dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html

changeset 0
6474c204b198
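--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dom/tests/mochitest/dom-level0/test_setting_document.domain_idn.html	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,211 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+  <title>Setting document.domain and IDN</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+
+<!--
+
+This testing all gets a bit complicated here; the problem is that our
+document.domain implementation will do a suffix comparison of the value to which
+it's being set against the current URI's base domain (where "base domain" is
+defined as the effective TLD plus one; see nsIEffectiveTLDService.idl).  Seems
+simple enough, right?  Wrong.
+
+The problem, as usual, is IDN.  Our current, wholly-inadequate solution to
+preventing Unicode domain-name spoofing is done at the level of the URL
+implementation, not at the presentation level.  However, the value of the
+base domain for the current URI is always calculated in punycode; if the
+provided domain is one which is whitelisted, we'll get an IDN name and the
+suffix-comparison will fail.  Nice great big mess, huh?
+
+Anyway: "test" currently fits the bill as a TLD which is not whitelisted, while
+"δοκιμή" (the Greek IDN TLD for "test") fits the bill as a TLD which is
+whitelisted.  RFC 2606 reserves "test" for DNS testing, so nobody's going to
+clamor for it to be whitelisted any time soon.  The latter is as of February
+2008 undergoing testing for IDN TLDs, and it's at least temporarily whitelisted
+for now.  Once the testing period ends the latter's probably going to be
+un-whitelisted, so we're going to have to do a careful bit of stepping to ensure
+that in the future this test tests what it was intended to test (and, until
+bug 414090 is fixed, that it doesn't break when the Greek TLD is
+un-whitelisted).
+
+After bug 722299 the IDN whitelist is expected to go away (bug
+843689), but bug 414090 still applies, mutatis mutandis. The test has
+been changed to use exaмple.test instead (with a Cyrillic м), which
+will fail the mixed-script tests and use punycode.
+-->
+
+<div>
+<h2>Whitelisted</h2>
+<iframe name="idnKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-whitelist"></iframe>
+<iframe name="punycodeKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-whitelist"></iframe>
+</div>
+
+<div>
+<h2>Not whitelisted</h2>
+<iframe name="idnKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-nowhitelist"></iframe>
+<iframe name="punycodeKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-nowhitelist"></iframe>
+</div>
+
+<pre id="test">
+<script class="testbody" type="application/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+var gotIDNNoWhitelist = false;
+var gotPunycodeNoWhitelist = false;
+var gotIDNWhitelist = false;
+var gotPunycodeWhitelist = false;
+
+var whitelistRegex =
+  new RegExp("^http://sub1\\.παράδειγμα\\.δοκιμή/tests/dom/tests/" +
+             "mochitest/dom-level0/idn_child\\.html\\?(.+)$");
+
+var noWhitelistRegex =
+  new RegExp("^http://sub1\\.exaмple\\.test/tests/dom/tests/" +
+             "mochitest/dom-level0/idn_child\\.html\\?(.+)$");
+
+var state = 0;
+
+var messages =
+  [
+   "idn-whitelist",
+   "punycode-whitelist",
+   "idn-nowhitelist",
+   "punycode-nowhitelist",
+  ];
+
+
+function receiveMessage(evt)
+{
+  var origin = evt.origin;
+  var match;
+  if (/test$/.test(origin))
+  {
+    // XXX bug 414090
+    // The value of MessageEvent.origin with postMessage *should* always be IDN;
+    // unfortunately, given our current setup for dealing with Unicode-based
+    // domain-name spoofing, whether a domain is in the safe-for-IDN whitelist
+    // affects the value of this property (likewise for window.location,
+    // document.location, document.domain, and probably a slew of other
+    // things).  :-(
+    //
+    // These two tests should illustrate what currently happens and what should
+    // happen once bug 414090 is fixed.
+    todo_is(evt.origin, "http://sub1.exaмple.test", "wrong sender");
+    todo_isnot(evt.origin, "http://sub1.xn--exaple-kqf.test", "wrong sender");
+  }
+  else
+  {
+    // We're receiving data from the Greek IDN name; since that TLD is
+    // whitelisted for now, the domain we get isn't going to be punycoded.
+    is(evt.origin, "http://sub1.παράδειγμα.δοκιμή", "wrong sender");
+  }
+
+  is(messages[state] + "-response", evt.data.split(" ")[0],
+     "unexpected data: " + evt.data);
+
+  switch (messages[state])
+  {
+    case "idn-whitelist":
+      gotIDNWhitelist = true;
+      ok(evt.source === window.frames.idnKidWhitelist, "wrong source");
+      is(evt.data, "idn-whitelist-response", "wrong response for IDN");
+      break;
+
+    case "punycode-whitelist":
+      gotPunycodeWhitelist = true;
+      ok(evt.source === window.frames.punycodeKidWhitelist, "wrong source");
+      is(evt.data, "punycode-whitelist-response", "wrong response for punycode");
+      break;
+
+    case "idn-nowhitelist":
+      gotIDNNoWhitelist = true;
+      ok(evt.source === window.frames.idnKidNoWhitelist, "wrong source");
+      is(evt.data, "idn-nowhitelist-response", "wrong response for IDN");
+      break;
+
+    case "punycode-nowhitelist":
+      gotPunycodeNoWhitelist = true;
+      ok(evt.source === window.frames.punycodeKidNoWhitelist, "wrong source");
+      is(evt.data, "punycode-nowhitelist-response", "wrong response for punycode");
+      break;
+
+    default:
+      ok(false, "unreached");
+      break;
+  }
+
+  state++;
+}
+
+function run()
+{
+  var target = window.frames.idnKidWhitelist;
+  target.postMessage("idn-whitelist", "http://sub1.παράδειγμα.δοκιμή");
+
+  // Double-timeouts account for 1) delay for message to be received by target
+  // window and 2) delay for response from target window to be received by this
+  // window.
+
+  setTimeout(function()
+  {
+    setTimeout(function()
+    {
+      ok(gotIDNWhitelist, "IDN whitelist message not received");
+
+      var target = window.frames.punycodeKidWhitelist;
+      target.postMessage("punycode-whitelist", "http://sub1.παράδειγμα.δοκιμή");
+
+      setTimeout(function()
+      {
+        setTimeout(function()
+        {
+          ok(gotPunycodeWhitelist, "punycode whitelist message not received");
+
+          var target = window.frames.idnKidNoWhitelist;
+          target.postMessage("idn-nowhitelist", "http://sub1.exaмple.test");
+
+          setTimeout(function()
+          {
+            setTimeout(function()
+            {
+              ok(gotIDNNoWhitelist, "IDN no-whitelist message not received");
+    
+              var target = window.frames.punycodeKidNoWhitelist;
+              target.postMessage("punycode-nowhitelist",
+                                 "http://sub1.exaмple.test");
+
+              setTimeout(function()
+              {
+                setTimeout(function()
+                {
+                  ok(gotPunycodeNoWhitelist,
+                     "punycode no-whitelist message not received");
+
+                  SimpleTest.finish();
+                }, 0);
+              }, 0);
+            }, 0);
+          }, 0);
+        }, 0);
+      }, 0);
+    }, 0);
+  }, 0);
+}
+
+window.addEventListener("message", receiveMessage, false);
+window.addEventListener("load", run, false);
+</script>
+</pre>
+</body>
+</html>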
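Review bot: In receiveMessage, the branch taken when the unanchored `/test$/.test(origin)` matches contains only `todo_is`/`todo_isnot` checks, so the sender origin accepted for the two non-whitelisted frames is never stated as a hard assertion the way `is(evt.origin, ...)` states it in the else branch. Since the comment says bug 414090 leaves the value in either IDN or punycode form, I would add `ok(origin === "http://sub1.exaмple.test" || origin === "http://sub1.xn--exaple-kqf.test", "wrong sender");` ahead of the todo pair, so an unexpected origin ending in "test" is reported directly. Separately, `whitelistRegex`, `noWhitelistRegex` and `var match` are declared but not used anywhere in this file and could be dropped. The nested zero-delay `setTimeout` chain in run() assumes each reply arrives within two timer turns; sending the next postMessage from receiveMessage would remove that timing assumption and keep `state` in step with the replies.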
