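<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Test CSP 1.1 hash-source for inline scripts and styles</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <script src="/tests/SimpleTest/EventUtils.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="visibility:hidden">
  <!-- Loads file_hash_source.html, which carries the CSP under test plus the
       inline <script>/<style> blocks whose hashes and nonces are checked. -->
  <iframe style="width:100%;" id='cspframe'></iframe>
</div>
<script class="testbody" type="text/javascript">

// What this test pins down about CSP hash-source:
//  * an inline script/style runs only if the policy lists a matching
//    sha256 / sha384 / sha512 digest of its content, or a matching nonce;
//  * hash and nonce are independent allow-lists: a valid hash with a wrong
//    nonce is still allowed, and a valid nonce with a wrong hash is still
//    allowed; only when both are wrong is the block refused;
//  * sha1 and md5 are not acceptable hash algorithms, so a correct sha1/md5
//    digest must still be rejected.
// The policy and the inline blocks themselves live in file_hash_source.html.

// Signal the end of the test to the harness.
function cleanup() {
  SimpleTest.finish();
}

// Expected outcome per inline <script> in the frame. Each script, if it
// runs, writes 'allowed' into the element of the same id; the fixture is
// presumably pre-filled with 'blocked' so a script that CSP refused leaves
// that marker in place (confirm against file_hash_source.html).
var inlineScriptTests = {
  'inline-script-valid-hash': {
    shouldBe: 'allowed',
    message: 'Inline script with valid hash should be allowed'
  },
  'inline-script-invalid-hash': {
    shouldBe: 'blocked',
    message: 'Inline script with invalid hash should be blocked'
  },
  'inline-script-invalid-hash-valid-nonce': {
    shouldBe: 'allowed',
    message: 'Inline script with invalid hash and valid nonce should be allowed'
  },
  'inline-script-valid-hash-invalid-nonce': {
    shouldBe: 'allowed',
    message: 'Inline script with valid hash and invalid nonce should be allowed'
  },
  'inline-script-invalid-hash-invalid-nonce': {
    shouldBe: 'blocked',
    message: 'Inline script with invalid hash and invalid nonce should be blocked'
  },
  'inline-script-valid-sha512-hash': {
    shouldBe: 'allowed',
    message: 'Inline script with a valid sha512 hash should be allowed'
  },
  'inline-script-valid-sha384-hash': {
    shouldBe: 'allowed',
    message: 'Inline script with a valid sha384 hash should be allowed'
  },
  'inline-script-valid-sha1-hash': {
    shouldBe: 'blocked',
    message: 'Inline script with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
  },
  'inline-script-valid-md5-hash': {
    shouldBe: 'blocked',
    message: 'Inline script with a valid md5 hash should be blocked, because md5 is not a valid hash function'
  }
};

// Each inline <style> under test tries to colour its element green. If CSP
// blocks the style the element keeps the default black.
var GREEN = "rgb(0, 128, 0)";
var BLACK = "rgb(0, 0, 0)";

// Expected computed colour per inline <style> in the frame.
var inlineStyleTests = {
  'inline-style-valid-hash': {
    shouldBe: GREEN,
    message: 'Inline style with valid hash should be allowed'
  },
  'inline-style-invalid-hash': {
    shouldBe: BLACK,
    message: 'Inline style with invalid hash should be blocked'
  },
  'inline-style-invalid-hash-valid-nonce': {
    shouldBe: GREEN,
    message: 'Inline style with invalid hash and valid nonce should be allowed'
  },
  'inline-style-valid-hash-invalid-nonce': {
    shouldBe: GREEN,
    message: 'Inline style with valid hash and invalid nonce should be allowed'
  },
  'inline-style-invalid-hash-invalid-nonce': {
    shouldBe: BLACK,
    message: 'Inline style with invalid hash and invalid nonce should be blocked'
  },
  'inline-style-valid-sha512-hash': {
    shouldBe: GREEN,
    message: 'Inline style with a valid sha512 hash should be allowed'
  },
  'inline-style-valid-sha384-hash': {
    shouldBe: GREEN,
    message: 'Inline style with a valid sha384 hash should be allowed'
  },
  'inline-style-valid-sha1-hash': {
    shouldBe: BLACK,
    message: 'Inline style with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
  },
  'inline-style-valid-md5-hash': {
    shouldBe: BLACK,
    message: 'Inline style with a valid md5 hash should be blocked, because md5 is not a valid hash function'
  }
};

// Runs once the frame has loaded: compares every marker element in the
// frame against the expectation tables above, then finishes the test.
function checkInline() {
  var cspframe = document.getElementById('cspframe').contentDocument;

  // Look up a marker element in the frame. A missing element is reported
  // as a failed assertion instead of a thrown TypeError, so the remaining
  // checks still run and the harness still gets its finish() call.
  function frameElement(id) {
    var el = cspframe.getElementById(id);
    ok(el, 'test element #' + id + ' exists in file_hash_source.html');
    return el;
  }

  try {
    for (var scriptId in inlineScriptTests) {
      var scriptTest = inlineScriptTests[scriptId];
      var scriptEl = frameElement(scriptId);
      if (scriptEl) {
        is(scriptEl.innerHTML, scriptTest.shouldBe, scriptTest.message);
      }
    }

    for (var styleId in inlineStyleTests) {
      var styleTest = inlineStyleTests[styleId];
      var styleEl = frameElement(styleId);
      if (styleEl) {
        is(window.getComputedStyle(styleEl).color, styleTest.shouldBe, styleTest.message);
      }
    }
  } finally {
    // Always finish, even if something above threw; otherwise the harness
    // sits on waitForExplicitFinish() until it times out.
    cleanup();
  }
}

//////////////////////////////////////////////////////////////////////
// set up and go
SimpleTest.waitForExplicitFinish();

// Register the load listener BEFORE assigning src so the handler cannot be
// missed however quickly the frame finishes loading; this also matches the
// intent of loading the testbed last.
var cspframeEl = document.getElementById('cspframe');
cspframeEl.addEventListener('load', checkInline);
cspframeEl.src = 'file_hash_source.html';
</script>
</body>
</html>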