summaryrefslogtreecommitdiffstats
path: root/dom/webauthn/tests/test_webauthn_sameorigin.html
diff options
context:
space:
mode:
Diffstat (limited to 'dom/webauthn/tests/test_webauthn_sameorigin.html')
-rw-r--r--dom/webauthn/tests/test_webauthn_sameorigin.html317
1 files changed, 317 insertions, 0 deletions
diff --git a/dom/webauthn/tests/test_webauthn_sameorigin.html b/dom/webauthn/tests/test_webauthn_sameorigin.html
new file mode 100644
index 0000000000..61a6430e87
--- /dev/null
+++ b/dom/webauthn/tests/test_webauthn_sameorigin.html
@@ -0,0 +1,317 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<head>
+ <title>Test for MakeCredential for W3C Web Authentication</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="u2futil.js"></script>
+ <script type="text/javascript" src="pkijs/common.js"></script>
+ <script type="text/javascript" src="pkijs/asn1.js"></script>
+ <script type="text/javascript" src="pkijs/x509_schema.js"></script>
+ <script type="text/javascript" src="pkijs/x509_simpl.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+ <h1>Test Same Origin Policy for W3C Web Authentication</h1>
+ <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309284">Mozilla Bug 1309284</a>
+
+ <script class="testbody" type="text/javascript">
+ "use strict";
+
+ add_task(async () => {
+ await addVirtualAuthenticator();
+ });
+
+ is(navigator.authentication, undefined, "navigator.authentication does not exist any longer");
+ isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist");
+ isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist");
+ isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist");
+
+ let credm;
+ let chall;
+ let user;
+ let param;
+ let gTrackedCredential;
+ add_task(() => {
+ credm = navigator.credentials;
+
+ chall = new Uint8Array(16);
+ window.crypto.getRandomValues(chall);
+
+ user = {id: new Uint8Array(16), name: "none", displayName: "none"};
+ param = {type: "public-key", alg: cose_alg_ECDSA_w_SHA256};
+ gTrackedCredential = {};
+ });
+
+ add_task(test_basic_good);
+ add_task(test_rp_id_unset);
+ add_task(test_rp_name_unset);
+ add_task(test_origin_with_optional_fields);
+ add_task(test_blank_rp_id);
+ add_task(test_subdomain);
+ add_task(test_same_origin);
+ add_task(test_etld);
+ add_task(test_different_domain_same_tld);
+ add_task(test_assertion_basic_good);
+ add_task(test_assertion_rp_id_unset);
+ add_task(test_assertion_origin_with_optional_fields);
+ add_task(test_assertion_blank_rp_id);
+ add_task(test_assertion_subdomain);
+ add_task(test_assertion_same_origin);
+ add_task(test_assertion_etld);
+ add_task(test_assertion_different_domain_same_tld);
+ add_task(test_basic_good_with_origin);
+ add_task(test_assertion_basic_good_with_origin);
+ add_task(test_assertion_invalid_rp_id);
+ add_task(test_assertion_another_invalid_rp_id);
+
+ function arrivingHereIsGood(aResult) {
+ ok(true, "Good result! Received a: " + aResult);
+ }
+
+ function arrivingHereIsBad(aResult) {
+ ok(false, "Bad result! Received a: " + aResult);
+ }
+
+ function expectSecurityError(aResult) {
+ ok(aResult.toString().startsWith("SecurityError"), "Expecting a SecurityError");
+ }
+
+ function expectTypeError(aResult) {
+ ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError");
+ }
+
+ function keepThisPublicKeyCredential(aIdentifier) {
+ return function(aPublicKeyCredential) {
+ gTrackedCredential[aIdentifier] = {
+ type: "public-key",
+ id: new Uint8Array(aPublicKeyCredential.rawId),
+ transports: [ "usb" ],
+ }
+ return Promise.resolve(aPublicKeyCredential);
+ }
+ }
+
+ function test_basic_good() {
+ // Test basic good call
+ let rp = {id: document.domain, name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(keepThisPublicKeyCredential("basic"))
+ .then(arrivingHereIsGood)
+ .catch(arrivingHereIsBad);
+ }
+ function test_rp_id_unset() {
+ // Test rp.id being unset
+ let makeCredentialOptions = {
+ rp: {name: "none"}, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsGood)
+ .catch(arrivingHereIsBad);
+ }
+ function test_rp_name_unset() {
+ // Test rp.name being unset
+ let makeCredentialOptions = {
+ rp: {id: document.domain}, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectTypeError);
+ }
+ function test_origin_with_optional_fields() {
+ // Test this origin with optional fields
+ let rp = {id: "user:pass@" + document.domain + ":8888", name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_blank_rp_id() {
+ // Test blank rp.id
+ let rp = {id: "", name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_subdomain() {
+ // Test subdomain of this origin
+ let rp = {id: "subdomain." + document.domain, name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_same_origin() {
+ // Test the same origin
+ let rp = {id: "example.com", name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsGood)
+ .catch(arrivingHereIsBad);
+ }
+ function test_etld() {
+ // Test the eTLD
+ let rp = {id: "com", name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_different_domain_same_tld() {
+ // Test a different domain within the same TLD
+ let rp = {id: "alt.test", name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_assertion_basic_good() {
+ // Test basic good call
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: document.domain,
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsGood)
+ .catch(arrivingHereIsBad);
+ }
+ function test_assertion_rp_id_unset() {
+ // Test rpId being unset
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsGood)
+ .catch(arrivingHereIsBad);
+ }
+ function test_assertion_origin_with_optional_fields() {
+ // Test this origin with optional fields
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: "user:pass@" + document.origin + ":8888",
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_assertion_blank_rp_id() {
+ // Test blank rpId
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: "",
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_assertion_subdomain() {
+ // Test subdomain of this origin
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: "subdomain." + document.domain,
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_assertion_same_origin() {
+ // Test the same origin
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: "example.com",
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsGood)
+ .catch(arrivingHereIsBad);
+ }
+ function test_assertion_etld() {
+ // Test the eTLD
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: "com",
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_assertion_different_domain_same_tld() {
+ // Test a different domain within the same TLD
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: "alt.test",
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_basic_good_with_origin() {
+ // Test basic good Create call but using an origin (Bug 1380421)
+ let rp = {id: window.origin, name: "none"};
+ let makeCredentialOptions = {
+ rp, user, challenge: chall, pubKeyCredParams: [param]
+ };
+ return credm.create({publicKey: makeCredentialOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_assertion_basic_good_with_origin() {
+ // Test basic good Get call but using an origin (Bug 1380421)
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: window.origin,
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ }
+ function test_assertion_invalid_rp_id() {
+ // Test with an rpId that is not a valid domain string
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: document.domain + ":somejunk",
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(arrivingHereIsGood);
+ }
+ function test_assertion_another_invalid_rp_id() {
+ // Test with another rpId that is not a valid domain string
+ let publicKeyCredentialRequestOptions = {
+ challenge: chall,
+ rpId: document.domain + ":8888",
+ allowCredentials: [gTrackedCredential.basic]
+ };
+ return credm.get({publicKey: publicKeyCredentialRequestOptions})
+ .then(arrivingHereIsBad)
+ .catch(arrivingHereIsGood);
+ }
+ </script>
+
+</body>
+</html>
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-11 13:35:07 +0000