subsumption_algorithm-hashes.html (4761B)


      <!DOCTYPE html>
      <html>
        <head>
          <title>Embedded Enforcement: Subsumption Algorithm - Hashes.</title>
          <script src="/resources/testharness.js"></script>
          <script src="/resources/testharnessreport.js"></script>
          <script src="support/testharness-helper.sub.js"></script>
        </head>
        <body>
          <!-- Web-platform test for CSP Embedded Enforcement: checks how hash
               source expressions take part in the subsumption decision that an
               embedder's required policy makes about a cross-origin frame. -->
          <script>
            // Each entry pairs the policy the embedder requires of the frame
            // (required_csp) with the policy the cross-origin frame itself
            // returns (returned_csp_1, optionally followed by returned_csp_2),
            // plus the load/block outcome the subsumption check must produce.
            //
            // The 'sha256-abc123' / 'sha256-abc456' tokens are placeholder hash
            // sources, not digests of any real stylesheet; subsumption only
            // compares them textually. 'unsafe-hashed-attributes' is the earlier
            // CSP3 draft spelling of the keyword now called 'unsafe-hashes'; it
            // is kept verbatim because the expectations below depend on how the
            // engine under test parses that token.
            var tests = [
              {
                name: "'sha256-abc123' is properly subsumed.",
                required_csp: "style-src 'sha256-abc123'",
                returned_csp_1: "style-src 'sha256-abc123'",
                expected: IframeLoad.EXPECT_LOAD,
              },
              {
                name: "Returned should not include hashes not present in required csp.",
                required_csp: "style-src http://example.com",
                returned_csp_1: "style-src 'sha256-abc123'",
                expected: IframeLoad.EXPECT_BLOCK,
              },
              {
                name: "'sha256-abc123' is properly subsumed with other sources.",
                required_csp: "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes' 'strict-dynamic' 'sha256-abc123'",
                returned_csp_1: "style-src http://example1.com/foo/bar.html 'sha256-abc123'",
                expected: IframeLoad.EXPECT_LOAD,
              },
              {
                name: "Hashes do not have to be present in returned csp.",
                required_csp: "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
                returned_csp_1: "style-src http://example1.com/foo/",
                expected: IframeLoad.EXPECT_LOAD,
              },
              {
                // A returned policy that drops the hash but opens up all inline
                // styles is broader than the required one and must be rejected.
                name: "Hashes do not have to be present in returned csp but must not allow all inline behavior.",
                required_csp: "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
                returned_csp_1: "style-src http://example1.com/foo/ 'unsafe-inline'",
                expected: IframeLoad.EXPECT_BLOCK,
              },
              {
                name: "Other expressions have to be subsumed.",
                required_csp: "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
                returned_csp_1: "style-src http://example1.com/foo/ 'unsafe-eval' 'sha256-abc123'",
                expected: IframeLoad.EXPECT_BLOCK,
              },
              {
                // With a hash source present, 'unsafe-inline' is ignored by the
                // parser, so the returned policy is still subsumed.
                name: "Other expressions have to be subsumed but 'unsafe-inline' gets ignored.",
                required_csp: "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
                returned_csp_1: "style-src http://example1.com/foo/ 'unsafe-inline' 'sha256-abc123'",
                expected: IframeLoad.EXPECT_LOAD,
              },
              {
                // Two returned policies: the effective policy is their
                // intersection, which is what gets compared to required_csp.
                name: "Effective policy is properly found.",
                required_csp: "style-src http://example1.com/foo/ 'self'  'sha256-abc123'",
                returned_csp_1: "style-src http://example1.com/foo/ 'unsafe-hashed-attributes' 'sha256-abc123'",
                returned_csp_2: "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
                expected: IframeLoad.EXPECT_LOAD,
              },
              {
                name: "Required csp must allow 'sha256-abc123'.",
                required_csp: "style-src http://example1.com/foo/ 'self'",
                returned_csp_1: "style-src http://example1.com/foo/ 'self'  'sha256-abc123'",
                expected: IframeLoad.EXPECT_BLOCK,
              },
              {
                name: "Effective policy is properly found where 'sha256-abc123' is not subsumed.",
                required_csp: "style-src http://example1.com/foo/ 'self'",
                returned_csp_1: "style-src 'unsafe-hashed-attributes' 'sha256-abc123'",
                returned_csp_2: "style-src 'sha256-abc123' 'unsafe-inline'",
                expected: IframeLoad.EXPECT_BLOCK,
              },
              {
                name: "'sha256-abc123' is not subsumed by 'sha256-abc456'.",
                required_csp: "style-src http://example1.com/foo/ 'self' 'sha256-abc456'",
                returned_csp_1: "style-src 'unsafe-hashed-attributes' 'sha256-abc123'",
                returned_csp_2: "style-src 'sha256-abc123' 'unsafe-inline'",
                expected: IframeLoad.EXPECT_BLOCK,
              },
              {
                name: "Effective policy now does not allow 'sha256-abc123'.",
                required_csp: "style-src http://example1.com/foo/ 'self' 'sha256-abc456'",
                returned_csp_1: "style-src 'unsafe-hashed-attributes' 'sha256-abc123' 'sha256-abc456'",
                returned_csp_2: "style-src 'sha256-abc456' 'unsafe-inline'",
                expected: IframeLoad.EXPECT_LOAD,
              },
              {
                name: "Effective policy is properly found where 'sha256-abc123' is not part of it.",
                required_csp: "style-src http://example1.com/foo/ 'self'",
                returned_csp_1: "style-src 'unsafe-hashed-attributes' 'self'",
                returned_csp_2: "style-src 'sha256-abc123' 'self'",
                expected: IframeLoad.EXPECT_LOAD,
              },
            ];

            for (const entry of tests) {
              async_test(t => {
                // The frame URL carries the returned policy; a second policy, when
                // present, is appended as the `policy2` query parameter.
                const frameUrl = generateUrlWithPolicies(Host.CROSS_ORIGIN, entry.returned_csp_1);
                if (entry.returned_csp_2) {
                  frameUrl.searchParams.append("policy2", entry.returned_csp_2);
                }
                assert_iframe_with_csp(t, frameUrl, entry.required_csp, entry.expected, entry.name, null);
              }, entry.name);
            }
          </script>
        </body>
      </html>