Bug 1870877 [wpt PR 43729] - [WebAuthn] Add tests for cross-origin cr…
…eate(), a=testonly Automatic update from web-platform-tests [WebAuthn] Add tests for cross-origin create() (#43729) See w3c/webauthn#1801 -- wpt-commits: d46f1aec78700b30ec633165cd51af2fd90bf3b6 wpt-pr: 43729 UltraBlame original commit: 7533e06bd4f5950829eb0eb456a416b37d06e7bf
Showing
2 changed files
with
144 additions
and
0 deletions.
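--- a/testing/web-platform/tests/webauthn/createcredential-cross-origin-iframe.https.sub.html
+++ b/testing/web-platform/tests/webauthn/createcredential-cross-origin-iframe.https.sub.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>WebAuthn credential.create() in a cross-origin iframe tests</title>
+<meta name="timeout" content="long">
+<link rel="help" href="https://w3c.github.io/webauthn/#publickey-credentials-create-feature">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script src=helpers.js></script>
+<body></body>
+<script>
+standardSetup(function() {
+"use strict";
+
+const targetOrigin = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
+
+// Returns a |Promise| that gets resolved with |event.data| when |window|
+// receives a "message" event whose |event.data.type| matches the string
+// |message_data_type|.
+function getMessageData(message_data_type) {
+return new Promise(resolve => {
+function waitAndRemove(e) {
+if (!e.data || e.data.type != message_data_type)
+return;
+window.removeEventListener("message", waitAndRemove);
+resolve(e.data);
+}
+window.addEventListener("message", waitAndRemove);
+});
+}
+
+// Creates an iframe with the given `src` and (optional) allow attribute.
+// Waits for the iframe to load, based on receiving a "subframe-loaded"
+// message from the iframe.
+async function createIframe(test, src, allow) {
+const iframeElement = document.createElement("iframe");
+document.body.appendChild(iframeElement);
+test.add_cleanup(() => {
+iframeElement.remove();
+});
+
+if (allow !== undefined) {
+iframeElement.allow = allow;
+}
+
+const loadedPromise = getMessageData("subframe-loaded");
+iframeElement.src = src;
+await loadedPromise;
+
+return iframeElement;
+}
+
+promise_test(async (test) => {
+const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
+const iframe = await createIframe(test, src);
+
+const resultPromise = getMessageData("result");
+iframe.contentWindow.postMessage({type: "create-credential"}, {targetOrigin: targetOrigin});
+const data = await resultPromise;
+
+assert_equals(data.result, "failure");
+assert_equals(data.error.name, "NotAllowedError");
+}, "create() in cross-origin iframe fails without permissions policy");
+
+promise_test(async (test) => {
+const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
+const iframe = await createIframe(test, src, "publickey-credentials-create");
+
+const resultPromise = getMessageData("result");
+iframe.contentWindow.postMessage({type: "create-credential", addUserActivation: false}, {targetOrigin: targetOrigin});
+const data = await resultPromise;
+
+assert_equals(data.result, "failure");
+assert_equals(data.error.name, "NotAllowedError");
+}, "create() in cross-origin iframe fails with permissions policy but no user activation");
+
+promise_test(async (test) => {
+const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
+const iframe = await createIframe(test, src, "publickey-credentials-create");
+
+const resultPromise = getMessageData("result");
+iframe.contentWindow.postMessage({type: "create-credential", addUserActivation: true}, {targetOrigin: targetOrigin});
+const data = await resultPromise;
+
+assert_equals(data.result, "success", `Expected success but got error: "${data.errorMessage}"`);
+}, "create() in cross-origin iframe succeeds with permissions policy and user activation");
+
+promise_test(async (test) => {
+const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
+const iframe = await createIframe(test, src, "publickey-credentials-create");
+
+// For this call, we have a user activation in this main frame, but not
+// in the iframe. That shouldn't be sufficient - the user activation has
+// to be on the iframe itself.
+await test_driver.bless("create credential, main frame activation");
+const resultPromise = getMessageData("result");
+iframe.contentWindow.postMessage({type: "create-credential", addUserActivation: false}, {targetOrigin: targetOrigin});
+const data = await resultPromise;
+
+assert_equals(data.result, "failure");
+assert_equals(data.error.name, "NotAllowedError");
+}, "create() in cross-origin iframe requires user activation on the iframe, not the main frame");
+});
+</script>
+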
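Review bot: `getMessageData` resolves on any `message` event whose `data.type` matches and never checks the sender, so in all four tests a message from any other window would be accepted as the subframe's answer. Because the assertions are about the cross-origin frame specifically, the guard in `waitAndRemove` should also require the expected origin, e.g. `if (e.origin !== targetOrigin || !e.data || e.data.type !== message_data_type) return;`. Separately, the success test builds its failure message from `data.errorMessage`, but the subframe added in this commit posts only `type`, `result` and `error`, so that message will always read `undefined`; `data.error && data.error.message` matches what is actually sent.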
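--- a/testing/web-platform/tests/webauthn/resources/webauthn-subframe.sub.html
+++ b/testing/web-platform/tests/webauthn/resources/webauthn-subframe.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>WebAuthn test subframe</title>
+<script src=../helpers.js></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<script>
+"use strict";
+
+function reportResult(outcome, errorObj) {
+window.top.postMessage({"type": "result", "result": outcome, "error": errorObj}, "*");
+}
+
+async function createCredentialAndReportResult(addUserActivation) {
+if (addUserActivation) {
+await test_driver.bless("create credential");
+}
+
+try {
+await createCredential();
+reportResult("success");
+} catch (e) {
+reportResult("failure", e);
+}
+}
+
+window.addEventListener("message", e => {
+if (e.data.type == "create-credential") {
+createCredentialAndReportResult(e.data.addUserActivation);
+return;
+}
+throw new Error(`Unrecognized message, e.data.type: ${e.data.type}`);
+});
+
+test_driver.set_test_context(window.top);
+window.top.postMessage({"type": "subframe-loaded"}, "*");
+</script>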
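Review bot: The `message` listener calls `createCredentialAndReportResult()` for any sender, because it never checks `e.origin` or `e.source`, and both `window.top.postMessage` calls use `"*"` as the target origin, so the result and its error object go to whatever document is on top. That may be acceptable for a test-only resource, but it should be stated in a comment above the listener, for example `// Test-only helper: accepts commands from any embedder and replies with a "*" target origin.`. The handler also reads `e.data.type` without a null check, so a message whose data is `null` throws a TypeError instead of the intended "Unrecognized message" error; `e.data && e.data.type === "create-credential"` would mirror the `!e.data` guard used in the main test file.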