tor-browser

The Tor Browser

test_resource_timing_cross_origin_navigate.html (1904B)


      1 <!--
      2  Any copyright is dedicated to the Public Domain.
      3  http://creativecommons.org/publicdomain/zero/1.0/
      4 -->
      5 
      6 <!DOCTYPE HTML>
      7 <html>
      8 <!--
      9 https://bugzilla.mozilla.org/show_bug.cgi?id=1789128
     10 -->
     11 <head>
     12  <script src="/tests/SimpleTest/SimpleTest.js"></script>
     13  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
     14 </head>
     15 <body>
     16 
     17 <pre id="test">
     18 <script type="application/javascript">
     19 
     20 </script>
     21 </pre>
     22 
     23 <a target="_blank"
     24     href="https://bugzilla.mozilla.org/show_bug.cgi?id=1789128"
     25     title="Cross origin resource timing">
     26    Bug #1789128 - Cross-Origin URL Steal is possible using performance.getEntries()
     27 </a>
     28 
     29 <script type="text/javascript">
     30 
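// Regression test for bug 1789128: URLs that a subframe reaches by
// navigating or redirecting to another origin must not be readable from
// this document through performance.getEntries().
SimpleTest.waitForExplicitFinish();

// Origins the embedded documents are expected to end up on, one per
// navigation mechanism.
const domains = [
  // resource_timing_location_navigate.html navigates via document.location
  "https://example.org",
  // resource_timing_meta_refresh.html redirects via meta refresh
  "https://test2.example.org",
  // resource_timing_redirect.html redirects via 302 redirect
  "https://test1.example.org",
  // embed_navigate.html navigates via document.location
  "https://sub1.test1.example.org",
];

// Expected origin -> resolver of the promise waiting for that origin.
// A Map keeps the lookup limited to the origins registered below.
const redirectResolves = new Map();

window.addEventListener("message", (event) => {
  console.log("message", event);
  const resolve = redirectResolves.get(event.origin);
  if (!resolve) {
    // Only the listed origins are expected to post to this window. Report
    // any other sender as a test failure with a readable message instead of
    // throwing a TypeError from the listener, and do not let it count
    // towards "all frames have navigated".
    ok(false, `unexpected message from origin ${event.origin}`);
    return;
  }
  resolve();
});

// Wait for all iframes to navigate.
// NOTE(review): presumably each destination page posts a message to this
// window once loaded; the helper pages are not visible here - confirm.
Promise.all(
  domains.map(
    (domain) =>
      new Promise((resolve) => {
        redirectResolves.set(domain, resolve);
      })
  )
).then(() => {
  // Check resource timing for iframes. Every destination origin above is
  // under example.org, so one substring test covers all four of them.
  for (const entry of performance.getEntries()) {
    ok(
      !entry.name.includes("example.org"),
      `${entry.name} cross origin should not be present in resource timing`
    );
  }
  SimpleTest.finish();
});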
     64 
     65 </script>
     66 
     67 <iframe src="resource_timing_location_navigate.html"></iframe>
     68 <iframe src="resource_timing_meta_refresh.html"></iframe>
     69 <iframe src="resource_timing_redirect.html"></iframe>
     70 <embed src="embed_navigate.html">
     71 
     72 </body>
     73 </html>