window_nosniff_navigation.html (4821B)
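<!DOCTYPE HTML>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
  <!-- SimpleTest.js is included so that waitForExplicitFinish is available. -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
  <style>
    iframe {
      border: 1px solid orange;
    }
  </style>
</head>

<body>

  <!--
    Test fixtures. Every frame requests file_nosniff_navigation.sjs with a
    "mime" parameter (the Content-Type to answer with) and an optional
    "content" parameter (the kind of body to send). The last frame of each
    group omits "content".
    NOTE(review): the .sjs is not part of this file; presumably it also sends
    X-Content-Type-Options: nosniff on every response. Confirm against the .sjs.

    The frames are declared in the body: iframe is not permitted inside head,
    and the HTML parser would move them into the body anyway.
  -->

  <!-- Using Content-Type: */* -->
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=xml"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=html"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=css"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=json"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=img"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=pdf"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*"></iframe>
  <hr>
  <!-- Using Content-Type: image/png -->
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=xml"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=html"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=css"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=json"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=img"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=pdf"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng"></iframe>
  <hr>
  <!-- Using Content-Type: garbage/garbage -->
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=xml"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=html"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=css"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=json"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=img"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=pdf"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage"></iframe>

  <!--
    The two script tests. Nothing in this file references these elements;
    presumably they are placeholders shared with a sibling test. Confirm before
    removing them.
  -->
  <script id="scriptCorrectType"></script>
  <script id="scriptWrongType"></script>

  <script class="testbody">
    // Description of the test:
    // We are testing whether Firefox respects the nosniff header when
    // navigating to a document (the original description says "Top-Level
    // Navigations"; in this file the navigations are iframe loads).
    // If Firefox cannot display the page, it prompts a download and the URL
    // of the frame's document stays about:blank.
    // So we try to open different kinds of content sent with no-mime,
    // mismatched-mime and garbage-mime types.
    //
    // Why it matters: with nosniff the declared Content-Type is authoritative.
    // The browser must not guess a renderable type from the response body, so
    // content that a server labels as a non-document type is never promoted
    // to an HTML document behind the server's back.
    //
    // Results are reported through window.opener, so this page expects to be
    // opened by the window that owns the running SimpleTest harness.

    SimpleTest.waitForExplicitFinish();

    /**
     * Runs one assertion per frame matching `selector`.
     *
     * @param {string} selector     CSS selector for the frames to inspect.
     * @param {function(Document): boolean} wasNotSniffed
     *        Returns true when the frame's document shows no sign of sniffing.
     * @param {function(?string): string} describe
     *        Builds the assertion message from the frame's "content" query
     *        parameter (null for the frames that omit it).
     *
     * A frame that cannot be inspected is reported as a failed assertion
     * instead of throwing out of the load handler; an exception there would
     * skip SimpleTest.finish() and leave the harness waiting for its timeout.
     */
    function checkFrames(selector, wasNotSniffed, describe) {
      for (const frame of document.querySelectorAll(selector)) {
        try {
          const result = wasNotSniffed(frame.contentWindow.document);
          const sniffTarget = new URL(frame.src).searchParams.get("content");
          window.opener.ok(result, describe(sniffTarget));
        } catch (e) {
          window.opener.ok(false, `${selector} frame ${frame.src} could not be inspected: ${e}`);
        }
      }
    }

    window.addEventListener("load", () => {
      // No usable Content-Type provided (the wildcard type): not rendering at
      // all, or falling back to text/plain, are both acceptable outcomes.
      checkFrames(
        ".no-mime",
        doc => doc.URL === "about:blank" || doc.contentType === "text/plain",
        sniffTarget => `${sniffTarget} without MIME - was not sniffed`
      );

      // The server mislabels the content (sends content X as image/png):
      // assert that we do not sniff and "correct" the declared type.
      checkFrames(
        ".mismatch-mime",
        doc => doc.contentType === "image/png",
        sniffTarget => `${sniffTarget} send as image/png - was not Sniffed`
      );

      // Bogus MIME type: assert that we do not sniff. We must not default to
      // text/plain here, as the server at least provided a MIME type.
      // NOTE(review): about:blank is also what a frame reports before it has
      // navigated anywhere, so this check alone cannot tell "blocked because
      // of nosniff" from "the response never produced a document".
      checkFrames(
        ".garbage-mime",
        doc => doc.URL === "about:blank",
        sniffTarget => `${sniffTarget} send as garbage/garbage - was not Sniffed`
      );

      window.opener.SimpleTest.finish();
      window.close();
    });
  </script>
</body>

</html>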