      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4    <script src='/resources/testharness.js'></script>
      5    <script src='/resources/testharnessreport.js'></script>
      6 </head>
      7 <body>
      8  <script>
   // Policies under test. Each row is [csp, expected, name]: the policy string
   // handed to the support page, whether the image is expected to load under
   // it (true = "img loaded", false = "img not loaded"), and the test title.
   // A directive that contains a non-ASCII character is expected to be dropped
   // as a whole while the remaining directives keep working.
   var tests = [
     // Baseline: CSP behaves normally when the policy is plain ASCII.
     ["", true, "Should load image without any CSP"],
     ["img-src 'none';", false, "Should not load image with 'none' CSP"],

     // Non-ASCII characters in a directive value or name.
     ["img-src 'none' \u00A1invalid-source; style-src 'none'", true,
      "Non-ASCII character in directive value should drop the whole directive."],
     ["img-src ‘none’;", true,
      "Non-ASCII quote character in directive value should drop the whole directive."],
     ["img-src 'none'; style-src \u00A1invalid-source 'none'", false,
      "Non-ASCII character in directive value should not affect other directives."],
     ["img-src 'none'; style\u00A1-src 'none'", false,
      "Non-ASCII character in directive name should not affect other directives."],
   ].map(([csp, expected, name]) => ({ csp, expected, name }));
     44 
   // Register two async tests per policy, in the same order as before: one
   // where the support page is handed the policy for delivery as a meta tag,
   // one where it is delivered as an HTTP header (per the two page names and
   // the test-title suffixes). The support page loads an image under the
   // policy and reports the outcome to this window via postMessage.
   for (const test of tests) {
     for (const [label, page] of [
       ["meta tag", "support/load_img_and_post_result_meta.sub.html"],
       ["HTTP header", "support/load_img_and_post_result_header.html"],
     ]) {
       // encodeURIComponent keeps the ';' separators and the non-ASCII code
       // points intact in the query string, so the support page sees the
       // exact policy under test.
       const url = page + "?csp=" + encodeURIComponent(test.csp);
       async_test(t => test_image_loads_as_expected(test, t, url),
                  test.name + " - " + label);
     }
   }
     58 
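   // Loads `url` in a fresh iframe and completes async test `t` once the
   // support page posts its result. `test.expected` true means the image must
   // have loaded ("img loaded"); false means the policy must have blocked it
   // ("img not loaded"). Only messages whose source is this iframe's window are
   // considered, so the twelve tests registered concurrently on this page
   // cannot consume each other's results.
   function test_image_loads_as_expected(test, t, url) {
     var i = document.createElement('iframe');
     i.src = url;
     var onMessage = t.step_func(function(e) {
       if (e.source !== i.contentWindow) return;
       // Detach before finishing: a second message from the same frame must
       // not re-enter a completed test, and the original code left one
       // listener per test attached to window for the page's lifetime.
       window.removeEventListener('message', onMessage);
       assert_equals(e.data, test.expected ? "img loaded" : "img not loaded");
       t.done();
     });
     window.addEventListener('message', onMessage);
     // Remove the iframe when the test ends, whether it passed, failed or
     // timed out, so stale frames do not linger in the document.
     t.add_cleanup(function() { i.remove(); });
     document.body.appendChild(i);
   }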
     73  </script>
     74 </body>
     75 </html>