
importScripts("{{location[server]}}/resources/testharness.js"); // wpt harness: promise_test, assert_*, done
importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js"); // presumably supplies the waitUntilCSPEventFor* helpers used below
// Script served from another host/port than this worker, so a `script-src 'self'` policy must refuse to load it.
let importscripts_url ="https://{{hosts[][www]}}:{{ports[https][1]}}" +
   "/content-security-policy/support/var-a.js";

promise_test(async t => {
  self.a = false; // var-a.js presumably sets this; it must stay false because the fetch is blocked
  assert_throws_dom("NetworkError",
                    _ => importScripts(importscripts_url),
                    "importScripts should throw `NetworkError`");
  assert_false(self.a); // the blocked script must not have executed
  return waitUntilCSPEventForURL(t, importscripts_url); // a violation event for the URL must be delivered as well
}, "Cross-origin `importScripts()` blocked in " + self.location.protocol +
            " with {{GET[test-name]}}");

promise_test(t => {
  assert_throws_js(EvalError,
                   _ => eval("1 + 1"),
                   "`eval()` should throw 'EvalError'.");
  // `new Function()` is the second eval sink; the report check below expects a script-src violation for both.
  assert_throws_js(EvalError,
                   _ => new Function("1 + 1"),
                   "`new Function()` should throw 'EvalError'.");
  return Promise.all([
    waitUntilCSPEventForEval(t, 19), // 19 and 23 are the file line numbers of the eval() and new Function() calls above;
    waitUntilCSPEventForEval(t, 23), // they must be updated if this file is ever reflowed
  ]);
}, "`eval()` blocked in " + self.location.protocol +
            " with {{GET[test-name]}}");

promise_test(t => {
  self.setTimeoutTest = t; // reachable from the string handler, which must never run
  let result = setTimeout("(self.setTimeoutTest.unreached_func(" + // file line 34: referenced by the event check below
                          "'setTimeout([string]) should not execute.'))()", 1);
  assert_equals(result, 0); // the blocked string handler is expected to return 0 instead of a real timer id
  return waitUntilCSPEventForEval(t, 34);
}, "`setTimeout([string])` blocked in " + self.location.protocol +
            " with {{GET[test-name]}}");

promise_test(async t => {
  // Fetch the reports the three blocked operations above should have produced;
  // min_count=4 asks the collector to wait until at least four have arrived.
  const report_url = "{{location[server]}}/reporting/resources/report.py" +
      "?op=retrieve_report&reportID={{GET[id]}}&min_count=4";
  const response = await fetch(report_url);
  assert_equals(response.status, 200, "Fetching reports failed");

  const reports = (await response.json()).map(entry => entry["csp-report"]);
  const sortedField = field => reports.map(report => report[field]).sort();

  // One report per blocked operation: the cross-origin importScripts() URL
  // plus one "eval" entry each for eval(), new Function() and setTimeout(string).
  const expected_directives =
      [ "script-src-elem", "script-src", "script-src", "script-src" ].sort();
  assert_array_equals(
      sortedField("blocked-uri"),
      [ importscripts_url, "eval", "eval", "eval" ].sort(),
      "Reports do not match");
  assert_array_equals(
      sortedField("violated-directive"),
      expected_directives,
      "Violated directive in report does not match");
  assert_array_equals(
      sortedField("effective-directive"),
      expected_directives,
      "Effective directive in report does not match");
  // The policy under test is enforced, not report-only, so every report must say so.
  for (const report of reports) {
    assert_equals(
        report["disposition"], "enforce",
        "Disposition in report does not match");
  }
}, "Reports are sent for " + self.location.protocol +
                 " with {{GET[test-name]}}");

done(); // harness call signalling that all tests in this worker have been registered