dom/webauthn/tests/test_webauthn_sameorigin.html

   1 <!DOCTYPE html>
   2 <meta charset=utf-8>
   3 <head>
   4   <title>Test for MakeCredential for W3C Web Authentication</title>
   5   <script src="/tests/SimpleTest/SimpleTest.js"></script>
   6   <script type="text/javascript" src="u2futil.js"></script>
   7   <script type="text/javascript" src="pkijs/common.js"></script>
   8   <script type="text/javascript" src="pkijs/asn1.js"></script>
   9   <script type="text/javascript" src="pkijs/x509_schema.js"></script>
  10   <script type="text/javascript" src="pkijs/x509_simpl.js"></script>
  11   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
  12 </head>
  13 <body>
  14
  15   <h1>Test Same Origin Policy for W3C Web Authentication</h1>
  16   <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309284">Mozilla Bug 1309284</a>
  17
  18   <script class="testbody" type="text/javascript">
  19     "use strict";
  20
  21     add_task(async () => {
  22       await addVirtualAuthenticator();
  23     });
  24
  25     is(navigator.authentication, undefined, "navigator.authentication does not exist any longer");
  26     isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist");
  27     isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist");
  28     isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist");
  29
  30     let credm;
  31     let chall;
  32     let user;
  33     let param;
  34     let gTrackedCredential;
  35     add_task(() => {
  36       credm = navigator.credentials;
  37
  38       chall = new Uint8Array(16);
  39       window.crypto.getRandomValues(chall);
  40
  41       user = {id: new Uint8Array(16), name: "none", displayName: "none"};
  42       param = {type: "public-key", alg: cose_alg_ECDSA_w_SHA256};
  43       gTrackedCredential = {};
  44     });
  45
  46     add_task(test_basic_good);
  47     add_task(test_rp_id_unset);
  48     add_task(test_rp_name_unset);
  49     add_task(test_origin_with_optional_fields);
  50     add_task(test_blank_rp_id);
  51     add_task(test_subdomain);
  52     add_task(test_same_origin);
  53     add_task(test_etld);
  54     add_task(test_different_domain_same_tld);
  55     add_task(test_assertion_basic_good);
  56     add_task(test_assertion_rp_id_unset);
  57     add_task(test_assertion_origin_with_optional_fields);
  58     add_task(test_assertion_blank_rp_id);
  59     add_task(test_assertion_subdomain);
  60     add_task(test_assertion_same_origin);
  61     add_task(test_assertion_etld);
  62     add_task(test_assertion_different_domain_same_tld);
  63     add_task(test_basic_good_with_origin);
  64     add_task(test_assertion_basic_good_with_origin);
  65     add_task(test_assertion_invalid_rp_id);
  66     add_task(test_assertion_another_invalid_rp_id);
  67
  68     function arrivingHereIsGood(aResult) {
  69       ok(true, "Good result! Received a: " + aResult);
  70     }
  71
  72     function arrivingHereIsBad(aResult) {
  73       ok(false, "Bad result! Received a: " + aResult);
  74     }
  75
  76     function expectSecurityError(aResult) {
  77       ok(aResult.toString().startsWith("SecurityError"), "Expecting a SecurityError");
  78     }
  79
  80     function expectTypeError(aResult) {
  81       ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError");
  82     }
  83
  84     function keepThisPublicKeyCredential(aIdentifier) {
  85       return function(aPublicKeyCredential) {
  86         gTrackedCredential[aIdentifier] = {
  87           type: "public-key",
  88           id: new Uint8Array(aPublicKeyCredential.rawId),
  89           transports: [ "usb" ],
  90         }
  91         return Promise.resolve(aPublicKeyCredential);
  92       }
  93     }
  94
  95     function test_basic_good() {
  96       // Test basic good call
  97       let rp = {id: document.domain, name: "none"};
  98       let makeCredentialOptions = {
  99         rp, user, challenge: chall, pubKeyCredParams: [param]
 100       };
 101       return credm.create({publicKey: makeCredentialOptions})
 102                   .then(keepThisPublicKeyCredential("basic"))
 103                   .then(arrivingHereIsGood)
 104                   .catch(arrivingHereIsBad);
 105     }
 106     function test_rp_id_unset() {
 107       // Test rp.id being unset
 108       let makeCredentialOptions = {
 109         rp: {name: "none"}, user, challenge: chall, pubKeyCredParams: [param]
 110       };
