(browserThirdParty, { firstParty: "" }), + ]); + + info("fill default data"); + await Promise.all([ + createDataInFirstParty(browserFirstParty, "firstParty"), + createDataInThirdParty(browserFirstParty, "thirdParty"), + createDataInFirstParty(browserThirdParty, "ExceptionListFirstParty"), + ]); + + info("check data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "thirdParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("set exception list pref"); + Services.prefs.setStringPref( + EXCEPTION_LIST_PREF_NAME, + `${TEST_DOMAIN},${TEST_3RD_PARTY_DOMAIN}` + ); + + info("check data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "ExceptionListFirstParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tabFirstParty); + BrowserTestUtils.removeTab(tabThirdParty); + + await cleanup(); +}); + +add_task(async function testExceptionListRemoteSettings() { + info("Starting Dynamic FPI exception list test (remote settings)"); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.restrict3rdpartystorage.heuristic.recently_visited", false], + ], + }); + + // Make sure we have a pref initially, since the exception list service + // requires it. + Services.prefs.setStringPref(EXCEPTION_LIST_PREF_NAME, ""); + + // Add some initial data + let db = await RemoteSettings(COLLECTION_NAME).db; + await db.importChanges({}, 42, []); + + // make peuSerivce start working by calling + // registerAndRunExceptionListObserver + let updateEvent = new UpdateEvent(); + let obs = data => { + let event = new CustomEvent("update", { detail: data }); + updateEvent.dispatchEvent(event); + }; + let promise = waitForEvent(updateEvent, "update"); + peuService.registerAndRunExceptionListObserver(obs); + await promise; + + info("Creating new tabs"); + let tabThirdParty = BrowserTestUtils.addTab( + gBrowser, + TEST_3RD_PARTY_PARTITIONED_PAGE + ); + gBrowser.selectedTab = tabThirdParty; + + let browserThirdParty = gBrowser.getBrowserForTab(tabThirdParty); + await BrowserTestUtils.browserLoaded(browserThirdParty); + + let tabFirstParty = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tabFirstParty; + + let browserFirstParty = gBrowser.getBrowserForTab(tabFirstParty); + await BrowserTestUtils.browserLoaded(browserFirstParty); + + info("initializing..."); + await Promise.all([ + checkData(browserFirstParty, { firstParty: "", thirdParty: "" }), + checkData(browserThirdParty, { firstParty: "" }), + ]); + + info("fill default data"); + await Promise.all([ + createDataInFirstParty(browserFirstParty, "firstParty"), + createDataInThirdParty(browserFirstParty, "thirdParty"), + createDataInFirstParty(browserThirdParty, "ExceptionListFirstParty"), + ]); + + info("check data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "thirdParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("set exception list remote settings"); + + // set records + promise = waitForEvent(updateEvent, "update"); + await RemoteSettings(COLLECTION_NAME).emit("sync", { + data: { + current: [ + { + id: "1", + last_modified: 100000000000000000001, + firstPartyOrigin: TEST_DOMAIN, + thirdPartyOrigin: TEST_3RD_PARTY_DOMAIN, + }, + ], + }, + }); + + let list = await promise; + is( + list, + `${TEST_DOMAIN},${TEST_3RD_PARTY_DOMAIN}`, + "exception list is correctly set" + ); + + info("check data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "ExceptionListFirstParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tabFirstParty); + BrowserTestUtils.removeTab(tabThirdParty); + + promise = waitForEvent(updateEvent, "update"); + await RemoteSettings(COLLECTION_NAME).emit("sync", { + data: { + current: [], + }, + }); + is(await promise, "", "Exception list is cleared"); + + peuService.unregisterExceptionListObserver(obs); + await cleanup(); +}); + +add_task(async function testWildcardExceptionListPref() { + info("Starting Dynamic FPI wirdcard exception list test pref"); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.restrict3rdpartystorage.heuristic.recently_visited", false], + ], + }); + + info("Creating new tabs"); + let tabThirdParty = BrowserTestUtils.addTab( + gBrowser, + TEST_3RD_PARTY_PARTITIONED_PAGE + ); + gBrowser.selectedTab = tabThirdParty; + + let browserThirdParty = gBrowser.getBrowserForTab(tabThirdParty); + await BrowserTestUtils.browserLoaded(browserThirdParty); + + let tabFirstParty = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tabFirstParty; + + let browserFirstParty = gBrowser.getBrowserForTab(tabFirstParty); + await BrowserTestUtils.browserLoaded(browserFirstParty); + + info("initializing..."); + await Promise.all([ + checkData(browserFirstParty, { firstParty: "", thirdParty: "" }), + checkData(browserThirdParty, { firstParty: "" }), + ]); + + info("fill default data"); + await Promise.all([ + createDataInFirstParty(browserFirstParty, "firstParty"), + createDataInThirdParty(browserFirstParty, "thirdParty"), + createDataInFirstParty(browserThirdParty, "ExceptionListFirstParty"), + ]); + + info("check initial data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "thirdParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("set wildcard (1st-party) pref"); + Services.prefs.setStringPref( + EXCEPTION_LIST_PREF_NAME, + `*,${TEST_3RD_PARTY_DOMAIN}` + ); + + info("check wildcard (1st-party) data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "ExceptionListFirstParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("set invalid exception list pref"); + Services.prefs.setStringPref(EXCEPTION_LIST_PREF_NAME, "*,*"); + + info("check initial data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "thirdParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("set wildcard (3rd-party) pref"); + Services.prefs.setStringPref(EXCEPTION_LIST_PREF_NAME, `${TEST_DOMAIN},*`); + + info("check wildcard (3rd-party) data"); + await Promise.all([ + checkData(browserFirstParty, { + firstParty: "firstParty", + thirdParty: "ExceptionListFirstParty", + }), + checkData(browserThirdParty, { firstParty: "ExceptionListFirstParty" }), + ]); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tabFirstParty); + BrowserTestUtils.removeTab(tabThirdParty); + + await cleanup(); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_storageAccessWithHeuristics.js b/toolkit/components/antitracking/test/browser/browser_storageAccessWithHeuristics.js new file mode 100644 index 0000000000..a1a83f74f3 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_storageAccessWithHeuristics.js @@ -0,0 +1,829 @@ +/* import-globals-from antitracking_head.js */ + +function waitStoragePermission() { + return new Promise(resolve => { + let id = setInterval(async _ => { + if ( + await SpecialPowers.testPermission( + `3rdPartyStorage^${TEST_3RD_PARTY_DOMAIN.slice(0, -1)}`, + SpecialPowers.Services.perms.ALLOW_ACTION, + TEST_DOMAIN + ) + ) { + clearInterval(id); + resolve(); + } + }, 0); + }); +} + +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); +}); + +add_task(async function testWindowOpenHeuristic() { + info("Starting window.open() heuristic test..."); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_WO, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + }).toString(); + + info("Checking if storage access is denied"); + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(msg, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); + +add_task(async function testDoublyNestedWindowOpenHeuristic() { + info("Starting doubly nested window.open() heuristic test..."); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_RELAY + "?" + TEST_3RD_PARTY_PAGE_WO, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + }).toString(); + + info("Checking if storage access is denied"); + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(msg, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); + +add_task(async function testUserInteractionHeuristic() { + info("Starting user interaction heuristic test..."); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_UI, + popup: TEST_POPUP_PAGE, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }).toString(); + + info("Checking if storage access is denied"); + + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + info( + "The 3rd party content should not have access to first party storage." + ); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage({ callback: msg.blockingCallback }, "*"); + }); + + info("Opening a window from the iframe."); + await SpecialPowers.spawn(ifr, [obj.popup], async popup => { + let windowClosed = new content.Promise(resolve => { + Services.ww.registerNotification(function notification( + aSubject, + aTopic, + aData + ) { + // We need to check the document URI for Fission. It's because the + // 'domwindowclosed' would be triggered twice, one for the + // 'about:blank' page and another for the tracker page. + if ( + aTopic == "domwindowclosed" && + aSubject.document.documentURI == + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html" + ) { + Services.ww.unregisterNotification(notification); + resolve(); + } + }); + }); + + content.open(popup); + + info("Let's wait for the window to be closed"); + await windowClosed; + }); + + info("The 3rd party content should have access to first party storage."); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage({ callback: msg.blockingCallback }, "*"); + }); + } + ); + + await AntiTracking.interactWithTracker(); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_UI, + popup: TEST_POPUP_PAGE, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + await noStorageAccessInitially(); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + }).toString(); + + info("Checking if storage access is denied"); + + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + info( + "The 3rd party content should not have access to first party storage." + ); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage({ callback: msg.blockingCallback }, "*"); + }); + + info("Opening a window from the iframe."); + await SpecialPowers.spawn(ifr, [obj.popup], async popup => { + let windowClosed = new content.Promise(resolve => { + Services.ww.registerNotification(function notification( + aSubject, + aTopic, + aData + ) { + // We need to check the document URI here as well for the same + // reason above. + if ( + aTopic == "domwindowclosed" && + aSubject.document.documentURI == + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html" + ) { + Services.ww.unregisterNotification(notification); + resolve(); + } + }); + }); + + content.open(popup); + + info("Let's wait for the window to be closed"); + await windowClosed; + }); + + info("The 3rd party content should have access to first party storage."); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage( + { callback: msg.nonBlockingCallback }, + "*" + ); + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); +}); + +add_task(async function() { + info("Wait until the storage permission is ready before cleaning up."); + await waitStoragePermission(); + + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); + +add_task(async function testDoublyNestedUserInteractionHeuristic() { + info("Starting doubly nested user interaction heuristic test..."); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_RELAY + "?" + TEST_3RD_PARTY_PAGE_UI, + popup: TEST_POPUP_PAGE, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + }).toString(); + + msg.openWindowCallback = (async url => { + open(url); + }).toString(); + + info("Checking if storage access is denied"); + + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + info( + "The 3rd party content should not have access to first party storage." + ); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage({ callback: msg.blockingCallback }, "*"); + }); + + let windowClosed = new content.Promise(resolve => { + Services.ww.registerNotification(function notification( + aSubject, + aTopic, + aData + ) { + if (aTopic == "domwindowclosed") { + Services.ww.unregisterNotification(notification); + resolve(); + } + }); + }); + + info("Opening a window from the iframe."); + ifr.contentWindow.postMessage( + { callback: msg.openWindowCallback, arg: obj.popup }, + "*" + ); + + info("Let's wait for the window to be closed"); + await windowClosed; + + info("The 3rd party content should have access to first party storage."); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage({ callback: msg.blockingCallback }, "*"); + }); + } + ); + + await AntiTracking.interactWithTracker(); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_RELAY + "?" + TEST_3RD_PARTY_PAGE_UI, + popup: TEST_POPUP_PAGE, + }, + ], + async obj => { + let msg = {}; + msg.blockingCallback = (async _ => { + await noStorageAccessInitially(); + }).toString(); + + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + }).toString(); + + msg.openWindowCallback = (async url => { + open(url); + }).toString(); + + info("Checking if storage access is denied"); + + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + info( + "The 3rd party content should not have access to first party storage." + ); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage({ callback: msg.blockingCallback }, "*"); + }); + + let windowClosed = new content.Promise(resolve => { + Services.ww.registerNotification(function notification( + aSubject, + aTopic, + aData + ) { + if (aTopic == "domwindowclosed") { + Services.ww.unregisterNotification(notification); + resolve(); + } + }); + }); + + info("Opening a window from the iframe."); + ifr.contentWindow.postMessage( + { callback: msg.openWindowCallback, arg: obj.popup }, + "*" + ); + + info("Let's wait for the window to be closed"); + await windowClosed; + + info("The 3rd party content should have access to first party storage."); + await new content.Promise(resolve => { + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + ifr.contentWindow.postMessage( + { callback: msg.nonBlockingCallback }, + "*" + ); + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); +}); + +add_task(async function() { + info("Wait until the storage permission is ready before cleaning up."); + await waitStoragePermission(); + + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); + +add_task(async function testFirstPartyWindowOpenHeuristic() { + info("Starting first-party window.open() heuristic test..."); + + // Interact with the tracker first before testing window.open heuristic + await AntiTracking.interactWithTracker(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE, + }, + ], + async obj => { + info("Tracker shouldn't have storage access initially"); + let msg = {}; + msg.blockingCallback = (async _ => { + await noStorageAccessInitially(); + }).toString(); + + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(msg.blockingCallback, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.id = "ifr"; + ifr.src = obj.page; + }); + } + ); + + info("Calling window.open in a first-party iframe"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_IFRAME_PAGE, + popup: TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartyOpen.html", + }, + ], + async obj => { + let ifr = content.document.createElement("iframe"); + let loading = new content.Promise(resolve => { + ifr.onload = resolve; + }); + content.document.body.appendChild(ifr); + ifr.src = obj.page; + await loading; + + info("Opening a window from the iframe."); + await SpecialPowers.spawn(ifr, [obj.popup], async popup => { + await new content.Promise(resolve => { + content.open(popup); + content.addEventListener("message", function msg(event) { + if (event.data == "hello!") { + resolve(); + } + }); + }); + }); + } + ); + + await SpecialPowers.spawn(browser, [], async obj => { + info("Tracker should have storage access now"); + let msg = {}; + msg.nonBlockingCallback = (async _ => { + /* import-globals-from storageAccessAPIHelpers.js */ + await hasStorageAccessInitially(); + }).toString(); + + await new content.Promise(resolve => { + let ifr = content.document.getElementById("ifr"); + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(msg.nonBlockingCallback, "*"); + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + }); + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_subResources.js b/toolkit/components/antitracking/test/browser/browser_subResources.js new file mode 100644 index 0000000000..3c044dad3d --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_subResources.js @@ -0,0 +1,270 @@ +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ["privacy.partition.network_state", false], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading tracking scripts and tracking images"); + await SpecialPowers.spawn(browser, [], async function() { + // Let's load the script twice here. + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + + // Let's load an image twice here. + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + is(text, "0", "Cookies received for images"); + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=script" + ) + .then(r => r.text()) + .then(text => { + is(text, "0", "Cookies received for scripts"); + }); + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_WO, + blockingCallback: (async _ => {}).toString(), + nonBlockingCallback: (async _ => {}).toString(), + }, + ], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Loading tracking scripts and tracking images again"); + await SpecialPowers.spawn(browser, [], async function() { + // Let's load the script twice here. + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + + // Let's load an image twice here. + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + is(text, "1", "One cookie received for images."); + }); + + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=script" + ) + .then(r => r.text()) + .then(text => { + is(text, "1", "One cookie received received for scripts."); + }); + + let expectTrackerBlocked = (item, blocked) => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, + "Correct blocking type reported" + ); + is(item[1], blocked, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let expectTrackerFound = item => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_LOADED_LEVEL_1_TRACKING_CONTENT, + "Correct blocking type reported" + ); + is(item[1], true, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let expectCookiesLoaded = item => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_COOKIES_LOADED, + "Correct blocking type reported" + ); + is(item[1], true, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let expectTrackerCookiesLoaded = item => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_COOKIES_LOADED_TRACKER, + "Correct blocking type reported" + ); + is(item[1], true, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let log = JSON.parse(await browser.getContentBlockingLog()); + for (let trackerOrigin in log) { + is( + trackerOrigin + "/", + TEST_3RD_PARTY_DOMAIN, + "Correct tracker origin must be reported" + ); + let originLog = log[trackerOrigin]; + is(originLog.length, 5, "We should have 4 entries in the compressed log"); + expectTrackerFound(originLog[0]); + expectCookiesLoaded(originLog[1]); + expectTrackerCookiesLoaded(originLog[2]); + expectTrackerBlocked(originLog[3], true); + expectTrackerBlocked(originLog[4], false); + } + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_subResourcesPartitioned.js b/toolkit/components/antitracking/test/browser/browser_subResourcesPartitioned.js new file mode 100644 index 0000000000..920f81c6aa --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_subResourcesPartitioned.js @@ -0,0 +1,297 @@ +async function runTests(topPage, limitForeignContexts) { + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, topPage); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Loading scripts and images"); + await SpecialPowers.spawn(browser, [], async function() { + // Let's load the script twice here. + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + + // Let's load an image twice here. + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + }); + + await fetch( + "https://example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + if (limitForeignContexts) { + is(text, "0", "No cookie received for images."); + } else { + is(text, "1", "One cookie received for images."); + } + }); + + await fetch( + "https://example.org/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=script" + ) + .then(r => r.text()) + .then(text => { + if (limitForeignContexts) { + is(text, "0", "No cookie received received for scripts."); + } else { + is(text, "1", "One cookie received received for scripts."); + } + }); + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_PAGE_WO, + blockingCallback: (async _ => {}).toString(), + nonBlockingCallback: (async _ => {}).toString(), + }, + ], + async function(obj) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = function() { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Loading scripts and images again"); + await SpecialPowers.spawn(browser, [], async function() { + // Let's load the script twice here. + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + { + let src = content.document.createElement("script"); + let p = new content.Promise(resolve => { + src.onload = resolve; + }); + content.document.body.appendChild(src); + src.src = + "https://example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=script"; + await p; + } + + // Let's load an image twice here. + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + { + let img = content.document.createElement("img"); + let p = new content.Promise(resolve => { + img.onload = resolve; + }); + content.document.body.appendChild(img); + img.src = + "https://example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?what=image"; + await p; + } + }); + + await fetch( + "https://example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=image" + ) + .then(r => r.text()) + .then(text => { + if (limitForeignContexts) { + is(text, "0", "No cookie received for images."); + } else { + is(text, "1", "One cookie received for images."); + } + }); + + await fetch( + "https://example.com/browser/toolkit/components/antitracking/test/browser/subResources.sjs?result&what=script" + ) + .then(r => r.text()) + .then(text => { + if (limitForeignContexts) { + is(text, "0", "No cookie received received for scripts."); + } else { + is(text, "1", "One cookie received received for scripts."); + } + }); + + let expectTrackerBlocked = (item, blocked) => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, + "Correct blocking type reported" + ); + is(item[1], blocked, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let expectCookiesLoaded = item => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_COOKIES_LOADED, + "Correct blocking type reported" + ); + is(item[1], true, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let expectCookiesBlockedForeign = item => { + is( + item[0], + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_FOREIGN, + "Correct blocking type reported" + ); + is(item[1], true, "Correct blocking status reported"); + ok(item[2] >= 1, "Correct repeat count reported"); + }; + + let log = JSON.parse(await browser.getContentBlockingLog()); + for (let trackerOrigin in log) { + let originLog = log[trackerOrigin]; + info(trackerOrigin); + switch (trackerOrigin) { + case "https://example.org": + case "https://example.com": + let numEntries = 1; + if (limitForeignContexts) { + ++numEntries; + } + is( + originLog.length, + numEntries, + `We should have ${numEntries} entries in the compressed log` + ); + expectCookiesLoaded(originLog[0]); + if (limitForeignContexts) { + expectCookiesBlockedForeign(originLog[1]); + } + break; + case "https://tracking.example.org": + is( + originLog.length, + 1, + "We should have 1 entries in the compressed log" + ); + expectTrackerBlocked(originLog[0], false); + break; + } + } + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); +} + +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + + for (let limitForeignContexts of [false, true]) { + SpecialPowers.setBoolPref( + "privacy.dynamic_firstparty.limitForeign", + limitForeignContexts + ); + for (let page of [TEST_TOP_PAGE, TEST_TOP_PAGE_2, TEST_TOP_PAGE_3]) { + await runTests(page, limitForeignContexts); + } + } + + SpecialPowers.clearUserPref("privacy.dynamic_firstparty.limitForeign"); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_thirdPartyStorageRejectionForCORS.js b/toolkit/components/antitracking/test/browser/browser_thirdPartyStorageRejectionForCORS.js new file mode 100644 index 0000000000..8289c1edaa --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_thirdPartyStorageRejectionForCORS.js @@ -0,0 +1,98 @@ +// This test works by setting up an exception for the tracker domain, which +// disables all the anti-tracking tests. + +/* import-globals-from antitracking_head.js */ + +add_task(async _ => { + PermissionTestUtils.add( + "http://example.net", + "cookie", + Services.perms.ALLOW_ACTION + ); + + registerCleanupFunction(_ => { + Services.perms.removeAll(); + }); +}); + +AntiTracking._createTask({ + name: "Test that we don't store 3P cookies from non-anonymous CORS XHR", + cookieBehavior: BEHAVIOR_REJECT_FOREIGN, + blockingByContentBlockingRTUI: false, + allowList: false, + thirdPartyPage: TEST_DOMAIN + TEST_PATH + "3rdParty.html", + callback: async _ => { + await new Promise(resolve => { + const xhr = new XMLHttpRequest(); + xhr.open( + "GET", + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/cookiesCORS.sjs?some;max-age=999999", + true + ); + xhr.withCredentials = true; + xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); + xhr.onreadystatechange = _ => { + if (4 === xhr.readyState && 200 === xhr.status) { + resolve(); + } + }; + xhr.send(); + }); + }, + extraPrefs: [["network.cookie.rejectForeignWithExceptions.enabled", true]], + expectedBlockingNotifications: + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_FOREIGN, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, +}); + +add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); + +AntiTracking._createTask({ + name: "Test that we don't store 3P cookies from non-anonymous CORS XHR", + cookieBehavior: BEHAVIOR_REJECT_FOREIGN, + blockingByContentBlockingRTUI: false, + allowList: false, + thirdPartyPage: TEST_DOMAIN + TEST_PATH + "3rdParty.html", + callback: async _ => { + await new Promise(resolve => { + const xhr = new XMLHttpRequest(); + xhr.open( + "GET", + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/cookiesCORS.sjs?some;max-age=999999", + true + ); + xhr.withCredentials = true; + xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); + xhr.onreadystatechange = _ => { + if (4 === xhr.readyState && 200 === xhr.status) { + resolve(); + } + }; + xhr.send(); + }); + }, + extraPrefs: [["network.cookie.rejectForeignWithExceptions.enabled", false]], + expectedBlockingNotifications: + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_FOREIGN, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, +}); + +add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_urlDecorationStripping.js b/toolkit/components/antitracking/test/browser/browser_urlDecorationStripping.js new file mode 100644 index 0000000000..8434324be3 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_urlDecorationStripping.js @@ -0,0 +1,245 @@ +// This test ensures that the URL decoration annotations service works as +// expected, and also we successfully downgrade document.referrer to the +// eTLD+1 URL when tracking identifiers controlled by this service are +// present in the referrer URI. + +/* import-globals-from antitracking_head.js */ + +"use strict"; + +const { RemoteSettings } = ChromeUtils.import( + "resource://services-settings/remote-settings.js" +); +const { Preferences } = ChromeUtils.import( + "resource://gre/modules/Preferences.jsm" +); +const { XPCOMUtils } = ChromeUtils.import( + "resource://gre/modules/XPCOMUtils.jsm" +); + +const COLLECTION_NAME = "anti-tracking-url-decoration"; +const PREF_NAME = "privacy.restrict3rdpartystorage.url_decorations"; +const TOKEN_1 = "fooBar"; +const TOKEN_2 = "foobaz"; +const TOKEN_3 = "fooqux"; +const TOKEN_4 = "bazqux"; + +const token_1 = TOKEN_1.toLowerCase(); + +const DOMAIN = TEST_DOMAIN_3; +const SUB_DOMAIN = "https://sub1.xn--hxajbheg2az3al.xn--jxalpdlp/"; +const TOP_PAGE_WITHOUT_TRACKING_IDENTIFIER = + SUB_DOMAIN + TEST_PATH + "page.html"; +const TOP_PAGE_WITH_TRACKING_IDENTIFIER = + TOP_PAGE_WITHOUT_TRACKING_IDENTIFIER + "?" + TOKEN_1 + "=123"; + +add_task(async _ => { + let uds = Cc["@mozilla.org/tracking-url-decoration-service;1"].getService( + Ci.nsIURLDecorationAnnotationsService + ); + + let records = [ + { + id: "1", + last_modified: 100000000000000000001, + schema: Date.now(), + token: TOKEN_1, + }, + ]; + + // Add some initial data + async function emitSync() { + await RemoteSettings(COLLECTION_NAME).emit("sync", { + data: { current: records }, + }); + } + let db = await RemoteSettings(COLLECTION_NAME).db; + await db.importChanges({}, 42, [records[0]]); + await emitSync(); + + await uds.ensureUpdated(); + + let list = Preferences.get(PREF_NAME).split(" "); + ok(list.includes(TOKEN_1), "Token must now be available in " + PREF_NAME); + ok(Preferences.locked(PREF_NAME), PREF_NAME + " must be locked"); + + async function verifyList(array, not_array) { + await emitSync(); + + await uds.ensureUpdated(); + + list = Preferences.get(PREF_NAME).split(" "); + for (let token of array) { + ok( + list.includes(token), + token + " must now be available in " + PREF_NAME + ); + } + for (let token of not_array) { + ok( + !list.includes(token), + token + " must not be available in " + PREF_NAME + ); + } + ok(Preferences.locked(PREF_NAME), PREF_NAME + " must be locked"); + } + + records.push( + { + id: "2", + last_modified: 100000000000000000002, + schema: Date.now(), + token: TOKEN_2, + }, + { + id: "3", + last_modified: 100000000000000000003, + schema: Date.now(), + token: TOKEN_3, + }, + { + id: "4", + last_modified: 100000000000000000004, + schema: Date.now(), + token: TOKEN_4, + } + ); + + await verifyList([TOKEN_1, TOKEN_2, TOKEN_3, TOKEN_4], []); + + records.pop(); + + await verifyList([TOKEN_1, TOKEN_2, TOKEN_3], [TOKEN_4]); + + is( + Services.eTLD.getBaseDomain(Services.io.newURI(DOMAIN)), + Services.eTLD.getBaseDomain(Services.io.newURI(SUB_DOMAIN)), + "Sanity check" + ); + + registerCleanupFunction(async _ => { + records = []; + await db.clear(); + await emitSync(); + }); +}); + +AntiTracking._createTask({ + name: + "Test that we do not downgrade document.referrer when it does not contain a tracking identifier", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + blockingByContentBlockingRTUI: true, + allowList: false, + callback: async _ => { + let ref = new URL(document.referrer); + is( + ref.hostname, + "sub1.xn--hxajbheg2az3al.xn--jxalpdlp", + "Hostname shouldn't be stripped" + ); + ok(ref.pathname.length > 1, "Path must not be trimmed"); + // eslint-disable-next-line no-unused-vars + for (let entry of ref.searchParams.entries()) { + ok(false, "No query parameters should be found"); + } + }, + extraPrefs: [["network.http.referer.defaultPolicy.trackers", 3]], + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + topPage: TOP_PAGE_WITHOUT_TRACKING_IDENTIFIER, +}); + +AntiTracking._createTask({ + name: + "Test that we do not downgrade document.referrer when it does not contain a tracking identifier even though it gets downgraded to origin only due to the default referrer policy", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + blockingByContentBlockingRTUI: true, + allowList: false, + callback: async _ => { + let ref = new URL(document.referrer); + is( + ref.hostname, + "sub1.xn--hxajbheg2az3al.xn--jxalpdlp", + "Hostname shouldn't be stripped" + ); + is(ref.pathname.length, 1, "Path must be trimmed"); + // eslint-disable-next-line no-unused-vars + for (let entry of ref.searchParams.entries()) { + ok(false, "No query parameters should be found"); + } + }, + extraPrefs: [["network.http.referer.defaultPolicy.trackers", 2]], + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + topPage: TOP_PAGE_WITHOUT_TRACKING_IDENTIFIER, +}); + +AntiTracking._createTask({ + name: + "Test that we downgrade document.referrer when it contains a tracking identifier", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + blockingByContentBlockingRTUI: true, + allowList: false, + callback: async _ => { + let ref = new URL(document.referrer); + is( + ref.hostname, + "xn--hxajbheg2az3al.xn--jxalpdlp", + "Hostname should be stripped" + ); + is(ref.pathname.length, 1, "Path must be trimmed"); + // eslint-disable-next-line no-unused-vars + for (let entry of ref.searchParams.entries()) { + ok(false, "No query parameters should be found"); + } + }, + extraPrefs: [["network.http.referer.defaultPolicy.trackers", 3]], + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + topPage: TOP_PAGE_WITH_TRACKING_IDENTIFIER, +}); + +AntiTracking._createTask({ + name: + "Test that we don't downgrade document.referrer when it contains a tracking identifier if it gets downgraded to origin only due to the default referrer policy because the tracking identifier wouldn't be present in the referrer any more", + cookieBehavior: BEHAVIOR_REJECT_TRACKER, + blockingByContentBlockingRTUI: true, + allowList: false, + callback: async _ => { + let ref = new URL(document.referrer); + is( + ref.hostname, + "sub1.xn--hxajbheg2az3al.xn--jxalpdlp", + "Hostname shouldn't be stripped" + ); + is(ref.pathname.length, 1, "Path must be trimmed"); + // eslint-disable-next-line no-unused-vars + for (let entry of ref.searchParams.entries()) { + ok(false, "No query parameters should be found"); + } + }, + extraPrefs: [["network.http.referer.defaultPolicy.trackers", 2]], + expectedBlockingNotifications: 0, + runInPrivateWindow: false, + iframeSandbox: null, + accessRemoval: null, + callbackAfterRemoval: null, + topPage: TOP_PAGE_WITH_TRACKING_IDENTIFIER, +}); + +add_task(async _ => { + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_userInteraction.js b/toolkit/components/antitracking/test/browser/browser_userInteraction.js new file mode 100644 index 0000000000..99b801f14c --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_userInteraction.js @@ -0,0 +1,120 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +/* eslint-disable mozilla/no-arbitrary-setTimeout */ + +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.userInteraction.document.interval", 1], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + let uri = Services.io.newURI(TEST_DOMAIN); + is( + PermissionTestUtils.testPermission(uri, "storageAccessAPI"), + Services.perms.UNKNOWN_ACTION, + "Before user-interaction we don't have a permission" + ); + + let promise = TestUtils.topicObserved("perm-changed", (aSubject, aData) => { + let permission = aSubject.QueryInterface(Ci.nsIPermission); + return ( + permission.type == "storageAccessAPI" && + permission.principal.equalsURI(uri) + ); + }); + + info("Simulating user-interaction."); + await SpecialPowers.spawn(browser, [], async function() { + content.document.userInteractionForTesting(); + }); + + info("Waiting to have a permissions set."); + await promise; + + // Let's see if the document is able to update the permission correctly. + for (var i = 0; i < 3; ++i) { + // Another perm-changed event should be triggered by the timer. + promise = TestUtils.topicObserved("perm-changed", (aSubject, aData) => { + let permission = aSubject.QueryInterface(Ci.nsIPermission); + return ( + permission.type == "storageAccessAPI" && + permission.principal.equalsURI(uri) + ); + }); + + info("Simulating another user-interaction."); + await SpecialPowers.spawn(browser, [], async function() { + content.document.userInteractionForTesting(); + }); + + info("Waiting to have a permissions set."); + await promise; + } + + // Let's disable the document.interval. + await SpecialPowers.pushPrefEnv({ + set: [["privacy.userInteraction.document.interval", 0]], + }); + + promise = new Promise(resolve => { + let id; + + function observer(subject, topic, data) { + ok(false, "Notification received!"); + Services.obs.removeObserver(observer, "perm-changed"); + clearTimeout(id); + resolve(); + } + + Services.obs.addObserver(observer, "perm-changed"); + + id = setTimeout(() => { + ok(true, "No notification received!"); + Services.obs.removeObserver(observer, "perm-changed"); + resolve(); + }, 2000); + }); + + info("Simulating another user-interaction."); + await SpecialPowers.spawn(browser, [], async function() { + content.document.userInteractionForTesting(); + }); + + info("Waiting to have a permissions set."); + await promise; + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/browser_workerPropagation.js b/toolkit/components/antitracking/test/browser/browser_workerPropagation.js new file mode 100644 index 0000000000..13e102a631 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_workerPropagation.js @@ -0,0 +1,83 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +/* eslint-disable mozilla/no-arbitrary-setTimeout */ + +add_task(async function() { + info("Starting subResources test"); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.auto_grants", true], + ["dom.storage_access.auto_grants.delayed", false], + ["dom.storage_access.enabled", true], + ["dom.storage_access.prompt.testing", false], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.com,tracking.example.org", + ], + ], + }); + + await UrlClassifierTestUtils.addTestTrackers(); + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE); + gBrowser.selectedTab = tab; + + let browser = gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + // Let's create an iframe and run the test there. + let page = TEST_3RD_PARTY_DOMAIN + TEST_PATH + "workerIframe.html"; + await SpecialPowers.spawn(browser, [page], async function(page) { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.id = "test"; + + content.addEventListener("message", e => { + if (e.data.type == "finish") { + resolve(); + return; + } + + if (e.data.type == "info") { + info(e.data.msg); + return; + } + + if (e.data.type == "ok") { + ok(e.data.what, e.