• file
• revisions
• annotate
• diff
• comparison
• raw

dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html@6474c204b198 (annotated)

dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html

Wed, 31 Dec 2014 06:09:35 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Wed, 31 Dec 2014 06:09:35 +0100

changeset 0

6474c204b198

permissions

-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0	1	<!DOCTYPE html>
michael@0	2	<html>
michael@0	3	<head>
michael@0	4	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
michael@0	5	<title>Setting document.domain and IDN</title>
michael@0	6	<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
michael@0	7	<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
michael@0	8	</head>
michael@0	9	<body>
michael@0	10	<p id="display"></p>
michael@0	11	<div id="content" style="display: none">
michael@0	12
michael@0	13	</div>
michael@0	14
michael@0	15	<!--
michael@0	16
michael@0	17	This testing all gets a bit complicated here; the problem is that our
michael@0	18	document.domain implementation will do a suffix comparison of the value to which
michael@0	19	it's being set against the current URI's base domain (where "base domain" is
michael@0	20	defined as the effective TLD plus one; see nsIEffectiveTLDService.idl). Seems
michael@0	21	simple enough, right? Wrong.
michael@0	22
michael@0	23	The problem, as usual, is IDN. Our current, wholly-inadequate solution to
michael@0	24	preventing Unicode domain-name spoofing is done at the level of the URL
michael@0	25	implementation, not at the presentation level. However, the value of the
michael@0	26	base domain for the current URI is always calculated in punycode; if the
michael@0	27	provided domain is one which is whitelisted, we'll get an IDN name and the
michael@0	28	suffix-comparison will fail. Nice great big mess, huh?
michael@0	29
michael@0	30	Anyway: "test" currently fits the bill as a TLD which is not whitelisted, while
michael@0	31	"δοκιμή" (the Greek IDN TLD for "test") fits the bill as a TLD which is
michael@0	32	whitelisted. RFC 2606 reserves "test" for DNS testing, so nobody's going to
michael@0	33	clamor for it to be whitelisted any time soon. The latter is as of February
michael@0	34	2008 undergoing testing for IDN TLDs, and it's at least temporarily whitelisted
michael@0	35	for now. Once the testing period ends the latter's probably going to be
michael@0	36	un-whitelisted, so we're going to have to do a careful bit of stepping to ensure
michael@0	37	that in the future this test tests what it was intended to test (and, until
michael@0	38	bug 414090 is fixed, that it doesn't break when the Greek TLD is
michael@0	39	un-whitelisted).
michael@0	40
michael@0	41	After bug 722299 the IDN whitelist is expected to go away (bug
michael@0	42	843689), but bug 414090 still applies, mutatis mutandis. The test has
michael@0	43	been changed to use exaмple.test instead (with a Cyrillic м), which
michael@0	44	will fail the mixed-script tests and use punycode.
michael@0	45	-->
michael@0	46
michael@0	47	<div>
michael@0	48	<h2>Whitelisted</h2>
michael@0	49	<iframe name="idnKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-whitelist"></iframe>
michael@0	50	<iframe name="punycodeKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-whitelist"></iframe>
michael@0	51	</div>
michael@0	52
michael@0	53	<div>
michael@0	54	<h2>Not whitelisted</h2>
michael@0	55	<iframe name="idnKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-nowhitelist"></iframe>
michael@0	56	<iframe name="punycodeKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-nowhitelist"></iframe>
michael@0	57	</div>
michael@0	58
michael@0	59	<pre id="test">
michael@0	60	<script class="testbody" type="application/javascript">
michael@0	61
michael@0	62	SimpleTest.waitForExplicitFinish();
michael@0	63
michael@0	64	var gotIDNNoWhitelist = false;
michael@0	65	var gotPunycodeNoWhitelist = false;
michael@0	66	var gotIDNWhitelist = false;
michael@0	67	var gotPunycodeWhitelist = false;
michael@0	68
michael@0	69	var whitelistRegex =
michael@0	70	new RegExp("^http://sub1\\.παράδειγμα\\.δοκιμή/tests/dom/tests/" +
michael@0	71	"mochitest/dom-level0/idn_child\\.html\\?(.+)$");
michael@0	72
michael@0	73	var noWhitelistRegex =
michael@0	74	new RegExp("^http://sub1\\.exaмple\\.test/tests/dom/tests/" +
michael@0	75	"mochitest/dom-level0/idn_child\\.html\\?(.+)$");
michael@0	76
michael@0	77	var state = 0;
michael@0	78
michael@0	79	var messages =
michael@0	80	[
michael@0	81	"idn-whitelist",
michael@0	82	"punycode-whitelist",
michael@0	83	"idn-nowhitelist",
michael@0	84	"punycode-nowhitelist",
michael@0	85	];
michael@0	86
michael@0	87
michael@0	88	function receiveMessage(evt)
michael@0	89	{
michael@0	90	var origin = evt.origin;
michael@0	91	var match;
michael@0	92	if (/test$/.test(origin))
michael@0	93	{
