

      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-eval' keyword.</title>
      5  <script src="/resources/testharness.js"></script>
      6  <script src="/resources/testharnessreport.js"></script>
      7  <script src="support/testharness-helper.sub.js"></script>
      8 </head>
      9 <body>
     10  <script>
     11    var tests = [
     12      { "name": "'unsafe-eval' is properly subsumed.",
     13        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes' 'strict-dynamic' 'unsafe-eval'",
     14        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-eval'",
     15        "expected": IframeLoad.EXPECT_LOAD },
     16      { "name": "No other keyword has the same effect as 'unsafe-eval'.",
     17        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'",
     18        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
     19        "expected": IframeLoad.EXPECT_BLOCK },
     20      { "name": "Other expressions have to be subsumed.",
     21        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'",
     22        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'",
     23        "expected": IframeLoad.EXPECT_BLOCK },
     24      { "name": "Effective policy is properly found.",
     25        "required_csp": "style-src http://example1.com/foo/ 'self'  'unsafe-eval'",
     26        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-hashed-attributes' 'unsafe-eval'",
     27        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'",
     28        "expected": IframeLoad.EXPECT_LOAD },
     29      { "name": "Required csp must allow 'unsafe-eval'.",
     30        "required_csp": "style-src http://example1.com/foo/ 'self'",
     31        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'unsafe-eval'",
     32        "expected": IframeLoad.EXPECT_BLOCK },
     33      { "name": "Effective policy is properly found where 'unsafe-eval' is not subsumed.",
     34        "required_csp": "style-src http://example1.com/foo/ 'self'",
     35        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'unsafe-eval'",
     36        "returned_csp_2": "style-src 'unsafe-eval' 'unsafe-inline'",
     37        "expected": IframeLoad.EXPECT_BLOCK },
     38      { "name": "Effective policy is properly found where 'unsafe-eval' is not part of it.",
     39        "required_csp": "style-src http://example1.com/foo/ 'self'",
     40        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'self'",
     41        "returned_csp_2": "style-src 'unsafe-eval' 'self'",
     42        "expected": IframeLoad.EXPECT_LOAD },
     43    ];
     44    tests.forEach(test => {
     45      async_test(t =>  {
     46        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
     47        if (test.returned_csp_2)
     48          url.searchParams.append("policy2", test.returned_csp_2);
     49        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
     50      }, test.name);
     51    });
     52  </script>
     53 </body>
     54 </html>