LayoutTests/fast/encoding/idn-security.html

   1 <html>
   2 <head>
   3 <script src="../js/resources/js-test-pre.js"></script>
   4 </head>
   5 <body>
   6 <script>
   7
   8 function testIDNEncode(charCode)
   9 {
  10     var str = String.fromCharCode(charCode);
  11     str = layoutTestController.encodeHostName(str);
  12     if (str.substr(0, 4) == "xn--")
  13         return "punycode";
  14     return escape(str);
  15 }
  16
  17 function testIDNEncodeNotFirstCharacter(charCode)
  18 {
  19     var str = String.fromCharCode(charCode);
  20     str = "a" + str;
  21     str = layoutTestController.encodeHostName(str);
  22     if (str.substr(0, 4) == "xn--")
  23         return "punycode";
  24     if (str.substr(0, 1) == "a")
  25         str = str.substr(1, str.length - 1);
  26     return escape(str);
  27 }
  28
  29 function testIDNRoundTrip(charCode)
  30 {
  31     var str = String.fromCharCode(charCode);
  32     str = layoutTestController.encodeHostName(str);
  33     str = layoutTestController.decodeHostName(str);
  34     if (str.substr(0, 4) == "xn--")
  35         return "punycode";
  36     return escape(str);
  37 }
  38
  39 function testIDNRoundTripNotFirstCharacter(charCode)
  40 {
  41     var str = String.fromCharCode(charCode);
  42     str = "a" + str;
  43     str = layoutTestController.encodeHostName(str);
  44     str = layoutTestController.decodeHostName(str);
  45     if (str.substr(0, 4) == "xn--")
  46         return "punycode";
  47     if (str.substr(0, 1) == "a")
  48         str = str.substr(1, str.length - 1);
  49     return escape(str);
  50 }
  51
  52 function testFunctionName(expected)
  53 {
  54     if (expected == "does not encode")
  55         return "testIDNEncode";
  56     return "testIDNRoundTrip";
  57 }
  58
  59 function expectedTestResult(charCode, expected)
  60 {
  61     if (expected == "disallowed")
  62         return "'punycode'";
  63     if (expected == "allowed" || expected == "does not encode")
  64         return "'" + escape(String.fromCharCode(charCode)) + "'";
  65     return "'" + expected + "'";
  66 }
  67
  68 function testIDNCharacter(charCode, expected, expectedNotFirstCharacter)
  69 {
  70     if (expectedNotFirstCharacter == null)
  71         expectedNotFirstCharacter = expected;
  72
  73     shouldBe(testFunctionName(expected) + "(0x" + charCode.toString(16) + ")",
  74         expectedTestResult(charCode, expected));
  75
  76     shouldBe(testFunctionName(expectedNotFirstCharacter) + "NotFirstCharacter(0x" + charCode.toString(16) + ")",
  77         expectedTestResult(charCode, expectedNotFirstCharacter));
  78 }
  79
  80 function testBecomesSpaceIDNCharacter(charCode)
  81 {
  82     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'%20'");
  83     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'%20'");
  84 }
  85
  86 function testBecomesASCIIIDNCharacter(charCode, expected)
  87 {
  88     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'" + expected + "'");
  89     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'" + expected + "'");
  90 }
  91
  92 function testDisallowedIDNCharacter(charCode)
  93 {
  94     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'punycode'");
  95     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'punycode'");
  96 }
  97
  98 function testAllowedIDNCharacter(charCode)
  99 {
 100     var expected = escape(String.fromCharCode(charCode));
 101     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 102     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 103 }
 104
 105 function testDoesNotEncodeIDNCharacter(charCode)
 106 {
 107     var expected = escape(String.fromCharCode(charCode));
