tor-browser

The Tor Browser

echo-allow-csp-from.py (1439B)


      1 import json
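def _js_string_literal(raw):
    """Return *raw* as an ASCII, double-quoted JavaScript string literal.

    The result is substituted into an inline <script> element, so quoting
    alone is not enough: "<", ">" and "&" are also written as \\uXXXX escapes
    so the value cannot close the surrounding script element or be read as
    markup. A plain alphanumeric id comes out as "id", which is exactly what
    the previous '"%s"' template slot produced.

    Assumes *raw* is bytes, as the b"" keys used for the lookup suggest.
    """
    text = raw.decode("utf-8", "replace")
    # json.dumps escapes quotes, backslashes, control characters and (with the
    # default ensure_ascii) every non-ASCII code point.
    literal = json.dumps(text)
    for char, escape in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(char, escape)
    return literal.encode("ascii")


def main(request, response):
    """Serve the framed test page and optionally echo an Allow-CSP-From header.

    Query parameters read from ``request.GET``:

    * ``allow_csp_from`` (optional): copied into the ``Allow-CSP-From``
      response header.
    * ``id`` (required): embedded twice in the page as ``response["id"]`` so
      the top window can match the posted messages to this frame. A missing
      ``id`` propagates whatever error the ``request.GET`` lookup raises.

    Returns a ``(headers, body)`` tuple. The page posts a message to
    ``window.top`` when it has loaded, when its image loads, and whenever a
    ``securitypolicyviolation`` event fires.
    """
    headers = [(b"Content-Type", b"text/html")]
    if b"allow_csp_from" in request.GET:
        # NOTE(review): the parameter is reflected verbatim into a response
        # header; confirm the serving layer rejects CR/LF in header values.
        headers.append((b"Allow-CSP-From", request.GET[b"allow_csp_from"]))
    # The id is request-controlled and lands inside an inline script, so it is
    # encoded as a JS string literal (quotes included) rather than pasted in.
    message = _js_string_literal(request.GET[b"id"])
    return headers, b'''
<!DOCTYPE html>
<html>
<head>
   <title>This page enforces embedder's policies</title>
   <script nonce="123">
       document.addEventListener("securitypolicyviolation", function(e) {
           var response = {};
           response["id"] = %s;
           response["securitypolicyviolation"] = true;
           response["blockedURI"] = e.blockedURI;
           response["lineNumber"] = e.lineNumber;
           window.top.postMessage(response, '*');
       });
   </script>
</head>
<body>
   <script nonce="123">
       let img = document.createElement('img');
       img.src = "../../support/pass.png";
       img.onload = function() { window.top.postMessage("img loaded", '*'); }
       document.body.appendChild(img);
   </script>
   <style>
       body {
           background-color: maroon;
       }
   </style>
   <script nonce="123">
       var response = {};
       response["id"] = %s;
       response["loaded"] = true;
       window.top.postMessage(response, '*');
   </script>
   <script>
       // Inline script which might be blocked by CSP.
       navigator.userAgent;
   </script>
</body>
</html>
''' % (message, message)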