michael@0	94	// XXX bug 414090
michael@0	95	// The value of MessageEvent.origin with postMessage *should* always be IDN;
michael@0	96	// unfortunately, given our current setup for dealing with Unicode-based
michael@0	97	// domain-name spoofing, whether a domain is in the safe-for-IDN whitelist
michael@0	98	// affects the value of this property (likewise for window.location,
michael@0	99	// document.location, document.domain, and probably a slew of other
michael@0	100	// things). :-(
michael@0	101	//
michael@0	102	// These two tests should illustrate what currently happens and what should
michael@0	103	// happen once bug 414090 is fixed.
michael@0	104	todo_is(evt.origin, "http://sub1.exaмple.test", "wrong sender");
michael@0	105	todo_isnot(evt.origin, "http://sub1.xn--exaple-kqf.test", "wrong sender");
michael@0	106	}
michael@0	107	else
michael@0	108	{
michael@0	109	// We're receiving data from the Greek IDN name; since that TLD is
michael@0	110	// whitelisted for now, the domain we get isn't going to be punycoded.
michael@0	111	is(evt.origin, "http://sub1.παράδειγμα.δοκιμή", "wrong sender");
michael@0	112	}
michael@0	113
michael@0	114	is(messages[state] + "-response", evt.data.split(" ")[0],
michael@0	115	"unexpected data: " + evt.data);
michael@0	116
michael@0	117	switch (messages[state])
michael@0	118	{
michael@0	119	case "idn-whitelist":
michael@0	120	gotIDNWhitelist = true;
michael@0	121	ok(evt.source === window.frames.idnKidWhitelist, "wrong source");
michael@0	122	is(evt.data, "idn-whitelist-response", "wrong response for IDN");
michael@0	123	break;
michael@0	124
michael@0	125	case "punycode-whitelist":
michael@0	126	gotPunycodeWhitelist = true;
michael@0	127	ok(evt.source === window.frames.punycodeKidWhitelist, "wrong source");
michael@0	128	is(evt.data, "punycode-whitelist-response", "wrong response for punycode");
michael@0	129	break;
michael@0	130
michael@0	131	case "idn-nowhitelist":
michael@0	132	gotIDNNoWhitelist = true;
michael@0	133	ok(evt.source === window.frames.idnKidNoWhitelist, "wrong source");
michael@0	134	is(evt.data, "idn-nowhitelist-response", "wrong response for IDN");
michael@0	135	break;
michael@0	136
michael@0	137	case "punycode-nowhitelist":
michael@0	138	gotPunycodeNoWhitelist = true;
michael@0	139	ok(evt.source === window.frames.punycodeKidNoWhitelist, "wrong source");
michael@0	140	is(evt.data, "punycode-nowhitelist-response", "wrong response for punycode");
michael@0	141	break;
michael@0	142
michael@0	143	default:
michael@0	144	ok(false, "unreached");
michael@0	145	break;
michael@0	146	}
michael@0	147
michael@0	148	state++;
michael@0	149	}
michael@0	150
michael@0	151	function run()
michael@0	152	{
michael@0	153	var target = window.frames.idnKidWhitelist;
michael@0	154	target.postMessage("idn-whitelist", "http://sub1.παράδειγμα.δοκιμή");
michael@0	155
michael@0	156	// Double-timeouts account for 1) delay for message to be received by target
michael@0	157	// window and 2) delay for response from target window to be received by this
michael@0	158	// window.
michael@0	159
michael@0	160	setTimeout(function()
michael@0	161	{
michael@0	162	setTimeout(function()
michael@0	163	{
michael@0	164	ok(gotIDNWhitelist, "IDN whitelist message not received");
michael@0	165
michael@0	166	var target = window.frames.punycodeKidWhitelist;
michael@0	167	target.postMessage("punycode-whitelist", "http://sub1.παράδειγμα.δοκιμή");
michael@0	168
michael@0	169	setTimeout(function()
michael@0	170	{
michael@0	171	setTimeout(function()
michael@0	172	{
michael@0	173	ok(gotPunycodeWhitelist, "punycode whitelist message not received");
michael@0	174
michael@0	175	var target = window.frames.idnKidNoWhitelist;
michael@0	176	target.postMessage("idn-nowhitelist", "http://sub1.exaмple.test");
michael@0	177
michael@0	178	setTimeout(function()
michael@0	179	{
michael@0	180	setTimeout(function()
michael@0	181	{
michael@0	182	ok(gotIDNNoWhitelist, "IDN no-whitelist message not received");
michael@0	183
michael@0	184	var target = window.frames.punycodeKidNoWhitelist;
michael@0	185	target.postMessage("punycode-nowhitelist",
michael@0	186	"http://sub1.exaмple.test");
michael@0	187
michael@0	188	setTimeout(function()
michael@0	189	{
michael@0	190	setTimeout(function()
michael@0	191	{
michael@0	192	ok(gotPunycodeNoWhitelist,
michael@0	193	"punycode no-whitelist message not received");
michael@0	194
michael@0	195	SimpleTest.finish();
michael@0	196	}, 0);
michael@0	197	}, 0);
michael@0	198	}, 0);
michael@0	199	}, 0);
michael@0	200	}, 0);
michael@0	201	}, 0);
michael@0	202	}, 0);
michael@0	203	}, 0);
michael@0	204	}
michael@0	205
michael@0	206	window.addEventListener("message", receiveMessage, false);
michael@0	207	window.addEventListener("load", run, false);
michael@0	208	</script>
michael@0	209	</pre>
michael@0	210	</body>
michael@0	211	</html>