 108     shouldBe("testIDNEncode(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 109     shouldBe("testIDNEncodeTripFirstCharacter(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 110 }
 111
 112 var isOlderICU = testIDNEncode(0x3002) == ".";
 113
 114 /* Allowed Characters - dot and slash */
 115 testIDNCharacter(".".charCodeAt(0), "allowed");
 116 testIDNCharacter("/".charCodeAt(0), "allowed");
 117
 118 /* Allowed Characters - one character for each script in the default IDN whitelist*/
 119 testIDNCharacter(0x0061, "allowed");
 120 testIDNCharacter(0x0633, "allowed");
 121 testIDNCharacter(0x0561, "allowed");
 122 testIDNCharacter(0x3105, "allowed");
 123 testIDNCharacter(0x1613, "allowed");
 124 testIDNCharacter(0x0905, "allowed");
 125 testIDNCharacter(0x0A85, "allowed");
 126 testIDNCharacter(0x0A05, "allowed");
 127 testIDNCharacter(0x1115, "allowed");
 128 testIDNCharacter(0x4E2D, "allowed");
 129 testIDNCharacter(0x05D0, "allowed");
 130 testIDNCharacter(0x3041, "allowed");
 131 testIDNCharacter(0x30A1, "allowed");
 132 testIDNCharacter(0x0B94, "allowed");
 133 testIDNCharacter(0x0E01, "allowed");
 134 testIDNCharacter(0xA000, "allowed");
 135
 136 /* ICU converts these to other allowed characters, so the original character can't be used to get to a phishy domain name */
 137 testIDNCharacter(0x2024, ".");
 138 testIDNCharacter(0xFE52, ".");
 139 testIDNCharacter(0xFF0F, "/");
 140
 141 /* ICU converts these characters to backslash, so the original character can't be used to get to a phishy domain name */
 142 testIDNCharacter(0xFE68, "%5C");
 143 testIDNCharacter(0xFF3C, "%5C");
 144
 145 /* ICU converts these characters to space, so the original character can't be used to get to a phishy domain name */
 146 testIDNCharacter(0x00A0, "%20");
 147 testIDNCharacter(0x2000, "%20");
 148 testIDNCharacter(0x2001, "%20");
 149 testIDNCharacter(0x2002, "%20");
 150 testIDNCharacter(0x2003, "%20");
 151 testIDNCharacter(0x2004, "%20");
 152 testIDNCharacter(0x2005, "%20");
 153 testIDNCharacter(0x2006, "%20");
 154 testIDNCharacter(0x2007, "%20");
 155 testIDNCharacter(0x2008, "%20");
 156 testIDNCharacter(0x2009, "%20");
 157 testIDNCharacter(0x200A, "%20");
 158 testIDNCharacter(0x202F, "%20");
 159 testIDNCharacter(0x205F, "%20");
 160 testIDNCharacter(0x3000, "%20");
 161
 162 /* Disallow these characters.  Some of these are known lookalike characters for dot and slash.
 163    A lot of these are from Mozilla's blacklist: http://kb.mozillazine.org/Network.IDN.blacklist_chars
 164 */
 165 testIDNCharacter(0x00BC, "disallowed");
 166 testIDNCharacter(0x00BD, "disallowed");
 167 testIDNCharacter(0x00ED, "disallowed");
 168 testIDNCharacter(0x01C3, "disallowed");
 169 testIDNCharacter(0x0251, "disallowed");
 170 testIDNCharacter(0x0261, "disallowed");
 171 testIDNCharacter(0x0337, "disallowed");
 172 testIDNCharacter(0x0337, "disallowed");
 173 testIDNCharacter(0x0338, "disallowed");
 174 testIDNCharacter(0x0338, "disallowed");
 175 testIDNCharacter(0x05B4, "disallowed");
 176 testIDNCharacter(0x05BC, "disallowed");
 177 testIDNCharacter(0x0660, "disallowed");
 178 testIDNCharacter(0x06F0, "disallowed");
 179 testIDNCharacter(0x115F, "disallowed");
 180 testIDNCharacter(0x1160, "disallowed");
 181 testIDNCharacter(0x2027, "disallowed");
 182 testIDNCharacter(0x2039, "disallowed");
 183 testIDNCharacter(0x203A, "disallowed");
 184 testIDNCharacter(0x2044, "disallowed");
 185 testIDNCharacter(0x2044, "disallowed");
 186 testIDNCharacter(0x2154, "disallowed");
 187 testIDNCharacter(0x2155, "disallowed");
 188 testIDNCharacter(0x2156, "disallowed");
 189 testIDNCharacter(0x2159, "disallowed");
 190 testIDNCharacter(0x215A, "disallowed");