 111       return credm.create({publicKey: makeCredentialOptions})
 112                   .then(arrivingHereIsGood)
 113                   .catch(arrivingHereIsBad);
 114     }
 115     function test_rp_name_unset() {
 116       // Test rp.name being unset
 117       let makeCredentialOptions = {
 118         rp: {id: document.domain}, user, challenge: chall, pubKeyCredParams: [param]
 119       };
 120       return credm.create({publicKey: makeCredentialOptions})
 121                   .then(arrivingHereIsBad)
 122                   .catch(expectTypeError);
 123     }
 124     function test_origin_with_optional_fields() {
 125       // Test this origin with optional fields
 126       let rp = {id: "user:pass@" + document.domain + ":8888", name: "none"};
 127       let makeCredentialOptions = {
 128         rp, user, challenge: chall, pubKeyCredParams: [param]
 129       };
 130       return credm.create({publicKey: makeCredentialOptions})
 131                   .then(arrivingHereIsBad)
 132                   .catch(expectSecurityError);
 133     }
 134     function test_blank_rp_id() {
 135       // Test blank rp.id
 136       let rp = {id: "", name: "none"};
 137       let makeCredentialOptions = {
 138         rp, user, challenge: chall, pubKeyCredParams: [param]
 139       };
 140       return credm.create({publicKey: makeCredentialOptions})
 141                   .then(arrivingHereIsBad)
 142                   .catch(expectSecurityError);
 143     }
 144     function test_subdomain() {
 145       // Test subdomain of this origin
 146       let rp = {id: "subdomain." + document.domain, name: "none"};
 147       let makeCredentialOptions = {
 148         rp, user, challenge: chall, pubKeyCredParams: [param]
 149       };
 150       return credm.create({publicKey: makeCredentialOptions})
 151                   .then(arrivingHereIsBad)
 152                   .catch(expectSecurityError);
 153     }
 154     function test_same_origin() {
 155       // Test the same origin
 156       let rp = {id: "example.com", name: "none"};
 157       let makeCredentialOptions = {
 158         rp, user, challenge: chall, pubKeyCredParams: [param]
 159       };
 160       return credm.create({publicKey: makeCredentialOptions})
 161                   .then(arrivingHereIsGood)
 162                   .catch(arrivingHereIsBad);
 163     }
 164     function test_etld() {
 165       // Test the eTLD
 166       let rp = {id: "com", name: "none"};
 167       let makeCredentialOptions = {
 168         rp, user, challenge: chall, pubKeyCredParams: [param]
 169       };
 170       return credm.create({publicKey: makeCredentialOptions})
 171                   .then(arrivingHereIsBad)
 172                   .catch(expectSecurityError);
 173     }
 174     function test_different_domain_same_tld() {
 175       // Test a different domain within the same TLD
 176       let rp = {id: "alt.test", name: "none"};
 177       let makeCredentialOptions = {
 178         rp, user, challenge: chall, pubKeyCredParams: [param]
 179       };
 180       return credm.create({publicKey: makeCredentialOptions})
 181                   .then(arrivingHereIsBad)
 182                   .catch(expectSecurityError);
 183     }
 184     function test_assertion_basic_good() {
 185       // Test basic good call
 186       let publicKeyCredentialRequestOptions = {
 187         challenge: chall,
 188         rpId: document.domain,
 189         allowCredentials: [gTrackedCredential.basic]
 190       };
 191       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 192                   .then(arrivingHereIsGood)
 193                   .catch(arrivingHereIsBad);
 194     }
 195     function test_assertion_rp_id_unset() {
 196       // Test rpId being unset
 197       let publicKeyCredentialRequestOptions = {
 198         challenge: chall,
 199         allowCredentials: [gTrackedCredential.basic]
 200       };
 201       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 202                   .then(arrivingHereIsGood)
 203                   .catch(arrivingHereIsBad);
 204     }
 205     function test_assertion_origin_with_optional_fields() {
 206       // Test this origin with optional fields
 207       let publicKeyCredentialRequestOptions = {
 208         challenge: chall,
 209         rpId: "user:pass@" + document.origin + ":8888",
 210         allowCredentials: [gTrackedCredential.basic]
 211       };