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = page; + }); + }); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +add_task(async function() { + info("Cleaning up."); + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/clearSiteData.sjs b/toolkit/components/antitracking/test/browser/clearSiteData.sjs new file mode 100644 index 0000000000..374f03a474 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/clearSiteData.sjs @@ -0,0 +1,6 @@ +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + aResponse.setHeader("Clear-Site-Data", '"*"'); + aResponse.setHeader("Content-Type", "text/plain"); + aResponse.write("Clear-Site-Data"); +} diff --git a/toolkit/components/antitracking/test/browser/container.html b/toolkit/components/antitracking/test/browser/container.html new file mode 100644 index 0000000000..24daa80113 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/container.html @@ -0,0 +1,6 @@ +<!DOCTYPE html> +<html> +<body> +<iframe src="embedder.html"></iframe> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/container2.html b/toolkit/components/antitracking/test/browser/container2.html new file mode 100644 index 0000000000..c2591ad7fc --- /dev/null +++ b/toolkit/components/antitracking/test/browser/container2.html @@ -0,0 +1,11 @@ +<!DOCTYPE html> +<html> +<body> +<script> + onmessage = function(e) { + parent.postMessage(e.data, "*"); + }; +</script> +<iframe src="embedder2.html"></iframe> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/cookies.sjs b/toolkit/components/antitracking/test/browser/cookies.sjs new file mode 100644 index 0000000000..1267a69d8c --- /dev/null +++ b/toolkit/components/antitracking/test/browser/cookies.sjs @@ -0,0 +1,12 @@ +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + let cookie = ""; + if (aRequest.hasHeader("Cookie")) { + cookie = aRequest.getHeader("Cookie"); + } + aResponse.write("cookie:" + cookie); + + if (aRequest.queryString) { + aResponse.setHeader("Set-Cookie", "foopy=" + aRequest.queryString); + } +} diff --git a/toolkit/components/antitracking/test/browser/cookiesCORS.sjs b/toolkit/components/antitracking/test/browser/cookiesCORS.sjs new file mode 100644 index 0000000000..2cfdca2700 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/cookiesCORS.sjs @@ -0,0 +1,9 @@ +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + aResponse.setHeader("Access-Control-Allow-Origin", "http://example.net"); + aResponse.setHeader("Access-Control-Allow-Credentials", "true"); + + if (aRequest.queryString) { + aResponse.setHeader("Set-Cookie", "foopy=" + aRequest.queryString); + } +} diff --git a/toolkit/components/antitracking/test/browser/dynamicfpi_head.js b/toolkit/components/antitracking/test/browser/dynamicfpi_head.js new file mode 100644 index 0000000000..a3fc1618c1 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/dynamicfpi_head.js @@ -0,0 +1,150 @@ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* import-globals-from head.js */ + +"use strict"; + +this.DynamicFPIHelper = { + runTest(name, callback, cleanupFunction, extraPrefs, runInPrivateWindow) { + add_task(async _ => { + info( + "Starting test `" + + name + + "' with dynamic FPI running in a " + + (runInPrivateWindow ? "private" : "normal") + + " window..." + ); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ["privacy.storagePrincipal.enabledForTrackers", false], + ["privacy.dynamic_firstparty.use_site", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "not-tracking.example.com", + ], + ], + }); + + if (extraPrefs && Array.isArray(extraPrefs) && extraPrefs.length) { + await SpecialPowers.pushPrefEnv({ set: extraPrefs }); + } + + let win = window; + if (runInPrivateWindow) { + win = OpenBrowserWindow({ private: true }); + await TestUtils.topicObserved("browser-delayed-startup-finished"); + } + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(win.gBrowser, TEST_TOP_PAGE); + win.gBrowser.selectedTab = tab; + + let browser = win.gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Check the cookieJarSettings of the browser object"); + ok( + browser.cookieJarSettings, + "The browser object has the cookieJarSettings." + ); + is( + browser.cookieJarSettings.cookieBehavior, + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + "The cookieJarSettings has the correct cookieBehavior" + ); + is( + browser.cookieJarSettings.partitionKey, + "(http,example.net)", + "The cookieJarSettings has the correct partitionKey" + ); + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_4TH_PARTY_STORAGE_PAGE, + callback: callback.toString(), + }, + ], + async obj => { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = async _ => { + await SpecialPowers.spawn(ifr, [], async _ => { + is( + content.document.nodePrincipal.originAttributes.partitionKey, + "", + "We don't have first-party set on nodePrincipal" + ); + is( + content.document.effectiveStoragePrincipal.originAttributes + .partitionKey, + "(http,example.net)", + "We have first-party set on storagePrincipal" + ); + }); + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj.callback, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + if (runInPrivateWindow) { + win.close(); + } + }); + + add_task(async _ => { + info("Cleaning up."); + if (cleanupFunction) { + await cleanupFunction(); + } + + // While running these tests we typically do not have enough idle time to do + // GC reliably, so force it here. + /* import-globals-from antitracking_head.js */ + forceGC(); + }); + }, +}; diff --git a/toolkit/components/antitracking/test/browser/embedder.html b/toolkit/components/antitracking/test/browser/embedder.html new file mode 100644 index 0000000000..1a517079e0 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/embedder.html @@ -0,0 +1,4 @@ +<!DOCTYPE html> +<script src="https://tracking.example.com/browser/toolkit/components/antitracking/test/browser/empty.js"></script> +<script src="https://tracking.example.com/browser/toolkit/components/antitracking/test/browser/empty.js?redirect"></script> +<script src="https://tracking.example.com/browser/toolkit/components/antitracking/test/browser/empty.js?redirect2"></script> diff --git a/toolkit/components/antitracking/test/browser/embedder2.html b/toolkit/components/antitracking/test/browser/embedder2.html new file mode 100644 index 0000000000..b1441894a4 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/embedder2.html @@ -0,0 +1,9 @@ +<!DOCTYPE html> +<html> +<head> +<script src="https://tracking.example.com/browser/toolkit/components/antitracking/test/browser/empty.js"></script> +<script src="https://tracking.example.com/browser/toolkit/components/antitracking/test/browser/empty.js?redirect"></script> +<script src="https://tracking.example.com/browser/toolkit/components/antitracking/test/browser/empty.js?redirect2"></script> +</head> +<body onload="parent.postMessage({data:document.querySelectorAll('script').length}, '*');"></body> +</html> diff --git a/toolkit/components/antitracking/test/browser/empty-altsvc.js b/toolkit/components/antitracking/test/browser/empty-altsvc.js new file mode 100644 index 0000000000..3053583c76 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/empty-altsvc.js @@ -0,0 +1 @@ +/* nothing here */ diff --git a/toolkit/components/antitracking/test/browser/empty-altsvc.js^headers^ b/toolkit/components/antitracking/test/browser/empty-altsvc.js^headers^ new file mode 100644 index 0000000000..70592d2f93 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/empty-altsvc.js^headers^ @@ -0,0 +1 @@ +Alt-Svc: h2=":12345"; ma=60 diff --git a/toolkit/components/antitracking/test/browser/empty.html b/toolkit/components/antitracking/test/browser/empty.html new file mode 100644 index 0000000000..e20d67db57 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/empty.html @@ -0,0 +1 @@ +<h1>Empty</h1> diff --git a/toolkit/components/antitracking/test/browser/empty.js b/toolkit/components/antitracking/test/browser/empty.js new file mode 100644 index 0000000000..3053583c76 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/empty.js @@ -0,0 +1 @@ +/* nothing here */ diff --git a/toolkit/components/antitracking/test/browser/file_localStorage.html b/toolkit/components/antitracking/test/browser/file_localStorage.html new file mode 100644 index 0000000000..54bad94bc9 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/file_localStorage.html @@ -0,0 +1,21 @@ +<!DOCTYPE html> +<html> +<head> + <title>Bug 1663192 - Accessing localStorage in a file urls</title> +</head> +<script> + window.addEventListener("DOMContentLoaded", () => { + let result = document.getElementById("result"); + + try { + window.localStorage.setItem("foo", "bar"); + result.textContent = "PASS"; + } catch (e) { + result.textContent = "FAIL"; + } + }, { once: true }); +</script> +<body> +<a id="result"></a> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/file_saveAsImage.sjs b/toolkit/components/antitracking/test/browser/file_saveAsImage.sjs new file mode 100644 index 0000000000..ffa608411a --- /dev/null +++ b/toolkit/components/antitracking/test/browser/file_saveAsImage.sjs @@ -0,0 +1,19 @@ +// small red image +const IMAGE = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="); + +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + + if (aRequest.queryString.includes("result")) { + aResponse.write(getState("hints") || 0); + setState("hints", "0"); + } else { + let hints = parseInt(getState("hints") || 0) + 1; + setState("hints", hints.toString()); + + aResponse.setHeader("Content-Type", "image/png", false); + aResponse.write(IMAGE); + } +} diff --git a/toolkit/components/antitracking/test/browser/file_saveAsPageInfo.html b/toolkit/components/antitracking/test/browser/file_saveAsPageInfo.html new file mode 100644 index 0000000000..aa3de2a555 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/file_saveAsPageInfo.html @@ -0,0 +1,6 @@ +<html> +<body> + <img src="http://example.net/browser/toolkit/components/antitracking/test/browser/raptor.jpg" id="image1"> + <video src="http://example.net/browser/toolkit/components/antitracking/test/browser/file_video.ogv" id="video1"> </video> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/file_saveAsVideo.sjs b/toolkit/components/antitracking/test/browser/file_saveAsVideo.sjs new file mode 100644 index 0000000000..8c0696f966 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/file_saveAsVideo.sjs @@ -0,0 +1,36 @@ +const VIDEO = atob( + "GkXfo49CgoR3ZWJtQoeBAkKFgQIYU4BnI0nOEU2bdKpNu" + + "4tTq4QVSalmU6yBL027i1OrhBZUrmtTrIGmTbuLU6uEHF" + + "O7a1OsgdEVSalm8k2ApWxpYmVibWwyIHYwLjkuNyArIGx" + + "pYm1hdHJvc2thMiB2MC45LjhXQZ5ta2NsZWFuIDAuMi41" + + "IGZyb20gTGF2ZjUyLjU3LjFzpJC/CoyJjSbckmOytS9Se" + + "y3cRImIQK9AAAAAAABEYYgEHiZDUAHwABZUrmumrqTXgQ" + + "FzxYEBnIEAIrWcg3VuZIaFVl9WUDiDgQHgh7CCAUC6gfA" + + "cU7trzbuMs4EAt4f3gQHxggEju42zggMgt4f3gQHxgrZd" + + "u46zggZAt4j3gQHxgwFba7uOs4IJYLeI94EB8YMCAR+7j" + + "rOCDIC3iPeBAfGDAqggH0O2dSBibueBAKNbiYEAAIDQdw" + + "CdASpAAfAAAAcIhYWIhYSIAIIb347n/c/Z0BPBfjv7f+I" + + "/6df275Wbh/XPuZ+qv9k58KrftA9tvkP+efiN/ovmd/if" + + "9L/ef2z+Xv+H/rv+39xD/N/zL+nfid71363e9X+pf6/+q" + + "+x7+W/0P/H/233Zf6n/Wv696APuDf0b+YdcL+2HsUfxr+" + + "gfP/91P+F/yH9K+H79Z/7j/Xvhj/VjVsvwHXt/n/qz9U/" + + "w749+c/g="); + +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + + if (aRequest.queryString.includes("result")) { + aResponse.write(getState("hints") || 0); + setState("hints", "0"); + } else { + let hints = parseInt(getState("hints") || 0) + 1; + setState("hints", hints.toString()); + + aResponse.setHeader("Content-Type", "video/webm", false); + aResponse.setHeader( + "Cache-Control", + "public, max-age=604800, immutable", + false); + aResponse.write(VIDEO); + } +} diff --git a/toolkit/components/antitracking/test/browser/file_video.ogv b/toolkit/components/antitracking/test/browser/file_video.ogv Binary files differnew file mode 100644 index 0000000000..68dee3cf2b --- /dev/null +++ b/toolkit/components/antitracking/test/browser/file_video.ogv diff --git a/toolkit/components/antitracking/test/browser/head.js b/toolkit/components/antitracking/test/browser/head.js new file mode 100644 index 0000000000..ffa0bb48a7 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/head.js @@ -0,0 +1,99 @@ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +const TEST_DOMAIN = "http://example.net/"; +const TEST_DOMAIN_2 = "http://xn--exmple-cua.test/"; +const TEST_DOMAIN_3 = "https://xn--hxajbheg2az3al.xn--jxalpdlp/"; +const TEST_DOMAIN_4 = "http://prefixexample.com/"; +const TEST_DOMAIN_5 = "http://test/"; +const TEST_DOMAIN_6 = "http://mochi.test:8888/"; +const TEST_3RD_PARTY_DOMAIN = "https://tracking.example.org/"; +const TEST_3RD_PARTY_DOMAIN_HTTP = "http://tracking.example.org/"; +const TEST_3RD_PARTY_DOMAIN_TP = "https://tracking.example.com/"; +const TEST_3RD_PARTY_DOMAIN_STP = "https://social-tracking.example.org/"; +const TEST_4TH_PARTY_DOMAIN = "http://not-tracking.example.com/"; +const TEST_ANOTHER_3RD_PARTY_DOMAIN_HTTP = + "http://another-tracking.example.net/"; +const TEST_ANOTHER_3RD_PARTY_DOMAIN_HTTPS = + "https://another-tracking.example.net/"; +const TEST_ANOTHER_3RD_PARTY_DOMAIN = SpecialPowers.useRemoteSubframes + ? TEST_ANOTHER_3RD_PARTY_DOMAIN_HTTP + : TEST_ANOTHER_3RD_PARTY_DOMAIN_HTTPS; + +const TEST_PATH = "browser/toolkit/components/antitracking/test/browser/"; + +const TEST_TOP_PAGE = TEST_DOMAIN + TEST_PATH + "page.html"; +const TEST_TOP_PAGE_2 = TEST_DOMAIN_2 + TEST_PATH + "page.html"; +const TEST_TOP_PAGE_3 = TEST_DOMAIN_3 + TEST_PATH + "page.html"; +const TEST_TOP_PAGE_4 = TEST_DOMAIN_4 + TEST_PATH + "page.html"; +const TEST_TOP_PAGE_5 = TEST_DOMAIN_5 + TEST_PATH + "page.html"; +const TEST_TOP_PAGE_6 = TEST_DOMAIN_6 + TEST_PATH + "page.html"; +const TEST_EMBEDDER_PAGE = TEST_DOMAIN + TEST_PATH + "embedder.html"; +const TEST_POPUP_PAGE = TEST_DOMAIN + TEST_PATH + "popup.html"; +const TEST_IFRAME_PAGE = TEST_DOMAIN + TEST_PATH + "iframe.html"; +const TEST_3RD_PARTY_PAGE = TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdParty.html"; +const TEST_3RD_PARTY_PAGE_HTTP = + TEST_3RD_PARTY_DOMAIN_HTTP + TEST_PATH + "3rdParty.html"; +const TEST_3RD_PARTY_PAGE_WO = + TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartyWO.html"; +const TEST_3RD_PARTY_PAGE_UI = + TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartyUI.html"; +const TEST_3RD_PARTY_PAGE_WITH_SVG = + TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartySVG.html"; +const TEST_3RD_PARTY_PAGE_RELAY = + TEST_4TH_PARTY_DOMAIN + TEST_PATH + "3rdPartyRelay.html"; +const TEST_4TH_PARTY_PAGE = TEST_4TH_PARTY_DOMAIN + TEST_PATH + "3rdParty.html"; +const TEST_ANOTHER_3RD_PARTY_PAGE = + TEST_ANOTHER_3RD_PARTY_DOMAIN + TEST_PATH + "3rdParty.html"; +const TEST_ANOTHER_3RD_PARTY_PAGE_HTTPS = + TEST_ANOTHER_3RD_PARTY_DOMAIN_HTTPS + TEST_PATH + "3rdParty.html"; +const TEST_3RD_PARTY_STORAGE_PAGE = + TEST_3RD_PARTY_DOMAIN_HTTP + TEST_PATH + "3rdPartyStorage.html"; +const TEST_3RD_PARTY_PAGE_WORKER = + TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartyWorker.html"; +const TEST_3RD_PARTY_PARTITIONED_PAGE = + TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartyPartitioned.html"; +const TEST_4TH_PARTY_STORAGE_PAGE = + TEST_4TH_PARTY_DOMAIN + TEST_PATH + "3rdPartyStorage.html"; +const TEST_4TH_PARTY_PARTITIONED_PAGE = + TEST_4TH_PARTY_DOMAIN + TEST_PATH + "3rdPartyPartitioned.html"; + +const BEHAVIOR_ACCEPT = Ci.nsICookieService.BEHAVIOR_ACCEPT; +const BEHAVIOR_REJECT = Ci.nsICookieService.BEHAVIOR_REJECT; +const BEHAVIOR_LIMIT_FOREIGN = Ci.nsICookieService.BEHAVIOR_LIMIT_FOREIGN; +const BEHAVIOR_REJECT_FOREIGN = Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN; +const BEHAVIOR_REJECT_TRACKER = Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER; +const BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN = + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN; + +let originalRequestLongerTimeout = requestLongerTimeout; +// eslint-disable-next-line no-global-assign +requestLongerTimeout = function AntiTrackingRequestLongerTimeout(factor) { + let ccovMultiplier = AppConstants.MOZ_CODE_COVERAGE ? 2 : 1; + let fissionMultiplier = SpecialPowers.useRemoteSubframes ? 2 : 1; + originalRequestLongerTimeout(ccovMultiplier * fissionMultiplier * factor); +}; + +requestLongerTimeout(3); + +const { UrlClassifierTestUtils } = ChromeUtils.import( + "resource://testing-common/UrlClassifierTestUtils.jsm" +); + +const { PermissionTestUtils } = ChromeUtils.import( + "resource://testing-common/PermissionTestUtils.jsm" +); + +Services.scriptloader.loadSubScript( + "chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/antitracking_head.js", + this +); + +Services.scriptloader.loadSubScript( + "chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/partitionedstorage_head.js", + this +); diff --git a/toolkit/components/antitracking/test/browser/iframe.html b/toolkit/components/antitracking/test/browser/iframe.html new file mode 100644 index 0000000000..85d37ed7fa --- /dev/null +++ b/toolkit/components/antitracking/test/browser/iframe.html @@ -0,0 +1,8 @@ +<html> +<head> + <title>Just a first-level iframe</title> +</head> +<body> + <h1>This is the first-level iframe</h1> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/image.sjs b/toolkit/components/antitracking/test/browser/image.sjs new file mode 100644 index 0000000000..ad00264bfa --- /dev/null +++ b/toolkit/components/antitracking/test/browser/image.sjs @@ -0,0 +1,20 @@ +// A 1x1 PNG image. +// Source: https://commons.wikimedia.org/wiki/File:1x1.png (Public Domain) +const IMAGE = atob("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAAA1BMVEUAA" + + "ACnej3aAAAAAXRSTlMAQObYZgAAAApJREFUCNdjYAAAAAIAAeIhvDMAAAAASUVORK5CYII="); + +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + + if (aRequest.queryString.includes("result")) { + aResponse.write(getState("hints") || 0); + setState("hints", "0"); + } else { + let hints = parseInt(getState("hints") || 0) + 1; + setState("hints", hints.toString()); + + aResponse.setHeader("Set-Cookie", "foopy=1"); + aResponse.setHeader("Content-Type", "image/png", false); + aResponse.write(IMAGE); + } +} diff --git a/toolkit/components/antitracking/test/browser/imageCacheWorker.js b/toolkit/components/antitracking/test/browser/imageCacheWorker.js new file mode 100644 index 0000000000..d11221112c --- /dev/null +++ b/toolkit/components/antitracking/test/browser/imageCacheWorker.js @@ -0,0 +1,78 @@ +/* import-globals-from head.js */ +/* import-globals-from antitracking_head.js */ +/* import-globals-from browser_imageCache4.js */ + +AntiTracking.runTest( + "Image cache - should load the image three times.", + // blocking callback + async _ => { + // Let's load the image twice here. + let img = document.createElement("img"); + document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/image.sjs"; + await new Promise(resolve => { + img.onload = resolve; + }); + ok(true, "Image 1 loaded"); + + img = document.createElement("img"); + document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/image.sjs"; + await new Promise(resolve => { + img.onload = resolve; + }); + ok(true, "Image 2 loaded"); + }, + + // non-blocking callback + { + runExtraTests: false, + cookieBehavior, + blockingByAllowList, + expectedBlockingNotifications, + callback: async _ => { + // Let's load the image twice here as well. + let img = document.createElement("img"); + document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/image.sjs"; + await new Promise(resolve => { + img.onload = resolve; + }); + ok(true, "Image 3 loaded"); + + img = document.createElement("img"); + document.body.appendChild(img); + img.src = + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/image.sjs"; + await new Promise(resolve => { + img.onload = resolve; + }); + ok(true, "Image 4 loaded"); + }, + }, + null, // cleanup function + null, // no extra prefs + false, // no window open test + false, // no user-interaction test + expectedBlockingNotifications +); + +// We still want to see just expected requests. +add_task(async _ => { + await fetch( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/image.sjs?result" + ) + .then(r => r.text()) + .then(text => { + is(text, "2", "The image should be loaded correctly."); + }); + + await new Promise(resolve => { + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value => + resolve() + ); + }); +}); diff --git a/toolkit/components/antitracking/test/browser/localStorage.html b/toolkit/components/antitracking/test/browser/localStorage.html new file mode 100644 index 0000000000..e08c25f2c4 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/localStorage.html @@ -0,0 +1,68 @@ +<h1>Here a tracker!