
iframe_script_crossdomain.html (4891B)


      1 <!DOCTYPE HTML>
      2 <!-- Any copyright is dedicated to the Public Domain.
      3     http://creativecommons.org/publicdomain/zero/1.0/ -->
      4 <html>
      5 <head>
      6  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      7  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
      8 </head>
      9 <body>
     10 <p id="display"></p>
     11 <div id="content" style="display: none">
     12 </div>
     13 <pre id="test">
     14 </pre>
     15 
     16 <script type="application/javascript">
     17  SimpleTest.waitForExplicitFinish();
     18 
     19  window.hasCORSLoaded = false;
     20  window.hasNonCORSLoaded = false;
     21 
     22  function good_nonsriLoaded() {
     23    ok(true, "Non-eligible non-SRI resource was loaded correctly.");
     24  }
     25  function bad_nonsriBlocked() {
     26    ok(false, "Non-eligible non-SRI resources should be loaded!");
     27  }
     28 
     29  function good_nonCORSInvalidBlocked() {
     30    ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");
     31  }
     32  function bad_nonCORSInvalidLoaded() {
     33    ok(false, "Non-CORS resources with invalid metadata should be blocked!");
     34  }
     35 
     36  window.onerrorCalled = false;
     37  window.onloadCalled = false;
     38 
     39  function bad_onloadCalled() {
     40    window.onloadCalled = true;
     41  }
     42 
     43  function good_onerrorCalled() {
     44    window.onerrorCalled = true;
     45  }
     46 
     47  function good_incorrect301Blocked() {
     48    ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");
     49  }
     50  function bad_incorrect301Loaded() {
     51    ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");
     52  }
     53 
     54  function good_correct301Blocked() {
     55    ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
     56  }
     57  function bad_correct301Loaded() {
     58    ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
     59  }
     60 
     61  function good_correctDataLoaded() {
     62    ok(true, "Since data: URLs are same-origin, they should be loaded.");
     63  }
     64  function bad_correctDataBlocked() {
     65    todo(false, "We should not block scripts in data: URIs!");
     66  }
     67  function good_correctDataCORSLoaded() {
     68    ok(true, "A data: URL with a CORS load was loaded correctly.");
     69  }
     70  function bad_correctDataCORSBlocked() {
     71    ok(false, "We should not BLOCK scripts!");
     72  }
     73 
     74  window.onload = function() {
     75    SimpleTest.finish()
     76  }
     77 </script>
     78 
<!-- CORS-requested (crossorigin="" is the anonymous mode) with a correct
     sha512 hash: expected to load. The trailing assertion checks
     window.hasCORSLoaded, which this file never sets itself. -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
       crossorigin=""
       integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script>

<!-- Correct sha256 hash, CORS requested via the attribute, but the comment
     calls the load "not cors-enabled" — presumably the response for this
     script carries no CORS headers (server-side setup not visible here).
     Expected outcome: blocked, with onerror (not onload) firing. -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js"
       crossorigin="anonymous"
       integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94="
       onload="bad_onloadCalled()"
       onerror="good_onerrorCalled()"></script>

<!-- Non-CORS load whose integrity value is whitespace only: no usable
     metadata, so SRI does not apply and onload is expected. -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
       integrity="    "
       onload="good_nonsriLoaded()"
       onerror="bad_nonsriBlocked()"></script>

<!-- Non-CORS load with malformed metadata ("sha256-bogus"): expected to be
     blocked, onerror firing. -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"
       integrity="sha256-bogus"
       onload="bad_nonCORSInvalidLoaded()"
       onerror="good_nonCORSInvalidBlocked()"></script>

<!-- Non-CORS request that is same-origin initially (script_301.js) but is
     redirected to another origin, with an invalid hash: expected blocked. -->
<script src="script_301.js"
       integrity="sha384-invalid"
       onerror="good_incorrect301Blocked()"
       onload="bad_incorrect301Loaded()"></script>

<!-- Same redirect with the correct sha384 hash: still expected to be
     blocked — a cross-origin redirect without CORS must not pass SRI even
     when the digest matches. -->
<script src="script_301.js"
       integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
       onerror="good_correct301Blocked()"
       onload="bad_correct301Loaded()"></script>

<!-- data: URL (treated as same-origin) with a correct sha256 hash and no
     crossorigin attribute: expected to load. The blocked branch is a
     todo(), so a block here is a known deviation rather than a failure. -->
<script src="data:,console.log('data:valid');"
       integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
       onerror="bad_correctDataBlocked()"
       onload="good_correctDataLoaded()"></script>

<!-- Same data: URL and hash, now requested with crossorigin="anonymous".
     The original comment said "not cors-enabled", which does not match the
     attribute below — verify the intended case. Expected outcome: loaded. -->
<script src="data:,console.log('data:valid');"
       crossorigin="anonymous"
       integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
       onerror="bad_correctDataCORSBlocked()"
       onload="good_correctDataCORSLoaded()"></script>
    127 
<script>
  // Final checks. This inline script runs while the document is parsed, after
  // the preceding external <script> elements (none are async/defer) have been
  // fetched and either executed or rejected; window.onload only calls
  // SimpleTest.finish() afterwards.
  ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
  ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
  // Both flags below are set solely by the inline handlers of the
  // script_crossdomain2.js element.
  ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
  ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
</script>
</body>
</html>