Bug 1694639 - Add DOM:Web Authentication tests for sameOriginWithAncestors false r=dveditz
authorR. Martinho Fernandes <bugs@rmf.io>
Sat, 12 Jun 2021 23:42:37 +0000
changeset 582910 f092d76bde6ed523386f39c7ef340be72e06a0ff
parent 582909 75f418e5e6a545dd28b2f323e85afe6c574a1966
child 582911 30c1f5e41d17d943baed2d3aa9c0c462ef9de46d
push id38535
push userimoraru@mozilla.com
push dateSun, 13 Jun 2021 09:20:33 +0000
reviewersdveditz
bugs1694639
milestone91.0a1
Bug 1694639 - Add DOM:Web Authentication tests for sameOriginWithAncestors false r=dveditz Differential Revision: https://phabricator.services.mozilla.com/D105315
dom/webauthn/tests/mochitest.ini
dom/webauthn/tests/test_webauthn_sameoriginwithancestors.html
--- a/dom/webauthn/tests/mochitest.ini
+++ b/dom/webauthn/tests/mochitest.ini
@@ -1,14 +1,15 @@
 [DEFAULT]
 support-files =
   cbor.js
   u2futil.js
   pkijs/*
   get_assertion_dead_object.html
+fail-if = xorigin # NotAllowedError
 skip-if = !e10s
   os == 'android'
 scheme = https
 
 [test_webauthn_abort_signal.html]
 fail-if = xorigin
 [test_webauthn_attestation_conveyance.html]
 fail-if = xorigin # NotAllowedError
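Review bot: The `fail-if = xorigin` line added to `[DEFAULT]` makes every test in this manifest expected-to-fail under xorigin, including entries that had no such annotation before: `test_webauthn_get_assertion_dead_object.html`, `test_webauthn_override_request.html` and the two `is...` tests visible in the next hunk. If any of those pass in xorigin runs they would presumably be reported as unexpected passes. A directory-wide expectation also no longer shows which tests depend on the same-origin-with-ancestors check. Keeping the annotation per test would avoid that; if the default stays, a comment such as `# every WebAuthn call from a cross-origin-framed page is rejected with NotAllowedError` and removal of the now redundant per-test lines would make the intent explicit.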
@@ -25,10 +26,12 @@ fail-if = xorigin # NotAllowedError
 [test_webauthn_get_assertion.html]
 fail-if = xorigin # NotAllowedError
 [test_webauthn_get_assertion_dead_object.html]
 [test_webauthn_override_request.html]
 [test_webauthn_store_credential.html]
 fail-if = xorigin # NotAllowedError
 [test_webauthn_sameorigin.html]
 fail-if = xorigin # NotAllowedError
+[test_webauthn_sameoriginwithancestors.html]
+skip-if = xorigin
 [test_webauthn_isplatformauthenticatoravailable.html]
 [test_webauthn_isexternalctap2securitykeysupported.html]
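Review bot: The new `skip-if = xorigin` entry gives no reason, unlike the `# NotAllowedError` annotations around it, and it sits next to the `fail-if = xorigin` default added in the first hunk, so a reader cannot tell why this test is skipped rather than expected to fail. Presumably the top-level test page is itself framed cross-origin in that mode, so its setup `create()` call is rejected before the iframe cases run. If that is the reason, state it on the line, e.g. `skip-if = xorigin # setup create() in the top-level page needs a same-origin ancestor chain`.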
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/tests/test_webauthn_sameoriginwithancestors.html
@@ -0,0 +1,115 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<head>
+  <title>Test for MakeCredential for W3C Web Authentication (sameOriginWithAncestors = false)</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="u2futil.js"></script>
+  <script type="text/javascript" src="pkijs/common.js"></script>
+  <script type="text/javascript" src="pkijs/asn1.js"></script>
+  <script type="text/javascript" src="pkijs/x509_schema.js"></script>
+  <script type="text/javascript" src="pkijs/x509_simpl.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+  <h1>Test Same Origin Policy for W3C Web Authentication (sameOriginWithAncestors = false)</h1>
+  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1694639">Mozilla Bug 1694639</a>
+
+  <script class="testbody" type="text/javascript">
+    "use strict";
+
+    // Execute the full-scope test
+    SimpleTest.waitForExplicitFinish();
+
+    var gTrackedCredential = {};
+
+    function arrivingHereIsGood(aResult) {
+      ok(true, "Good result! Received a: " + aResult);
+    }
+
+    function arrivingHereIsBad(aResult) {
+      ok(false, "Bad result! Received a: " + aResult);
+    }
+
+    function expectNotAllowedError(aResult) {
+      ok(aResult == "NotAllowedError", "Expecting a NotAllowedError, got " + aResult);
+    }
+
+    function keepThisPublicKeyCredential(aIdentifier) {
+      return function(aPublicKeyCredential) {
+        gTrackedCredential[aIdentifier] = {
+          type: "public-key",
+          id: new Uint8Array(aPublicKeyCredential.rawId),
+          transports: [ "usb" ],
+        }
+        return Promise.resolve(aPublicKeyCredential);
+      }
+    }
+
+    async function runTests() {
+      let iframe = document.createElement("iframe");
+      iframe.src = "https://example.org";
+      document.body.appendChild(iframe);
+      await new Promise(resolve => iframe.addEventListener("load", resolve, {once: true}));
+
+      is(navigator.authentication, undefined, "navigator.authentication does not exist any longer");
+      isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist");
+      isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist");
+      isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist");
+
+      let credm = navigator.credentials;
+
+      let chall = new Uint8Array(16);
+      window.crypto.getRandomValues(chall);
+
+      let user = {id: new Uint8Array(16), name: "none", icon: "none", displayName: "none"};
+      let param = {type: "public-key", alg: cose_alg_ECDSA_w_SHA256};
+
+      let rp = {id: document.domain, name: "none"};
+      let makeCredentialOptions = {
+        rp, user, challenge: chall, pubKeyCredParams: [param]
+      };
+      await credm.create({publicKey: makeCredentialOptions})
+        .then(keepThisPublicKeyCredential("basic"))
+        .catch(arrivingHereIsBad);
+
+      var testFuncs = [
+        function (args) {
+          // Test create when sameOriginWithAncestors = false
+          let credentialOptions = {
+            rp: args.rp, user: args.user, challenge: args.challenge, pubKeyCredParams: [args.param]
+          };
+          return this.content.window.navigator.credentials.create({publicKey: credentialOptions})
+            .catch(e => Promise.reject(e.name));
+        },
+        function (args) {
+          // Test get when sameOriginWithAncestors = false
+          let publicKeyCredentialRequestOptions = {
+            challenge: args.challenge,
+            rpId: args.rp.id,
+            allowCredentials: [args.trackedCredential.basic]
+          };
+          return this.content.window.navigator.credentials.get({publicKey: publicKeyCredentialRequestOptions})
+            .catch(e => Promise.reject(e.name));
+        },
+      ];
+
+      let args = { user, param, rp, challenge: chall, trackedCredential: gTrackedCredential }
+      for(let func of testFuncs) {
+        await SpecialPowers.spawn(iframe, [args], func)
+          .then(arrivingHereIsBad)
+          .catch(expectNotAllowedError);
+      }
+      SimpleTest.finish();
+    };
+
+    SpecialPowers.pushPrefEnv({"set": [["security.webauth.webauthn", true],
+                                       ["security.webauth.webauthn_enable_softtoken", true],
+                                       ["security.webauth.webauthn_enable_android_fido2", false],
+                                       ["security.webauth.webauthn_enable_usbtoken", false]]},
+                              runTests);
+
+  </script>
+
+</body>
+</html>
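Review bot: The test only exercises a cross-origin iframe that is a direct child of the top-level page (`iframe.src = "https://example.org"`), so it would still pass if the implementation compared the caller only with the top-level document rather than with every ancestor. The case that distinguishes a real ancestor-chain check is a frame same-origin with the top-level page nested inside the example.org frame. Adding a third run that spawns into such a nested frame and expects `NotAllowedError` for both `create` and `get` would cover it. Separately, the setup call ends in `.catch(arrivingHereIsBad)` and then continues, so a failed registration leaves `gTrackedCredential.basic` undefined for the `get` case; finishing the test right after that failure would keep the report to one clear cause.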