third_party/blink/web_tests/http/tests/credentialmanager/credentialscontainer-get-from-nested-frame.html - chromium/src - Git at Google

 <!DOCTYPE html>
 <title>Credential Manager: Call get() across browsing contexts.</title>
 <script src="../resources/testharness.js"></script>
 <script src="../resources/testharnessreport.js"></script>
 <script src="/gen/layout_test_data/mojo/public/js/mojo_bindings_lite.js"></script>
 <script src="/gen/mojo/public/mojom/base/time.mojom-lite.js"></script>
 <script src="/gen/mojo/public/mojom/base/unguessable_token.mojom-lite.js"></script>
 <script src="/gen/url/mojom/url.mojom-lite.js"></script>
 <script src="/gen/third_party/blink/public/mojom/webauthn/authenticator.mojom-lite.js"></script>
 <script src="/gen/third_party/blink/public/mojom/webauthn/virtual_authenticator.mojom-lite.js"></script>
 <script src="/gen/third_party/blink/public/mojom/frame/document_interface_broker.mojom-lite.js"></script>
 <script src="resources/test-inputs.js"></script>
 <script src="resources/virtual-navigator-credentials.js"></script>
 <body>
 <script>

 if (document.location.host != "subdomain.example.test:8443") {
   document.location = "https://subdomain.example.test:8443/credentialmanager/credentialscontainer-get-from-nested-frame.html";
   promise_test(_ => new Promise(_ => {}), "Stall tests on the wrong host.");
 }

 promise_test(async _ => {
   let authenticators = await navigator.credentials.test.authenticators();
   assert_equals(authenticators.length, 0);
   let testAuthenticator = await navigator.credentials.test.createAuthenticator();
   assert_true(await testAuthenticator.generateAndRegisterKey(ACCEPTABLE_CREDENTIAL_ID, "subdomain.example.test"));
 }, "Set up the testing environment.");

 promise_test(t => {
   let PROBE_CREDENTIALS = "window.parent.postMessage(String(navigator.credentials), '*');";

   let frame = document.createElement("iframe");
   frame.src = "data:text/html," + encloseInScriptTag(PROBE_CREDENTIALS);
   window.setTimeout(_ => document.body.append(frame));

   let eventWatcher = new EventWatcher(t, window, "message");
   return eventWatcher.wait_for("message").then(message => {
     assert_equals(message.data, "undefined");
   });
 }, "navigator.credentials should be undefined in documents generated from `data:` URLs.");

 promise_test(t => {
   let frame = document.createElement("iframe");
   frame.src = "resources/nested-document-with-test-inputs.html";
   window.setTimeout(_ => document.body.append(frame));

   let loadWatcher = new EventWatcher(t, frame, "load");
   loadWatcher.wait_for("load").then(_ =>
       frame.contentWindow.location = "javascript:" + GET_CREDENTIAL);

   let messageWatcher = new EventWatcher(t, window, "message");
   return messageWatcher.wait_for("message").then(message => {
     assert_equals(message.data, "[object PublicKeyCredential]");
   });
 }, "navigator.credentials.get({publicKey}) in a javascript url should should succeed.");

 promise_test(t => {
   let frame = document.createElement("iframe");
   frame.srcdoc = HTML_WITH_TEST_INPUTS;
   window.setTimeout(_ => document.body.append(frame));

   let loadWatcher = new EventWatcher(t, frame, "load");
   loadWatcher.wait_for("load").then(_ => {
     frame.contentWindow.eval(GET_CREDENTIAL);
   });

   let eventWatcher = new EventWatcher(t, window, "message");
   return eventWatcher.wait_for("message").then(message => {
     assert_equals(message.data, "[object PublicKeyCredential]");
   });
 }, "navigator.credentials.get({publicKey}) in srcdoc should succeed.");

 promise_test(t => {
   let frame = document.createElement("iframe");
   frame.src = "about:blank";
   window.setTimeout(_ => document.body.append(frame));

   let loadWatcher = new EventWatcher(t, frame, "load");
   loadWatcher.wait_for("load").then(_ => {
     frame.contentDocument.write(HTML_WITH_TEST_INPUTS);
     frame.contentDocument.write(encloseInScriptTag(GET_CREDENTIAL));
   });

   let eventWatcher = new EventWatcher(t, window, "message");
   return eventWatcher.wait_for("message").then(message => {
     assert_equals(message.data, "[object PublicKeyCredential]");
   });
 }, "navigator.credentials.get({publicKey}) in about:blank embedded in a secure context should succeed.");

