Skip to content

Commit

Permalink
Bug 1870877 [wpt PR 43729] - [WebAuthn] Add tests for cross-origin cr…
Browse files Browse the repository at this point in the history
…eate(), a=testonly

Automatic update from web-platform-tests
[WebAuthn] Add tests for cross-origin create() (#43729)

See w3c/webauthn#1801
--

wpt-commits: d46f1aec78700b30ec633165cd51af2fd90bf3b6
wpt-pr: 43729

UltraBlame original commit: 7533e06bd4f5950829eb0eb456a416b37d06e7bf
  • Loading branch information
marco-c committed Jan 22, 2024
1 parent f08a3d8 commit d9c641b
Show file tree
Hide file tree
Showing 2 changed files with 144 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>WebAuthn credential.create() in a cross-origin iframe tests</title>
<meta name="timeout" content="long">
<link rel="help" href="https://w3c.github.io/webauthn/#publickey-credentials-create-feature">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<script src=helpers.js></script>
<body></body>
<script>
standardSetup(function() {
"use strict";

const targetOrigin = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";

// Returns a |Promise| that gets resolved with |event.data| when |window|
// receives a "message" event whose |event.data.type| matches the string
// |message_data_type|.
function getMessageData(message_data_type) {
return new Promise(resolve => {
function waitAndRemove(e) {
if (!e.data || e.data.type != message_data_type)
return;
window.removeEventListener("message", waitAndRemove);
resolve(e.data);
}
window.addEventListener("message", waitAndRemove);
});
}

// Creates an iframe with the given `src` and (optional) allow attribute.
// Waits for the iframe to load, based on receiving a "subframe-loaded"
// message from the iframe.
async function createIframe(test, src, allow) {
const iframeElement = document.createElement("iframe");
document.body.appendChild(iframeElement);
test.add_cleanup(() => {
iframeElement.remove();
});

if (allow !== undefined) {
iframeElement.allow = allow;
}

const loadedPromise = getMessageData("subframe-loaded");
iframeElement.src = src;
await loadedPromise;

return iframeElement;
}

promise_test(async (test) => {
const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
const iframe = await createIframe(test, src);

const resultPromise = getMessageData("result");
iframe.contentWindow.postMessage({type: "create-credential"}, {targetOrigin: targetOrigin});
const data = await resultPromise;

assert_equals(data.result, "failure");
assert_equals(data.error.name, "NotAllowedError");
}, "create() in cross-origin iframe fails without permissions policy");

promise_test(async (test) => {
const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
const iframe = await createIframe(test, src, "publickey-credentials-create");

const resultPromise = getMessageData("result");
iframe.contentWindow.postMessage({type: "create-credential", addUserActivation: false}, {targetOrigin: targetOrigin});
const data = await resultPromise;

assert_equals(data.result, "failure");
assert_equals(data.error.name, "NotAllowedError");
}, "create() in cross-origin iframe fails with permissions policy but no user activation");

promise_test(async (test) => {
const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
const iframe = await createIframe(test, src, "publickey-credentials-create");

const resultPromise = getMessageData("result");
iframe.contentWindow.postMessage({type: "create-credential", addUserActivation: true}, {targetOrigin: targetOrigin});
const data = await resultPromise;

assert_equals(data.result, "success", `Expected success but got error: "${data.errorMessage}"`);
}, "create() in cross-origin iframe succeeds with permissions policy and user activation");

promise_test(async (test) => {
const src = `${targetOrigin}/webauthn/resources/webauthn-subframe.sub.html`;
const iframe = await createIframe(test, src, "publickey-credentials-create");

// For this call, we have a user activation in this main frame, but not
// in the iframe. That shouldn't be sufficient - the user activation has
// to be on the iframe itself.
await test_driver.bless("create credential, main frame activation");
const resultPromise = getMessageData("result");
iframe.contentWindow.postMessage({type: "create-credential", addUserActivation: false}, {targetOrigin: targetOrigin});
const data = await resultPromise;

assert_equals(data.result, "failure");
assert_equals(data.error.name, "NotAllowedError");
}, "create() in cross-origin iframe requires user activation on the iframe, not the main frame");
});
</script>

Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>WebAuthn test subframe</title>
<script src=../helpers.js></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>

<script>
"use strict";

function reportResult(outcome, errorObj) {
window.top.postMessage({"type": "result", "result": outcome, "error": errorObj}, "*");
}

async function createCredentialAndReportResult(addUserActivation) {
if (addUserActivation) {
await test_driver.bless("create credential");
}

try {
await createCredential();
reportResult("success");
} catch (e) {
reportResult("failure", e);
}
}

window.addEventListener("message", e => {
if (e.data.type == "create-credential") {
createCredentialAndReportResult(e.data.addUserActivation);
return;
}
throw new Error(`Unrecognized message, e.data.type: ${e.data.type}`);
});

test_driver.set_test_context(window.top);
window.top.postMessage({"type": "subframe-loaded"}, "*");
</script>

0 comments on commit d9c641b

Please sign in to comment.