File: securecontext.http.html

package info (click to toggle)
firefox-esr 140.5.0esr-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 4,538,920 kB
  • sloc: cpp: 7,381,527; javascript: 6,388,905; ansic: 3,710,087; python: 1,393,776; xml: 628,165; asm: 426,916; java: 184,004; sh: 65,744; makefile: 19,302; objc: 13,059; perl: 12,912; yacc: 4,583; cs: 3,846; pascal: 3,352; lex: 1,720; ruby: 1,226; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10
file content (46 lines) | stat: -rw-r--r-- 2,498 bytes parent folder | download | duplicates (26) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
 
<!DOCTYPE html>
<meta charset="utf-8">
<title>WebAuthn Secure Context Tests</title>
<link rel="author" title="Adam Powers" href="mailto:adam@fidoalliance.org">
<link rel="help" href="https://w3c.github.io/webauthn/#iface-credential">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src=helpers.js></script>
<body></body>
<script>
"use strict";

// See https://www.w3.org/TR/secure-contexts/
// Section 1.1 - 1.4 for list of examples referenced below

// Example 1
// http://example.com/ opened in a top-level browsing context is not a secure context, as it was not delivered over an authenticated and encrypted channel.
test (() => {
    assert_false (typeof navigator.credentials === "object" && typeof navigator.credentials.create === "function");
}, "no navigator.credentials.create in non-secure context");

// Example 4: TODO
// If a non-secure context opens https://example.com/ in a new window, then things are more complicated. The new window’s status depends on how it was opened. If the non-secure context can obtain a reference to the secure context, or vice-versa, then the new window is not a secure context.
//
// This means that the following will both produce non-secure contexts:
//<a href="https://example.com/" target="_blank">Link!</a>
// <script>
//     var w = window.open("https://example.com/");
// < /script>

// Example 6: TODO
// If https://example.com/ was somehow able to frame http://non-secure.example.com/ (perhaps the user has overridden mixed content checking?), the top-level frame would remain secure, but the framed content is not a secure context.

// Example 7: TODO
// If, on the other hand, https://example.com/ is framed inside of http://non-secure.example.com/, then it is not a secure context, as its ancestor is not delivered over an authenticated and encrypted channel.

// Example 9: TODO
// If http://non-secure.example.com/ in a top-level browsing context frames https://example.com/, which runs https://example.com/worker.js, then neither the framed document nor the worker are secure contexts.

// Example 12: TODO
// https://example.com/ nested in http://non-secure.example.com/ may not connect to the secure worker, as it is not a secure context.

// Example 13: TODO
// Likewise, if https://example.com/ nested in http://non-secure.example.com/ runs https://example.com/worker.js as a Shared Worker, then both the document and the worker are considered non-secure.

</script>