
connect-src-allow.sub.js (2661B)


      1 importScripts("{{location[server]}}/resources/testharness.js");
      2 importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
      3 
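// Base URLs for the resource that the tests in this script request. The
// {{...}} placeholders are template fields substituted when the ".sub.js"
// file is served, so both values are fixed before any test runs.
//
// Declared const: each test derives its own URL by appending a distinct
// query string, and nothing should be able to retarget a request by
// reassigning one of these by accident.

// Resource under the same server location as this script (same-origin).
const base_same_origin_url =
    "{{location[server]}}/content-security-policy/support/resource.py";

// The same resource path on a different host and HTTPS port (cross-origin).
const base_cross_origin_url =
    "https://{{hosts[][www]}}:{{ports[https][1]}}" +
    "/content-security-policy/support/resource.py";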
      9 
// Same-origin fetch(), baseline ("without CSP") case: the request is expected
// to complete with HTTP 200.
promise_test(t => {
  const url = `${base_same_origin_url}?same-origin-fetch`;
  // Called before the request is issued. The helper is not defined in this
  // file (presumably it comes from the imported testharness-helper.js); going
  // by its name it fails the test if a CSP violation event is reported for
  // this URL.
  assert_no_csp_event_for_url(t, url);

  // Wrapped in step_func so a failed assertion is attributed to this test.
  const expect_ok = t.step_func(response => {
    assert_equals(response.status, 200);
  });
  return fetch(url).then(expect_ok);
}, `Same-origin 'fetch()' in ${self.location.protocol} without CSP`);
     18 
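// Same-origin XMLHttpRequest, baseline ("without CSP") case.
// XHR is not available in service workers, so the test is only registered
// where the constructor exists.
if (self.XMLHttpRequest) {
  promise_test(t => {
    const url = `${base_same_origin_url}?same-origin-xhr`;
    // Called before the request is sent. The helper is not defined in this
    // file; going by its name it fails the test if a CSP violation event is
    // reported for this URL.
    assert_no_csp_event_for_url(t, url);

    return new Promise((resolve, reject) => {
      const xhr = new XMLHttpRequest();
      xhr.open("GET", url);
      // "load" also fires for error responses, so pass the status on and
      // check it, as the fetch() tests in this script do.
      xhr.onload = () => resolve(xhr.status);
      // Reject with an Error (not a bare string) so the harness reports a
      // message and stack for the failed request.
      xhr.onerror = () => reject(new Error(
          "Same-origin XHR should succeed, but the request reported an error."));
      xhr.send();
    }).then(status => assert_equals(status, 200));
  }, "Same-origin XHR in " + self.location.protocol + " without CSP");
}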
     34 
// Cross-origin fetch(), baseline ("without CSP") case: the request to the
// other host/port is expected to complete with HTTP 200.
promise_test(t => {
  const url = `${base_cross_origin_url}?cross-origin-fetch`;
  // Called before the request is issued. The helper is not defined in this
  // file; going by its name it fails the test if a CSP violation event is
  // reported for this URL.
  assert_no_csp_event_for_url(t, url);

  // Wrapped in step_func so a failed assertion is attributed to this test.
  const expect_ok = t.step_func(response => {
    assert_equals(response.status, 200);
  });
  return fetch(url).then(expect_ok);
}, `Cross-origin 'fetch()' in ${self.location.protocol} without CSP`);
     43 
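// Cross-origin XMLHttpRequest, baseline ("without CSP") case.
// XHR is not available in service workers, so the test is only registered
// where the constructor exists.
if (self.XMLHttpRequest) {
  promise_test(t => {
    const url = `${base_cross_origin_url}?cross-origin-xhr`;
    // Called before the request is sent. The helper is not defined in this
    // file; going by its name it fails the test if a CSP violation event is
    // reported for this URL.
    assert_no_csp_event_for_url(t, url);

    return new Promise((resolve, reject) => {
      const xhr = new XMLHttpRequest();
      xhr.open("GET", url);
      // "load" also fires for error responses, so pass the status on and
      // check it, as the fetch() tests in this script do.
      xhr.onload = () => resolve(xhr.status);
      // Reject with an Error (not a bare string) so the harness reports a
      // message and stack for the failed request.
      xhr.onerror = () => reject(new Error(
          "Cross-origin XHR should succeed, but the request reported an error."));
      xhr.send();
    }).then(status => assert_equals(status, 200));
  }, "Cross-origin XHR in " + self.location.protocol + " without CSP");
}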
     59 
// fetch() of a same-origin URL that answers with a 307 redirect to the
// cross-origin resource, baseline ("without CSP") case: the redirect is
// expected to be followed and the final response to be HTTP 200.
promise_test(t => {
  // The redirect target is placed in the "location" query parameter as-is
  // (not percent-encoded).
  const redirect_target = `${base_cross_origin_url}?cross-origin-fetch`;
  const url = "{{location[server]}}/common/redirect-opt-in.py?" +
      "status=307&location=" + redirect_target;
  // NOTE(review): only the initial redirector URL is handed to the helper;
  // the cross-origin redirect target is not passed to it separately here.
  assert_no_csp_event_for_url(t, url);

  // Wrapped in step_func so a failed assertion is attributed to this test.
  const expect_ok = t.step_func(response => {
    assert_equals(response.status, 200);
  });
  return fetch(url).then(expect_ok);
}, `Same-origin => cross-origin 'fetch()' in ${self.location.protocol}` +
          " without CSP");
     70 
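// WebSocket, baseline ("without CSP") case: the connection to the echo
// endpoint is expected to open.
promise_test(t => {
  const url = "wss://{{host}}:{{ports[wss][0]}}/echo";
  // Called before the socket is created. The helper is not defined in this
  // file; going by its name it fails the test if a CSP violation event is
  // reported for this URL.
  assert_no_csp_event_for_url(t, url);

  return new Promise((resolve, reject) => {
    const ws = new WebSocket(url);
    // Do not leave the connection open once the test has finished.
    t.add_cleanup(() => ws.close());
    ws.onopen = resolve;
    // Without an error handler a refused or blocked connection would only
    // show up as a harness timeout; reject so it is reported as a failure
    // of this test with a clear message.
    ws.onerror = () => reject(new Error(
        "WebSocket connection should open, but it reported an error."));
  });
}, "WebSocket without CSP");

// Tell testharness.js that every test in this script has been registered.
done();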