<!DOCTYPE html> <meta charset=utf-8> <head> <title>Test for MakeCredential for W3C Web Authentication</title> <script src="/tests/SimpleTest/SimpleTest.js"></script> <script type="text/javascript" src="u2futil.js"></script> <script type="text/javascript" src="pkijs/common.js"></script> <script type="text/javascript" src="pkijs/asn1.js"></script> <script type="text/javascript" src="pkijs/x509_schema.js"></script> <script type="text/javascript" src="pkijs/x509_simpl.js"></script> <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> </head> <body> <h1>Test Same Origin Policy for W3C Web Authentication</h1> <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309284">Mozilla Bug 1309284</a> <script class="testbody" type="text/javascript"> "use strict"; // Execute the full-scope test SimpleTest.waitForExplicitFinish(); is(navigator.authentication, undefined, "navigator.authentication does not exist any longer"); isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist"); isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist"); isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist"); let credm; let chall; let user; let param; let gTrackedCredential; add_task(() => { credm = navigator.credentials; chall = new Uint8Array(16); window.crypto.getRandomValues(chall); user = {id: new Uint8Array(16), name: "none", icon: "none", displayName: "none"}; param = {type: "public-key", alg: cose_alg_ECDSA_w_SHA256}; gTrackedCredential = {}; }); add_task(test_basic_good); add_task(test_rp_id_unset); add_task(test_rp_name_unset); add_task(test_origin_with_optional_fields); add_task(test_blank_rp_id); add_task(test_subdomain); add_task(test_same_origin); add_task(test_etld); add_task(test_different_domain_same_tld); add_task(test_assertion_basic_good); add_task(test_assertion_rp_id_unset); add_task(test_assertion_origin_with_optional_fields); add_task(test_assertion_blank_rp_id); add_task(test_assertion_subdomain); add_task(test_assertion_same_origin); add_task(test_assertion_etld); add_task(test_assertion_different_domain_same_tld); add_task(test_basic_good_with_origin); add_task(test_assertion_basic_good_with_origin); add_task(test_assertion_invalid_rp_id); add_task(test_assertion_another_invalid_rp_id); function arrivingHereIsGood(aResult) { ok(true, "Good result! Received a: " + aResult); } function arrivingHereIsBad(aResult) { ok(false, "Bad result! Received a: " + aResult); } function expectSecurityError(aResult) { ok(aResult.toString().startsWith("SecurityError"), "Expecting a SecurityError"); } function expectTypeError(aResult) { ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError"); } function keepThisPublicKeyCredential(aIdentifier) { return function(aPublicKeyCredential) { gTrackedCredential[aIdentifier] = { type: "public-key", id: new Uint8Array(aPublicKeyCredential.rawId), transports: [ "usb" ], } return Promise.resolve(aPublicKeyCredential); } } function test_basic_good() { // Test basic good call let rp = {id: document.domain, name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(keepThisPublicKeyCredential("basic")) .then(arrivingHereIsGood) .catch(arrivingHereIsBad); } function test_rp_id_unset() { // Test rp.id being unset let makeCredentialOptions = { rp: {name: "none"}, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsGood) .catch(arrivingHereIsBad); } function test_rp_name_unset() { // Test rp.name being unset let makeCredentialOptions = { rp: {id: document.domain}, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsBad) .catch(expectTypeError); } function test_origin_with_optional_fields() { // Test this origin with optional fields let rp = {id: "user:pass@" + document.domain + ":8888", name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_blank_rp_id() { // Test blank rp.id let rp = {id: "", name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_subdomain() { // Test subdomain of this origin let rp = {id: "subdomain." + document.domain, name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_same_origin() { // Test the same origin let rp = {id: "example.com", name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsGood) .catch(arrivingHereIsBad); } function test_etld() { // Test the eTLD let rp = {id: "com", name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_different_domain_same_tld() { // Test a different domain within the same TLD let rp = {id: "alt.test", name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_assertion_basic_good() { // Test basic good call let publicKeyCredentialRequestOptions = { challenge: chall, rpId: document.domain, allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsGood) .catch(arrivingHereIsBad); } function test_assertion_rp_id_unset() { // Test rpId being unset let publicKeyCredentialRequestOptions = { challenge: chall, allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsGood) .catch(arrivingHereIsBad); } function test_assertion_origin_with_optional_fields() { // Test this origin with optional fields let publicKeyCredentialRequestOptions = { challenge: chall, rpId: "user:pass@" + document.origin + ":8888", allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_assertion_blank_rp_id() { // Test blank rpId let publicKeyCredentialRequestOptions = { challenge: chall, rpId: "", allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_assertion_subdomain() { // Test subdomain of this origin let publicKeyCredentialRequestOptions = { challenge: chall, rpId: "subdomain." + document.domain, allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_assertion_same_origin() { // Test the same origin let publicKeyCredentialRequestOptions = { challenge: chall, rpId: "example.com", allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsGood) .catch(arrivingHereIsBad); } function test_assertion_etld() { // Test the eTLD let publicKeyCredentialRequestOptions = { challenge: chall, rpId: "com", allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_assertion_different_domain_same_tld() { // Test a different domain within the same TLD let publicKeyCredentialRequestOptions = { challenge: chall, rpId: "alt.test", allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_basic_good_with_origin() { // Test basic good Create call but using an origin (Bug 1380421) let rp = {id: window.origin, name: "none"}; let makeCredentialOptions = { rp, user, challenge: chall, pubKeyCredParams: [param] }; return credm.create({publicKey: makeCredentialOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_assertion_basic_good_with_origin() { // Test basic good Get call but using an origin (Bug 1380421) let publicKeyCredentialRequestOptions = { challenge: chall, rpId: window.origin, allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(expectSecurityError); } function test_assertion_invalid_rp_id() { // Test with an rpId that is not a valid domain string let publicKeyCredentialRequestOptions = { challenge: chall, rpId: document.domain + ":somejunk", allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(arrivingHereIsGood); } function test_assertion_another_invalid_rp_id() { // Test with another rpId that is not a valid domain string let publicKeyCredentialRequestOptions = { challenge: chall, rpId: document.domain + ":8888", allowCredentials: [gTrackedCredential.basic] }; return credm.get({publicKey: publicKeyCredentialRequestOptions}) .then(arrivingHereIsBad) .catch(arrivingHereIsGood); } </script> </body> </html>