Merge branch 'tespach/download-redirect' of https://github.com/duckdu…

…ckgo/privacy-test-pages into tespach/download-redirect

autofill/password-update.html

@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width">
+  <title>Password update flows</title>
+  <link rel="stylesheet" href="./style.css" />
+</head>
+
+<body>
+
+<p><a href="../index.html">[Home]</a></p>
+
+<div class="dialog">
+  <form action="/change-password" id="change">
+    <h2>Change password (with hidden username field)</h2>
+    <fieldset>
+      <input id="email" type="hidden" value="[email protected]">
+      <label for="password-current">Current Password</label>
+      <input id="password-current" name="password-current" type="password" autocomplete="current-password">
+      <label for="password-new">New Password</label>
+      <input id="password-new" name="password-new" type="password" autocomplete="new-password">
+      <label for="password-new-confirm">Confirm Password</label>
+      <input id="password-new-confirm" name="password-new-confirm" type="password" autocomplete="new-password">
+      <button type="submit">Change password</button>
+    </fieldset>
+  </form>
+  <hr />
+  <form action="/change-password" id="change-no-user">
+    <h2>Change password (without username)</h2>
+    <fieldset>
+      <label for="password-current-no-user">Current Password</label>
+      <input id="password-current-no-user" name="password-current" type="password" autocomplete="current-password">
+      <label for="password-new-no-user">New Password</label>
+      <input id="password-new-no-user" name="password-new" type="password" autocomplete="new-password">
+      <label for="password-new-confirm-no-user">Confirm Password</label>
+      <input id="password-new-confirm-no-user" name="password-new-confirm" type="password" autocomplete="new-password">
+      <button type="submit">Change password</button>
+    </fieldset>
+  </form>
+  <hr />
+  <form action="/change-password" id="change-2">
+    <h2>Change password (without current password)</h2>
+    <fieldset>
+      <label for="password-new-2">New Password</label>
+      <input id="password-new-2" name="password-new-2" type="password" autocomplete="new-password">
+      <label for="password-new-confirm-2">Confirm Password</label>
+      <input id="password-new-confirm-2" name="password-new-confirm-2" type="password" autocomplete="new-password">
+      <button type="submit">Change password</button>
+    </fieldset>
+  </form>
+  <hr />
+  <form action="/change-password" id="change-3">
+    <h2>Change password (without autocomplete attributes)</h2>
+    <fieldset>
+      <label for="password-current-3">Current Password</label>
+      <input id="password-current-3" name="password-current-3" type="password">
+      <label for="password-new-3">New Password</label>
+      <input id="password-new-3" name="password-new-3" type="password">
+      <label for="password-new-confirm-3">Confirm Password</label>
+      <input id="password-new-confirm-3" name="password-new-confirm-3" type="password">
+      <button type="submit">Save changes</button>
+    </fieldset>
+  </form>
+</div>
+<script type="module">
+  [...document.forms].forEach((form) => {
+      form.addEventListener('submit', (e) => {
+          e.preventDefault();
+          const formData = new FormData(e.target);
+          const dl = document.createElement('dl');
+          formData.forEach((value, key) => {
+              const dt = document.createElement('dt');
+              const dd = document.createElement('dd');
+              dt.innerText = key;
+              dd.innerText = value;
+              dl.append(dt, dd);
+          });
+          form.after(dl);
+          form.remove();
+      });
+  });
+</script>
+</body>
+
+</html>

autofill/style.css

@@ -56,8 +56,10 @@ hr {
 
 fieldset {
   display: grid;
-  grid-template-columns: max-content minmax(80px, 1fr);
+  grid-template-columns: 1fr 1fr;
   grid-gap: 1em;
+  width: 410px;
+  max-width: 100%;
   max-width: 100%;
   padding: 0;
   border: none;
@@ -117,3 +119,19 @@ button,
   align-items: center;
   z-index: 1000;
 }
+
+dl {
+  text-align: left;
+  width: 80%;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+dt {
+  font-weight: bold;
+  margin-top: 1em;
+}
+
+dt::after {
+  content: ':'
+}

index.html

@@ -90,6 +90,7 @@ <h2>Autofill</h2>
 	<li><a href="./autofill/form-submission.html">Form submission detection and autofill</a></li>
 	<li><a href="./autofill/frame-form-submission-parent.html">Form submission detection and autofill within an iframe</a></li>
 	<li><a href="./autofill/signup.html">Password generation during signup</a></li>
+	<li><a href="./autofill/password-update.html">Password update/reset forms</a></li>
 	<li>
 		Autoprompt credentials autofill when a login form is front and center
 		<ul>

privacy-protections/surrogates/index.html

@@ -28,7 +28,7 @@
 </head>
 <p><a href="../../">[Home]</a> ↣ <a href="../">[Privacy Protections Tests]</a> ↣ <strong>[Surrogates Test Page]</strong></p>
 
