Merge branch 'develop' into jacek/xcode15

* develop: (40 commits) Address Bar Spoofing Tests + Remediation (#2181) Update Sync e2e tests to fit the new UI (#2215) NetP waitlist final touches (#2209) NetP: Remove port from server address (#2214) NetP: Fix list row colours (#2213) Reset VPN waitlist T&C (#2212) Report macOS active/new user for netP (#2207) Sabrina/sync setup update (#2198) new pixels for toolbars and share sheet (#2208) Use design system fonts throughout NetP (#2211) moving the toggle to the top of the dashboard (#2166) Allow automated fetching of synced bookmarks' favicons (#2163) NetP Geoswitching Design Review feedback (#2206) update theme to use system colours (#2180) Release 7.99.0 (#2205) Update iOS privacy defaults (#2185) Remove disabled switches from VPN Settings screen (#2203) Update BSK for VPN settings (#2165) Fix migrating from Bookmarks V2 and older (#2196) Autofill pixel parameter removed (#2182) ...
duckduckgo · Dec 5, 2023 · 10ef86e · 10ef86e
2 parents 5aaf30d + f822b76
commit 10ef86e
Show file tree

Hide file tree

Showing 173 changed files with 6,991 additions and 2,219 deletions.
diff --git a/.maestro/release_tests/emailprotection.yaml b/.maestro/release_tests/emailprotection.yaml
@@ -17,7 +17,7 @@ tags:
 - scroll
 - scroll
 - assertVisible: Email Protection
-- tapOn: Email Protection, Block email trackers and hide your address
+- tapOn: Email Protection
 - assertVisible:
     id: searchEntry
 - assertVisible: https://duckduckgo.com/email/

