<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1086999 - Wildcard should not match blob:, data:</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<!-- The test document is served into this frame with a different CSP per test case. -->
<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:
 * We load an image using a data: and a blob: scheme and make
 * sure a CSP containing a single ASTERISK (*) does not allowlist
 * those loads. The single ASTERISK character should not match a
 * URI's scheme of a type designating globally unique identifier
 * (such as blob:, data:, or filesystem:)
 */

// One entry per test case: the CSP the frame document is served with,
// and the outcome expected for both the data: and the blob: load.
// Case 1 lists the schemes explicitly, so the loads must be allowed;
// case 2 relies on the bare wildcard only, so they must be blocked.
var tests = [
  {
    policy : "default-src 'unsafe-inline' blob: data:",
    expected : "allowed",
  },
  {
    policy : "default-src 'unsafe-inline' *",
    expected : "blocked"
  }
];

// Index of the next test case to load (advanced by loadNextTest()).
var testIndex = 0;
// NOTE(review): declared and reset in loadNextTest() but never read in
// this file — looks like leftover state; kept to avoid changing behavior.
var messageCounter = 0;
// The test case currently loaded in the frame; read by receiveMessage().
var curTest;

// onError handler is over-reporting, hence we make sure that
// we get an error for both testcases: data and blob before we
// move on to the next test.
var dataRan = false;
var blobRan = false;

// a postMessage handler to communicate the results back to the parent.
// The frame reports each load result with postMessage; register the
// listener before the first test is loaded. receiveMessage is a function
// declaration, so it is already bound (hoisted) at this point.
// NOTE(review): no event.origin / event.source check is performed. The
// frame is loaded from a relative URL and is therefore same-origin with
// this page; confirm nothing else can post to this window if the harness
// is reused elsewhere.
window.addEventListener("message", receiveMessage);

/**
 * Handle one result message from the test frame.
 *
 * Checks the reported result against the current test case's expectation
 * and records which scheme (data or blob) has reported. The next test is
 * loaded only once both schemes have reported, because the frame's error
 * handler may fire more than once per load.
 *
 * @param {MessageEvent} event - event.data is expected to carry
 *   `scheme` ("data" or "blob") and `result` ("allowed" or "blocked").
 */
function receiveMessage(event) {
  const { scheme, result } = event.data;
  is(result, curTest.expected, `${scheme} should be ${curTest.expected}`);

  if (scheme === "data") {
    dataRan = true;
  } else if (scheme === "blob") {
    blobRan = true;
  }

  // Wait until both schemes have reported before moving on.
  if (!(dataRan && blobRan)) {
    return;
  }
  loadNextTest();
}

/**
 * Load the next test case into the frame, or finish the test run when all
 * cases have been exercised.
 *
 * Builds the request for file_testserver.sjs, which serves the given file
 * with the given CSP header, and points the frame at it.
 */
function loadNextTest() {
  const allDone = testIndex === tests.length;
  if (allDone) {
    window.removeEventListener("message", receiveMessage);
    SimpleTest.finish();
    return;
  }

  // Fresh per-test bookkeeping for the two expected reports.
  dataRan = false;
  blobRan = false;

  curTest = tests[testIndex];
  testIndex += 1;
  // reset the messageCounter to make sure we receive all the postMessages from the iframe
  // NOTE(review): messageCounter is never read in this file; reset kept as-is.
  messageCounter = 0;

  // NOTE(review): escape() is deprecated in favour of encodeURIComponent();
  // it is kept here because the decoding done by file_testserver.sjs is not
  // visible in this file and the two encoders differ for "/" and "'".
  const servedFile = escape("tests/dom/security/test/csp/file_blob_data_schemes.html");
  const servedCsp = escape(curTest.policy);
  const frameSrc = `file_testserver.sjs?file=${servedFile}&csp=${servedCsp}`;

  document.getElementById("testframe").src = frameSrc;
}

SimpleTest.waitForExplicitFinish();
loadNextTest();

</script>
</body>
</html>