
subsumption_algorithm-general.html (4933B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <title>Embedded Enforcement: Subsumption Algorithm - Basic implementation.</title>
      5  <script src="/resources/testharness.js"></script>
      6  <script src="/resources/testharnessreport.js"></script>
      7  <script src="support/testharness-helper.sub.js"></script>
      8 </head>
      9 <body>
     10  <script>
     11    // Note that the returned csp should always allow execution of an
     12    // inline script with nonce "abc" (as returned by
     13    // support/echo-policy-multiple.py), otherwise the test might
     14    // return false negatives.
     15    var tests = [
     16      { "name": "If there is no required csp, iframe should load.",
     17        "required_csp": null,
     18        "returned_csp": null,
     19        "expected": IframeLoad.EXPECT_LOAD },
     20      { "name": "Iframe with empty returned CSP should be blocked.",
     21        "required_csp": "style-src 'none';",
     22        "returned_csp": null,
     23        "expected": IframeLoad.EXPECT_BLOCK },
     24      { "name": "Iframe with matching CSP should load.",
     25        "required_csp": "style-src 'none'; script-src 'unsafe-inline'",
     26        "returned_csp": "style-src 'none'; script-src 'unsafe-inline'",
     27        "expected": IframeLoad.EXPECT_LOAD },
     28      { "name": "Iframe with more restricting CSP should load.",
     29        "required_csp": "script-src 'nonce-abc' 'nonce-123'",
     30        "returned_csp": "script-src 'nonce-abc'",
     31        "expected": IframeLoad.EXPECT_LOAD },
     32      { "name": "Iframe with less restricting CSP should be blocked.",
     33        "required_csp": "style-src 'none'; script-src 'none'",
     34        "returned_csp": "style-src 'none'; script-src 'self' 'nonce-abc'",
     35        "expected": IframeLoad.EXPECT_BLOCK },
     36      { "name": "Iframe with a different CSP should be blocked.",
     37        "required_csp": "script-src 'nonce-abc' 'nonce-123'",
     38        "returned_csp": "style-src 'none'",
     39        "expected": IframeLoad.EXPECT_BLOCK },
     40      { "name": "Iframe with a matching and more restrictive ports should load.",
     41        "required_csp": "frame-src http://c.com:443 http://b.com",
     42        "returned_csp": "frame-src http://b.com:80 http://c.com:443",
     43        "expected": IframeLoad.EXPECT_LOAD },
     44      { "name": "Host wildcard *.a.com does not match a.com",
     45        "required_csp": "frame-src http://*.a.com",
     46        "returned_csp": "frame-src http://a.com",
     47        "expected": IframeLoad.EXPECT_BLOCK },
     48      { "name": "Host intersection with wildcards is computed correctly.",
     49        "required_csp": "frame-sr 'none'",
     50        "returned_csp": "frame-src http://a.com",
     51        "returned_csp_2": "frame-src http://*.a.com",
     52        "expected": IframeLoad.EXPECT_LOAD },
     53      { "name": "Iframe should load even if the ports are different but are default for the protocols.",
     54        "required_csp": "frame-src http://b.com:80",
     55        "returned_csp": "child-src https://b.com:443",
     56        "expected": IframeLoad.EXPECT_LOAD },
     57      { "name": "Iframe should block if intersection allows sources which are not in required_csp.",
     58        "required_csp": "style-src http://*.example.com:*",
     59        "returned_csp": "style-src http://*.com:*",
     60        "returned_csp_2": "style-src http://*.com http://*.example.com:*",
     61        "expected": IframeLoad.EXPECT_BLOCK },
     62      { "name": "Iframe should block if intersection allows sources which are not in required_csp (other ordering).",
     63        "required_csp": "style-src http://*.example.com:*",
     64        "returned_csp": "style-src http://*.com:*",
     65        "returned_csp_2": "style-src http://*.example.com:* http://*.com",
     66        "expected": IframeLoad.EXPECT_BLOCK },
     67      { "name": "Iframe should load if intersection allows only sources which are in required_csp.",
     68        "required_csp": "style-src http://*.example.com",
     69        "returned_csp": "style-src http://*.example.com:*",
     70        "returned_csp_2": "style-src http://*.com",
     71        "expected": IframeLoad.EXPECT_LOAD },
     72      { "name": "Removed plugin-types directive should be ignored.",
     73        "required_csp": "plugin-types application/pdf",
     74        "returned_csp": null,
     75        "expected": IframeLoad.EXPECT_LOAD },
     76      { "name": "Removed plugin-types directive should be ignored 2.",
     77        "required_csp": "plugin-types application/pdf application/x-java-applet",
     78        "returned_csp": "plugin-types application/pdf",
     79        "expected": IframeLoad.EXPECT_LOAD },
     80      { "name": "Removed plugin-types directive should be ignored 3.",
     81        "required_csp": "style-src 'none'; plugin-types application/pdf",
     82        "returned_csp": null,
     83        "expected": IframeLoad.EXPECT_BLOCK },
     84    ];
     85 
     86    tests.forEach(test => {
     87      async_test(t =>  {
     88        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
     89        if (test.returned_csp_2)
     90          url.searchParams.append("policy2", test.returned_csp_2);
     91        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
     92      }, test.name);
     93    });
     94  </script>
     95 </body>
     96 </html>