 promise_test(t => {
   let frame = document.createElement("iframe");
   frame.src = "about:blank";
   window.setTimeout(_ => document.body.append(frame));

   let loadWatcher = new EventWatcher(t, frame, "load");
   loadWatcher.wait_for("load").then(_ => {
     frame.contentWindow.eval(getScriptThatLoadsTestInputsAndRuns(GET_CREDENTIAL));
   });

   let eventWatcher = new EventWatcher(t, window, "message");
   return eventWatcher.wait_for("message").then(message => {
     assert_equals(message.data, "[object PublicKeyCredential]");
   });
 }, "navigator.credentials.get({publicKey}) in an about:blank page embedded in a secure context should pass rpID checks.");

 promise_test(async t => {
   let testAuthenticator = await navigator.credentials.test.createAuthenticator();
   assert_true(await testAuthenticator.generateAndRegisterKey(ACCEPTABLE_CREDENTIAL_ID, "subdomain.example.test"));
   let keys = await testAuthenticator.registeredKeys();
   assert_equals(keys.length, 1);
   var customGetAssertionOptions = deepCopy(GET_CREDENTIAL_OPTIONS);
   var someOtherCredential = deepCopy(ACCEPTABLE_CREDENTIAL);
   someOtherCredential.id = new TextEncoder().encode("someOtherCredential");
   customGetAssertionOptions.allowCredentials = [someOtherCredential];

   return promise_rejects(t, "NotAllowedError",
     navigator.credentials.get({ publicKey : customGetAssertionOptions}));
 }, "navigator.credentials.get() for unregistered device returns NotAllowedError");

 promise_test(async t => {
   var customGetAssertionOptions = deepCopy(GET_CREDENTIAL_OPTIONS);
   var someOtherCredential = deepCopy(ACCEPTABLE_CREDENTIAL);
   someOtherCredential.id = new TextEncoder().encode("someOtherCredential");
   delete customGetAssertionOptions.allowCredentials;

   return promise_rejects(t, "NotSupportedError",
     navigator.credentials.get({ publicKey : customGetAssertionOptions}));
 }, "navigator.credentials.get() with empty allowCredentials is disabled");

 promise_test(t => {
   return navigator.credentials.test.clearAuthenticators();
 }, "Clean up testing environment.");

 </script>
	<!DOCTYPE html>
	<title>Credential Manager: Call get() across browsing contexts.</title>
	<script src="../resources/testharness.js"></script>
	<script src="../resources/testharnessreport.js"></script>
	<script src="/gen/layout_test_data/mojo/public/js/mojo_bindings_lite.js"></script>
	<script src="/gen/mojo/public/mojom/base/time.mojom-lite.js"></script>
	<script src="/gen/mojo/public/mojom/base/unguessable_token.mojom-lite.js"></script>
	<script src="/gen/url/mojom/url.mojom-lite.js"></script>
	<script src="/gen/third_party/blink/public/mojom/webauthn/authenticator.mojom-lite.js"></script>
	<script src="/gen/third_party/blink/public/mojom/webauthn/virtual_authenticator.mojom-lite.js"></script>
	<script src="/gen/third_party/blink/public/mojom/frame/document_interface_broker.mojom-lite.js"></script>
	<script src="resources/test-inputs.js"></script>
	<script src="resources/virtual-navigator-credentials.js"></script>
	<body>
	<script>

	if (document.location.host != "subdomain.example.test:8443") {
	document.location = "https://subdomain.example.test:8443/credentialmanager/credentialscontainer-get-from-nested-frame.html";
	promise_test(_ => new Promise(_ => {}), "Stall tests on the wrong host.");
	}

	promise_test(async _ => {
	let authenticators = await navigator.credentials.test.authenticators();
	assert_equals(authenticators.length, 0);
	let testAuthenticator = await navigator.credentials.test.createAuthenticator();
	assert_true(await testAuthenticator.generateAndRegisterKey(ACCEPTABLE_CREDENTIAL_ID, "subdomain.example.test"));
	}, "Set up the testing environment.");

	promise_test(t => {
	let PROBE_CREDENTIALS = "window.parent.postMessage(String(navigator.credentials), '*');";

	let frame = document.createElement("iframe");
	frame.src = "data:text/html," + encloseInScriptTag(PROBE_CREDENTIALS);
	window.setTimeout(_ => document.body.append(frame));