-<p>This page tests if surrogate script for google-analytics.com/analytics.js is being loaded. This page expects <a href='https://github.com/duckduckgo/tracker-surrogates/blob/main/surrogates/analytics.js'>specific surrogate</a> to be loaded.</p>
+<p>This page tests that requests to google-analytics.com/analytics.js are redirected to the <a href='https://github.com/duckduckgo/tracker-surrogates/blob/main/surrogates/analytics.js'>analytics.js surrogate script</a>. The page also tests some related edge-cases. Note: "request failed" is expected for some test cases, but green always indicates a test success and red a test failure.</p>
 <table id='results-table'>
     <tr><th>Description</th><th>Loaded</th></tr>
 </table>

privacy-protections/surrogates/main.js

@@ -1,3 +1,6 @@
+const GREEN = '#71bf69';
+const RED = '#f97268';
+
 const results = {
     page: 'surrogates',
     date: (new Date()).toUTCString(),
@@ -11,10 +14,14 @@ function updateTable ({ name, testData, error }) {
     const descriptionCell = row.insertCell(0);
     const testCell = row.insertCell(1);
 
+    const requestFailExpected = testData.expectedResult === 'failed';
+    const requestLoadedColor = requestFailExpected ? RED : GREEN;
+    const requestFailedColor = requestFailExpected ? GREEN : RED;
+
     // set default values and colors
     descriptionCell.innerText = testData.notes;
     testCell.innerText = 'request failed';
-    testCell.style.backgroundColor = '#f97268';
+    testCell.style.backgroundColor = requestFailedColor;
 
     const result = {
         id: name,
@@ -27,7 +34,7 @@ function updateTable ({ name, testData, error }) {
         if (testResult) {
             result.loaded = true;
             testCell.innerText = 'surrogate loaded';
-            testCell.style.backgroundColor = '#71bf69';
+            testCell.style.backgroundColor = requestLoadedColor;
         } else {
             testCell.innerText = 'surrogate not loaded';
         }
@@ -61,13 +68,15 @@ const surrogates = {
         url: 'https://google-analytics.com/analytics.js',
         notes: 'Loading surrogate in the main frame.',
         test: checkSurrogate,
+        expectedResult: 'loaded',
         cleanUp: () => { delete window.ga; }
     },
     'cross-origin': {
         url: 'https://google-analytics.com/analytics.js',
         crossOrigin: 'anonymous',
         notes: 'Loading surrogate with crossOrigin=anonymous set.',
         test: checkSurrogate,
+        expectedResult: 'loaded',
         cleanUp: () => { delete window.ga; }
     },
     'integrity-check': {
@@ -76,12 +85,14 @@ const surrogates = {
         integrity: 'sha512-1xNTXD/ZeaKg/Xjb6De9la7CXo5gC1lMk+beyKo691KJrjlj0HbZG6frzK0Wo6bm96i9Cp6w/WB4vSN/8zDBLQ==',
         notes: 'Loading surrogate with integrity=sha512-… set.',
         test: checkSurrogate,
+        expectedResult: 'failed',
         cleanUp: () => { delete window.ga; }
     },
     'direct-access': {
         url: 'chrome-extension://bkdgflcldnnnapblkhphbgpggdiikppg/web_accessible_resources/analytics.js',
         notes: 'Chromium only - it should not be possible to access local surrogate file',
-        test: () => { return true; }
+        test: () => { return true; },
+        expectedResult: 'failed'
     },
     'sub-frame': {
         notes: 'Loading surrogate in an iframe.',
@@ -115,7 +126,8 @@ const surrogates = {
             });
 
             return promise;
-        }
+        },
+        expectedResult: 'loaded'
     },
     'delayed-set': {
         notes: 'Set script src after insert',

security/address-bar-spoofing/spoof-js-download-url.html

@@ -18,8 +18,12 @@
 
 <body>
   <p><a href="./index.html">[Back]</a></p>
-  This test uses a download URL for downloading a file to spoof the browser into displaying the download
-  URL as the current origin while rewriting the document content to spoof the address bar.
+  This test uses a download URL that performs a HTTP redirect for downloading a file to trick the
+  browser into displaying the download URL as the current origin while rewriting the document content
+  resulting in a spoofed address bar.
+  The expected result is that the redirect should be followed and the file should be downloaded 
+  in the about:blank context instead of in the context of the download URL where the document might
+  be spoofed by the previous page.
   <button onclick="run()">Start</button>
 </body>