
frame-src-blocked-path-matching.sub.html (2205B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4    <!-- Make sure frame-src does path matching -->
      5    <meta http-equiv="Content-Security-Policy" content="frame-src data: https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/;">
      6    <title>frame-src-blocked-path-matching</title>
      7    <script src="/resources/testharness.js"></script>
      8    <script src="/resources/testharnessreport.js"></script>
      9 </head>
     10 <body>
     11    <script>
     12      async_test(t => {
     13        let frame = document.createElement("iframe");
     14        frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-pass.html";
     15 
     16        window.addEventListener('message', t.step_func(e => {
     17          if (e.source === frame.contentWindow) {
     18            assert_equals(e.data, "PASS");
     19            t.done();
     20          }
     21        }));
     22 
     23        document.body.append(frame);
     24      }, "Cross-origin frame with allowed path loads");
     25 
     26      async_test(t => {
     27        let frame = document.createElement("iframe");
     28        frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/";
     29 
     30        window.addEventListener('securitypolicyviolation', t.step_func_done(e => {
     31          assert_equals(e.blockedURI, "https://{{hosts[][www1]}}:{{ports[https][0]}}");
     32          assert_equals(e.effectiveDirective, "frame-src");
     33        }), { once: true });
     34 
     35        document.body.append(frame);
     36      }, "Cross-origin frame with other path is blocked");
     37 
     38      async_test(t => {
     39        let frame = document.createElement("iframe");
     40        frame.src = "data:text/html,<h1>Hello World</h1>"
     41        frame.onload = t.step_func(() => {
     42          frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/";
     43 
     44          window.addEventListener('securitypolicyviolation', t.step_func_done(e => {
     45            assert_equals(e.blockedURI, "https://{{hosts[][www1]}}:{{ports[https][0]}}");
     46            assert_equals(e.effectiveDirective, "frame-src");
     47          }), { once: true });
     48        });
     49        document.body.append(frame);
     50      }, "Cross-origin frame with other path is blocked even after replacing the already loaded URL");
     51    </script>
     52  </body>
     53 </html>