base-uri_iframe_sandbox.sub.html (2867B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 
      4 <head>
      5    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
      6 
      7    <title>base-uri works correctly inside a sandboxed iframe.</title>
      8    <script src='/resources/testharness.js'></script>
      9    <script src='/resources/testharnessreport.js'></script>
     10 </head>
     11 
     12 <body>
     13    <h1>base-uri works correctly inside a sandboxed iframe.</h1>
     14    <div id='log'></div>
     15 
     16    <script>
     17        window.addEventListener('securitypolicyviolation', function(e) {
     18            assert_unreached('No CSP violation report should have been fired.');
     19        });
     20 
     21        async_test(function(t) {
     22            var i = document.createElement('iframe');
     23            i.sandbox = 'allow-scripts';
     24            i.style.display = 'none';
     25            i.srcdoc = `
     26              <script>
     27                window.addEventListener('securitypolicyviolation', function() {
     28                  top.postMessage('FAIL', '*');
     29                });
     30              </sc` + `ript>
     31              <base href="{{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
     32              <script>
     33                top.postMessage(document.baseURI, '*');
     34              </sc` + `ript>`;
     35 
     36            window.addEventListener('message', t.step_func(function(e) {
     37              if (e.source === i.contentWindow) {
     38                assert_equals(e.data, location.origin + '/base/');
     39                t.done();
     40              }
     41            }));
     42 
     43            document.body.appendChild(i);
     44        }, 'base-uri \'self\' works with same-origin sandboxed iframes.');
     45 
     46        async_test(function(t) {
     47            var i = document.createElement('iframe');
     48            i.sandbox = 'allow-scripts';
     49            i.style.display = 'none';
     50            i.srcdoc = `
     51            <script>
     52              window.addEventListener('securitypolicyviolation',
     53                function(violation) {
     54                  if (violation.blockedURI !== '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/' || violation.effectiveDirective !== 'base-uri') {
     55                      top.postMessage('FAIL');
     56                      return;
     57                  }
     58                  top.postMessage(document.baseURI, '*');
     59              });
     60            </sc` + `ript>
     61            <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/">
     62            <script>
     63              top.postMessage(document.baseURI, '*');
     64            </sc` + `ript>`;
     65 
     66            window.addEventListener('message', t.step_func(function(e) {
     67                if (e.source === i.contentWindow) {
     68                    assert_equals(e.data, location.href);
     69                    t.done();
     70                }
     71            }));
     72 
     73            document.body.appendChild(i);
     74        }, 'base-uri \'self\' blocks foreign-origin sandboxed iframes.');
     75    </script>
     76 
     77 </body>
     78 
     79 </html>