      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Bug 888172 - CSP 1.0 does not process 'unsafe-inline' or 'unsafe-eval' for default-src</title>
      5  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      6  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      7 </head>
      8 <body>
      9 <p id="display"></p>
     10 <div id="content" style="display: none">
     11 </div>
     12 
     13 <iframe style="width:100%;" id='testframe1'></iframe>
     14 <iframe style="width:100%;" id='testframe2'></iframe>
     15 <iframe style="width:100%;" id='testframe3'></iframe>
     16 <script class="testbody" type="text/javascript">
     17 
//////////////////////////////////////////////////////////////////////
// Harness setup: the final check function is responsible for calling
// SimpleTest.finish(), so tell the harness not to end the test on load.
SimpleTest.waitForExplicitFinish();

// Colours observed via getComputedStyle in the check functions below.
// An element that an allowed inline script / eval / style touched is green;
// an element left black means the policy blocked that source.
var green = 'rgb(0, 128, 0)',
    black = 'rgb(0, 0, 0)';
     26 
/**
 * Returns the computed CSS `color` of an element inside a test iframe.
 *
 * @param {HTMLIFrameElement} doc - the iframe whose contentDocument holds the element
 * @param {string} id - id of the element to look up inside that document
 * @returns {string} the computed colour, e.g. 'rgb(0, 128, 0)'
 */
function getElementColorById(doc, id) {
  var innerDocument = doc.contentDocument;
  var target = innerDocument.getElementById(id);
  var computed = window.getComputedStyle(target);
  return computed.color;
}
     30 
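// We test both script and style execution by observing changes in computed styles.

/**
 * 'load' handler for testframe1 (policy: default-src 'self' 'unsafe-inline' 'unsafe-eval').
 *
 * With no script-src / style-src directive present, default-src governs both
 * scripts and styles, so the inline script, eval and inline style must all
 * have run (all three probe elements green). Then kicks off the second case
 * by loading testframe2 with an explicit script-src.
 *
 * Globals used: document, ok, green, getElementColorById, checkDefaultSrcWithScriptSrc.
 */
function checkDefaultSrcOnly() {
  var testframe = document.getElementById('testframe1');

  ok(getElementColorById(testframe, 'unsafe-inline-script') === green, "Inline script should be allowed");
  ok(getElementColorById(testframe, 'unsafe-eval-script')  === green, "Eval should be allowed");
  ok(getElementColorById(testframe, 'unsafe-inline-style') === green, "Inline style should be allowed");

  var nextFrame = document.getElementById('testframe2');
  var nextPolicy = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self'";
  // Register the listener before assigning src so the 'load' event cannot be missed.
  nextFrame.addEventListener('load', checkDefaultSrcWithScriptSrc);
  // encodeURIComponent instead of the deprecated escape(); for this ASCII policy
  // string the only difference is that the quotes are sent raw rather than as %27,
  // and the query-string decoding on the .sjs side yields the same policy either way.
  nextFrame.src = 'file_bug888172.sjs?csp=' + encodeURIComponent(nextPolicy);
}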
     43 
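/**
 * 'load' handler for testframe2
 * (policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self').
 *
 * An explicit script-src replaces default-src for scripts, so the
 * 'unsafe-inline' / 'unsafe-eval' keywords on default-src must NOT leak into
 * script handling: inline script and eval stay blocked (black) while inline
 * style, still governed by default-src, is allowed (green). Then loads
 * testframe3 for the style-src counterpart.
 *
 * Globals used: document, ok, green, black, getElementColorById, checkDefaultSrcWithStyleSrc.
 */
function checkDefaultSrcWithScriptSrc() {
  var testframe = document.getElementById('testframe2');

  ok(getElementColorById(testframe, 'unsafe-inline-script') === black, "Inline script should be blocked");
  ok(getElementColorById(testframe, 'unsafe-eval-script')  === black, "Eval should be blocked");
  ok(getElementColorById(testframe, 'unsafe-inline-style') === green, "Inline style should be allowed");

  var nextFrame = document.getElementById('testframe3');
  var nextPolicy = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'";
  // Register the listener before assigning src so the 'load' event cannot be missed.
  nextFrame.addEventListener('load', checkDefaultSrcWithStyleSrc);
  // encodeURIComponent instead of the deprecated escape(); for this ASCII policy
  // string the only difference is that the quotes are sent raw rather than as %27,
  // and the query-string decoding on the .sjs side yields the same policy either way.
  nextFrame.src = 'file_bug888172.sjs?csp=' + encodeURIComponent(nextPolicy);
}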
     55 
/**
 * 'load' handler for testframe3
 * (policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self').
 *
 * Mirror of the script-src case: an explicit style-src replaces default-src
 * for styles, so the inline style must be blocked (black), while inline
 * script and eval, still governed by default-src, remain allowed (green).
 * This is the last case, so it ends the test via SimpleTest.finish().
 *
 * Globals used: document, ok, green, black, getElementColorById, SimpleTest.
 */
function checkDefaultSrcWithStyleSrc() {
  var frame = document.getElementById('testframe3');
  var colorOf = function (id) { return getElementColorById(frame, id); };

  ok(colorOf('unsafe-inline-script') === green, "Inline script should be allowed");
  ok(colorOf('unsafe-eval-script') === green, "Eval should be allowed");
  ok(colorOf('unsafe-inline-style') === black, "Inline style should be blocked");

  // Final case: hand control back to the harness.
  SimpleTest.finish();
}
     66 
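// Start the chain: load testframe1 with the default-src-only policy; its 'load'
// handler (checkDefaultSrcOnly) loads the next frame, and so on until
// checkDefaultSrcWithStyleSrc calls SimpleTest.finish().
var firstFrame = document.getElementById('testframe1');
var firstPolicy = "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
// Register the listener before assigning src so the 'load' event cannot be missed.
firstFrame.addEventListener('load', checkDefaultSrcOnly);
// encodeURIComponent instead of the deprecated escape(); for this ASCII policy
// string the only difference is that the quotes are sent raw rather than as %27,
// and the query-string decoding on the .sjs side yields the same policy either way.
firstFrame.src = 'file_bug888172.sjs?csp=' + encodeURIComponent(firstPolicy);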
     70 </script>
     71 </pre>
     72 </body>
     73 </html>