	let eventWatcher = new EventWatcher(t, window, "message");
	return eventWatcher.wait_for("message").then(message => {
	assert_equals(message.data, "undefined");
	});
	}, "navigator.credentials should be undefined in documents generated from `data:` URLs.");

	promise_test(t => {
	let frame = document.createElement("iframe");
	frame.src = "resources/nested-document-with-test-inputs.html";
	window.setTimeout(_ => document.body.append(frame));

	let loadWatcher = new EventWatcher(t, frame, "load");
	loadWatcher.wait_for("load").then(_ =>
	frame.contentWindow.location = "javascript:" + GET_CREDENTIAL);

	let messageWatcher = new EventWatcher(t, window, "message");
	return messageWatcher.wait_for("message").then(message => {
	assert_equals(message.data, "[object PublicKeyCredential]");
	});
	}, "navigator.credentials.get({publicKey}) in a javascript url should should succeed.");

	promise_test(t => {
	let frame = document.createElement("iframe");
	frame.srcdoc = HTML_WITH_TEST_INPUTS;
	window.setTimeout(_ => document.body.append(frame));

	let loadWatcher = new EventWatcher(t, frame, "load");
	loadWatcher.wait_for("load").then(_ => {
	frame.contentWindow.eval(GET_CREDENTIAL);
	});

	let eventWatcher = new EventWatcher(t, window, "message");
	return eventWatcher.wait_for("message").then(message => {
	assert_equals(message.data, "[object PublicKeyCredential]");
	});
	}, "navigator.credentials.get({publicKey}) in srcdoc should succeed.");

	promise_test(t => {
	let frame = document.createElement("iframe");
	frame.src = "about:blank";
	window.setTimeout(_ => document.body.append(frame));

	let loadWatcher = new EventWatcher(t, frame, "load");
	loadWatcher.wait_for("load").then(_ => {
	frame.contentDocument.write(HTML_WITH_TEST_INPUTS);
	frame.contentDocument.write(encloseInScriptTag(GET_CREDENTIAL));
	});

	let eventWatcher = new EventWatcher(t, window, "message");
	return eventWatcher.wait_for("message").then(message => {
	assert_equals(message.data, "[object PublicKeyCredential]");
	});
	}, "navigator.credentials.get({publicKey}) in about:blank embedded in a secure context should succeed.");

	promise_test(t => {
	let frame = document.createElement("iframe");
	frame.src = "about:blank";
	window.setTimeout(_ => document.body.append(frame));

	let loadWatcher = new EventWatcher(t, frame, "load");
	loadWatcher.wait_for("load").then(_ => {
	frame.contentWindow.eval(getScriptThatLoadsTestInputsAndRuns(GET_CREDENTIAL));
	});

	let eventWatcher = new EventWatcher(t, window, "message");
	return eventWatcher.wait_for("message").then(message => {
	assert_equals(message.data, "[object PublicKeyCredential]");
	});
	}, "navigator.credentials.get({publicKey}) in an about:blank page embedded in a secure context should pass rpID checks.");

	promise_test(async t => {
	let testAuthenticator = await navigator.credentials.test.createAuthenticator();
	assert_true(await testAuthenticator.generateAndRegisterKey(ACCEPTABLE_CREDENTIAL_ID, "subdomain.example.test"));
	let keys = await testAuthenticator.registeredKeys();
	assert_equals(keys.length, 1);
	var customGetAssertionOptions = deepCopy(GET_CREDENTIAL_OPTIONS);
	var someOtherCredential = deepCopy(ACCEPTABLE_CREDENTIAL);
	someOtherCredential.id = new TextEncoder().encode("someOtherCredential");
	customGetAssertionOptions.allowCredentials = [someOtherCredential];

	return promise_rejects(t, "NotAllowedError",
	navigator.credentials.get({ publicKey : customGetAssertionOptions}));
	}, "navigator.credentials.get() for unregistered device returns NotAllowedError");

	promise_test(async t => {
	var customGetAssertionOptions = deepCopy(GET_CREDENTIAL_OPTIONS);
	var someOtherCredential = deepCopy(ACCEPTABLE_CREDENTIAL);
	someOtherCredential.id = new TextEncoder().encode("someOtherCredential");
	delete customGetAssertionOptions.allowCredentials;

	return promise_rejects(t, "NotSupportedError",
	navigator.credentials.get({ publicKey : customGetAssertionOptions}));
	}, "navigator.credentials.get() with empty allowCredentials is disabled");

	promise_test(t => {
	return navigator.credentials.test.clearAuthenticators();
	}, "Clean up testing environment.");

	</script>