</h1> +<script> + +if (window.opener) { + SpecialPowers.wrap(document).userInteractionForTesting(); + localStorage.foo = "opener" + Math.random(); + // Don't call window.close immediatelly. It can happen that adding the + // "storage" event listener below takes more time than usual (it may need to + // synchronously subscribe in the parent process to receive storage + // notifications). Spending more time in the initial script can prevent + // the "load" event from being fired for the window opened by "open and test". + setTimeout(() => { + window.close(); + }, 0); +} + +if (parent) { + window.onmessage = e => { + if (e.data == "test") { + let status; + try { + localStorage.foo = "value" + Math.random(); + status = true; + } catch (e) { + status = false; + } + + parent.postMessage({type: "test", status }, "*"); + return; + } + + if (e.data == "open") { + window.open("localStorage.html"); + return; + } + + if (e.data == "open and test") { + let w = window.open("localStorage.html"); + w.addEventListener("load", _ => { + let status; + try { + localStorage.foo = "value" + Math.random(); + status = true; + } catch (e) { + status = false; + } + + parent.postMessage({type: "test", status }, "*"); + }, {once: true}); + } + }; + + window.addEventListener("storage", e => { + let fromOpener = localStorage.foo.startsWith("opener"); + + let status; + try { + localStorage.foo = "value" + Math.random(); + status = true; + } catch (e) { + status = false; + } + + parent.postMessage({type: "test", status: status && fromOpener }, "*"); + }); +} + +</script> diff --git a/toolkit/components/antitracking/test/browser/localStorageEvents.html b/toolkit/components/antitracking/test/browser/localStorageEvents.html new file mode 100644 index 0000000000..737d1e0cab --- /dev/null +++ b/toolkit/components/antitracking/test/browser/localStorageEvents.html @@ -0,0 +1,30 @@ +<script> + +let eventCounter = 0; + +onmessage = e => { + if (e.data == "getValue") { + parent.postMessage(localStorage.foo, "*"); + return; + } + + if (e.data == "setValue") { + localStorage.foo = "tracker-" + Math.random(); + return; + } + + if (e.data == "getEvents") { + parent.postMessage(eventCounter, "*"); + return; + } + + if (e.data == "reload") { + window.location.reload(); + } +}; + +addEventListener("storage", _ => { + ++eventCounter; +}); + +</script> diff --git a/toolkit/components/antitracking/test/browser/matchAll.js b/toolkit/components/antitracking/test/browser/matchAll.js new file mode 100644 index 0000000000..8f112b0804 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/matchAll.js @@ -0,0 +1,16 @@ +self.addEventListener("message", async e => { + let clients = await self.clients.matchAll({ + type: "window", + includeUncontrolled: true, + }); + + let hasWindow = false; + for (let client of clients) { + if (e.data == client.url) { + hasWindow = true; + break; + } + } + + e.source.postMessage(hasWindow); +}); diff --git a/toolkit/components/antitracking/test/browser/page.html b/toolkit/components/antitracking/test/browser/page.html new file mode 100644 index 0000000000..a99e8be179 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/page.html @@ -0,0 +1,8 @@ +<html> +<head> + <title>Just a top-level page</title> +</head> +<body> + <h1>This is the top-level page</h1> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/partitionedSharedWorker.js b/toolkit/components/antitracking/test/browser/partitionedSharedWorker.js new file mode 100644 index 0000000000..5ac4ec9f27 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/partitionedSharedWorker.js @@ -0,0 +1,17 @@ +let value = ""; +self.onconnect = e => { + e.ports[0].onmessage = event => { + if (event.data.what === "get") { + e.ports[0].postMessage(value); + return; + } + + if (event.data.what === "put") { + value = event.data.value; + return; + } + + // Error. + e.ports[0].postMessage(-1); + }; +}; diff --git a/toolkit/components/antitracking/test/browser/partitionedstorage_head.js b/toolkit/components/antitracking/test/browser/partitionedstorage_head.js new file mode 100644 index 0000000000..3cdc82e076 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/partitionedstorage_head.js @@ -0,0 +1,397 @@ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* import-globals-from head.js */ + +"use strict"; + +/* import-globals-from dynamicfpi_head.js */ +Services.scriptloader.loadSubScript( + "chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/dynamicfpi_head.js", + this +); + +/* import-globals-from storageprincipal_head.js */ +Services.scriptloader.loadSubScript( + "chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/storageprincipal_head.js", + this +); + +this.PartitionedStorageHelper = { + runTestInNormalAndPrivateMode(name, callback, cleanupFunction, extraPrefs) { + // Normal mode + this.runTest(name, callback, cleanupFunction, extraPrefs, false); + + // Private mode + this.runTest(name, callback, cleanupFunction, extraPrefs, true); + }, + + runTest( + name, + callback, + cleanupFunction, + extraPrefs, + runInPrivateWindow = false + ) { + DynamicFPIHelper.runTest( + name, + callback, + cleanupFunction, + extraPrefs, + runInPrivateWindow + ); + StoragePrincipalHelper.runTest( + name, + callback, + cleanupFunction, + extraPrefs, + runInPrivateWindow + ); + }, + + runPartitioningTestInNormalAndPrivateMode( + name, + testCategory, + getDataCallback, + addDataCallback, + cleanupFunction + ) { + // Normal mode + this.runPartitioningTest( + name, + testCategory, + getDataCallback, + addDataCallback, + cleanupFunction, + false + ); + + // Private mode + this.runPartitioningTest( + name, + testCategory, + getDataCallback, + addDataCallback, + cleanupFunction, + true + ); + }, + + runPartitioningTest( + name, + testCategory, + getDataCallback, + addDataCallback, + cleanupFunction, + runInPrivateWindow = false + ) { + for (let variant of ["normal", "initial-aboutblank"]) { + for (let limitForeignContexts of [false, true]) { + this.runPartitioningTestInner( + name, + testCategory, + getDataCallback, + addDataCallback, + cleanupFunction, + variant, + runInPrivateWindow, + limitForeignContexts + ); + } + } + }, + + runPartitioningTestInner( + name, + testCategory, + getDataCallback, + addDataCallback, + cleanupFunction, + variant, + runInPrivateWindow, + limitForeignContexts + ) { + add_task(async _ => { + info( + "Starting test `" + + name + + "' testCategory `" + + testCategory + + "' variant `" + + variant + + "' in a " + + (runInPrivateWindow ? "private" : "normal") + + " window " + + (limitForeignContexts ? "with" : "without") + + " limitForeignContexts to check that 2 tabs are correctly partititioned" + ); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ], + ["privacy.dynamic_firstparty.limitForeign", limitForeignContexts], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ["privacy.storagePrincipal.enabledForTrackers", false], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "not-tracking.example.com", + ], + ], + }); + + let win = window; + if (runInPrivateWindow) { + win = OpenBrowserWindow({ private: true }); + await TestUtils.topicObserved("browser-delayed-startup-finished"); + } + + info("Creating the first tab"); + let tab1 = BrowserTestUtils.addTab(win.gBrowser, TEST_TOP_PAGE); + win.gBrowser.selectedTab = tab1; + + let browser1 = win.gBrowser.getBrowserForTab(tab1); + await BrowserTestUtils.browserLoaded(browser1); + + info("Creating the second tab"); + let tab2 = BrowserTestUtils.addTab(win.gBrowser, TEST_TOP_PAGE_6); + win.gBrowser.selectedTab = tab2; + + let browser2 = win.gBrowser.getBrowserForTab(tab2); + await BrowserTestUtils.browserLoaded(browser2); + + info("Creating the third tab"); + let tab3 = BrowserTestUtils.addTab( + win.gBrowser, + TEST_4TH_PARTY_PARTITIONED_PAGE + ); + win.gBrowser.selectedTab = tab3; + + let browser3 = win.gBrowser.getBrowserForTab(tab3); + await BrowserTestUtils.browserLoaded(browser3); + + // Use the same URL as first tab to check partitioned data + info("Creating the forth tab"); + let tab4 = BrowserTestUtils.addTab(win.gBrowser, TEST_TOP_PAGE); + win.gBrowser.selectedTab = tab4; + + let browser4 = win.gBrowser.getBrowserForTab(tab4); + await BrowserTestUtils.browserLoaded(browser4); + + async function getDataFromThirdParty(browser, result) { + // Overwrite the special case here since third party cookies are not + // avilable when `limitForeignContexts` is enabled. + if (testCategory === "cookies" && limitForeignContexts) { + info("overwrite result to empty"); + result = ""; + } + + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_4TH_PARTY_PARTITIONED_PAGE + "?variant=" + variant, + getDataCallback: getDataCallback.toString(), + result, + }, + ], + async obj => { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = __ => { + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage({ cb: obj.getDataCallback }, "*"); + }; + + content.addEventListener( + "message", + function msg(event) { + is( + event.data, + obj.result, + "Partitioned cookie jar has value: " + obj.result + ); + resolve(); + }, + { once: true } + ); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + } + + async function getDataFromFirstParty(browser, result) { + await SpecialPowers.spawn( + browser, + [ + { + getDataCallback: getDataCallback.toString(), + result, + variant, + }, + ], + async obj => { + let runnableStr = `(() => {return (${obj.getDataCallback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + let win = content; + if (obj.variant == "initial-aboutblank") { + let i = win.document.createElement("iframe"); + i.src = "about:blank"; + win.document.body.appendChild(i); + // override win to make it point to the initial about:blank window + win = i.contentWindow; + } + + let result = await runnable.call(content, win); + is( + result, + obj.result, + "Partitioned cookie jar is empty: " + obj.result + ); + } + ); + } + + info("Checking 3rd party has an empty cookie jar in first tab"); + await getDataFromThirdParty(browser1, ""); + + info("Checking 3rd party has an empty cookie jar in second tab"); + await getDataFromThirdParty(browser2, ""); + + info("Checking first party has an empty cookie jar in third tab"); + await getDataFromFirstParty(browser3, ""); + + info("Checking 3rd party has an empty cookie jar in forth tab"); + await getDataFromThirdParty(browser4, ""); + + async function createDataInThirdParty(browser, value) { + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_4TH_PARTY_PARTITIONED_PAGE + "?variant=" + variant, + addDataCallback: addDataCallback.toString(), + value, + }, + ], + async obj => { + await new content.Promise(resolve => { + let ifr = content.document.getElementsByTagName("iframe")[0]; + content.addEventListener( + "message", + function msg(event) { + ok(event.data, "Data created"); + resolve(); + }, + { once: true } + ); + + ifr.contentWindow.postMessage( + { + cb: obj.addDataCallback, + value: obj.value, + }, + "*" + ); + }); + } + ); + } + + async function createDataInFirstParty(browser, value) { + await SpecialPowers.spawn( + browser, + [ + { + addDataCallback: addDataCallback.toString(), + value, + variant, + }, + ], + async obj => { + let runnableStr = `(() => {return (${obj.addDataCallback});})();`; + let runnable = eval(runnableStr); // eslint-disable-line no-eval + let win = content; + if (obj.variant == "initial-aboutblank") { + let i = win.document.createElement("iframe"); + i.src = "about:blank"; + win.document.body.appendChild(i); + // override win to make it point to the initial about:blank window + win = i.contentWindow; + } + + let result = await runnable.call(content, win, obj.value); + ok(result, "Data created"); + } + ); + } + + info("Creating data in the first tab"); + await createDataInThirdParty(browser1, "A"); + + info("Creating data in the second tab"); + await createDataInThirdParty(browser2, "B"); + + // Before writing browser4, check data written by browser1 + info("First tab should still have just 'A'"); + await getDataFromThirdParty(browser1, "A"); + info("Forth tab should still have just 'A'"); + await getDataFromThirdParty(browser4, "A"); + + // Ensure to create data in the forth tab before the third tab, + // otherwise cookie will be written successfully due to prior cookie + // of the base domain exists. + info("Creating data in the forth tab"); + await createDataInThirdParty(browser4, "D"); + + info("Creating data in the third tab"); + await createDataInFirstParty(browser3, "C"); + + // read all tabs + info("First tab should be changed to 'D'"); + await getDataFromThirdParty(browser1, "D"); + + info("Second tab should still have just 'B'"); + await getDataFromThirdParty(browser2, "B"); + + info("Third tab should still have just 'C'"); + await getDataFromFirstParty(browser3, "C"); + + info("Forth tab should still have just 'D'"); + await getDataFromThirdParty(browser4, "D"); + + info("Removing the tabs"); + BrowserTestUtils.removeTab(tab1); + BrowserTestUtils.removeTab(tab2); + BrowserTestUtils.removeTab(tab3); + BrowserTestUtils.removeTab(tab4); + + if (runInPrivateWindow) { + win.close(); + } + }); + + add_task(async _ => { + info("Cleaning up."); + if (cleanupFunction) { + await cleanupFunction(); + } + + // While running these tests we typically do not have enough idle time to do + // GC reliably, so force it here. + /* import-globals-from antitracking_head.js */ + forceGC(); + }); + }, +}; diff --git a/toolkit/components/antitracking/test/browser/popup.html b/toolkit/components/antitracking/test/browser/popup.html new file mode 100644 index 0000000000..f195add788 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/popup.html @@ -0,0 +1,11 @@ +<html> +<head> + <title>Just a popup that does a redirect</title> +</head> +<body> + <h1>Just a popup that does a redirect</h1> + <script> + window.location = "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html"; + </script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/browser/raptor.jpg b/toolkit/components/antitracking/test/browser/raptor.jpg Binary files differnew file mode 100644 index 0000000000..243ba9e2d4 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/raptor.jpg diff --git a/toolkit/components/antitracking/test/browser/redirect.sjs b/toolkit/components/antitracking/test/browser/redirect.sjs new file mode 100644 index 0000000000..18cf4adfc6 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/redirect.sjs @@ -0,0 +1,4 @@ +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 302); + aResponse.setHeader("Location", aRequest.queryString); +} diff --git a/toolkit/components/antitracking/test/browser/referrer.sjs b/toolkit/components/antitracking/test/browser/referrer.sjs new file mode 100644 index 0000000000..b511e232b2 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/referrer.sjs @@ -0,0 +1,40 @@ +// A 1x1 PNG image. +// Source: https://commons.wikimedia.org/wiki/File:1x1.png (Public Domain) +const IMAGE = atob("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAAA1BMVEUAA" + + "ACnej3aAAAAAXRSTlMAQObYZgAAAApJREFUCNdjYAAAAAIAAeIhvDMAAAAASUVORK5CYII="); + +const IFRAME = "<!DOCTYPE html>\n" + + "<script>\n" + + "onmessage = event => {\n" + + "parent.postMessage(document.referrer, '*');\n" + + "};\n" + + "</script>"; + +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + + let key = aRequest.queryString.includes("what=script") ? "script" : + (aRequest.queryString.includes("what=image") ? "image" : "iframe"); + + if (aRequest.queryString.includes("result")) { + aResponse.write(getState(key)); + setState(key, ""); + return; + } + + if (aRequest.hasHeader('Referer')) { + let referrer = aRequest.getHeader('Referer'); + setState(key, referrer); + } + + if (key == "script") { + aResponse.setHeader("Content-Type", "text/javascript", false); + aResponse.write("42;"); + } else if (key == "image") { + aResponse.setHeader("Content-Type", "image/png", false); + aResponse.write(IMAGE); + } else { + aResponse.setHeader("Content-Type", "text/html", false); + aResponse.write(IFRAME); + } +} diff --git a/toolkit/components/antitracking/test/browser/sandboxed.html b/toolkit/components/antitracking/test/browser/sandboxed.html new file mode 100644 index 0000000000..a359ae0aa3 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/sandboxed.html @@ -0,0 +1,12 @@ +<!DOCTYPE HTML> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> +<html dir="ltr" xml:lang="en-US" lang="en-US"> + <head> + <meta charset="utf8"> + </head> + <body> + <p>Hello, World!</p> + </body> +</html> diff --git a/toolkit/components/antitracking/test/browser/sandboxed.html^headers^ b/toolkit/components/antitracking/test/browser/sandboxed.html^headers^ new file mode 100644 index 0000000000..4705ce9ded --- /dev/null +++ b/toolkit/components/antitracking/test/browser/sandboxed.html^headers^ @@ -0,0 +1 @@ +Content-Security-Policy: sandbox allow-scripts; diff --git a/toolkit/components/antitracking/test/browser/server.sjs b/toolkit/components/antitracking/test/browser/server.sjs new file mode 100644 index 0000000000..6368c47640 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/server.sjs @@ -0,0 +1,20 @@ +function handleRequest(aRequest, aResponse) { + if (aRequest.queryString.includes("redirect")) { + aResponse.setStatusLine(aRequest.httpVersion, 302); + if (aRequest.queryString.includes("redirect-checkonly")) { + aResponse.setHeader("Location", "server.sjs?checkonly"); + } else { + aResponse.setHeader("Location", "server.sjs"); + } + return; + } + aResponse.setStatusLine(aRequest.httpVersion, 200); + if (aRequest.hasHeader('Cookie')) { + aResponse.write("cookie-present"); + } else { + if (!aRequest.queryString.includes("checkonly")) { + aResponse.setHeader("Set-Cookie", "foopy=1"); + } + aResponse.write("cookie-not-present"); + } +} diff --git a/toolkit/components/antitracking/test/browser/sharedWorker.js b/toolkit/components/antitracking/test/browser/sharedWorker.js new file mode 100644 index 0000000000..01188ed10a --- /dev/null +++ b/toolkit/components/antitracking/test/browser/sharedWorker.js @@ -0,0 +1,18 @@ +let ports = 0; +self.onconnect = e => { + ++ports; + e.ports[0].onmessage = event => { + if (event.data === "count") { + e.ports[0].postMessage(ports); + return; + } + + if (event.data === "close") { + self.close(); + return; + } + + // Error. + e.ports[0].postMessage(-1); + }; +}; diff --git a/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js b/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js new file mode 100644 index 0000000000..2837cf68a2 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js @@ -0,0 +1,197 @@ +/* global allowListed */ + +async function hasStorageAccessInitially() { + let hasAccess = await document.hasStorageAccess(); + ok(hasAccess, "Has storage access"); +} + +async function noStorageAccessInitially() { + let hasAccess = await document.hasStorageAccess(); + ok(!hasAccess, "Doesn't yet have storage access"); +} + +async function callRequestStorageAccess(callback, expectFail) { + let dwu = SpecialPowers.getDOMWindowUtils(window); + let helper = dwu.setHandlingUserInput(true); + + let origin = new URL(location.href).origin; + + let success = true; + // We only grant storage exceptions when the reject tracker behavior is enabled. + let rejectTrackers = + [ + SpecialPowers.Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + SpecialPowers.Ci.nsICookieService + .BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ].includes( + SpecialPowers.Services.prefs.getIntPref("network.cookie.cookieBehavior") + ) && !isOnContentBlockingAllowList(); + const TEST_ANOTHER_3RD_PARTY_ORIGIN = SpecialPowers.useRemoteSubframes + ? "http://another-tracking.example.net" + : "https://another-tracking.example.net"; + // With another-tracking.example.net, we're same-eTLD+1, so the first try succeeds. + if (origin != TEST_ANOTHER_3RD_PARTY_ORIGIN) { + if (rejectTrackers) { + let p; + let threw = false; + try { + p = document.requestStorageAccess(); + } catch (e) { + threw = true; + } finally { + helper.destruct(); + } + ok(!threw, "requestStorageAccess should not throw"); + try { + if (callback) { + if (expectFail) { + await p.catch(_ => callback(dwu)); + success = false; + } else { + await p.then(_ => callback(dwu)); + } + } else { + await p; + } + } catch (e) { + success = false; + } + ok(!success, "Should not have worked without user interaction"); + + await noStorageAccessInitially(); + + await interactWithTracker(); + + helper = dwu.setHandlingUserInput(true); + } + if ( + SpecialPowers.Services.prefs.getIntPref( + "network.cookie.cookieBehavior" + ) == SpecialPowers.Ci.nsICookieService.BEHAVIOR_ACCEPT && + !isOnContentBlockingAllowList() + ) { + try { + if (callback) { + if (expectFail) { + await document.requestStorageAccess().catch(_ => callback(dwu)); + success = false; + } else { + await document.requestStorageAccess().then(_ => callback(dwu)); + } + } else { + await document.requestStorageAccess(); + } + } catch (e) { + success = false; + } finally { + helper.destruct(); + } + ok(success, "Should not have thrown"); + + await hasStorageAccessInitially(); + + await interactWithTracker(); + + helper = dwu.setHandlingUserInput(true); + } + } + + let p; + let threw = false; + try { + p = document.requestStorageAccess(); + } catch (e) { + threw = true; + } finally { + helper.destruct(); + } + let rejected = false; + try { + if (callback) { + if (expectFail) { + await p.catch(_ => callback(dwu)); + rejected = true; + } else { + await p.then(_ => callback(dwu)); + } + } else { + await p; + } + } catch (e) { + rejected = true; + } + + success = !threw && !rejected; + let hasAccess = await document.hasStorageAccess(); + is( + hasAccess, + success, + "Should " + (success ? "" : "not ") + "have storage access now" + ); + if ( + success && + rejectTrackers && + window.location.search != "?disableWaitUntilPermission" && + origin != TEST_ANOTHER_3RD_PARTY_ORIGIN + ) { + // Wait until the permission is visible in parent process to avoid race + // conditions. We don't need to wait the permission to be visible in content + // processes since the content process doesn't rely on the permission to + // know the storage access is updated. + await waitUntilPermission( + "http://example.net/browser/toolkit/components/antitracking/test/browser/page.html", + "3rdPartyStorage^" + window.origin + ); + } + + return [threw, rejected]; +} + +async function waitUntilPermission(url, name) { + let originAttributes = SpecialPowers.isContentWindowPrivate(window) + ? { privateBrowsingId: 1 } + : {}; + await new Promise(resolve => { + let id = setInterval(async _ => { + if ( + await SpecialPowers.testPermission( + name, + SpecialPowers.Services.perms.ALLOW_ACTION, + { + url, + originAttributes, + } + ) + ) { + clearInterval(id); + resolve(); + } + }, 0); + }); +} + +async function interactWithTracker() { + await new Promise(resolve => { + let orionmessage = onmessage; + onmessage = _ => { + onmessage = orionmessage; + resolve(); + }; + + info("Let's interact with the tracker"); + window.open( + "/browser/toolkit/components/antitracking/test/browser/3rdPartyOpenUI.html?messageme" + ); + }); + + // Wait until the user interaction permission becomes visible in our process + await waitUntilPermission(window.origin, "storageAccessAPI"); +} + +function isOnContentBlockingAllowList() { + // We directly check the window.allowListed here instead of checking the + // permission. The allow list permission might not be available since it is + // not in the preload list. + + return window.allowListed; +} diff --git a/toolkit/components/antitracking/test/browser/storageprincipal_head.js b/toolkit/components/antitracking/test/browser/storageprincipal_head.js new file mode 100644 index 0000000000..f32bde6b4f --- /dev/null +++ b/toolkit/components/antitracking/test/browser/storageprincipal_head.js @@ -0,0 +1,153 @@ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* import-globals-from head.js */ + +"use strict"; + +this.StoragePrincipalHelper = { + runTest(name, callback, cleanupFunction, extraPrefs, runInPrivateWindow) { + add_task(async _ => { + info( + "Starting test `" + + name + + "' with storage principal running in a " + + (runInPrivateWindow ? "private" : "normal") + + " window..." + ); + + await SpecialPowers.flushPrefEnv(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.storage_access.enabled", true], + [ + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + ], + ["privacy.trackingprotection.enabled", false], + ["privacy.trackingprotection.pbmode.enabled", false], + ["privacy.trackingprotection.annotate_channels", true], + ["privacy.storagePrincipal.enabledForTrackers", true], + ["privacy.dynamic_firstparty.use_site", true], + [ + "privacy.restrict3rdpartystorage.userInteractionRequiredForHosts", + "tracking.example.org", + ], + ], + }); + + if (extraPrefs && Array.isArray(extraPrefs) && extraPrefs.length) { + await SpecialPowers.pushPrefEnv({ set: extraPrefs }); + } + + await UrlClassifierTestUtils.addTestTrackers(); + + let win = window; + if (runInPrivateWindow) { + win = OpenBrowserWindow({ private: true }); + await TestUtils.topicObserved("browser-delayed-startup-finished"); + } + + info("Creating a new tab"); + let tab = BrowserTestUtils.addTab(win.gBrowser, TEST_TOP_PAGE); + win.gBrowser.selectedTab = tab; + + let browser = win.gBrowser.getBrowserForTab(tab); + await BrowserTestUtils.browserLoaded(browser); + + info("Check the cookieJarSettings of the browser object"); + ok( + browser.cookieJarSettings, + "The browser object has the cookieJarSettings." + ); + is( + browser.cookieJarSettings.cookieBehavior, + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + "The cookieJarSettings has the correct cookieBehavior" + ); + is( + browser.cookieJarSettings.partitionKey, + "(http,example.net)", + "The cookieJarSettings has the correct partitionKey" + ); + + info("Creating a 3rd party content"); + await SpecialPowers.spawn( + browser, + [ + { + page: TEST_3RD_PARTY_STORAGE_PAGE, + callback: callback.toString(), + }, + ], + async obj => { + await new content.Promise(resolve => { + let ifr = content.document.createElement("iframe"); + ifr.onload = async _ => { + await SpecialPowers.spawn(ifr, [], async _ => { + is( + content.document.nodePrincipal.originAttributes.partitionKey, + "", + "We don't have first-party set on nodePrincipal" + ); + is( + content.document.effectiveStoragePrincipal.originAttributes + .partitionKey, + "(http,example.net)", + "We have first-party set on storagePrincipal" + ); + }); + info("Sending code to the 3rd party content"); + ifr.contentWindow.postMessage(obj.callback, "*"); + }; + + content.addEventListener("message", function msg(event) { + if (event.data.type == "finish") { + content.removeEventListener("message", msg); + resolve(); + return; + } + + if (event.data.type == "ok") { + ok(event.data.what, event.data.msg); + return; + } + + if (event.data.type == "info") { + info(event.data.msg); + return; + } + + ok(false, "Unknown message"); + }); + + content.document.body.appendChild(ifr); + ifr.src = obj.page; + }); + } + ); + + info("Removing the tab"); + BrowserTestUtils.removeTab(tab); + + if (runInPrivateWindow) { + win.close(); + } + }); + + add_task(async _ => { + info("Cleaning up."); + if (cleanupFunction) { + await cleanupFunction(); + } + UrlClassifierTestUtils.cleanupTestTrackers(); + + // While running these tests we typically do not have enough idle time to do + // GC reliably, so force it here. + /* import-globals-from antitracking_head.js */ + forceGC(); + }); + }, +}; diff --git a/toolkit/components/antitracking/test/browser/subResources.sjs b/toolkit/components/antitracking/test/browser/subResources.sjs new file mode 100644 index 0000000000..de50d2ae26 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/subResources.sjs @@ -0,0 +1,31 @@ +// A 1x1 PNG image. +// Source: https://commons.wikimedia.org/wiki/File:1x1.png (Public Domain) +const IMAGE = atob("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAAA1BMVEUAA" + + "ACnej3aAAAAAXRSTlMAQObYZgAAAApJREFUCNdjYAAAAAIAAeIhvDMAAAAASUVORK5CYII="); + +function handleRequest(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200); + + let key = aRequest.queryString.includes("what=script") ? "script" : "image"; + + if (aRequest.queryString.includes("result")) { + aResponse.write(getState(key) || 0); + setState(key, "0"); + return; + } + + if (aRequest.hasHeader('Cookie')) { + let hints = parseInt(getState(key) || 0) + 1; + setState(key, hints.toString()); + } + + aResponse.setHeader("Set-Cookie", "foopy=1"); + + if (key == "script") { + aResponse.setHeader("Content-Type", "text/javascript", false); + aResponse.write("42;"); + } else { + aResponse.setHeader("Content-Type", "image/png", false); + aResponse.write(IMAGE); + } +} diff --git a/toolkit/components/antitracking/test/browser/tracker.js b/toolkit/components/antitracking/test/browser/tracker.js new file mode 100644 index 0000000000..85e943f7c4 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/tracker.js @@ -0,0 +1,7 @@ +window.addEventListener("message", e => { + let bc = new BroadcastChannel("a"); + bc.postMessage("ready!"); +}); +window.open( + "https://tracking.example.org/browser/toolkit/components/antitracking/test/browser/3rdPartyOpen.html" +); diff --git a/toolkit/components/antitracking/test/browser/workerIframe.html b/toolkit/components/antitracking/test/browser/workerIframe.html new file mode 100644 index 0000000000..37aa5d7c0d --- /dev/null +++ b/toolkit/components/antitracking/test/browser/workerIframe.html @@ -0,0 +1,71 @@ +<html> +<head> + <title>3rd party content!</title> + <script type="text/javascript" src="https://example.com/browser/toolkit/components/antitracking/test/browser/storageAccessAPIHelpers.js"></script> +</head> +<body> +<h1>Here the 3rd party content!</h1> +<script> + +function info(msg) { + parent.postMessage({ type: "info", msg }, "*"); +} + +function ok(what, msg) { + parent.postMessage({ type: "ok", what: !!what, msg }, "*"); +} + +function is(a, b, msg) { + ok(a === b, msg); +} + +async function runTest() { + function workerCode() { + onmessage = e => { + try { + indexedDB.open("test", "1"); + postMessage(true); + } catch (e) { + postMessage(false); + } + }; + } + + /* import-globals-from storageAccessAPIHelpers.js */ + await noStorageAccessInitially(); + info("Initialized"); + + let blob = new Blob([workerCode.toString() + "; workerCode();"]); + let blobURL = URL.createObjectURL(blob); + info("Blob created"); + + let w = new Worker(blobURL); + info("Worker created"); + + await new Promise(resolve => { + w.addEventListener("message", e => { + ok(!e.data, "IDB is disabled"); + resolve(); + }, { once: true }); + w.postMessage("go"); + }); + + /* import-globals-from storageAccessAPIHelpers.js */ + await callRequestStorageAccess(); + + await new Promise(resolve => { + w.addEventListener("message", e => { + ok(e.data, "IDB is enabled"); + resolve(); + }, { once: true }); + w.postMessage("go"); + }); + + parent.postMessage({ type: "finish" }, "*"); +} + +runTest(); + +</script> +</body> +</html> diff --git a/toolkit/components/antitracking/test/xpcshell/data/font.woff b/toolkit/components/antitracking/test/xpcshell/data/font.woff Binary files differnew file mode 100644 index 0000000000..acda4f3d9f --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/data/font.woff diff --git a/toolkit/components/antitracking/test/xpcshell/head.js b/toolkit/components/antitracking/test/xpcshell/head.js new file mode 100644 index 0000000000..77c86f4466 --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/head.js @@ -0,0 +1,11 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +/* import-globals-from ../../../../components/url-classifier/tests/unit/head_urlclassifier.js */ + +const { XPCOMUtils } = ChromeUtils.import( + "resource://gre/modules/XPCOMUtils.jsm" +); +const { TestUtils } = ChromeUtils.import( + "resource://testing-common/TestUtils.jsm" +); diff --git a/toolkit/components/antitracking/test/xpcshell/test_ExceptionListService.js b/toolkit/components/antitracking/test/xpcshell/test_ExceptionListService.js new file mode 100644 index 0000000000..d9601a3f0a --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_ExceptionListService.js @@ -0,0 +1,109 @@ +// This test ensures that the URL decoration annotations service works as +// expected, and also we successfully downgrade document.referrer to the +// eTLD+1 URL when tracking identifiers controlled by this service are +// present in the referrer URI. + +"use strict"; + +/* Unit tests for the nsIPartitioningExceptionListService implementation. */ + +const { RemoteSettings } = ChromeUtils.import( + "resource://services-settings/remote-settings.js" +); + +const COLLECTION_NAME = "partitioning-exempt-urls"; +const PREF_NAME = "privacy.restrict3rdpartystorage.skip_list"; + +XPCOMUtils.defineLazyGlobalGetters(this, ["EventTarget"]); + +do_get_profile(); + +class UpdateEvent extends EventTarget {} +function waitForEvent(element, eventName) { + return new Promise(function(resolve) { + element.addEventListener(eventName, e => resolve(e.detail), { once: true }); + }); +} + +add_task(async _ => { + let peuService = Cc[ + "@mozilla.org/partitioning/exception-list-service;1" + ].getService(Ci.nsIPartitioningExceptionListService); + + // Make sure we have a pref initially, since the exception list service + // requires it. + Services.prefs.setStringPref(PREF_NAME, ""); + + let updateEvent = new UpdateEvent(); + let records = [ + { + id: "1", + last_modified: 100000000000000000001, + firstPartyOrigin: "https://example.org", + thirdPartyOrigin: "https://tracking.example.com", + }, + ]; + + // Add some initial data + let db = await RemoteSettings(COLLECTION_NAME).db; + await db.importChanges({}, 42, records); + + let promise = waitForEvent(updateEvent, "update"); + let obs = data => { + let event = new CustomEvent("update", { detail: data }); + updateEvent.dispatchEvent(event); + }; + peuService.registerAndRunExceptionListObserver(obs); + let list = await promise; + Assert.equal(list, "", "No items in the list"); + + // Second event is from the RemoteSettings record. + list = await waitForEvent(updateEvent, "update"); + Assert.equal( + list, + "https://example.org,https://tracking.example.com", + "Has one item in the list" + ); + + records.push({ + id: "2", + last_modified: 100000000000000000002, + firstPartyOrigin: "https://foo.org", + thirdPartyOrigin: "https://bar.com", + }); + + promise = waitForEvent(updateEvent, "update"); + await RemoteSettings(COLLECTION_NAME).emit("sync", { + data: { current: records }, + }); + list = await promise; + Assert.equal( + list, + "https://example.org,https://tracking.example.com;https://foo.org,https://bar.com", + "Has several items in the list" + ); + + promise = waitForEvent(updateEvent, "update"); + Services.prefs.setStringPref(PREF_NAME, "https://test.com,https://test3.com"); + list = await promise; + Assert.equal( + list, + "https://test.com,https://test3.com;https://example.org,https://tracking.example.com;https://foo.org,https://bar.com", + "Has several items in the list" + ); + + promise = waitForEvent(updateEvent, "update"); + Services.prefs.setStringPref( + PREF_NAME, + "https://test.com,https://test3.com;https://abc.com,https://def.com" + ); + list = await promise; + Assert.equal( + list, + "https://test.com,https://test3.com;https://abc.com,https://def.com;https://example.org,https://tracking.example.com;https://foo.org,https://bar.com", + "Has several items in the list" + ); + + peuService.unregisterExceptionListObserver(obs); + await db.clear(); +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_cookie_behavior.js b/toolkit/components/antitracking/test/xpcshell/test_cookie_behavior.js new file mode 100644 index 0000000000..76dcc8375d --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_cookie_behavior.js @@ -0,0 +1,40 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Note: This test may cause intermittents if run at exactly midnight. + +"use strict"; + +const PREF_FPI = "privacy.firstparty.isolate"; +const PREF_COOKIE_BEHAVIOR = "network.cookie.cookieBehavior"; + +registerCleanupFunction(() => { + Services.prefs.clearUserPref(PREF_FPI); + Services.prefs.clearUserPref(PREF_COOKIE_BEHAVIOR); +}); + +add_task(function test_FPI_off() { + Services.prefs.setBoolPref(PREF_FPI, false); + + for (let i = 0; i <= Ci.nsICookieService.BEHAVIOR_LAST; ++i) { + Services.prefs.setIntPref(PREF_COOKIE_BEHAVIOR, i); + equal(Services.prefs.getIntPref(PREF_COOKIE_BEHAVIOR), i); + equal(Services.cookies.cookieBehavior, i); + } +}); + +add_task(function test_FPI_on() { + Services.prefs.setBoolPref(PREF_FPI, true); + + for (let i = 0; i <= Ci.nsICookieService.BEHAVIOR_LAST; ++i) { + Services.prefs.setIntPref(PREF_COOKIE_BEHAVIOR, i); + equal(Services.prefs.getIntPref(PREF_COOKIE_BEHAVIOR), i); + equal( + Services.cookies.cookieBehavior, + i == Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN + ? Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER + : i + ); + } +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_purge_trackers.js b/toolkit/components/antitracking/test/xpcshell/test_purge_trackers.js new file mode 100644 index 0000000000..9db1683111 --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_purge_trackers.js @@ -0,0 +1,519 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +const TRACKING_PAGE = "https://tracking.example.org"; +const TRACKING_PAGE2 = + "https://tracking.example.org^partitionKey=(https,example.com)"; +const BENIGN_PAGE = "https://example.com"; +const FOREIGN_PAGE = "https://example.net"; +const FOREIGN_PAGE2 = "https://example.net^partitionKey=(https,example.com)"; +const FOREIGN_PAGE3 = "https://example.net^partitionKey=(https,example.org)"; + +const { UrlClassifierTestUtils } = ChromeUtils.import( + "resource://testing-common/UrlClassifierTestUtils.jsm" +); +const { SiteDataTestUtils } = ChromeUtils.import( + "resource://testing-common/SiteDataTestUtils.jsm" +); +const { PermissionTestUtils } = ChromeUtils.import( + "resource://testing-common/PermissionTestUtils.jsm" +); +const { setTimeout } = ChromeUtils.import("resource://gre/modules/Timer.jsm"); + +XPCOMUtils.defineLazyServiceGetter( + this, + "PurgeTrackerService", + "@mozilla.org/purge-tracker-service;1", + "nsIPurgeTrackerService" +); + +async function setupTest(aCookieBehavior) { + Services.prefs.setIntPref("network.cookie.cookieBehavior", aCookieBehavior); + Services.prefs.setBoolPref("privacy.purge_trackers.enabled", true); + Services.prefs.setCharPref("privacy.purge_trackers.logging.level", "Debug"); + Services.prefs.setStringPref( + "urlclassifier.trackingAnnotationTable.testEntries", + "tracking.example.org" + ); + + // Enables us to test localStorage in xpcshell. + Services.prefs.setBoolPref("dom.storage.client_validation", false); +} + +/** + * Test that purging doesn't happen when it shouldn't happen. + */ +add_task(async function testNotPurging() { + await UrlClassifierTestUtils.addTestTrackers(); + setupTest(Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN); + SiteDataTestUtils.addToCookies(TRACKING_PAGE); + + Services.prefs.setIntPref( + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_ACCEPT + ); + await PurgeTrackerService.purgeTrackingCookieJars(); + ok(SiteDataTestUtils.hasCookies(TRACKING_PAGE), "cookie remains."); + Services.prefs.setIntPref( + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN + ); + + Services.prefs.setBoolPref("privacy.purge_trackers.enabled", false); + await PurgeTrackerService.purgeTrackingCookieJars(); + ok(SiteDataTestUtils.hasCookies(TRACKING_PAGE), "cookie remains."); + Services.prefs.setBoolPref("privacy.purge_trackers.enabled", true); + + Services.prefs.setBoolPref("privacy.sanitize.sanitizeOnShutdown", true); + Services.prefs.setBoolPref("privacy.clearOnShutdown.history", true); + await PurgeTrackerService.purgeTrackingCookieJars(); + ok(SiteDataTestUtils.hasCookies(TRACKING_PAGE), "cookie remains."); + Services.prefs.clearUserPref("privacy.sanitize.sanitizeOnShutdown"); + Services.prefs.clearUserPref("privacy.clearOnShutdown.history"); + + await PurgeTrackerService.purgeTrackingCookieJars(); + ok(!SiteDataTestUtils.hasCookies(TRACKING_PAGE), "cookie cleared."); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +/** + * Test that cookies indexedDB and localStorage are purged if the cookie is found + * on the tracking list and does not have an Interaction Permission. + */ +async function testIndexedDBAndLocalStorage() { + await UrlClassifierTestUtils.addTestTrackers(); + + PermissionTestUtils.add( + TRACKING_PAGE, + "storageAccessAPI", + Services.perms.ALLOW_ACTION + ); + + SiteDataTestUtils.addToCookies(BENIGN_PAGE); + for (let url of [ + TRACKING_PAGE, + TRACKING_PAGE2, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + SiteDataTestUtils.addToLocalStorage(url); + SiteDataTestUtils.addToCookies(url); + await SiteDataTestUtils.addToIndexedDB(url); + } + + // Purge while storage access permission exists. + await PurgeTrackerService.purgeTrackingCookieJars(); + + for (let url of [TRACKING_PAGE, TRACKING_PAGE2]) { + ok( + SiteDataTestUtils.hasCookies(url), + "cookie remains while storage access permission exists." + ); + ok( + SiteDataTestUtils.hasLocalStorage(url), + "localStorage should not have been removed while storage access permission exists." + ); + Assert.greater( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + `We have data for ${url}` + ); + } + + // Run purge after storage access permission has been removed. + PermissionTestUtils.remove(TRACKING_PAGE, "storageAccessAPI"); + await PurgeTrackerService.purgeTrackingCookieJars(); + + ok( + SiteDataTestUtils.hasCookies(BENIGN_PAGE), + "A non-tracking page should retain cookies after purging" + ); + + for (let url of [FOREIGN_PAGE, FOREIGN_PAGE2, FOREIGN_PAGE3]) { + ok( + SiteDataTestUtils.hasCookies(url), + `A non-tracking foreign page should retain cookies after purging` + ); + ok( + SiteDataTestUtils.hasLocalStorage(url), + `localStorage for ${url} should not have been removed.