diff --git a/.maestro/security_tests/0_all.yaml b/.maestro/security_tests/0_all.yaml
@@ -0,0 +1,39 @@
+# all.yaml
+
+appId: com.duckduckgo.mobile.ios
+---
+
+# Set up 
+- clearState
+- launchApp
+- runFlow: 
+    when: 
+      visible: 
+        text: "Let’s Do It!"
+        index: 0
+    file: ../shared/onboarding.yaml
+
+# Load Site
+- assertVisible:
+    id: "searchEntry"
+- tapOn: 
+    id: "searchEntry"
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/"
+- pressKey: Enter
+
+# Manage onboarding
+- runFlow:
+    when:
+      visible:
+        text: "Got It"
+        index: 0
+    file: ../shared/onboarding_browsing.yaml
+
+# Run AddressBarSpoofing tests
+- runFlow: ./1_-_AddressBarSpoof,_basicauth.yaml
+- runFlow: ./2_-_AddressBarSpoof,_aboutblank.yaml
+- runFlow: ./3_-_AddressBarSpoof,_appschemes.yaml
+- runFlow: ./4_-_AddressBarSpoof,_b64_html.yaml
+- runFlow: ./5_-_AddressBarSpoof,_downloadpath.yaml
+- runFlow: ./6_-_AddressBarSpoof,_formaction.yaml
+- runFlow: ./7_-_AddressBarSpoof,_pagerewrite.yaml
diff --git a/.maestro/security_tests/1_-_AddressBarSpoof,_basicauth.yaml b/.maestro/security_tests/1_-_AddressBarSpoof,_basicauth.yaml
@@ -0,0 +1,35 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+    - securityTest
+---
+- doubleTapOn:
+    id: "searchEntry"
+- pressKey: Backspace
+# Test 1 - using \u2028 character
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-basicauth-2028.html"
+- pressKey: Enter
+- tapOn: "run"
+- assertVisible: "Example Domain"
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText.indexOf("https://www.google.com") != 0}
+- tapOn:
+    id: "searchEntry"
+# Test 2 - using \u2029 character
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-basicauth-2029.html"
+- pressKey: Enter
+- tapOn: "run"
+- assertVisible: "Example Domain"
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText.indexOf("https://www.google.com") != 0}
+- tapOn:
+    id: "searchEntry"
+# Test 3 - using repeated " " space character
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-basicauth-whitespace.html"
+- pressKey: Enter
+- tapOn: "run"
+- assertVisible: "Example Domain"
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText.indexOf("https://www.google.com") != 0}
diff --git a/.maestro/security_tests/2_-_AddressBarSpoof,_aboutblank.yaml b/.maestro/security_tests/2_-_AddressBarSpoof,_aboutblank.yaml
@@ -0,0 +1,17 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+    - securityTest
+---
+- doubleTapOn:
+    id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-about-blank-rewrite.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This test is expected to load "about:blank" not spoof the address bar with duckduckgo.com with the spoofed content.
+- extendedWaitUntil:
+    visible: "Not DDG."  # Spoofed content is visible
+    timeout: 10000
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "about:blank"}
diff --git a/.maestro/security_tests/3_-_AddressBarSpoof,_appschemes.yaml b/.maestro/security_tests/3_-_AddressBarSpoof,_appschemes.yaml
@@ -0,0 +1,30 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+    - securityTest
+---
+# Test 1
+- tapOn:
+    id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-application-scheme.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This will try to open another app
+- assertVisible: "Cancel"
+- tapOn: "Cancel"
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://duckduckgo.com/"} # Should navigate directly here.
+- assertNotVisible: "Not DDG." # HTML content shouldn't be spoofed.
+- tapOn:
+    id: "searchEntry"
+# Test 2
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-unsupported-scheme.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This will try to open another app
+- assertVisible: "Cancel"
+- tapOn: "Cancel"
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-unsupported-scheme.html"}
diff --git a/.maestro/security_tests/4_-_AddressBarSpoof,_b64_html.yaml b/.maestro/security_tests/4_-_AddressBarSpoof,_b64_html.yaml
@@ -0,0 +1,15 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+    - securityTest
+---
+# Test 1
+- doubleTapOn:
+    id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-open-b64-html.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This test is expected to do nothing: loading base64 encoded HTML content in a new tab is blocked.
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-open-b64-html.html"}
diff --git a/.maestro/security_tests/5_-_AddressBarSpoof,_downloadpath.yaml b/.maestro/security_tests/5_-_AddressBarSpoof,_downloadpath.yaml
@@ -0,0 +1,39 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+    - securityTest
+---
+# Test 1
+- doubleTapOn:
+    id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-download-url.html"
+- pressKey: Enter
+- tapOn: "Start"
+# Download Acceptance Flow:
+- extendedWaitUntil:
+    visible: "Save to Downloads"
+    timeout: 10000
+- tapOn: "Save to Downloads"
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "about:blank"} # Downloads should occur in empty origin.
+# Restart
+- tapOn:
+    id: "searchEntry"
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-download-url.html"
+- pressKey: Enter
+# Download Cancel Flow:
+- tapOn: "Start"
+- extendedWaitUntil:
+    visible: "Cancel"  
+    timeout: 10000
+- tapOn: "Cancel"
+# Should be on about:blank
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "about:blank"}
+# Return to last test page
+- tapOn:
+    id: "searchEntry"
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-download-url.html"
+- pressKey: Enter
diff --git a/.maestro/security_tests/6_-_AddressBarSpoof,_formaction.yaml b/.maestro/security_tests/6_-_AddressBarSpoof,_formaction.yaml
@@ -0,0 +1,16 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+    - securityTest
+---
+# Test 1
+- doubleTapOn:
+    id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-form-action.html"
+- pressKey: Enter
+- tapOn: "run"
+# Should navigate to duckduckgo.com without any spoofed HTML document content.
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://duckduckgo.com/"}
+- assertNotVisible: "Not DDG."
diff --git a/.maestro/security_tests/7_-_AddressBarSpoof,_pagerewrite.yaml b/.maestro/security_tests/7_-_AddressBarSpoof,_pagerewrite.yaml
@@ -0,0 +1,16 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+    - securityTest
+---
+# Test 1
+- doubleTapOn:
+    id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-page-rewrite.html"
+- pressKey: Enter
+- tapOn: "Start"
+# Now check the address bar hasn't been updated too early resulting in spoofed content
+- copyTextFrom:
+    id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-page-rewrite.html"}
+- assertNotVisible: "DDG." 
diff --git a/.maestro/shared/sync_create.yaml b/.maestro/shared/sync_create.yaml
@@ -1,10 +1,14 @@
 appId: com.duckduckgo.mobile.ios
 ---
 
-- assertVisible: Sync & Back Up
-- tapOn: Sync & Back Up
-- assertVisible: Sync & Back Up 
-- tapOn: Start Sync & Back Up
-- assertVisible: All Set!
+- assertVisible: Sync & Backup
+- tapOn: Sync & Backup
+- assertVisible: Sync & Backup 
+- tapOn: Sync and Back Up This Device
+- assertVisible: You can sync with your other devices later.
+- tapOn: Turn on Sync & Backup
+- assertVisible: Save Recovery Code
+- tapOn: Copy Code
 - tapOn: Next
-- assertVisible: Save Recovery Code?
+- assertVisible: Your Data is Synced!
+- tapOn: Done
diff --git a/.maestro/shared/sync_delete.yaml b/.maestro/shared/sync_delete.yaml
@@ -1,9 +1,10 @@
 appId: com.duckduckgo.mobile.ios
 ---
 