 212       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 213                   .then(arrivingHereIsBad)
 214                   .catch(expectSecurityError);
 215     }
 216     function test_assertion_blank_rp_id() {
 217       // Test blank rpId
 218       let publicKeyCredentialRequestOptions = {
 219         challenge: chall,
 220         rpId: "",
 221         allowCredentials: [gTrackedCredential.basic]
 222       };
 223       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 224                   .then(arrivingHereIsBad)
 225                   .catch(expectSecurityError);
 226     }
 227     function test_assertion_subdomain() {
 228       // Test subdomain of this origin
 229       let publicKeyCredentialRequestOptions = {
 230         challenge: chall,
 231         rpId: "subdomain." + document.domain,
 232         allowCredentials: [gTrackedCredential.basic]
 233       };
 234       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 235                   .then(arrivingHereIsBad)
 236                   .catch(expectSecurityError);
 237     }
 238     function test_assertion_same_origin() {
 239       // Test the same origin
 240       let publicKeyCredentialRequestOptions = {
 241         challenge: chall,
 242         rpId: "example.com",
 243         allowCredentials: [gTrackedCredential.basic]
 244       };
 245       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 246                   .then(arrivingHereIsGood)
 247                   .catch(arrivingHereIsBad);
 248     }
 249     function test_assertion_etld() {
 250       // Test the eTLD
 251       let publicKeyCredentialRequestOptions = {
 252         challenge: chall,
 253         rpId: "com",
 254         allowCredentials: [gTrackedCredential.basic]
 255       };
 256       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 257                   .then(arrivingHereIsBad)
 258                   .catch(expectSecurityError);
 259     }
 260     function test_assertion_different_domain_same_tld() {
 261       // Test a different domain within the same TLD
 262       let publicKeyCredentialRequestOptions = {
 263         challenge: chall,
 264         rpId: "alt.test",
 265         allowCredentials: [gTrackedCredential.basic]
 266       };
 267       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 268                   .then(arrivingHereIsBad)
 269                   .catch(expectSecurityError);
 270     }
 271     function test_basic_good_with_origin() {
 272       // Test basic good Create call but using an origin (Bug 1380421)
 273       let rp = {id: window.origin, name: "none"};
 274       let makeCredentialOptions = {
 275         rp, user, challenge: chall, pubKeyCredParams: [param]
 276       };
 277       return credm.create({publicKey: makeCredentialOptions})
 278                   .then(arrivingHereIsBad)
 279                   .catch(expectSecurityError);
 280     }
 281     function test_assertion_basic_good_with_origin() {
 282       // Test basic good Get call but using an origin (Bug 1380421)
 283       let publicKeyCredentialRequestOptions = {
 284         challenge: chall,
 285         rpId: window.origin,
 286         allowCredentials: [gTrackedCredential.basic]
 287       };
 288       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 289                   .then(arrivingHereIsBad)
 290                   .catch(expectSecurityError);
 291     }
 292     function test_assertion_invalid_rp_id() {
 293       // Test with an rpId that is not a valid domain string
 294       let publicKeyCredentialRequestOptions = {
 295         challenge: chall,
 296         rpId: document.domain + ":somejunk",
 297         allowCredentials: [gTrackedCredential.basic]
 298       };
 299       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 300                   .then(arrivingHereIsBad)
 301                   .catch(arrivingHereIsGood);
 302     }
 303     function test_assertion_another_invalid_rp_id() {
 304       // Test with another rpId that is not a valid domain string
 305       let publicKeyCredentialRequestOptions = {
 306         challenge: chall,
 307         rpId: document.domain + ":8888",
 308         allowCredentials: [gTrackedCredential.basic]
 309       };
 310       return credm.get({publicKey: publicKeyCredentialRequestOptions})
 311                   .then(arrivingHereIsBad)
 312                   .catch(arrivingHereIsGood);
 313     }
 314   </script>
 315
 316 </body>
 317 </html>