` + ); + Assert.greater( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + `We have data for ${url}` + ); + } + + // Cookie should have been removed. + + for (let url of [TRACKING_PAGE, TRACKING_PAGE2]) { + ok( + !SiteDataTestUtils.hasCookies(url), + "cookie is removed after purge with no storage access permission." + ); + ok( + !SiteDataTestUtils.hasLocalStorage(url), + "localStorage should have been removed" + ); + Assert.equal( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + "quota storage was deleted" + ); + } + + UrlClassifierTestUtils.cleanupTestTrackers(); +} + +/** + * Test that trackers are treated based on their base domain, not origin. + */ +async function testBaseDomain() { + await UrlClassifierTestUtils.addTestTrackers(); + + let associatedOrigins = [ + "https://itisatracker.org", + "https://sub.itisatracker.org", + "https://www.itisatracker.org", + "https://sub.sub.sub.itisatracker.org", + "http://itisatracker.org", + "http://sub.itisatracker.org", + ]; + + for (let permissionOrigin of associatedOrigins) { + // Only one of the associated origins gets permission, but + // all should be exempt from purging. + PermissionTestUtils.add( + permissionOrigin, + "storageAccessAPI", + Services.perms.ALLOW_ACTION + ); + + for (let origin of associatedOrigins) { + SiteDataTestUtils.addToCookies(origin); + } + + // Add another tracker to verify we're actually purging. + SiteDataTestUtils.addToCookies(TRACKING_PAGE); + + await PurgeTrackerService.purgeTrackingCookieJars(); + + for (let origin of associatedOrigins) { + ok( + SiteDataTestUtils.hasCookies(origin), + `${origin} should have retained its cookies when permission is set for ${permissionOrigin}.` + ); + } + + ok( + !SiteDataTestUtils.hasCookies(TRACKING_PAGE), + "cookie is removed after purge with no storage access permission." + ); + + PermissionTestUtils.remove(permissionOrigin, "storageAccessAPI"); + await SiteDataTestUtils.clear(); + } + + UrlClassifierTestUtils.cleanupTestTrackers(); +} + +/** + * Test that trackers are not cleared if they are associated + * with an entry on the entity list that has user interaction. + */ +async function testUserInteraction(ownerPage) { + Services.prefs.setBoolPref( + "privacy.purge_trackers.consider_entity_list", + true + ); + // The test URL for the entity list for annotation is + // itisatrap.org/?resource=example.org, so we need to + // add example.org as a tracker. + Services.prefs.setCharPref( + "urlclassifier.trackingAnnotationTable.testEntries", + "example.org" + ); + await UrlClassifierTestUtils.addTestTrackers(); + + // example.org and itisatrap.org are hard coded test values on the entity list. + const RESOURCE_PAGE = "https://example.org"; + + PermissionTestUtils.add( + ownerPage, + "storageAccessAPI", + Services.perms.ALLOW_ACTION + ); + + SiteDataTestUtils.addToCookies(RESOURCE_PAGE); + + // Add another tracker to verify we're actually purging. + SiteDataTestUtils.addToCookies("https://another-tracking.example.net"); + + await PurgeTrackerService.purgeTrackingCookieJars(); + + ok( + SiteDataTestUtils.hasCookies(RESOURCE_PAGE), + `${RESOURCE_PAGE} should have retained its cookies when permission is set for ${ownerPage}.` + ); + + ok( + !SiteDataTestUtils.hasCookies("https://another-tracking.example.net"), + "cookie is removed after purge with no storage access permission." + ); + + Services.prefs.setBoolPref( + "privacy.purge_trackers.consider_entity_list", + false + ); + + await PurgeTrackerService.purgeTrackingCookieJars(); + + ok( + !SiteDataTestUtils.hasCookies(RESOURCE_PAGE), + `${RESOURCE_PAGE} should not have retained its cookies when permission is set for ${ownerPage} and the entity list pref is off.` + ); + + PermissionTestUtils.remove(ownerPage, "storageAccessAPI"); + await SiteDataTestUtils.clear(); + + Services.prefs.clearUserPref("privacy.purge_trackers.consider_entity_list"); + UrlClassifierTestUtils.cleanupTestTrackers(); +} + +/** + * Test that quota storage (even without cookies) is considered when purging trackers. + */ +async function testQuotaStorage() { + await UrlClassifierTestUtils.addTestTrackers(); + + let testCases = [ + { localStorage: true, indexedDB: true }, + { localStorage: false, indexedDB: true }, + { localStorage: true, indexedDB: false }, + ]; + + for (let { localStorage, indexedDB } of testCases) { + PermissionTestUtils.add( + TRACKING_PAGE, + "storageAccessAPI", + Services.perms.ALLOW_ACTION + ); + + if (localStorage) { + for (let url of [ + TRACKING_PAGE, + TRACKING_PAGE2, + BENIGN_PAGE, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + SiteDataTestUtils.addToLocalStorage(url); + } + } + + if (indexedDB) { + for (let url of [ + TRACKING_PAGE, + TRACKING_PAGE2, + BENIGN_PAGE, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + await SiteDataTestUtils.addToIndexedDB(url); + } + } + + // Purge while storage access permission exists. + await PurgeTrackerService.purgeTrackingCookieJars(); + + if (localStorage) { + ok( + SiteDataTestUtils.hasLocalStorage(TRACKING_PAGE), + "localStorage should not have been removed while storage access permission exists." + ); + } + + if (indexedDB) { + for (let url of [ + TRACKING_PAGE, + TRACKING_PAGE2, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + Assert.greater( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + `We have data for ${url}` + ); + } + } + + // Run purge after storage access permission has been removed. + PermissionTestUtils.remove(TRACKING_PAGE, "storageAccessAPI"); + await PurgeTrackerService.purgeTrackingCookieJars(); + + if (localStorage) { + for (let url of [ + BENIGN_PAGE, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + ok( + SiteDataTestUtils.hasLocalStorage(url), + "localStorage should not have been removed for non-tracking page." + ); + } + for (let url of [TRACKING_PAGE, TRACKING_PAGE2]) { + ok( + !SiteDataTestUtils.hasLocalStorage(url), + "localStorage should have been removed." + ); + } + } + + if (indexedDB) { + for (let url of [ + BENIGN_PAGE, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + Assert.greater( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + "quota storage for non-tracking page was not deleted" + ); + } + + for (let url of [TRACKING_PAGE, TRACKING_PAGE2]) { + Assert.equal( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + "quota storage was deleted" + ); + } + } + + await SiteDataTestUtils.clear(); + } + + UrlClassifierTestUtils.cleanupTestTrackers(); +} + +/** + * Test that we correctly delete cookies and storage for sites + * with an expired interaction permission. + */ +async function testExpiredInteractionPermission() { + await UrlClassifierTestUtils.addTestTrackers(); + + PermissionTestUtils.add( + TRACKING_PAGE, + "storageAccessAPI", + Services.perms.ALLOW_ACTION, + Services.perms.EXPIRE_TIME, + Date.now() + 500 + ); + + for (let url of [ + TRACKING_PAGE, + TRACKING_PAGE2, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + SiteDataTestUtils.addToLocalStorage(url); + SiteDataTestUtils.addToCookies(url); + await SiteDataTestUtils.addToIndexedDB(url); + } + + // Purge while storage access permission exists. + await PurgeTrackerService.purgeTrackingCookieJars(); + + for (let url of [ + TRACKING_PAGE, + TRACKING_PAGE2, + FOREIGN_PAGE, + FOREIGN_PAGE2, + FOREIGN_PAGE3, + ]) { + ok( + SiteDataTestUtils.hasCookies(url), + "cookie remains while storage access permission exists." + ); + ok( + SiteDataTestUtils.hasLocalStorage(url), + "localStorage should not have been removed while storage access permission exists." + ); + Assert.greater( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + `We have data for ${url}` + ); + } + + // Run purge after storage access permission has been removed. + // eslint-disable-next-line mozilla/no-arbitrary-setTimeout + await new Promise(c => setTimeout(c, 500)); + await PurgeTrackerService.purgeTrackingCookieJars(); + + // Cookie should have been removed. + for (let url of [TRACKING_PAGE, TRACKING_PAGE2]) { + ok( + !SiteDataTestUtils.hasCookies(url), + "cookie is removed after purge with no storage access permission." + ); + ok( + !SiteDataTestUtils.hasLocalStorage(url), + "localStorage should not have been removed while storage access permission exists." + ); + Assert.equal( + await SiteDataTestUtils.getQuotaUsage(url), + 0, + "quota storage was deleted" + ); + } + + // Cookie should not have been removed. + for (let url of [FOREIGN_PAGE, FOREIGN_PAGE2, FOREIGN_PAGE3]) { + ok( + SiteDataTestUtils.hasCookies(url), + "cookie remains while storage access permission exists." + ); + ok( + SiteDataTestUtils.hasLocalStorage(url), + "localStorage should not have been removed while storage access permission exists." + ); + } + + UrlClassifierTestUtils.cleanupTestTrackers(); +} + +add_task(async function() { + const cookieBehaviors = [ + Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, + Ci.nsICookieService.BEHAVIOR_LIMIT_FOREIGN, + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, + ]; + + for (let cookieBehavior of cookieBehaviors) { + await setupTest(cookieBehavior); + await testIndexedDBAndLocalStorage(); + await testBaseDomain(); + // example.org and itisatrap.org are hard coded test values on the entity list. + await testUserInteraction("https://itisatrap.org"); + await testUserInteraction( + "https://itisatrap.org^firstPartyDomain=example.net" + ); + await testQuotaStorage(); + await testExpiredInteractionPermission(); + } +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_purge_trackers_telemetry.js b/toolkit/components/antitracking/test/xpcshell/test_purge_trackers_telemetry.js new file mode 100644 index 0000000000..145c311e33 --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_purge_trackers_telemetry.js @@ -0,0 +1,175 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +const TRACKING_PAGE = "https://tracking.example.org"; +const BENIGN_PAGE = "https://example.com"; + +const { UrlClassifierTestUtils } = ChromeUtils.import( + "resource://testing-common/UrlClassifierTestUtils.jsm" +); +const { SiteDataTestUtils } = ChromeUtils.import( + "resource://testing-common/SiteDataTestUtils.jsm" +); +const { PermissionTestUtils } = ChromeUtils.import( + "resource://testing-common/PermissionTestUtils.jsm" +); +const { TelemetryTestUtils } = ChromeUtils.import( + "resource://testing-common/TelemetryTestUtils.jsm" +); + +XPCOMUtils.defineLazyServiceGetter( + this, + "PurgeTrackerService", + "@mozilla.org/purge-tracker-service;1", + "nsIPurgeTrackerService" +); + +add_task(async function setup() { + Services.prefs.setIntPref( + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER + ); + Services.prefs.setBoolPref("privacy.purge_trackers.enabled", true); + Services.prefs.setStringPref( + "urlclassifier.trackingAnnotationTable.testEntries", + "tracking.example.org" + ); + Services.prefs.setBoolPref( + "toolkit.telemetry.testing.overrideProductsCheck", + true + ); + + // Enables us to test localStorage in xpcshell. + Services.prefs.setBoolPref("dom.storage.client_validation", false); +}); + +/** + * Test telemetry for cookie purging. + */ +add_task(async function() { + await UrlClassifierTestUtils.addTestTrackers(); + + let FIVE_DAYS = 5 * 24 * 60 * 60 * 1000; + + PermissionTestUtils.add( + TRACKING_PAGE, + "storageAccessAPI", + Services.perms.ALLOW_ACTION, + Services.perms.EXPIRE_TIME, + Date.now() + FIVE_DAYS + ); + + SiteDataTestUtils.addToLocalStorage(TRACKING_PAGE); + SiteDataTestUtils.addToCookies(BENIGN_PAGE); + SiteDataTestUtils.addToCookies(TRACKING_PAGE); + await SiteDataTestUtils.addToIndexedDB(TRACKING_PAGE); + + let purgedHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_ORIGINS_PURGED" + ); + let notPurgedHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_TRACKERS_WITH_USER_INTERACTION" + ); + let remainingDaysHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_TRACKERS_USER_INTERACTION_REMAINING_DAYS" + ); + let intervalHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_INTERVAL_HOURS" + ); + + // Purge while storage access permission exists. + await PurgeTrackerService.purgeTrackingCookieJars(); + + ok( + SiteDataTestUtils.hasCookies(TRACKING_PAGE), + "cookie remains while storage access permission exists." + ); + ok( + SiteDataTestUtils.hasLocalStorage(TRACKING_PAGE), + "localStorage should not have been removed while storage access permission exists." + ); + Assert.greater( + await SiteDataTestUtils.getQuotaUsage(TRACKING_PAGE), + 0, + `We have data for ${TRACKING_PAGE}` + ); + + TelemetryTestUtils.assertHistogram(purgedHistogram, 0, 1); + TelemetryTestUtils.assertHistogram(notPurgedHistogram, 1, 1); + TelemetryTestUtils.assertHistogram(remainingDaysHistogram, 4, 2); + TelemetryTestUtils.assertHistogram(intervalHistogram, 0, 1); + + purgedHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_ORIGINS_PURGED" + ); + notPurgedHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_TRACKERS_WITH_USER_INTERACTION" + ); + intervalHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_INTERVAL_HOURS" + ); + + // Run purge after storage access permission has been removed. + PermissionTestUtils.remove(TRACKING_PAGE, "storageAccessAPI"); + await PurgeTrackerService.purgeTrackingCookieJars(); + + ok( + SiteDataTestUtils.hasCookies(BENIGN_PAGE), + "A non-tracking page should retain cookies after purging" + ); + + // Cookie should have been removed. + ok( + !SiteDataTestUtils.hasCookies(TRACKING_PAGE), + "cookie is removed after purge with no storage access permission." + ); + ok( + !SiteDataTestUtils.hasLocalStorage(TRACKING_PAGE), + "localStorage should not have been removed while storage access permission exists." + ); + Assert.equal( + await SiteDataTestUtils.getQuotaUsage(TRACKING_PAGE), + 0, + "quota storage was deleted" + ); + + TelemetryTestUtils.assertHistogram(purgedHistogram, 1, 1); + Assert.equal( + notPurgedHistogram.snapshot().sum, + 0, + "no origins with user interaction" + ); + TelemetryTestUtils.assertHistogram(intervalHistogram, 0, 1); + + UrlClassifierTestUtils.cleanupTestTrackers(); +}); + +/** + * Test counting correctly across cookies batches + */ +add_task(async function() { + await UrlClassifierTestUtils.addTestTrackers(); + + // Enforce deleting the same origin twice by adding two cookies and setting + // the max number of cookies per batch to 1. + SiteDataTestUtils.addToCookies(TRACKING_PAGE, "cookie1"); + SiteDataTestUtils.addToCookies(TRACKING_PAGE, "cookie2"); + Services.prefs.setIntPref("privacy.purge_trackers.max_purge_count", 1); + + let purgedHistogram = TelemetryTestUtils.getAndClearHistogram( + "COOKIE_PURGING_ORIGINS_PURGED" + ); + + await PurgeTrackerService.purgeTrackingCookieJars(); + + // Cookie should have been removed. + await TestUtils.waitForCondition( + () => !SiteDataTestUtils.hasCookies(TRACKING_PAGE), + "cookie is removed after purge." + ); + + TelemetryTestUtils.assertHistogram(purgedHistogram, 1, 1); + + Services.prefs.clearUserPref("privacy.purge_trackers.max_purge_count"); + UrlClassifierTestUtils.cleanupTestTrackers(); +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_rejectForeignAllowList.js b/toolkit/components/antitracking/test/xpcshell/test_rejectForeignAllowList.js new file mode 100644 index 0000000000..e2aa4b1f01 --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_rejectForeignAllowList.js @@ -0,0 +1,128 @@ +"use strict"; + +var { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm"); + +const { RemoteSettings } = ChromeUtils.import( + "resource://services-settings/remote-settings.js" +); + +do_get_profile(); + +// Let's use AddonTestUtils and ExtensionTestUtils to open/close tabs. +var { AddonTestUtils, MockAsyncShutdown } = ChromeUtils.import( + "resource://testing-common/AddonTestUtils.jsm" +); + +// eslint-disable-next-line no-unused-vars +XPCOMUtils.defineLazyModuleGetters(this, { + ExtensionTestUtils: "resource://testing-common/ExtensionXPCShellUtils.jsm", +}); + +ExtensionTestUtils.init(this); + +var createHttpServer = (...args) => { + AddonTestUtils.maybeInit(this); + return AddonTestUtils.createHttpServer(...args); +}; + +const server = createHttpServer({ + hosts: ["3rdparty.org", "4thparty.org", "foobar.com"], +}); + +async function testThings(prefValue, expected) { + await new Promise(resolve => + Services.clearData.deleteData( + Ci.nsIClearDataService.CLEAR_ALL_CACHES, + resolve + ) + ); + + Services.prefs.setCharPref("privacy.rejectForeign.allowList", prefValue); + + let cookiePromise = new Promise(resolve => { + server.registerPathHandler("/test3rdPartyChannel", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html; charset=utf-8", false); + response.write(`<html><img src="http://3rdparty.org/img" /></html>`); + }); + + server.registerPathHandler("/img", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + resolve(request.hasHeader("Cookie") ? request.getHeader("Cookie") : ""); + response.setHeader("Content-Type", "image/png", false); + response.write("Not an image"); + }); + }); + + // Let's load 3rdparty.org as a 3rd-party. + let contentPage = await ExtensionTestUtils.loadContentPage( + "http://foobar.com/test3rdPartyChannel" + ); + Assert.equal(await cookiePromise, expected, "Cookies received?"); + await contentPage.close(); + + cookiePromise = new Promise(resolve => { + server.registerPathHandler("/test3rdPartyDocument", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html; charset=utf-8", false); + response.write( + `<html><iframe src="http://3rdparty.org/iframe" /></html>` + ); + }); + + server.registerPathHandler("/iframe", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + resolve(request.hasHeader("Cookie") ? request.getHeader("Cookie") : ""); + response.setHeader("Content-Type", "text/html; charset=utf-8", false); + response.write(`<html><img src="http://4thparty.org/img" /></html>`); + }); + + server.registerPathHandler("/img", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + resolve(request.hasHeader("Cookie") ? request.getHeader("Cookie") : ""); + response.setHeader("Content-Type", "image/png", false); + response.write("Not an image"); + }); + }); + + // Let's load 3rdparty.org loading a 4th-party. + contentPage = await ExtensionTestUtils.loadContentPage( + "http://foobar.com/test3rdPartyDocument" + ); + Assert.equal(await cookiePromise, expected, "Cookies received?"); + await contentPage.close(); +} + +add_task(async function test_rejectForeignAllowList() { + Services.prefs.setIntPref("network.cookie.cookieBehavior", 1); + Services.prefs.setBoolPref( + "network.cookie.rejectForeignWithExceptions.enabled", + true + ); + + // We don't want to have 'secure' cookies because our test http server doesn't run in https. + Services.prefs.setBoolPref( + "network.cookie.sameSite.noneRequiresSecure", + false + ); + + server.registerPathHandler("/setCookies", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html; charset=utf-8", false); + response.setHeader("Set-Cookie", "cookie=wow; sameSite=none", true); + response.write("<html></html>"); + }); + + // Let's set a cookie. + let contentPage = await ExtensionTestUtils.loadContentPage( + "http://3rdparty.org/setCookies" + ); + await contentPage.close(); + Assert.equal(Services.cookies.cookies.length, 1); + + // Without exceptionlisting, no cookies should be shared. + await testThings("", ""); + + // Let's exceptionlist 3rdparty.org + await testThings("3rdparty.org", "cookie=wow"); +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_staticPartition_authhttp.js b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_authhttp.js new file mode 100644 index 0000000000..563f16969b --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_authhttp.js @@ -0,0 +1,140 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +"use strict"; + +const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm"); + +const { CookieXPCShellUtils } = ChromeUtils.import( + "resource://testing-common/CookieXPCShellUtils.jsm" +); + +CookieXPCShellUtils.init(this); + +function Requestor() {} +Requestor.prototype = { + QueryInterface: ChromeUtils.generateQI([ + "nsIInterfaceRequestor", + "nsIAuthPrompt2", + ]), + + getInterface(iid) { + if (iid.equals(Ci.nsIAuthPrompt2)) { + return this; + } + + throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE); + }, + + promptAuth(channel, level, authInfo) { + Assert.equal("secret", authInfo.realm); + // No passwords in the URL -> nothing should be prefilled + Assert.equal(authInfo.username, ""); + Assert.equal(authInfo.password, ""); + Assert.equal(authInfo.domain, ""); + + authInfo.username = "guest"; + authInfo.password = "guest"; + + return true; + }, + + asyncPromptAuth(chan, cb, ctx, lvl, info) { + throw Components.Exception("", Cr.NS_ERROR_NOT_IMPLEMENTED); + }, +}; + +let observer = channel => { + if ( + !