tor-browser

The Tor Browser

subsumption_algorithm-host_sources-protocols.html (3190B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <title>Embedded Enforcement: Subsumption Algorithm - Scheme parts in host source expressions.</title>
      5  <script src="/resources/testharness.js"></script>
      6  <script src="/resources/testharnessreport.js"></script>
      7  <script src="support/testharness-helper.sub.js"></script>
      8 </head>
      9 <body>
     10  <script>
     11    var tests = [
     12      { "name": "`https` is more restrictive than `http`.",
     13        "required_csp": "img-src http://c.com:* https://b.com",
     14        "returned_csp": "img-src http://b.com",
     15        "expected": IframeLoad.EXPECT_BLOCK },
     16      { "name": "The reverse allows iframe be to be loaded.",
     17        "required_csp": "img-src http://c.com:* http://b.com",
     18        "returned_csp": "img-src https://b.com",
     19        "expected": IframeLoad.EXPECT_LOAD },
     20      { "name": "Matching `https` protocols.",
     21        "required_csp": "img-src http://c.com:* https://b.com",
     22        "returned_csp": "img-src https://b.com",
     23        "expected": IframeLoad.EXPECT_LOAD },
     24      { "name": "`http:` should subsume all host source expressions with this protocol.",
     25        "required_csp": "img-src http:",
     26        "returned_csp": "img-src http://c.com:* https://b.com http://c.com",
     27        "expected": IframeLoad.EXPECT_LOAD },
     28      { "name": "`http:` should subsume all host source expressions with `https:`.",
     29        "required_csp": "img-src http:",
     30        "returned_csp": "img-src https://c.com:* https://b.com http://c.com",
     31        "expected": IframeLoad.EXPECT_LOAD },
     32      { "name": "`http:` does not subsume other protocols.",
     33        "required_csp": "img-src http:",
     34        "returned_csp": "img-src https://c.com:* wss://b.com http://c.com",
     35        "expected": IframeLoad.EXPECT_BLOCK },
     36      { "name": "If scheme source is present in returned csp, it must be specified in required csp too.",
     37        "required_csp": "img-src https://c.com:* wss://b.com http://c.com",
     38        "returned_csp": "img-src http:",
     39        "expected": IframeLoad.EXPECT_BLOCK },
     40      { "name": "`http:` subsumes other `http:` source expression.",
     41        "required_csp": "img-src http:",
     42        "returned_csp": "img-src http: https://c.com:* https://b.com http://c.com",
     43        "expected": IframeLoad.EXPECT_LOAD },
     44      { "name": "`http:` subsumes other `https:` source expression and expressions with `http:`.",
     45        "required_csp": "img-src http:",
     46        "returned_csp": "img-src https: https://c.com:* http://b.com",
     47        "expected": IframeLoad.EXPECT_LOAD },
     48      { "name": "All scheme sources must be subsumed.",
     49        "required_csp": "img-src http: wss:",
     50        "returned_csp": "img-src https: ws:",
     51        "expected": IframeLoad.EXPECT_BLOCK },
     52      { "name": "All scheme sources are subsumed by their stronger variants.",
     53        "required_csp": "img-src http: wss:",
     54        "returned_csp": "img-src https: wss:",
     55        "expected": IframeLoad.EXPECT_LOAD },
     56    ];
     57 
     58    tests.forEach(test => {
     59      async_test(t =>  {
     60        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
     61        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
     62      }, test.name);
     63    });
     64  </script>
     65 </body>
     66 </html>