
subsumption_algorithm-self.html (2251B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <title>Embedded Enforcement: Subsumption Algorithm - 'self' keyword.</title>
      5  <script src="/resources/testharness.js"></script>
      6  <script src="/resources/testharnessreport.js"></script>
      7  <script src="support/testharness-helper.sub.js"></script>
      8 </head>
      9 <body>
     10  <script>
     11    var tests = [
     12      { "name": "'self' keywords should match.",
     13        "required_csp": "img-src 'self' http://b.com:*",
     14        "returned_csp": "img-src 'self' http://b.com:*",
     15        "expected": IframeLoad.EXPECT_LOAD },
     16      { "name": "Returned CSP does not have to specify 'self'.",
     17        "required_csp": "img-src 'self' http://b.com:*",
     18        "returned_csp": "img-src http://b.com:*",
     19        "expected": IframeLoad.EXPECT_LOAD },
     20      { "name": "Returned CSP must not allow 'self' if required CSP does not.",
     21        "required_csp": "img-src http://b.com:*",
     22        "returned_csp": "img-src 'self' http://b.com:*",
     23        "expected": IframeLoad.EXPECT_BLOCK },
     24      { "name": "Returned 'self' should match to an origin's url.",
     25        "required_csp": "img-src 'self' http://b.com:*",
     26        "returned_csp": "img-src " + getCrossOrigin(),
     27        "expected": IframeLoad.EXPECT_LOAD },
     28      { "name": "Required 'self' should match to a origin's url.",
     29        "required_csp": "img-src " +  getCrossOrigin() + " http://b.com:*",
     30        "returned_csp": "img-src 'self'",
     31        "expected": IframeLoad.EXPECT_LOAD },
     32      { "name": "Required 'self' should subsume a more secure version of origin's url.",
     33        "required_csp": "img-src 'self' http://b.com:*",
     34        "returned_csp": "img-src " + getSecureCrossOrigin(),
     35        "expected": IframeLoad.EXPECT_LOAD },
     36      { "name": "Returned 'self' should not be subsumed by a more secure version of origin's url.",
     37        "required_csp": "img-src " + getSecureCrossOrigin() + " http://b.com:*",
     38        "returned_csp": "img-src 'self'",
     39        "expected": IframeLoad.EXPECT_BLOCK },
     40    ];
     41    tests.forEach(test => {
     42      async_test(t =>  {
     43        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
     44        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
     45      }, test.name);
     46    });
     47  </script>
     48 </body>
     49 </html>