

      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Bug 921493 - CSP: test allowlisting of scheme-relative sources</title>
      5  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
      6  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      7  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      8 </head>
      9 <body>
     10 <iframe style="width:100%;" id="testframe"></iframe>
     11 
     12 <script class="testbody" type="text/javascript">
     13 
// Results arrive asynchronously via postMessage, so the harness must wait
// until loadNextTest() calls SimpleTest.finish() after the last case.
SimpleTest.waitForExplicitFinish();

/* Description of the test:
* We load http and https pages and verify that scheme relative sources
* are allowed unless it's a downgrade from https -> http.
*
* Please note that the policy contains 'unsafe-inline' so we can use
* an inline script to query the result from within the sandboxed iframe
* and report it back to the parent document.
*/

// 'example.com' is written without a scheme, so it is the scheme-relative
// source whose matching is under test; 'unsafe-inline' is only present so
// the framed page can run the reporting script described above.
var POLICY = "default-src 'none'; script-src 'unsafe-inline' example.com;";
     26 
// Test matrix as [scheme the page is loaded over, scheme the scheme-relative
// source resolves to, expected outcome]. Only https -> http is a downgrade,
// so that is the single case in which the source must not be allowed.
var tests = [
  ["http", "http", "allowed"],
  ["http", "https", "allowed"],
  ["https", "https", "allowed"],
  ["https", "http", "blocked"],
].map(function (row) {
  var pageScheme = row[0];
  var sourceScheme = row[1];
  return {
    description: pageScheme + " -> " + sourceScheme,
    from: pageScheme,
    to: sourceScheme,
    result: row[2],
  };
});

// Index of the next case to load, and the case currently shown in the frame.
var counter = 0;
var curTest;
     56 
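// Loads the next test case into #testframe, or finishes the run once every
// case has been reported. The outcome of each load arrives asynchronously in
// receiveMessage, which calls back into this function.
function loadNextTest() {
  if (counter === tests.length) {
    window.removeEventListener("message", receiveMessage);
    SimpleTest.finish();
    return;
  }

  curTest = tests[counter++];

  // The .sjs page is fetched over curTest.from and asked to reference a
  // scheme-relative script that resolves to curTest.to, served under POLICY.
  // encodeURIComponent replaces the deprecated escape(): for this policy
  // string both emit %20 / %3B for space and ';', the only difference being
  // that the single quotes stay literal, so a standard percent-decoder on the
  // server side yields the same policy (assumes the .sjs decodes that way —
  // TODO confirm against file_scheme_relative_sources.sjs).
  var src = curTest.from +
            "://example.com/tests/dom/security/test/csp/file_scheme_relative_sources.sjs" +
            "?scheme=" + curTest.to +
            "&policy=" + encodeURIComponent(POLICY);

  document.getElementById("testframe").src = src;
}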
     73 
// using a postMessage handler to report the result back from
// within the sandboxed iframe without 'allow-same-origin'.
// Registered before the first load so no report can be missed; loadNextTest
// removes it again once every case has run.
window.addEventListener("message", receiveMessage);
     77 
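// Receives the {result} message posted by the framed .sjs page, checks it
// against the expected outcome of the current case, then loads the next one.
function receiveMessage(event) {
  // Only accept reports from the test frame itself. The framed page is
  // sandboxed without allow-same-origin (see the note above), so its origin
  // is not usable for filtering and event.source is the reliable check; an
  // unrelated message would otherwise reach is() with event.data.result
  // undefined and produce a spurious failure.
  if (event.source !== document.getElementById("testframe").contentWindow) {
    return;
  }

  is(event.data.result, curTest.result,
     "should be " + curTest.result + " in test (" + curTest.description + ")!");

  loadNextTest();
}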
     85 
// get the test started; every following case is kicked off from receiveMessage
loadNextTest();

</script>
</body>
</html>