-- assertVisible: Sync & Back Up
+- assertVisible: Sync & Backup
 - scroll
 - tapOn:
     point: 50%,91% # TODO: Revisit after new setup flow has been implemented. 
 - assertVisible: Delete Server Data?
-- tapOn: Delete Server Data
+- tapOn: Delete Server Data
+- assertVisible: Begin Syncing
diff --git a/.maestro/sync_tests/01_create_account.yaml b/.maestro/sync_tests/01_create_account.yaml
@@ -21,7 +21,6 @@ tags:
 
 
 # Clean up
-- tapOn: Not Now
-- assertVisible: Sync & Back Up
+- assertVisible: Sync & Backup
 - runFlow:
     file: ../shared/sync_delete.yaml
diff --git a/.maestro/sync_tests/02_login_account.yaml b/.maestro/sync_tests/02_login_account.yaml
@@ -20,23 +20,24 @@ tags:
 - runFlow:
     file: ../shared/sync_create.yaml
 
-# Copy Sync Code and Log Out
-- tapOn: Copy Code
-- tapOn: Not Now
-- assertVisible: Sync & Back Up
-- tapOn: Turn Off Sync & Back Up
+# Log Out
+- assertVisible: Sync & Backup
+- tapOn: Turn Off Sync & Backup...
 - assertVisible: Turn Off Sync?
 - tapOn: Remove
 
 # Login
-- assertVisible: Sync & Back Up
-- tapOn: Enter Text Code
+- assertVisible: Sync & Backup
+- tapOn: Sync with Another Device
+- assertVisible: Scan QR Code
+- tapOn: Manually Enter Code
 - tapOn: Paste
-- assertVisible: Device Synced!
+- assertVisible: Save Recovery Code
 - tapOn: Next
-- tapOn: Not Now
+- assertVisible: Your Data is Synced!
+- tapOn: Done
 
 # Clean up
-- assertVisible: Sync & Back Up
+- assertVisible: Sync & Backup
 - runFlow:
     file: ../shared/sync_delete.yaml
diff --git a/.maestro/sync_tests/03_recover_account.yaml b/.maestro/sync_tests/03_recover_account.yaml
@@ -19,34 +19,55 @@ tags:
 - tapOn:
     id: searchEntry
 - inputText: ${CODE}
+
+- evalScript: ${output.counter = 0}
 - repeat:
     while:
-      notVisible: "Select All"
+      true: ${output.counter < 3}
+      notVisible: Select All
     commands:
-      - tapOn:
-            id: searchEntry
-- tapOn: Select All
+      - longPressOn: 
+          id: "searchEntry"
+      - evalScript: ${output.counter = output.counter + 1}
+
+- tapOn: 'Select All'
 - tapOn: Cut
-- tapOn:
-    id: searchEntry
-- longPressOn:
-    id: searchEntry
+- evalScript: ${output.counter = 0}
+- repeat:
+    while:
+      true: ${output.counter < 3}
+      notVisible: Paste
+    commands:
+      - tapOn: 
+          id: "searchEntry"
+      - evalScript: ${output.counter = output.counter + 1}
 - tapOn: Paste
 - tapOn: Cancel
+
+- tapOn: Close Tabs and Clear Data
+- tapOn: Close Tabs and Clear Data
+- runFlow:
+    when:
+      visible:
+        text: Cancel
+    commands:
+      - tapOn: Cancel
 #</WORKAROUND>
 
 # Recover Account test
 - tapOn: Settings
 - runFlow:
     file: ../shared/set_internal_user.yaml
-- assertVisible: Sync & Back Up
-- tapOn: Sync & Back Up
-- assertVisible: Sync & Back up
-- tapOn: Recover Your Data
-- tapOn: Enter Text Code
+- assertVisible: Sync & Backup
+- tapOn: Sync & Backup
+- assertVisible: Begin Syncing
+- tapOn: Recover Synced Data
+- assertVisible: Recover Synced Data
+- assertVisible: Get Started
+- tapOn: Get Started
+- tapOn: Enter Text Code Manually
 - tapOn: Paste
-- assertVisible: Device Synced!
+- assertVisible: Save Recovery Code
 - tapOn: Next
-- tapOn: Not Now
-- tapOn: Settings
+- assertVisible: Your Data is Synced!
 - tapOn: Done