<!DOCTYPE html>
<html>
<head>
<title>Embedded Frame for Credential Management: Prohibit use in cross-origin iframes</title>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
<meta charset=utf-8>
</head>
<body>
<script class="testbody" type="text/javascript">
"use strict";
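// COSE algorithm identifier -7: ECDSA with SHA-256 (ES256 in the COSE
// registry). It is the only algorithm this test offers in pubKeyCredParams.
const cose_alg_ECDSA_w_SHA256 = -7;
// Origin of the embedding test page. Every postMessage() in this script
// names it explicitly as the target origin, so test results are never
// delivered to a parent frame at some other origin.
// `const` rather than `var`: nothing outside this script reads it.
const _parentOrigin = "https://example.com/";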
/**
 * Record a progress message in the console and, when the page has a
 * `#log` element, append it to that element's text.
 *
 * Messages are written with textContent rather than innerHTML, so a
 * message that echoes exception text or other untrusted values cannot
 * inject markup into the page.
 *
 * @param {string} msg - message to record
 */
function log(msg) {
  console.log(msg);
  const sink = document.getElementById("log");
  if (!sink) {
    return;
  }
  sink.textContent += "\n" + msg;
}
/**
 * Tell the embedding test page that this frame has run all of its checks.
 *
 * The completion message is posted only to `_parentOrigin`; a parent at
 * any other origin never receives it.
 */
function local_finished() {
  const completion = { done: true };
  parent.postMessage(completion, _parentOrigin);
  log("Done.");
}
/**
 * Report the outcome of one check to the embedding test page and mirror
 * it in the local log.
 *
 * The parent receives `{test, status, msg}`, where `test` and `status`
 * both carry the pass/fail value. The message is posted only to
 * `_parentOrigin`.
 *
 * @param {boolean} expression - whether the check passed
 * @param {string} message - human-readable description of the check
 */
function local_ok(expression, message) {
  const verdict = {
    test: expression,
    status: expression,
    msg: message,
  };
  parent.postMessage(verdict, _parentOrigin);
  log(`${expression}: ${message}`);
}
/**
 * Same-origin case: this frame shares an origin with the embedding page,
 * so credential creation is expected to succeed and
 * preventSilentAccess() is expected to resolve with undefined. Each
 * outcome is reported through local_ok, and the run always ends with
 * local_finished() regardless of which steps passed.
 */
function testSameOrigin() {
  log("Same origin: " + document.domain);
  const request = { publicKey: makeCredentialOptions };
  navigator.credentials.create(request)
    .then((credential) => {
      local_ok(credential != undefined, "Create worked " + credential);
    })
    .catch((err) => {
      // Either create() rejected or the check above threw.
      local_ok(false, "Should not have failed " + err);
    })
    .then(() => navigator.credentials.preventSilentAccess())
    .then((outcome) => {
      local_ok(outcome == undefined, "PreventSilentAccess worked " + outcome);
    })
    .catch((err) => {
      local_ok(false, "Should not have failed " + err);
    })
    .then(() => {
      local_finished();
    });
}
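/**
 * Cross-origin case: this frame's origin differs from the embedding
 * page's, so the browser must refuse credential creation. The test
 * expects the refusal as a rejection whose `name` is "NotAllowedError"
 * (the name WebAuthn assigns to this refusal); a credential actually
 * being minted, or any other error, is reported as a failure.
 * preventSilentAccess() is still expected to resolve with undefined.
 * Each outcome goes through local_ok and the run always ends with
 * local_finished().
 */
function testCrossOrigin() {
  log("Cross-origin: " + document.domain);
  navigator.credentials.create({publicKey: makeCredentialOptions})
    .then(function crossOriginThen(aBad) {
      local_ok(false, "Should not have succeeded " + aBad);
    })
    .catch(function crossOriginCatch(aResult) {
      // Match on the exception's `name` rather than on a prefix of its
      // string form: the name is the normative part of the rejection.
      // The null guard also keeps a rejection with a non-object reason
      // (e.g. undefined) from throwing here, which would skip the
      // preventSilentAccess() step and misreport the failure.
      const isNotAllowed =
        aResult != null && aResult.name === "NotAllowedError";
      local_ok(isNotAllowed, "Expecting a NotAllowedError, received " + aResult);
    })
    .then(function crossOriginPreventSilentAccess() {
      return navigator.credentials.preventSilentAccess();
    })
    .then(function crossOriginPreventSilentAccessThen(aResult) {
      local_ok(aResult == undefined, "PreventSilentAccess worked " + aResult);
    })
    .catch(function crossOriginPreventSilentAccessCatch(aResult) {
      local_ok(false, "Should not have failed " + aResult);
    })
    .then(function crossOriginDone() {
      local_finished();
    });
}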
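// Relying party: the RP ID is this frame's own host (document.domain), so
// each variant of the test asks for a credential scoped to the origin the
// frame actually runs on.
const rp = {id: document.domain, name: "none", icon: "none"};
// Fresh random user handle per run; name/displayName are placeholders.
const user = {
  id: crypto.getRandomValues(new Uint8Array(16)),
  name: "none", icon: "none", displayName: "none",
};
// Offer a single algorithm, ES256 (COSE -7).
const param = {type: "public-key", alg: cose_alg_ECDSA_w_SHA256};
// NOTE: the challenge is empty. That is tolerable only because this page
// tests origin policy, not the ceremony itself; a real relying party must
// send a fresh, unpredictable server-generated challenge and verify it in
// the returned clientDataJSON.
const makeCredentialOptions = {
  rp, user, challenge: new Uint8Array(), pubKeyCredParams: [param],
};
// Dispatch on the frame's own host. "example.com" is the host of
// _parentOrigin, so that case is same-origin with the embedding page;
// the harness presumably also loads this page from another origin for
// the cross-origin case.
if (document.domain === "example.com") {
  testSameOrigin();
} else {
  testCrossOrigin();
}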
</script>
<div id="log"></div>
</body>
</html>