

      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <title>Embedded Enforcement: Subsumption Algorithm - Nonces.</title>
      5  <script src="/resources/testharness.js"></script>
      6  <script src="/resources/testharnessreport.js"></script>
      7  <script src="support/testharness-helper.sub.js"></script>
      8 </head>
      9 <body>
     10  <script>
   // Embedded Enforcement (the iframe `csp` attribute) lets an embedder
   // demand a policy from a cross-origin embedee; the policy the embedee
   // returns must *subsume* the required one or the frame is blocked. A too
   // lax check would let the embedee run under a weaker policy than the
   // embedder asked for, so these cases pin how nonce-sources are treated:
   //  - A required nonce is satisfied by any returned nonce, not just the
   //    same value (cases 1, 2, 4) — presumably because the embedder cannot
   //    know which nonces the embedee will mint, only that it uses some.
   //  - Swapping the nonce for a host source does not subsume (case 3), and
   //    the host-source part of a policy is still checked on its own
   //    (cases 7, 8).
   //  - When the embedee returns two policies (the second travels as
   //    `policy2`) they are intersected first, and that intersection is on
   //    exact nonce values (cases 5, 6): disjoint nonces intersect to nothing,
   //    which 'none' subsumes; a shared nonce survives and 'none' cannot
   //    subsume it.
   // The `name` strings double as the test ids handed to async_test, so they
   // are kept byte-for-byte (including "Multiples") — renaming one would
   // silently detach any expectation metadata keyed on the old name.
   var tests = (function () {
     var LOAD = IframeLoad.EXPECT_LOAD;
     var BLOCK = IframeLoad.EXPECT_BLOCK;
     // One case. `returned` holds the embedee's policy and, optionally, a
     // second one; `returned_csp_2` is only set when that second policy is
     // given, so a truthiness check on the key behaves as with a plain
     // literal that omits it.
     function testCase(name, required_csp, returned, expected) {
       var c = {
         "name": name,
         "required_csp": required_csp,
         "returned_csp_1": returned[0],
         "expected": expected
       };
       if (returned.length > 1)
         c["returned_csp_2"] = returned[1];
       return c;
     }
     return [
       // exact and non-matching nonce values
       testCase("Exact nonce subsumes.",
                "style-src 'nonce-abc'",
                ["style-src 'nonce-abc'"],
                LOAD),
       testCase("Any nonce subsumes.",
                "style-src 'nonce-abc'",
                ["style-src 'nonce-xyz'"],
                LOAD),
       testCase("A nonce has to be returned if required by the embedder.",
                "style-src 'nonce-abc'",
                ["style-src http://example1.com/foo"],
                BLOCK),
       testCase("Multiples nonces returned subsume.",
                "style-src 'nonce-abc'",
                ["style-src 'nonce-xyz' 'nonce-abc'"],
                LOAD),
       // nonce intersection between two returned policies
       testCase("Nonce intersection is still done on exact match - non-matching nonces.",
                "style-src 'none'",
                ["style-src 'nonce-def'", "style-src 'nonce-xyz'"],
                LOAD),
       testCase("Nonce intersection is still done on exact match - matching nonces.",
                "style-src 'none'",
                ["style-src 'nonce-def'", "style-src 'nonce-def' 'nonce-xyz'"],
                BLOCK),
       // non-nonce expressions in the same directive are still subsumed
       testCase("Other expressions still have to be subsumed - positive test.",
                "style-src http://example1.com/foo/ 'nonce-abc'",
                ["style-src http://example1.com/foo/ 'nonce-xyz'"],
                LOAD),
       testCase("Other expressions still have to be subsumed - negative test",
                "style-src http://example1.com/foo/ 'nonce-abc'",
                ["style-src http://not-example1.com/foo/ 'nonce-xyz'"],
                BLOCK)
     ];
   })();
   // Run each case as its own async test. The embedee's policy is carried on
   // the cross-origin frame URL (a second one as the `policy2` query
   // parameter); the required policy is passed to the helper, which is
   // expected to attach it to the iframe and assert the load/block outcome
   // — see testharness-helper.sub.js for what it actually does.
   for (const test of tests) {
     async_test(t => {
       const url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
       if (test.returned_csp_2)
         url.searchParams.append("policy2", test.returned_csp_2);
       assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
     }, test.name);
   }
     57  </script>
     58 </body>
     59 </html>