Tue, 06 Jan 2015 21:39:09 +0100
Conditionally force memory storage according to privacy.thirdparty.isolate;
This solves Tor bug #9701, complying with disk avoidance documented in
https://www.torproject.org/projects/torbrowser/design/#disk-avoidance.
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <title>Setting document.domain and IDN</title>
  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">

</div>

<!--

This testing all gets a bit complicated here; the problem is that our
document.domain implementation will do a suffix comparison of the value to which
it's being set against the current URI's base domain (where "base domain" is
defined as the effective TLD plus one; see nsIEffectiveTLDService.idl). Seems
simple enough, right? Wrong.

The problem, as usual, is IDN. Our current, wholly-inadequate solution to
preventing Unicode domain-name spoofing is done at the level of the URL
implementation, not at the presentation level. However, the value of the
base domain for the current URI is always calculated in punycode; if the
provided domain is one which is whitelisted, we'll get an IDN name and the
suffix-comparison will fail. Nice great big mess, huh?

Anyway: "test" currently fits the bill as a TLD which is not whitelisted, while
"δοκιμή" (the Greek IDN TLD for "test") fits the bill as a TLD which is
whitelisted. RFC 2606 reserves "test" for DNS testing, so nobody's going to
clamor for it to be whitelisted any time soon. The latter is as of February
2008 undergoing testing for IDN TLDs, and it's at least temporarily whitelisted
for now. Once the testing period ends the latter's probably going to be
un-whitelisted, so we're going to have to do a careful bit of stepping to ensure
that in the future this test tests what it was intended to test (and, until
bug 414090 is fixed, that it doesn't break when the Greek TLD is
un-whitelisted).

After bug 722299 the IDN whitelist is expected to go away (bug
843689), but bug 414090 still applies, mutatis mutandis. The test has
been changed to use exaмple.test instead (with a Cyrillic м), which
will fail the mixed-script tests and use punycode.
-->

<div>
<h2>Whitelisted</h2>
<iframe name="idnKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-whitelist"></iframe>
<iframe name="punycodeKidWhitelist" src="http://sub1.παράδειγμα.δοκιμή/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-whitelist"></iframe>
</div>

<div>
<h2>Not whitelisted</h2>
<iframe name="idnKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?idn-nowhitelist"></iframe>
<iframe name="punycodeKidNoWhitelist" src="http://sub1.exaмple.test/tests/dom/tests/mochitest/dom-level0/idn_child.html?punycode-nowhitelist"></iframe>
</div>

<pre id="test">
<script class="testbody" type="application/javascript">

SimpleTest.waitForExplicitFinish();

var gotIDNNoWhitelist = false;
var gotPunycodeNoWhitelist = false;
var gotIDNWhitelist = false;
var gotPunycodeWhitelist = false;

var whitelistRegex =
  new RegExp("^http://sub1\\.παράδειγμα\\.δοκιμή/tests/dom/tests/" +
             "mochitest/dom-level0/idn_child\\.html\\?(.+)$");

var noWhitelistRegex =
  new RegExp("^http://sub1\\.exaмple\\.test/tests/dom/tests/" +
             "mochitest/dom-level0/idn_child\\.html\\?(.+)$");

var state = 0;

var messages =
  [
   "idn-whitelist",
   "punycode-whitelist",
   "idn-nowhitelist",
   "punycode-nowhitelist",
  ];

function receiveMessage(evt)
{
  var origin = evt.origin;
  var match;
  if (/test$/.test(origin))
  {
    // XXX bug 414090
    // The value of MessageEvent.origin with postMessage *should* always be IDN;
    // unfortunately, given our current setup for dealing with Unicode-based
    // domain-name spoofing, whether a domain is in the safe-for-IDN whitelist
    // affects the value of this property (likewise for window.location,
    // document.location, document.domain, and probably a slew of other
    // things). :-(
    //
    // These two tests should illustrate what currently happens and what should
    // happen once bug 414090 is fixed.
    todo_is(evt.origin, "http://sub1.exaмple.test", "wrong sender");
    todo_isnot(evt.origin, "http://sub1.xn--exaple-kqf.test", "wrong sender");
  }
  else
  {
    // We're receiving data from the Greek IDN name; since that TLD is
    // whitelisted for now, the domain we get isn't going to be punycoded.
    is(evt.origin, "http://sub1.παράδειγμα.δοκιμή", "wrong sender");
  }

  is(messages[state] + "-response", evt.data.split(" ")[0],
     "unexpected data: " + evt.data);

  switch (messages[state])
  {
    case "idn-whitelist":
      gotIDNWhitelist = true;
      ok(evt.source === window.frames.idnKidWhitelist, "wrong source");
      is(evt.data, "idn-whitelist-response", "wrong response for IDN");
      break;

    case "punycode-whitelist":
      gotPunycodeWhitelist = true;
      ok(evt.source === window.frames.punycodeKidWhitelist, "wrong source");
      is(evt.data, "punycode-whitelist-response", "wrong response for punycode");
      break;

    case "idn-nowhitelist":
      gotIDNNoWhitelist = true;
      ok(evt.source === window.frames.idnKidNoWhitelist, "wrong source");
      is(evt.data, "idn-nowhitelist-response", "wrong response for IDN");
      break;

    case "punycode-nowhitelist":
      gotPunycodeNoWhitelist = true;
      ok(evt.source === window.frames.punycodeKidNoWhitelist, "wrong source");
      is(evt.data, "punycode-nowhitelist-response", "wrong response for punycode");
      break;

    default:
      ok(false, "unreached");
      break;
  }

  state++;
}

function run()
{
  var target = window.frames.idnKidWhitelist;
  target.postMessage("idn-whitelist", "http://sub1.παράδειγμα.δοκιμή");

  // Double-timeouts account for 1) delay for message to be received by target
  //                             window and 2) delay for response from target window to be received by this
  //                             window.

  setTimeout(function()
  {
    setTimeout(function()
    {
      ok(gotIDNWhitelist, "IDN whitelist message not received");

      var target = window.frames.punycodeKidWhitelist;
      target.postMessage("punycode-whitelist", "http://sub1.παράδειγμα.δοκιμή");

      setTimeout(function()
      {
        setTimeout(function()
        {
          ok(gotPunycodeWhitelist, "punycode whitelist message not received");

          var target = window.frames.idnKidNoWhitelist;
          target.postMessage("idn-nowhitelist", "http://sub1.exaмple.test");

          setTimeout(function()
          {
            setTimeout(function()
            {
              ok(gotIDNNoWhitelist, "IDN no-whitelist message not received");

              var target = window.frames.punycodeKidNoWhitelist;
              target.postMessage("punycode-nowhitelist",
                                 "http://sub1.exaмple.test");

              setTimeout(function()
              {
                setTimeout(function()
                {
                  ok(gotPunycodeNoWhitelist,
                     "punycode no-whitelist message not received");

                  SimpleTest.finish();
                }, 0);
              }, 0);
            }, 0);
          }, 0);
        }, 0);
      }, 0);
    }, 0);
  }, 0);
}

window.addEventListener("message", receiveMessage, false);
window.addEventListener("load", run, false);
</script>
</pre>
</body>
</html>
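
The comment in the test file describes origin and document.domain comparisons going wrong when one side is in IDN form and the other in punycode. The block below is an added example, not part of the Mozilla test file: it normalises both sides through the WHATWG URL parser before comparing them. The function names are hypothetical, the base domain (eTLD+1) is passed in by the caller rather than looked up in the public suffix list, and a runtime with the standard `URL` class (a browser or Node.js) is assumed.

```javascript
// Added example: compare origins and domains only after IDNA normalisation.
// Function names are hypothetical; sample hosts are the ones used by the test.

// Host in ASCII (punycode) form via the WHATWG URL parser, or null if the
// input is not a bare host name.
function toAsciiHost(host) {
  try {
    const url = new URL("http://" + host);
    const bare = url.pathname === "/" && !url.search && !url.hash &&
                 !url.username && !url.password && !url.port;
    return bare ? url.hostname : null;
  } catch (e) {
    return null;
  }
}

// Canonical origin string, or null for "null", non-http(s) or malformed input.
function canonicalOrigin(origin) {
  try {
    const url = new URL(origin);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    if (url.pathname !== "/" || url.search || url.hash) return null;
    return url.origin;
  } catch (e) {
    return null;
  }
}

// True when both spellings (IDN or punycode) name the same origin.
function isSameSender(actualOrigin, expectedOrigin) {
  const actual = canonicalOrigin(actualOrigin);
  return actual !== null && actual === canonicalOrigin(expectedOrigin);
}

// Label-aligned suffix test: "b.c" matches "a.b.c" but "kqf.test" does not
// match "xn--exaple-kqf.test".
function isLabelSuffix(full, suffix) {
  return full === suffix || full.endsWith("." + suffix);
}

// document.domain-style rule: the candidate must be a suffix of the current
// host and must not be shorter than the base domain (eTLD+1, supplied by the
// caller here as an assumption instead of a public-suffix lookup).
function isAllowedDomain(currentHost, baseDomain, candidate) {
  const [h, b, c] = [currentHost, baseDomain, candidate].map(toAsciiHost);
  if (h === null || b === null || c === null) return false;
  return isLabelSuffix(h, c) && isLabelSuffix(c, b);
}
```

Normalisation makes the two spellings of the Cyrillic host compare equal, while the all-Latin `sub1.example.test` remains a different origin.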