path: root/dom/u2f/tests/frame_appid_facet_insecure.html
<!DOCTYPE html>
<meta charset=utf-8>
<head>
  <script type="text/javascript" src="frame_utils.js"></script>
  <script type="text/javascript" src="u2futil.js"></script>
</head>
<body>
<p>Insecure AppID / FacetID behavior check</p>
<script class="testbody" type="text/javascript">
// Strict mode makes the bare `u2f` reference below throw a ReferenceError
// when the binding does not exist, which is what the test relies on.
"use strict";

// Origin passed to the frame helper before any result is reported.
// NOTE(review): presumably the origin of the parent test page that receives
// the results; confirm against frame_utils.js.
local_setParentOrigin("http://mochi.test:8888");

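/**
 * Negative test: checks that the U2F API is not reachable from a page served
 * from an insecure (http://) origin.
 *
 * Three access paths are exercised: the bare `u2f` global, `window.u2f`, and
 * the promiseU2FRegister() helper (presumably defined in u2futil.js; confirm).
 * Each one is expected to throw. A path that does NOT throw is reported as a
 * failure explicitly, so the test cannot pass vacuously if the API becomes
 * reachable but never invokes its callback.
 *
 * Results are reported through the local_* helpers (presumably from
 * frame_utils.js); local_finished() is called once at the end.
 *
 * @returns {Promise<void>} settles once all checks have been reported.
 */
async function doTests() {
  const version = "U2F_V2";
  // Zero-filled 16-byte challenge; its content is irrelevant because the
  // register call is expected to fail before it is used.
  const challenge = new Uint8Array(16);

  local_is(window.location.origin, "http://test2.example.com", "Is loaded correctly");

  local_is('u2f' in window, false, "window.u2f must be undefined when accessed from an insecure origin");
  local_is('U2F' in window, false, "window.U2F must be undefined when accessed from an insecure origin");

  // Path 1: bare global reference.
  try {
    u2f.register(null, [], [], function(res) {
      local_ok(false, "Callbacks should not be called.");
    });
    // Reaching this line means the global resolved and the call returned.
    local_ok(false, "u2f.register should have thrown from an insecure origin");
  } catch (err) {
    // Compare the stringified error explicitly instead of relying on the
    // implicit object-to-string coercion of `==`.
    local_ok(String(err) === "ReferenceError: u2f is not defined",
             "calling u2f should have thrown from an insecure origin");
  }

  // Path 2: property lookup on window, which yields undefined rather than a
  // ReferenceError, so the failure surfaces as a TypeError on `.register`.
  try {
    window.u2f.register(null, [], [], function(res) {
      local_ok(false, "Callbacks should not be called.");
    });
    local_ok(false, "window.u2f.register should have thrown from an insecure origin");
  } catch (err) {
    local_is(err.constructor.name, 'TypeError',
             "accessing window.u2f should have thrown from an insecure origin");
    // The expected suffix is the engine's own TypeError wording, so this
    // check is tied to that message text.
    local_ok(err.message.endsWith("window.u2f is undefined"),
             "accessing window.u2f should have thrown from an insecure origin");
  }

  // Path 3: the promise-based helper.
  try {
    await promiseU2FRegister(null, [{
      version,
      challenge: bytesToBase64UrlSafe(challenge),
    }], [], function(res){
      local_ok(false, "Shouldn't have gotten here on an insecure origin");
    });
    // A fulfilled promise means the helper reached a working U2F API.
    local_ok(false, "promiseU2FRegister should have rejected on an insecure origin");
  } catch (err) {
    local_ok(String(err) === "ReferenceError: u2f is not defined",
             "Should have thrown from an insecure origin");
  }

  local_finished();
}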

// Start the checks as soon as the script runs. The returned promise is not
// awaited or caught here.
// NOTE(review): if doTests() rejects outside its own try blocks,
// local_finished() is never reached; confirm the harness times out or
// otherwise reports that case.
doTests();

</script>
</body>
</html>