/* eslint-disable no-eval */
// some javascript for the CSP eval() tests
// all of these evals should succeed, as the document loading this script
// has script-src 'self' 'unsafe-eval'

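/**
 * Append a coloured result box for one CSP eval test to the document body.
 *
 * @param {string} str - Message to display; it is treated as plain text.
 * @param {boolean} passed - true renders a green (pass) box, false a red (fail) box.
 * @returns {void}
 */
function logResult(str, passed) {
  const elt = document.createElement("div");
  // The original pass colour carried a stray ";" ("#cfc;"), which produced
  // "background-color:#cfc;;" in the style string; both colours are now bare.
  const color = passed ? "#cfc" : "#fcc";
  elt.setAttribute(
    "style",
    "background-color:" +
      color +
      "; width:100%; border:1px solid black; padding:3px; margin:4px;"
  );
  // The messages are plain "PASS: ... / FAIL: ..." strings, so textContent is
  // sufficient and keeps the text from being interpreted as markup.
  elt.textContent = str;
  document.body.appendChild(elt);
}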

// callback for when code is allowed to run by CSP
/**
 * Report that dynamic code CSP was expected to permit did run.
 * Forwards the result to the parent frame's scriptRan() and logs a box that
 * is green when shouldrun is true and red otherwise.
 *
 * @param {boolean} shouldrun - Whether the code was expected to execute.
 * @param {string} what - Name of the test case.
 * @param {string} data - Human-readable detail for the result box.
 */
var onevalexecuted = (function (win) {
  function report(shouldrun, what, data) {
    win.parent.scriptRan(shouldrun, what, data);
    var verdict = shouldrun ? "PASS: " : "FAIL: ";
    logResult(verdict + what + " : " + data, shouldrun);
  }
  return report;
})(window);

// callback for when code is blocked by CSP
/**
 * Report that dynamic code was blocked (a synchronous throw was caught).
 * Forwards the result to the parent frame's scriptBlocked() and logs a box
 * that is red when the code should have run and green otherwise.
 *
 * @param {boolean} shouldrun - Whether the code was expected to execute.
 * @param {string} what - Name of the test case.
 * @param {string} data - Human-readable detail for the result box.
 */
var onevalblocked = (function (win) {
  function report(shouldrun, what, data) {
    win.parent.scriptBlocked(shouldrun, what, data);
    var verdict = shouldrun ? "FAIL: " : "PASS: ";
    logResult(verdict + what + " : " + data, !shouldrun);
  }
  return report;
})(window);

// Defer until document is loaded so that we can write the pretty result boxes
// out.
addEventListener(
  "load",
  function () {
    // Every case below exercises one dynamic-code entry point inside a
    // try/catch: a synchronous throw is reported through onevalblocked(),
    // otherwise the evaluated code (or the line after it) reports through
    // onevalexecuted(). This document is loaded with 'unsafe-eval', so each
    // case is expected to end up in onevalexecuted().

    // setTimeout(String) test  -- should pass
    // Only a synchronous throw from setTimeout() itself lands in the catch;
    // the string body runs (and reports) 10 ms later.
    try {
      // eslint-disable-next-line no-implied-eval
      setTimeout(
        'onevalexecuted(true, "setTimeout(String)", "setTimeout with a string was enabled.");',
        10
      );
    } catch (e) {
      onevalblocked(
        true,
        "setTimeout(String)",
        "setTimeout with a string was blocked"
      );
    }

    // setTimeout(function) test  -- should pass
    // Control case: a real function rather than a string is handed to setTimeout.
    try {
      setTimeout(function () {
        onevalexecuted(
          true,
          "setTimeout(function)",
          "setTimeout with a function was enabled."
        );
      }, 10);
    } catch (e) {
      onevalblocked(
        true,
        "setTimeout(function)",
        "setTimeout with a function was blocked"
      );
    }

    // eval() test
    try {
      eval('onevalexecuted(true, "eval(String)", "eval() was enabled.");');
    } catch (e) {
      onevalblocked(true, "eval(String)", "eval() was blocked");
    }

    // eval(foo,bar) test
    // Direct eval with a surplus second argument (standard eval takes one).
    // NOTE: the pass label says "eval(String,scope)" while the blocked label
    // says "eval(String,object)", so the two branches report different names.
    try {
      eval(
        'onevalexecuted(true, "eval(String,scope)", "eval() was enabled.");',
        1
      );
    } catch (e) {
      onevalblocked(
        true,
        "eval(String,object)",
        "eval() with scope was blocked"
      );
    }

    // [foo,bar].sort(eval) test
    // eval is used as the comparator, so sort() calls it with the two
    // elements. Which element is passed first is up to the sort
    // implementation; eval of a non-string returns it unchanged, so the
    // string is only evaluated when it arrives as the first argument.
    try {
      [
        'onevalexecuted(true, "[String, obj].sort(eval)", "eval() was enabled.");',
        1,
      ].sort(eval);
    } catch (e) {
      onevalblocked(
        true,
        "[String, obj].sort(eval)",
        "eval() with scope via sort was blocked"
      );
    }

    // [].sort.call([foo,bar], eval) test
    // Same shape as the previous case, routed through Function.prototype.call.
    try {
      [].sort.call(
        [
          'onevalexecuted(true, "[String, obj].sort(eval)", "eval() was enabled.");',
          1,
        ],
        eval
      );
    } catch (e) {
      onevalblocked(
        true,
        "[].sort.call([String, obj], eval)",
        "eval() with scope via sort/call was blocked"
      );
    }

    // new Function() test
    // Constructing the function compiles the string; the body only reports
    // once fcn() is actually invoked, so both steps sit inside the try.
    try {
      var fcn = new Function(
        'onevalexecuted(true, "new Function(String)", "new Function(String) was enabled.");'
      );
      fcn();
    } catch (e) {
      onevalblocked(
        true,
        "new Function(String)",
        "new Function(String) was blocked."
      );
    }

    // ShadowRealm.prototype.evaluate
    // Unlike the cases above, the evaluated string does no reporting itself;
    // success is reported on the following line only when evaluate() returns
    // without throwing. If ShadowRealm is not defined at all, the
    // ReferenceError from the constructor also ends up here as "blocked".
    try {
      var sr = new ShadowRealm();
      sr.evaluate("var x = 10");
      onevalexecuted(
        true,
        "ShadowRealm.prototype.evaluate(String)",
        "ShadowRealm.prototype.evaluate(String) was enabled."
      );
    } catch (e) {
      onevalblocked(
        true,
        "ShadowRealm.prototype.evaluate(String)",
        "ShadowRealm.prototype.evaluate(String) was blocked."
      );
    }

    // Reports the outcome of the deferred setTimeout(eval, 0, str) case below:
    // bar is only true if the eval'd string managed to call window.foo().
    function checkResult() {
      if (bar) {
        onevalexecuted(
          true,
          "setTimeout(eval, 0, str)",
          "setTimeout(eval, 0, string) was enabled."
        );
      } else {
        onevalblocked(
          true,
          "setTimeout(eval, 0, str)",
          "setTimeout(eval, 0, str) was blocked."
        );
      }
    }

    // Flipped by foo(); read by checkResult().
    var bar = false;

    function foo() {
      bar = true;
    }

    // Expose foo on window so the string evaluated from the timer can reach it.
    window.foo = foo;

    // setTimeout(eval, 0, str)

    // error is not catchable here
    // The evaluation happens later on the timer, so a CSP violation would not
    // reach a try/catch in this handler. checkResult is queued with the same
    // 0 ms delay right after it and is expected to run once the eval has had
    // its turn. checkResult uses no `this`, so the bind() only yields a fresh
    // function object.

    setTimeout(eval, 0, "window.foo();");

    setTimeout(checkResult.bind(this), 0);
  },
  false // useCapture
);