(channel instanceof Ci.nsIHttpChannel && channel.URI.host === "localhost") + ) { + return; + } + channel.notificationCallbacks = new Requestor(); +}; +Services.obs.addObserver(observer, "http-on-modify-request"); + +function makeChan(url, loadingUrl) { + var principal = Services.scriptSecurityManager.createContentPrincipal( + Services.io.newURI(loadingUrl), + {} + ); + return NetUtil.newChannel({ + uri: url, + loadingPrincipal: principal, + securityFlags: Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, + contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER, + }); +} + +add_task(async () => { + do_get_profile(); + + Services.prefs.setBoolPref("network.predictor.enabled", false); + Services.prefs.setBoolPref("network.predictor.enable-prefetch", false); + Services.prefs.setBoolPref("network.http.rcwn.enabled", false); + Services.prefs.setIntPref("network.cookie.cookieBehavior", 0); + Services.prefs.setIntPref("network.auth.subresource-http-auth-allow", 2); + + for (let test of [true, false]) { + Cc["@mozilla.org/network/http-auth-manager;1"] + .getService(Ci.nsIHttpAuthManager) + .clearAll(); + + await new Promise(resolve => + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, resolve) + ); + + info("Enabling network state partitioning"); + Services.prefs.setBoolPref("privacy.partition.network_state", test); + + const httpserv = new HttpServer(); + httpserv.registerPathHandler("/auth", (metadata, response) => { + // btoa("guest:guest"), but that function is not available here + const expectedHeader = "Basic Z3Vlc3Q6Z3Vlc3Q="; + + let body; + if ( + metadata.hasHeader("Authorization") && + metadata.getHeader("Authorization") == expectedHeader + ) { + response.setStatusLine(metadata.httpVersion, 200, "OK, authorized"); + response.setHeader("WWW-Authenticate", 'Basic realm="secret"', false); + + body = "success"; + } else { + // didn't know guest:guest, failure + response.setStatusLine(metadata.httpVersion, 401, "Unauthorized"); + response.setHeader("WWW-Authenticate", 'Basic realm="secret"', false); + + body = "failed"; + } + + response.bodyOutputStream.write(body, body.length); + }); + + httpserv.start(-1); + const URL = "http://localhost:" + httpserv.identity.primaryPort; + + const httpHandler = Cc[ + "@mozilla.org/network/protocol;1?name=http" + ].getService(Ci.nsIHttpProtocolHandler); + + const contentPage = await CookieXPCShellUtils.loadContentPage( + URL + "/auth?r=" + Math.random() + ); + await contentPage.close(); + + let key; + if (test) { + key = `^partitionKey=%28http%2Clocalhost%2C${httpserv.identity.primaryPort}%29:http://localhost:${httpserv.identity.primaryPort}`; + } else { + key = `:http://localhost:${httpserv.identity.primaryPort}`; + } + + Assert.equal(httpHandler.authCacheKeys.includes(key), true, "Key found!"); + + await new Promise(resolve => httpserv.stop(resolve)); + } +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_staticPartition_font.js b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_font.js new file mode 100644 index 0000000000..721f50e7dc --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_font.js @@ -0,0 +1,112 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +const { CookieXPCShellUtils } = ChromeUtils.import( + "resource://testing-common/CookieXPCShellUtils.jsm" +); + +CookieXPCShellUtils.init(this); + +let gHits = 0; + +add_task(async function() { + do_get_profile(); + + info("Disable predictor and accept all"); + Services.prefs.setBoolPref("network.predictor.enabled", false); + Services.prefs.setBoolPref("network.predictor.enable-prefetch", false); + Services.prefs.setBoolPref("network.http.rcwn.enabled", false); + Services.prefs.setIntPref("network.cookie.cookieBehavior", 0); + + const server = CookieXPCShellUtils.createServer({ + hosts: ["example.org", "foo.com", "bar.com"], + }); + + server.registerFile( + "/font.woff", + do_get_file("data/font.woff"), + (_, response) => { + response.setHeader("Access-Control-Allow-Origin", "*", false); + gHits++; + } + ); + + server.registerPathHandler("/font", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + let body = ` + <style type="text/css"> + @font-face { + font-family: foo; + src: url("http://example.org/font.woff") format('woff'); + } + body { font-family: foo } + </style> + <iframe src="http://example.org/font-iframe"> + </iframe>`; + response.bodyOutputStream.write(body, body.length); + }); + + server.registerPathHandler("/font-iframe", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + let body = ` + <style type="text/css"> + @font-face { + font-family: foo; + src: url("http://example.org/font.woff") format('woff'); + } + body { font-family: foo } + </style>`; + response.bodyOutputStream.write(body, body.length); + }); + + const tests = [ + { + prefValue: true, + hitsCount: 5, + }, + { + prefValue: false, + // The font in page B/C is CORS, the channel will be flagged with + // nsIRequest::LOAD_ANONYMOUS. + // The flag makes the font in A and B/C use different cache key. + hitsCount: 2, + }, + ]; + + for (let test of tests) { + info("Clear network caches"); + Services.cache2.clear(); + + info("Reset the hits count"); + gHits = 0; + + info("Enabling network state partitioning"); + Services.prefs.setBoolPref( + "privacy.partition.network_state", + test.prefValue + ); + + info("Let's load a page with origin A"); + let contentPage = await CookieXPCShellUtils.loadContentPage( + "http://example.org/font" + ); + await contentPage.close(); + + info("Let's load a page with origin B"); + contentPage = await CookieXPCShellUtils.loadContentPage( + "http://foo.com/font" + ); + await contentPage.close(); + + info("Let's load a page with origin C"); + contentPage = await CookieXPCShellUtils.loadContentPage( + "http://bar.com/font" + ); + await contentPage.close(); + + Assert.equal(gHits, test.hitsCount, "The number of hits match"); + } +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_staticPartition_image.js b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_image.js new file mode 100644 index 0000000000..c8a8238cc2 --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_image.js @@ -0,0 +1,85 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +const { CookieXPCShellUtils } = ChromeUtils.import( + "resource://testing-common/CookieXPCShellUtils.jsm" +); + +CookieXPCShellUtils.init(this); + +let gHits = 0; + +add_task(async function() { + do_get_profile(); + + info("Disable predictor and accept all"); + Services.prefs.setBoolPref("network.predictor.enabled", false); + Services.prefs.setBoolPref("network.predictor.enable-prefetch", false); + Services.prefs.setBoolPref("network.http.rcwn.enabled", false); + Services.prefs.setIntPref("network.cookie.cookieBehavior", 0); + + const server = CookieXPCShellUtils.createServer({ + hosts: ["example.org", "foo.com"], + }); + server.registerPathHandler("/image.png", (metadata, response) => { + gHits++; + response.setHeader("Cache-Control", "max-age=10000", false); + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "image/png", false); + var body = + "iVBORw0KGgoAAAANSUhEUgAAAAMAAAADCAIAAADZSiLoAAAAEUlEQVQImWP4z8AAQTAamQkAhpcI+DeMzFcAAAAASUVORK5CYII="; + response.bodyOutputStream.write(body, body.length); + }); + + server.registerPathHandler("/image", (metadata, response) => { + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + var body = `<img src="http://example.org/image.png">`; + response.bodyOutputStream.write(body, body.length); + }); + + const tests = [ + { + prefValue: true, + hitsCount: 2, + }, + { + prefValue: false, + hitsCount: 1, + }, + ]; + + for (let test of tests) { + info("Clear image and network caches"); + let imageCache = Cc["@mozilla.org/image/tools;1"] + .getService(Ci.imgITools) + .getImgCacheForDocument(null); + imageCache.clearCache(true); // true=chrome + imageCache.clearCache(false); // false=content + Services.cache2.clear(); + + info("Reset the hits count"); + gHits = 0; + + info("Enabling network state partitioning"); + Services.prefs.setBoolPref( + "privacy.partition.network_state", + test.prefValue + ); + + info("Let's load a page with origin A"); + let contentPage = await CookieXPCShellUtils.loadContentPage( + "http://example.org/image" + ); + await contentPage.close(); + + info("Let's load a page with origin B"); + contentPage = await CookieXPCShellUtils.loadContentPage( + "http://foo.com/image" + ); + await contentPage.close(); + + Assert.equal(gHits, test.hitsCount, "The number of hits match"); + } +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_staticPartition_prefetch.js b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_prefetch.js new file mode 100644 index 0000000000..a786a7e1ce --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_prefetch.js @@ -0,0 +1,175 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +"use strict"; + +const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm"); + +const { CookieXPCShellUtils } = ChromeUtils.import( + "resource://testing-common/CookieXPCShellUtils.jsm" +); + +let gHints = 0; + +CookieXPCShellUtils.init(this); + +function countMatchingCacheEntries(cacheEntries, domain, path) { + return cacheEntries + .map(entry => entry.uri.asciiSpec) + .filter(spec => spec.includes(domain)) + .filter(spec => spec.includes(path)).length; +} + +async function checkCache(originAttributes) { + const loadContextInfo = Services.loadContextInfo.custom( + false, + originAttributes + ); + + const data = await new Promise(resolve => { + let cacheEntries = []; + let cacheVisitor = { + onCacheStorageInfo(num, consumption) {}, + onCacheEntryInfo(uri, idEnhance) { + cacheEntries.push({ uri, idEnhance }); + }, + onCacheEntryVisitCompleted() { + resolve(cacheEntries); + }, + QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]), + }; + // Visiting the disk cache also visits memory storage so we do not + // need to use Services.cache2.memoryCacheStorage() here. + let storage = Services.cache2.diskCacheStorage(loadContextInfo, false); + storage.asyncVisitStorage(cacheVisitor, true); + }); + + let foundEntryCount = countMatchingCacheEntries( + data, + "example.org", + "image.png" + ); + ok( + foundEntryCount > 0, + `Cache entries expected for image.png and OA=${originAttributes}` + ); +} + +add_task(async () => { + do_get_profile(); + + Services.prefs.setBoolPref("network.prefetch-next", true); + Services.prefs.setIntPref("network.cookie.cookieBehavior", 0); + + const server = CookieXPCShellUtils.createServer({ + hosts: ["example.org", "foo.com"], + }); + + server.registerPathHandler("/image.png", (metadata, response) => { + gHints++; + response.setHeader("Cache-Control", "max-age=10000", false); + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "image/png", false); + var body = + "iVBORw0KGgoAAAANSUhEUgAAAAMAAAADCAIAAADZSiLoAAAAEUlEQVQImWP4z8AAQTAamQkAhpcI+DeMzFcAAAAASUVORK5CYII="; + response.bodyOutputStream.write(body, body.length); + }); + + server.registerPathHandler("/prefetch", (metadata, response) => { + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + var body = `<html><head></head><body><script> + const link = document.createElement("link") + link.setAttribute("rel", "prefetch"); + link.setAttribute("href", "http://example.org/image.png"); + document.head.appendChild(link); + link.onload = () => { + const img = document.createElement("IMG"); + img.src = "http://example.org/image.png"; + document.body.appendChild(img); + fetch("/done").then(() => {}); + } + </script></body></html>`; + response.bodyOutputStream.write(body, body.length); + }); + + const tests = [ + { + // 2 hints because we have 2 different top-level origins, loading the + // same resource. This will end up creating 2 separate cache entries. + hints: 2, + originAttributes: { partitionKey: "(http,example.org)" }, + prefValue: true, + }, + { + // 1 hint because, with network-state isolation, the cache entry will be + // reused for the second loading, even if the top-level origins are + // different. + hints: 1, + originAttributes: {}, + prefValue: false, + }, + ]; + + for (let test of tests) { + await new Promise(resolve => + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, resolve) + ); + + info("Reset the counter"); + gHints = 0; + + info("Enabling network state partitioning"); + Services.prefs.setBoolPref( + "privacy.partition.network_state", + test.prefValue + ); + + let complete = new Promise(resolve => { + server.registerPathHandler("/done", (metadata, response) => { + response.setHeader("Cache-Control", "max-age=10000", false); + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + var body = "OK"; + response.bodyOutputStream.write(body, body.length); + resolve(); + }); + }); + + info("Let's load a page with origin A"); + let contentPage = await CookieXPCShellUtils.loadContentPage( + "http://example.org/prefetch" + ); + + await complete; + await checkCache(test.originAttributes); + await contentPage.close(); + + complete = new Promise(resolve => { + server.registerPathHandler("/done", (metadata, response) => { + response.setHeader("Cache-Control", "max-age=10000", false); + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + var body = "OK"; + response.bodyOutputStream.write(body, body.length); + resolve(); + }); + }); + + info("Let's load a page with origin B"); + contentPage = await CookieXPCShellUtils.loadContentPage( + "http://foo.com/prefetch" + ); + + await complete; + await checkCache(test.originAttributes); + await contentPage.close(); + + Assert.equal( + gHints, + test.hints, + "We have the current number of requests with pref " + test.prefValue + ); + } +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_staticPartition_preload.js b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_preload.js new file mode 100644 index 0000000000..da6dcc7ef4 --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_staticPartition_preload.js @@ -0,0 +1,189 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +"use strict"; + +const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm"); + +const { CookieXPCShellUtils } = ChromeUtils.import( + "resource://testing-common/CookieXPCShellUtils.jsm" +); + +let gHints = 0; + +CookieXPCShellUtils.init(this); + +function countMatchingCacheEntries(cacheEntries, domain, path) { + return cacheEntries + .map(entry => entry.uri.asciiSpec) + .filter(spec => spec.includes(domain)) + .filter(spec => spec.includes(path)).length; +} + +async function checkCache(originAttributes) { + const loadContextInfo = Services.loadContextInfo.custom( + false, + originAttributes + ); + + const data = await new Promise(resolve => { + let cacheEntries = []; + let cacheVisitor = { + onCacheStorageInfo(num, consumption) {}, + onCacheEntryInfo(uri, idEnhance) { + cacheEntries.push({ uri, idEnhance }); + }, + onCacheEntryVisitCompleted() { + resolve(cacheEntries); + }, + QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]), + }; + // Visiting the disk cache also visits memory storage so we do not + // need to use Services.cache2.memoryCacheStorage() here. + let storage = Services.cache2.diskCacheStorage(loadContextInfo, false); + storage.asyncVisitStorage(cacheVisitor, true); + }); + + let foundEntryCount = countMatchingCacheEntries( + data, + "example.org", + "style.css" + ); + ok( + foundEntryCount > 0, + `Cache entries expected for style.css and OA=${originAttributes}` + ); +} + +add_task(async () => { + do_get_profile(); + + Services.prefs.setBoolPref("network.preload", true); + Services.prefs.setIntPref("network.cookie.cookieBehavior", 0); + + const server = CookieXPCShellUtils.createServer({ + hosts: ["example.org", "foo.com"], + }); + + server.registerPathHandler("/empty", (metadata, response) => { + var body = "<h1>Hello!</h1>"; + response.bodyOutputStream.write(body, body.length); + }); + + server.registerPathHandler("/style.css", (metadata, response) => { + gHints++; + response.setHeader("Cache-Control", "max-age=10000", false); + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Access-Control-Allow-Origin", "*", false); + var body = "* { color: red }"; + response.bodyOutputStream.write(body, body.length); + }); + + server.registerPathHandler("/preload", (metadata, response) => { + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + var body = `<html><head></head><body><script> + const link = document.createElement("link") + link.setAttribute("rel", "preload"); + link.setAttribute("as", "style"); + link.setAttribute("href", "http://example.org/style.css"); + document.head.appendChild(link); + link.onload = () => { + fetch("/done").then(() => {}); + }; + </script></body></html>`; + response.bodyOutputStream.write(body, body.length); + }); + + const tests = [ + { + // 2 hints because we have 2 different top-level origins, loading the + // same resource. This will end up creating 2 separate cache entries. + hints: 2, + prefValue: true, + originAttributes: { partitionKey: "(http,example.org)" }, + }, + { + // 1 hint because, with network-state isolation, the cache entry will be + // reused for the second loading, even if the top-level origins are + // different. + hints: 1, + originAttributes: {}, + prefValue: false, + }, + ]; + + for (let test of tests) { + await new Promise(resolve => + Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, resolve) + ); + + info("Reset the shared sheets"); + let contentPage = await CookieXPCShellUtils.loadContentPage( + "http://example.org/empty" + ); + + await contentPage.spawn(null, () => + // eslint-disable-next-line no-undef + content.windowUtils.clearSharedStyleSheetCache() + ); + + await contentPage.close(); + + info("Reset the counter"); + gHints = 0; + + info("Enabling network state partitioning"); + Services.prefs.setBoolPref( + "privacy.partition.network_state", + test.prefValue + ); + + let complete = new Promise(resolve => { + server.registerPathHandler("/done", (metadata, response) => { + response.setHeader("Cache-Control", "max-age=10000", false); + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + var body = "OK"; + response.bodyOutputStream.write(body, body.length); + resolve(); + }); + }); + + info("Let's load a page with origin A"); + contentPage = await CookieXPCShellUtils.loadContentPage( + "http://example.org/preload" + ); + + await complete; + await checkCache(test.originAttributes); + await contentPage.close(); + + complete = new Promise(resolve => { + server.registerPathHandler("/done", (metadata, response) => { + response.setHeader("Cache-Control", "max-age=10000", false); + response.setStatusLine(metadata.