/**
* Bug 1492607 - Test ensuring that postMessage cannot be delivered across origin attributes (OAs).
*/
// Two distinct first-party domains used by the test pages, plus the shared
// path under which the test's HTML support files are served.
const FPD_ONE = "http://example.com";
const FPD_TWO = "http://example.org";
const TEST_BASE = "/browser/browser/components/originattributes/test/browser/";

add_setup(async function () {
  // First-party isolation must be on for the whole test: it is the feature
  // whose postMessage boundary is being checked.
  // NOTE(review): https_first is presumably disabled because the test
  // origins above are plain http:// URLs — confirm.
  const requiredPrefs = [
    ["privacy.firstparty.isolate", true],
    ["dom.security.https_first", false],
  ];
  await SpecialPowers.pushPrefEnv({ set: requiredPrefs });
});
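/**
 * Runs one postMessage scenario: a listening tab opens a sender tab via
 * window.open(), the sender posts a message to window.opener, and the
 * listening page's "display" element is inspected to see whether the message
 * was delivered.
 *
 * Delivery is expected to be blocked exactly when the two pages are under
 * different first-party domains AND either a concrete (non-"*") target origin
 * is used or 'privacy.firstparty.isolate.block_post_message' is enabled.
 *
 * Both tabs are removed even when a step fails, so a failing combination does
 * not leave tabs behind for the combinations that follow.
 *
 * @param {boolean} aDifferentFPD
 *        true: the listening page is loaded from FPD_ONE while the sender is
 *        loaded from FPD_TWO; false: both are loaded from FPD_TWO.
 * @param {boolean} aStarTargetOrigin
 *        true: "*" is handed to the sender page as the target origin;
 *        false: the listening page's own origin is handed over.
 * @param {boolean} aBlockAcrossFPD
 *        Whether the caller has enabled
 *        'privacy.firstparty.isolate.block_post_message'. This function only
 *        uses it to compute the expected outcome; it does not set the pref.
 */
async function runTestWithOptions(
  aDifferentFPD,
  aStarTargetOrigin,
  aBlockAcrossFPD
) {
  // The sender always lives under FPD_TWO; only the listener's first party
  // varies.
  const listenerFPD = aDifferentFPD ? FPD_ONE : FPD_TWO;
  const testPageURL = listenerFPD + TEST_BASE + "file_postMessage.html";

  // The target origin travels to the sender page in the query string.
  // NOTE(review): presumably file_postMessageSender.html uses the query
  // string as the targetOrigin argument of postMessage — confirm.
  const targetOrigin = aStarTargetOrigin ? "*" : listenerFPD;
  const senderURL =
    FPD_TWO + TEST_BASE + `file_postMessageSender.html?${targetOrigin}`;

  // Open a tab to listen for messages.
  const tab = await BrowserTestUtils.openNewForegroundTab(
    gBrowser,
    testPageURL
  );
  let senderTab;

  try {
    // Register the new-tab listener before triggering window.open() so the
    // tab cannot be missed; the trailing `true` waits for it to load.
    const senderTabPromise = BrowserTestUtils.waitForNewTab(
      gBrowser,
      senderURL,
      true
    );

    // Use window.open() in the listening tab so that the sender tab gets a
    // window.opener to post to. Awaited so that a failure inside the content
    // task surfaces here instead of as a floating rejection.
    await SpecialPowers.spawn(tab.linkedBrowser, [senderURL], aSenderPath => {
      content.open(aSenderPath, "_blank");
    });

    senderTab = await senderTabPromise;

    // The postMessage should be blocked when the first parties differ and
    // either a non-star target origin is used, or the star target origin is
    // used with 'privacy.firstparty.isolate.block_post_message' set to true.
    const shouldBlock =
      aDifferentFPD && (!aStarTargetOrigin || aBlockAcrossFPD);

    // The expectation is passed as an argument because the callback runs in
    // the content process and cannot see variables of this scope.
    await SpecialPowers.spawn(
      tab.linkedBrowser,
      [shouldBlock],
      async aValue => {
        await new Promise(resolve => {
          content.addEventListener(
            "message",
            async function eventHandler(aEvent) {
              // Only the page's own "Self" message is used as the checkpoint.
              if (aEvent.data !== "Self") {
                return;
              }

              const display = content.document.getElementById("display");
              if (aValue) {
                // NOTE(review): this is a point-in-time negative check. It
                // shows that "display" is still empty when the "Self" message
                // is handled, and relies on the sender's message (had it been
                // delivered) being dispatched before that — presumably ensured
                // by waiting for the sender tab to load; confirm.
                Assert.equal(
                  display.innerHTML,
                  "",
                  "It should not get a message from other OA."
                );
              } else {
                await ContentTaskUtils.waitForCondition(
                  () => display.innerHTML === "Message",
                  "Wait for message to arrive"
                );
                Assert.equal(
                  display.innerHTML,
                  "Message",
                  "It should get a message from the same OA."
                );
              }

              content.removeEventListener("message", eventHandler);
              resolve();
            }
          );

          // Trigger the content to send a postMessage to itself.
          content.document.getElementById("button").click();
        });
      }
    );
  } finally {
    BrowserTestUtils.removeTab(tab);
    if (senderTab) {
      BrowserTestUtils.removeTab(senderTab);
    }
  }
}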
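/**
 * Drives runTestWithOptions() through all eight combinations of:
 *   - listener and sender under different / the same first-party domain,
 *   - "*" / concrete target origin,
 *   - 'privacy.firstparty.isolate.block_post_message' on / off.
 */
add_task(async function runTests() {
  for (const useDifferentFPD of [true, false]) {
    for (const useStarTargetOrigin of [true, false]) {
      for (const enableBlocking of [true, false]) {
        // Pin the pref in both legs so that the "blocking off" cases do not
        // silently depend on the pref's default value.
        await SpecialPowers.pushPrefEnv({
          set: [
            ["privacy.firstparty.isolate.block_post_message", enableBlocking],
          ],
        });
        try {
          await runTestWithOptions(
            useDifferentFPD,
            useStarTargetOrigin,
            enableBlocking
          );
        } finally {
          // Always undo the push so a failing combination cannot leak its
          // pref value into the next one.
          await SpecialPowers.popPrefEnv();
        }
      }
    }
  }
});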