1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
/**
* Bug 1492607 - Test for assuring that postMessage cannot go across OAs.
*/
const FPD_ONE = "http://example.com";
const FPD_TWO = "http://example.org";
const TEST_BASE = "/browser/browser/components/originattributes/test/browser/";
add_setup(async function () {
// Make sure first party isolation is enabled.
await SpecialPowers.pushPrefEnv({
set: [
["privacy.firstparty.isolate", true],
["dom.security.https_first", false],
],
});
});
async function runTestWithOptions(
aDifferentFPD,
aStarTargetOrigin,
aBlockAcrossFPD
) {
let testPageURL = aDifferentFPD
? FPD_ONE + TEST_BASE + "file_postMessage.html"
: FPD_TWO + TEST_BASE + "file_postMessage.html";
// Deciding the targetOrigin according to the test setting.
let targetOrigin;
if (aStarTargetOrigin) {
targetOrigin = "*";
} else {
targetOrigin = aDifferentFPD ? FPD_ONE : FPD_TWO;
}
let senderURL =
FPD_TWO + TEST_BASE + `file_postMessageSender.html?${targetOrigin}`;
// Open a tab to listen messages.
let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, testPageURL);
// Use window.open() in the tab to open the sender tab. The sender tab
// will send a message through postMessage to window.opener.
let senderTabPromise = BrowserTestUtils.waitForNewTab(
gBrowser,
senderURL,
true
);
SpecialPowers.spawn(tab.linkedBrowser, [senderURL], aSenderPath => {
content.open(aSenderPath, "_blank");
});
// Wait and get the tab of the sender tab.
let senderTab = await senderTabPromise;
// The postMessage should be blocked when the first parties are different with
// the following two cases. First, it is using a non-star target origin.
// Second, it is using the star target origin and the pref
// 'privacy.firstparty.isolate.block_post_message' is true.
let shouldBlock = aDifferentFPD && (!aStarTargetOrigin || aBlockAcrossFPD);
await SpecialPowers.spawn(tab.linkedBrowser, [shouldBlock], async aValue => {
await new Promise(resolve => {
content.addEventListener("message", async function eventHandler(aEvent) {
if (aEvent.data === "Self") {
let display = content.document.getElementById("display");
if (aValue) {
Assert.equal(
display.innerHTML,
"",
"It should not get a message from other OA."
);
} else {
await ContentTaskUtils.waitForCondition(
() => display.innerHTML == "Message",
"Wait for message to arrive"
);
Assert.equal(
display.innerHTML,
"Message",
"It should get a message from the same OA."
);
}
content.removeEventListener("message", eventHandler);
resolve();
}
});
// Trigger the content to send a postMessage to itself.
content.document.getElementById("button").click();
});
});
BrowserTestUtils.removeTab(tab);
BrowserTestUtils.removeTab(senderTab);
}
add_task(async function runTests() {
for (let useDifferentFPD of [true, false]) {
for (let useStarTargetOrigin of [true, false]) {
for (let enableBlocking of [true, false]) {
if (enableBlocking) {
await SpecialPowers.pushPrefEnv({
set: [["privacy.firstparty.isolate.block_post_message", true]],
});
}
await runTestWithOptions(
useDifferentFPD,
useStarTargetOrigin,
enableBlocking
);
if (enableBlocking) {
await SpecialPowers.popPrefEnv();
}
}
}
}
});
|