required-csp-header-cascade.html (3418B)
<!DOCTYPE html>
<html>
<head>
  <title>Embedded Enforcement: Sec-Required-CSP header.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
  <script>
    // Scenario table for a two-level iframe cascade.
    //   csp1      - policy requested for the first (outer) iframe
    //   csp2      - policy requested for the second (nested) iframe
    //   expected1 - value expected for the first iframe; null where none is expected
    //   expected2 - value expected for the second iframe
    // NOTE(review): the expected values are presumably compared with the
    // Sec-Required-CSP request header seen for each frame; confirm against
    // support/testharness-helper.sub.js, which defines assert_required_csp.
    //
    // What the rows encode: a nested frame may tighten the policy it inherits
    // but cannot loosen it. Whenever csp2 is absent, weaker, or invalid,
    // expected2 falls back to the first iframe's policy. An invalid csp1
    // yields null for the first iframe and does not stop csp2 from applying
    // to the second.
    var tests = [
      // Identical policies: each frame is expected to see that policy.
      { "name": "Test same policy for both iframes",
        "csp1": "script-src 'unsafe-inline';",
        "csp2": "script-src 'unsafe-inline';",
        "expected1": "script-src 'unsafe-inline';",
        "expected2": "script-src 'unsafe-inline';"},

      // The nested frame adds a directive: the stricter policy is expected for it.
      { "name": "Test more restrictive policy on second iframe",
        "csp1": "script-src 'unsafe-inline';",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": "script-src 'unsafe-inline';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},

      // The nested frame asks for less: the outer policy is still expected.
      { "name": "Test less restrictive policy on second iframe",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "script-src 'unsafe-inline';",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},

      // The nested frame asks for nothing: the outer policy is inherited.
      { "name": "Test no policy on second iframe",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},

      // No outer policy: null for the first frame, csp2 for the nested one.
      { "name": "Test no policy on first iframe",
        "csp1": "",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": null,
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},

      // A malformed directive name in csp1: expected1 is null, as in the no-policy row.
      { "name": "Test invalid policy on first iframe (bad directive name)",
        "csp1": "default-src http://example.com; i//nvalid-policy-name http://example.com",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": null,
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},

      // A reporting directive in csp1 is treated as invalid by this test.
      { "name": "Test invalid policy on first iframe (report directive)",
        "csp1": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": null,
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},

      // An invalid nested policy must not displace the inherited one.
      { "name": "Test invalid policy on second iframe (bad directive name)",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "default-src http://example.com; i//nvalid-policy-name http://example.com",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},

      // Same fallback when the nested policy carries a reporting directive.
      { "name": "Test invalid policy on second iframe (report directive)",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
    ];

    // Register one async test per scenario. Only Host.SAME_ORIGIN is exercised
    // in this file, so these results say nothing about other host
    // configurations.
    for (const scenario of tests) {
      async_test(harnessTest => {
        // URL of the first frame's document, carrying csp2 as the parameter
        // for the second iframe.
        const nestedFrameUrl = generateURLStringWithSecondIframeParams(
            Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP, scenario.csp2);
        const expectedValues = [scenario.expected1, scenario.expected2];
        assert_required_csp(harnessTest, nestedFrameUrl, scenario.csp1, expectedValues);
      }, "Test same origin: " + scenario.name);
    }
  </script>
</body>
</html>