      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Bug 808292 - Implement path-level host-source matching to CSP</title>
      5  <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
      6  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      7  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      8 </head>
      9 <body>
     10  <p id="display"></p>
     11  <div id="content" style="visibility: hidden">
     12    <iframe style="width:100%;" id="testframe"></iframe>
     13  </div>
     14 
     15 <script class="testbody" type="text/javascript">
     16 
     17 SimpleTest.waitForExplicitFinish();
     18 
     19 /* Description of the test:
     20 * We are loading the following url (including a fragment portion):
     21 * http://test1.example.com/tests/dom/security/test/csp/file_path_matching.js#foo
     22 * using different policies and verify that the applied policy is accurately enforced.
     23 */
     24 
// Each entry is [expected verdict, script-src source expression]. The source
// expression is spliced into "default-src 'none'; script-src <expr>" by
// loadNextTest(), and the framed page reports "allowed" or "blocked" depending
// on whether the script at
//   http://test1.example.com/tests/dom/security/test/csp/file_path_matching.js
// (loaded with a #foo fragment or a ?foo=val query, alternating per test) ran.
//
// Grouping of the cases below:
//  - bare host, host with trailing "/", directory prefix, and exact file path
//  - the same with a query or fragment appended to the source expression
//    (expected to be ignored for matching purposes)
//  - wildcard subdomain ("*.example.com"), explicit port 80, wildcard port
//  - paths that must NOT match: a path without a trailing "/" matches only
//    the exact path, and a different port (8888) never matches port 80
//  - case handling: scheme and host are matched case-insensitively, path
//    case-sensitively
var policies = [
 ["allowed", "*"],
 ["allowed", "http://*"], // test for bug 1075230, enforcing scheme and wildcard
 ["allowed", "test1.example.com"],
 ["allowed", "test1.example.com/"],
 ["allowed", "test1.example.com/tests/dom/security/test/csp/"],
 ["allowed", "test1.example.com/tests/dom/security/test/csp/file_path_matching.js"],

 // query portion of the source expression should not affect matching
 ["allowed", "test1.example.com?foo=val"],
 ["allowed", "test1.example.com/?foo=val"],
 ["allowed", "test1.example.com/tests/dom/security/test/csp/?foo=val"],
 ["allowed", "test1.example.com/tests/dom/security/test/csp/file_path_matching.js?foo=val"],

 // fragment portion of the source expression should not affect matching
 ["allowed", "test1.example.com#foo"],
 ["allowed", "test1.example.com/#foo"],
 ["allowed", "test1.example.com/tests/dom/security/test/csp/#foo"],
 ["allowed", "test1.example.com/tests/dom/security/test/csp/file_path_matching.js#foo"],

 // wildcard subdomain still honours the path component
 ["allowed", "*.example.com"],
 ["allowed", "*.example.com/"],
 ["allowed", "*.example.com/tests/dom/security/test/csp/"],
 ["allowed", "*.example.com/tests/dom/security/test/csp/file_path_matching.js"],

 // explicit port matching the default http port
 ["allowed", "test1.example.com:80"],
 ["allowed", "test1.example.com:80/"],
 ["allowed", "test1.example.com:80/tests/dom/security/test/csp/"],
 ["allowed", "test1.example.com:80/tests/dom/security/test/csp/file_path_matching.js"],

 // wildcard port
 ["allowed", "test1.example.com:*"],
 ["allowed", "test1.example.com:*/"],
 ["allowed", "test1.example.com:*/tests/dom/security/test/csp/"],
 ["allowed", "test1.example.com:*/tests/dom/security/test/csp/file_path_matching.js"],

 // no trailing "/": the path must match exactly, so a partial path or a
 // different file name is rejected
 ["blocked", "test1.example.com/tests"],
 ["blocked", "test1.example.com/tests/dom/security/test/csp"],
 ["blocked", "test1.example.com/tests/dom/security/test/csp/file_path_matching.py"],

 // wrong port: blocked regardless of the path
 ["blocked", "test1.example.com:8888/tests"],
 ["blocked", "test1.example.com:8888/tests/dom/security/test/csp"],
 ["blocked", "test1.example.com:8888/tests/dom/security/test/csp/file_path_matching.py"],

 // case insensitive matching for scheme and host, but case sensitive matching for paths
 ["allowed", "HTTP://test1.EXAMPLE.com/tests/"],
 ["allowed", "test1.EXAMPLE.com/tests/"],
 ["blocked", "test1.example.com/tests/dom/security/test/CSP/?foo=val"],
 ["blocked", "test1.example.com/tests/dom/security/test/csp/FILE_path_matching.js?foo=val"],
]
     72 
// Index of the next `policies` entry to run. After loadNextTest() increments
// it, its parity also selects which framed page (fragment vs. query variant)
// is loaded, and test() uses `counter - 1` as the human-readable test index.
var counter = 0;
// The [expected verdict, source expression] pair currently being exercised;
// set by loadNextTest() and read back by test().
var policy;
     75 
/**
 * Start the next policy case, or finish the suite once every entry of
 * `policies` has been exercised.
 *
 * Side effects: advances the global `counter`, publishes the current case in
 * the global `policy`, registers test() as the iframe's load handler and
 * navigates the iframe to file_testserver.sjs with the page and CSP to serve.
 * After the increment, even counters load the page whose script URL carries a
 * fragment (#foo); odd counters load the variant whose script URL carries a
 * query string (bug 1147026).
 */
function loadNextTest() {
  if (counter === policies.length) {
    SimpleTest.finish();
    return;
  }

  policy = policies[counter];
  counter += 1;

  var page = (counter % 2 === 0)
    ? "tests/dom/security/test/csp/file_path_matching.html"
    : "tests/dom/security/test/csp/file_path_matching_incl_query.html";

  // The policy under test is built from the current source expression; the
  // file is served with it as a CSP header by file_testserver.sjs.
  var csp = "default-src 'none'; script-src " + policy[1];

  // escape() is retained (not encodeURIComponent) so the query string reaching
  // the test server is encoded exactly as the server expects.
  var src = "file_testserver.sjs?file=" + escape(page) + "&csp=" + escape(csp);

  var frame = document.getElementById("testframe");
  frame.addEventListener("load", test);
  frame.src = src;
}
     97 
/**
 * Load handler for the test iframe: reads the verdict ("allowed"/"blocked")
 * rendered by the framed page into #testdiv and compares it with the expected
 * value for the current `policy`, then chains to loadNextTest().
 *
 * Any failure to reach the framed document is reported through ok(false)
 * rather than propagated, so the suite always advances to the next case.
 * Accessing contentWindow.document presumes the frame is same-origin with
 * this page (it is loaded from a relative URL).
 */
function test() {
  var testIndex = counter - 1;
  try {
    var frame = document.getElementById("testframe");
    // Detach first so the next navigation does not re-enter this handler twice.
    frame.removeEventListener('load', test);
    var expected = policy[0];
    var verdict = frame.contentWindow.document.getElementById('testdiv').innerHTML;
    is(verdict, expected, "should be " + expected + " in test " + testIndex + "!");
  } catch (e) {
    ok(false, "ERROR: could not access content in test " + testIndex + "!");
  }
  loadNextTest();
}
    110 
// Kick off the first case; every subsequent case is scheduled from test()
// once the previous iframe load has been checked.
loadNextTest();
    112 
    113 </script>
    114 </body>
    115 </html>