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + var body = "OK"; + response.bodyOutputStream.write(body, body.length); + resolve(); + }); + }); + + info("Let's load a page with origin B"); + contentPage = await CookieXPCShellUtils.loadContentPage( + "http://foo.com/preload" + ); + + await complete; + await checkCache(test.originAttributes); + await contentPage.close(); + + Assert.equal( + gHints, + test.hints, + "We have the current number of requests with pref " + test.prefValue + ); + } +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_tracking_db_service.js b/toolkit/components/antitracking/test/xpcshell/test_tracking_db_service.js new file mode 100644 index 0000000000..2c7e0011d6 --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_tracking_db_service.js @@ -0,0 +1,476 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Note: This test may cause intermittents if run at exactly midnight. + +"use strict"; + +const { OS } = ChromeUtils.import("resource://gre/modules/osfile.jsm"); +const { Sqlite } = ChromeUtils.import("resource://gre/modules/Sqlite.jsm"); +XPCOMUtils.defineLazyServiceGetter( + this, + "TrackingDBService", + "@mozilla.org/tracking-db-service;1", + "nsITrackingDBService" +); + +XPCOMUtils.defineLazyGetter(this, "DB_PATH", function() { + return OS.Path.join(OS.Constants.Path.profileDir, "protections.sqlite"); +}); + +const SQL = { + insertCustomTimeEvent: + "INSERT INTO events (type, count, timestamp)" + + "VALUES (:type, :count, date(:timestamp));", + + selectAllEntriesOfType: "SELECT * FROM events WHERE type = :type;", + + selectAll: "SELECT * FROM events", +}; + +// Emulate the content blocking log. We do not record the url key, nor +// do we use the aggregated event number (the last element in the array). +const LOG = { + "https://1.example.com": [ + [Ci.nsIWebProgressListener.STATE_BLOCKED_TRACKING_CONTENT, true, 1], + ], + "https://2.example.com": [ + [Ci.nsIWebProgressListener.STATE_BLOCKED_FINGERPRINTING_CONTENT, true, 1], + ], + "https://3.example.com": [ + [Ci.nsIWebProgressListener.STATE_BLOCKED_CRYPTOMINING_CONTENT, true, 2], + ], + "https://4.example.com": [ + [Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, true, 3], + ], + "https://5.example.com": [ + [Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER, true, 1], + ], + // Cookie blocked for other reason, then identified as a tracker + "https://6.example.com": [ + [ + Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_ALL | + Ci.nsIWebProgressListener.STATE_LOADED_LEVEL_1_TRACKING_CONTENT, + true, + 4, + ], + ], + "https://7.example.com": [ + [Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_SOCIALTRACKER, true, 1], + ], + "https://8.example.com": [ + [Ci.nsIWebProgressListener.STATE_BLOCKED_SOCIALTRACKING_CONTENT, true, 1], + ], + + // The contents below should not add to the database. + // Cookie loaded but not blocked. + "https://10.example.com": [ + [Ci.nsIWebProgressListener.STATE_COOKIES_LOADED, true, 1], + ], + // Tracker cookie loaded but not blocked. + "https://11.unblocked.example.com": [ + [Ci.nsIWebProgressListener.STATE_COOKIES_LOADED_TRACKER, true, 1], + ], + // Social tracker cookie loaded but not blocked. + "https://12.example.com": [ + [Ci.nsIWebProgressListener.STATE_COOKIES_LOADED_SOCIALTRACKER, true, 1], + ], + // Cookie blocked for other reason (not a tracker) + "https://13.example.com": [ + [Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_BY_PERMISSION, true, 2], + ], + // Fingerprinters set to block, but this one has an exception + "https://14.example.com": [ + [Ci.nsIWebProgressListener.STATE_BLOCKED_FINGERPRINTING_CONTENT, false, 1], + ], +}; + +do_get_profile(); + +Services.prefs.setBoolPref("browser.contentblocking.database.enabled", true); +Services.prefs.setBoolPref( + "privacy.socialtracking.block_cookies.enabled", + true +); +Services.prefs.setBoolPref( + "browser.contentblocking.cfr-milestone.enabled", + true +); +Services.prefs.setIntPref( + "browser.contentblocking.cfr-milestone.update-interval", + 0 +); +Services.prefs.setStringPref( + "browser.contentblocking.cfr-milestone.milestones", + "[1000, 5000, 10000, 25000, 100000, 500000]" +); + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("browser.contentblocking.database.enabled"); + Services.prefs.clearUserPref("privacy.socialtracking.block_cookies.enabled"); + Services.prefs.clearUserPref("browser.contentblocking.cfr-milestone.enabled"); + Services.prefs.clearUserPref( + "browser.contentblocking.cfr-milestone.update-interval" + ); + Services.prefs.clearUserPref( + "browser.contentblocking.cfr-milestone.milestones" + ); +}); + +// This tests that data is added successfully, different types of events should get +// their own entries, when the type is the same they should be aggregated. Events +// that are not blocking events should not be recorded. Cookie blocking events +// should only be recorded if we can identify the cookie as a tracking cookie. +add_task(async function test_save_and_delete() { + await TrackingDBService.saveEvents(JSON.stringify(LOG)); + + // Peek in the DB to make sure we have the right data. + let db = await Sqlite.openConnection({ path: DB_PATH }); + // Make sure the items table was created. + ok(await db.tableExists("events"), "events table exists"); + + // make sure we have the correct contents in the database + let rows = await db.execute(SQL.selectAll); + equal( + rows.length, + 5, + "Events that should not be saved have not been, length is 4" + ); + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.TRACKERS_ID, + }); + equal(rows.length, 1, "Only one day has had tracker entries, length is 1"); + let count = rows[0].getResultByName("count"); + equal(count, 1, "there is only one tracker entry"); + + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.TRACKING_COOKIES_ID, + }); + equal(rows.length, 1, "Only one day has had cookies entries, length is 1"); + count = rows[0].getResultByName("count"); + equal(count, 3, "Cookie entries were aggregated"); + + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.CRYPTOMINERS_ID, + }); + equal( + rows.length, + 1, + "Only one day has had cryptominer entries, length is 1" + ); + count = rows[0].getResultByName("count"); + equal(count, 1, "there is only one cryptominer entry"); + + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.FINGERPRINTERS_ID, + }); + equal( + rows.length, + 1, + "Only one day has had fingerprinters entries, length is 1" + ); + count = rows[0].getResultByName("count"); + equal(count, 1, "there is only one fingerprinter entry"); + + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.SOCIAL_ID, + }); + equal(rows.length, 1, "Only one day has had social entries, length is 1"); + count = rows[0].getResultByName("count"); + equal(count, 2, "there are two social entries"); + + // Use the TrackingDBService API to delete the data. + await TrackingDBService.clearAll(); + // Make sure the data was deleted. + rows = await db.execute(SQL.selectAll); + equal(rows.length, 0, "length is 0"); + await db.close(); +}); + +// This tests that content blocking events encountered on the same day get aggregated, +// and those on different days get seperate entries +add_task(async function test_timestamp_aggragation() { + // This creates the schema. + await TrackingDBService.saveEvents(JSON.stringify({})); + let db = await Sqlite.openConnection({ path: DB_PATH }); + + let yesterday = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); + let today = new Date().toISOString(); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.TRACKERS_ID, + count: 4, + timestamp: yesterday, + }); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.CRYPTOMINERS_ID, + count: 3, + timestamp: yesterday, + }); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.FINGERPRINTERS_ID, + count: 2, + timestamp: yesterday, + }); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.TRACKING_COOKIES_ID, + count: 1, + timestamp: yesterday, + }); + + // Add some events for today which must get aggregated + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.TRACKERS_ID, + count: 2, + timestamp: today, + }); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.CRYPTOMINERS_ID, + count: 2, + timestamp: today, + }); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.FINGERPRINTERS_ID, + count: 2, + timestamp: today, + }); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.TRACKING_COOKIES_ID, + count: 2, + timestamp: today, + }); + + // Add new events, they will have today's timestamp. + await TrackingDBService.saveEvents(JSON.stringify(LOG)); + + // Ensure events that are inserted today are not aggregated with past events. + let rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.TRACKERS_ID, + }); + equal(rows.length, 2, "Tracker entries for today and yesterday, length is 2"); + for (let i = 0; i < rows.length; i++) { + let count = rows[i].getResultByName("count"); + if (i == 0) { + equal(count, 4, "Yesterday's count is 4"); + } else if (i == 1) { + equal(count, 3, "Today's count is 3, new entries were aggregated"); + } + } + + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.CRYPTOMINERS_ID, + }); + equal( + rows.length, + 2, + "Cryptominer entries for today and yesterday, length is 2" + ); + for (let i = 0; i < rows.length; i++) { + let count = rows[i].getResultByName("count"); + if (i == 0) { + equal(count, 3, "Yesterday's count is 3"); + } else if (i == 1) { + equal(count, 3, "Today's count is 3, new entries were aggregated"); + } + } + + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.FINGERPRINTERS_ID, + }); + equal( + rows.length, + 2, + "Fingerprinter entries for today and yesterday, length is 2" + ); + for (let i = 0; i < rows.length; i++) { + let count = rows[i].getResultByName("count"); + if (i == 0) { + equal(count, 2, "Yesterday's count is 2"); + } else if (i == 1) { + equal(count, 3, "Today's count is 3, new entries were aggregated"); + } + } + + rows = await db.execute(SQL.selectAllEntriesOfType, { + type: TrackingDBService.TRACKING_COOKIES_ID, + }); + equal( + rows.length, + 2, + "Tracking Cookies entries for today and yesterday, length is 2" + ); + for (let i = 0; i < rows.length; i++) { + let count = rows[i].getResultByName("count"); + if (i == 0) { + equal(count, 1, "Yesterday's count is 1"); + } else if (i == 1) { + equal(count, 5, "Today's count is 5, new entries were aggregated"); + } + } + + // Use the TrackingDBService API to delete the data. + await TrackingDBService.clearAll(); + // Make sure the data was deleted. + rows = await db.execute(SQL.selectAll); + equal(rows.length, 0, "length is 0"); + await db.close(); +}); + +let addEventsToDB = async db => { + let d = new Date(1521009000000); + let date = d.toISOString(); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.CRYPTOMINERS_ID, + count: 3, + timestamp: date, + }); + + date = new Date(d - 2 * 24 * 60 * 60 * 1000).toISOString(); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.TRACKERS_ID, + count: 2, + timestamp: date, + }); + + date = new Date(d - 3 * 24 * 60 * 60 * 1000).toISOString(); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.TRACKING_COOKIES_ID, + count: 2, + timestamp: date, + }); + + date = new Date(d - 4 * 24 * 60 * 60 * 1000).toISOString(); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.TRACKING_COOKIES_ID, + count: 2, + timestamp: date, + }); + + date = new Date(d - 9 * 24 * 60 * 60 * 1000).toISOString(); + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.FINGERPRINTERS_ID, + count: 2, + timestamp: date, + }); +}; + +// This tests that TrackingDBService.getEventsByDateRange can accept two timestamps in unix epoch time +// and return entries that occur within the timestamps, rounded to the nearest day and inclusive. +add_task(async function test_getEventsByDateRange() { + // This creates the schema. + await TrackingDBService.saveEvents(JSON.stringify({})); + let db = await Sqlite.openConnection({ path: DB_PATH }); + await addEventsToDB(db); + + let d = new Date(1521009000000); + let daysBefore1 = new Date(d - 24 * 60 * 60 * 1000); + let daysBefore4 = new Date(d - 4 * 24 * 60 * 60 * 1000); + let daysBefore9 = new Date(d - 9 * 24 * 60 * 60 * 1000); + + let events = await TrackingDBService.getEventsByDateRange(daysBefore1, d); + equal( + events.length, + 1, + "There is 1 event entry between the date and one day before, inclusive" + ); + + events = await TrackingDBService.getEventsByDateRange(daysBefore4, d); + equal( + events.length, + 4, + "There is 4 event entries between the date and four days before, inclusive" + ); + + events = await TrackingDBService.getEventsByDateRange( + daysBefore9, + daysBefore4 + ); + equal( + events.length, + 2, + "There is 2 event entries between nine and four days before, inclusive" + ); + + await TrackingDBService.clearAll(); + await db.close(); +}); + +// This tests that TrackingDBService.sumAllEvents returns the number of +// tracking events in the database, and can handle 0 entries. +add_task(async function test_sumAllEvents() { + // This creates the schema. + await TrackingDBService.saveEvents(JSON.stringify({})); + let db = await Sqlite.openConnection({ path: DB_PATH }); + + let sum = await TrackingDBService.sumAllEvents(); + equal(sum, 0, "There have been 0 events recorded"); + + // populate the database + await addEventsToDB(db); + + sum = await TrackingDBService.sumAllEvents(); + equal(sum, 11, "There have been 11 events recorded"); + + await TrackingDBService.clearAll(); + await db.close(); +}); + +// This tests that TrackingDBService.getEarliestRecordedDate returns the +// earliest date recorded and can handle 0 entries. +add_task(async function test_getEarliestRecordedDate() { + // This creates the schema. + await TrackingDBService.saveEvents(JSON.stringify({})); + let db = await Sqlite.openConnection({ path: DB_PATH }); + + let timestamp = await TrackingDBService.getEarliestRecordedDate(); + equal(timestamp, null, "There is no earliest recorded date"); + + // populate the database + await addEventsToDB(db); + let d = new Date(1521009000000); + let daysBefore9 = new Date(d - 9 * 24 * 60 * 60 * 1000) + .toISOString() + .split("T")[0]; + + timestamp = await TrackingDBService.getEarliestRecordedDate(); + let date = new Date(timestamp).toISOString().split("T")[0]; + equal(date, daysBefore9, "The earliest recorded event is nine days before."); + + await TrackingDBService.clearAll(); + await db.close(); +}); + +// This tests that a message to CFR is sent when the amount of saved trackers meets a milestone +add_task(async function test_sendMilestoneNotification() { + let milestones = JSON.parse( + Services.prefs.getStringPref( + "browser.contentblocking.cfr-milestone.milestones" + ) + ); + // This creates the schema. + await TrackingDBService.saveEvents(JSON.stringify({})); + let db = await Sqlite.openConnection({ path: DB_PATH }); + // save number of trackers equal to the first milestone + await db.execute(SQL.insertCustomTimeEvent, { + type: TrackingDBService.CRYPTOMINERS_ID, + count: milestones[0], + timestamp: new Date().toISOString(), + }); + + let awaitNotification = TestUtils.topicObserved( + "SiteProtection:ContentBlockingMilestone" + ); + + // trigger a "save" event to compare the trackers with the milestone. + await TrackingDBService.saveEvents( + JSON.stringify({ + "https://1.example.com": [ + [Ci.nsIWebProgressListener.STATE_BLOCKED_TRACKING_CONTENT, true, 1], + ], + }) + ); + await awaitNotification; + + await TrackingDBService.clearAll(); + await db.close(); +}); diff --git a/toolkit/components/antitracking/test/xpcshell/test_view_source.js b/toolkit/components/antitracking/test/xpcshell/test_view_source.js new file mode 100644 index 0000000000..df651fa2ec --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/test_view_source.js @@ -0,0 +1,61 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +const { CookieXPCShellUtils } = ChromeUtils.import( + "resource://testing-common/CookieXPCShellUtils.jsm" +); + +CookieXPCShellUtils.init(this); + +let gHits = 0; + +add_task(async function() { + do_get_profile(); + + info("Disable predictor and accept all"); + Services.prefs.setBoolPref("network.predictor.enabled", false); + Services.prefs.setBoolPref("network.predictor.enable-prefetch", false); + Services.prefs.setBoolPref("network.http.rcwn.enabled", false); + Services.prefs.setIntPref( + "network.cookie.cookieBehavior", + Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN + ); + + const server = CookieXPCShellUtils.createServer({ + hosts: ["example.org"], + }); + server.registerPathHandler("/test", (request, response) => { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "text/html", false); + if ( + request.hasHeader("Cookie") && + request.getHeader("Cookie") == "foo=bar" + ) { + gHits++; + } else { + response.setHeader("Set-Cookie", "foo=bar"); + } + var body = "<html></html>"; + response.bodyOutputStream.write(body, body.length); + }); + + info("Reset the hits count"); + gHits = 0; + + info("Let's load a page"); + let contentPage = await CookieXPCShellUtils.loadContentPage( + "http://example.org/test?1" + ); + await contentPage.close(); + + Assert.equal(gHits, 0, "The number of hits match"); + + info("Let's load the source of the page"); + contentPage = await CookieXPCShellUtils.loadContentPage( + "view-source:http://example.org/test?2" + ); + await contentPage.close(); + + Assert.equal(gHits, 1, "The number of hits match"); +}); diff --git a/toolkit/components/antitracking/test/xpcshell/xpcshell.ini b/toolkit/components/antitracking/test/xpcshell/xpcshell.ini new file mode 100644 index 0000000000..d53879f06d --- /dev/null +++ b/toolkit/components/antitracking/test/xpcshell/xpcshell.ini @@ -0,0 +1,23 @@ +[DEFAULT] +head = head.js ../../../../components/url-classifier/tests/unit/head_urlclassifier.js + +[test_cookie_behavior.js] +[test_purge_trackers.js] +[test_purge_trackers_telemetry.js] +[test_tracking_db_service.js] +[test_rejectForeignAllowList.js] +skip-if = toolkit == 'android' # Bug 1567341 +[test_staticPartition_font.js] +support-files = + data/font.woff +skip-if = toolkit == 'android' # Bug 1567341 +[test_staticPartition_image.js] +skip-if = toolkit == 'android' # Bug 1567341 +[test_staticPartition_authhttp.js] +skip-if = toolkit == 'android' # Bug 1567341 +[test_staticPartition_prefetch.js] +skip-if = toolkit == 'android' # Bug 1567341 +[test_staticPartition_preload.js] +skip-if = toolkit == 'android' # Bug 1567341 +[test_ExceptionListService.js] +[test_view_source.js] |