 191 testIDNCharacter(0x215B, "disallowed");
 192 testIDNCharacter(0x215F, "disallowed");
 193 testIDNCharacter(0x2215, "disallowed");
 194 testIDNCharacter(0x2216, "disallowed");
 195 testIDNCharacter(0x233F, "disallowed");
 196 testIDNCharacter(0x23AE, "disallowed");
 197 testIDNCharacter(0x244A, "disallowed");
 198 testIDNCharacter(0x2571, "disallowed");
 199 testIDNCharacter(0x2572, "disallowed");
 200 testIDNCharacter(0x29F6, "disallowed");
 201 testIDNCharacter(0x29F8, "disallowed");
 202 testIDNCharacter(0x29F8, "disallowed");
 203 testIDNCharacter(0x2AFB, "disallowed");
 204 testIDNCharacter(0x2AFD, "disallowed");
 205 testIDNCharacter(0x3014, "disallowed");
 206 testIDNCharacter(0x3015, "disallowed");
 207 testIDNCharacter(0x3033, "disallowed");
 208 testIDNCharacter(0x3035, "disallowed");
 209 testIDNCharacter(0x3164, "disallowed");
 210 testIDNCharacter(0x321D, "disallowed");
 211 testIDNCharacter(0x321E, "disallowed");
 212 testIDNCharacter(0x33AE, "disallowed");
 213 testIDNCharacter(0x33AF, "disallowed");
 214 testIDNCharacter(0x33C6, "disallowed");
 215 testIDNCharacter(0x33DF, "disallowed");
 216 testIDNCharacter(0xFE14, "disallowed");
 217 testIDNCharacter(0xFE15, "disallowed");
 218 testIDNCharacter(0xFE3F, "disallowed");
 219 testIDNCharacter(0xFE5D, "disallowed");
 220 testIDNCharacter(0xFE5E, "disallowed");
 221 testIDNCharacter(0xFFA0, "disallowed");
 222
 223 /* ICU won't encode these characters in IDN, thus we should always get 'host not found'. */
 224 testIDNCharacter(0x2028, "does not encode");
 225 testIDNCharacter(0x2029, "does not encode");
 226 testIDNCharacter(0x2FF0, "does not encode");
 227 testIDNCharacter(0x2FF1, "does not encode");
 228 testIDNCharacter(0x2FF2, "does not encode");
 229 testIDNCharacter(0x2FF3, "does not encode");
 230 testIDNCharacter(0x2FF4, "does not encode");
 231 testIDNCharacter(0x2FF5, "does not encode");
 232 testIDNCharacter(0x2FF6, "does not encode");
 233 testIDNCharacter(0x2FF7, "does not encode");
 234 testIDNCharacter(0x2FF8, "does not encode");
 235 testIDNCharacter(0x2FF9, "does not encode");
 236 testIDNCharacter(0x2FFA, "does not encode");
 237 testIDNCharacter(0x2FFB, "does not encode");
 238 testIDNCharacter(0xFFF9, "does not encode");
 239 testIDNCharacter(0xFFFA, "does not encode");
 240 testIDNCharacter(0xFFFB, "does not encode");
 241 testIDNCharacter(0xFFFC, "does not encode");
 242 testIDNCharacter(0xFFFD, "does not encode");
 243
 244 /* ICU won't encode these characters if they're not the first character in the host name.
 245    If the character does get encoded as the first character, then we will disallow it */
 246
 247 testIDNCharacter(0x05C3, "disallowed", "does not encode");
 248 testIDNCharacter(0x05F4, "disallowed", "does not encode");
 249 testIDNCharacter(0x06D4, "disallowed", "does not encode");
 250 testIDNCharacter(0x0702, "disallowed", "does not encode");
 251
 252 /* ICU won't encode these characters if they're the first character in the host name.
 253    If the character does get encoded as the first character, then ICU converts it to another allowed character */
 254
 255 if (isOlderICU) {
 256     testIDNCharacter(0x200B, "");
 257     testIDNCharacter(0x3002, ".");
 258     testIDNCharacter(0xFF0E, ".");
 259     testIDNCharacter(0xFF61, ".");
 260     testIDNCharacter(0xFEFF, "");
 261 } else {
 262     testIDNCharacter(0x200B, "does not encode", "");
 263     testIDNCharacter(0x3002, "does not encode", ".");
 264     testIDNCharacter(0xFF0E, "does not encode", ".");
 265     testIDNCharacter(0xFF61, "does not encode", ".");
 266     testIDNCharacter(0xFEFF, "does not encode", "");
 267 }
 268
 269 </script>
 270 </body>
 271 </html>