tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

media-src-redir-bug.sub.html (3099B)

      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4    <title>Video element src attribute must match src list - positive test</title>
      5    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src http://{{domains[www2]}}:{{ports[http][0]}}/ 'self'; connect-src 'self';">
      6    <script src='/resources/testharness.js'></script>
      7    <script src='/resources/testharnessreport.js'></script>
      8 </head>
      9 <body>
     10    <h1>Video element in media-src list - redirect test</h1>
     11    <div id='log'></div>
     12 
     13  <p>This test tests a buggy interaction in Chrome 46.  Two hosts (self and www2) are both allowed
     14    as media-src, but only one (self) is allowed for connect-src.  If a video src starts on
     15    an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug
     16    causes the redirect to be done in a fetch context to which connect-src is being applied instead, so
     17    the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.)</p>
     18 
     19  <script>
     20    var src_test = async_test("In-policy async video src");
     21    var src_redir_test = async_test("in-policy async video src w/redir")
     22    var source_test = async_test("In-policy async video source element");
     23    var source_redir_test = async_test("In-policy async video source element w/redir");
     24 
     25    var t_spv = async_test("Should not fire policy violation events");
     26    var test_count = 4;
     27    window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
     28 
     29    function media_loaded(t) {
     30      t.done();
     31      if (--test_count <= 0) {
     32        t_spv.done();
     33      }
     34    }
     35 
     36    function media_error_handler(t) {
     37      t.step( function () {
     38          assert_unreached("Media error handler shouldn't be triggered for allowed domain.");
     39      });
     40      t.done();
     41    }
     42  </script>
     43 
     44    <video id="videoObject" width="320" height="240" controls
     45           onloadeddata="media_loaded(source_test)">
     46        <source id="videoSourceObject"
     47                type="video/webm"
     48                onerror="media_error_handler(source_test)"
     49                src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.webm">
     50    </video>
     51 
     52    <video id="videoObject2" width="320" height="240" controls
     53           onerror="media_error_handler(src_test)"
     54           onloadeddata="media_loaded(src_test)"
     55           src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.webm">
     56 
     57    <video id="videoObject3" width="320" height="240" controls
     58           onloadeddata="media_loaded(source_redir_test)">
     59        <source id="videoSourceObject"
     60                type="video/webm"
     61                onerror="media_error_handler(source_test)"
     62                src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.webm">
     63    </video>
     64 
     65    <video id="videoObject2" width="320" height="240" controls
     66           onerror="media_error_handler(src_redir_test)"
     67           onloadeddata="media_loaded(src_redir_test)"
     68           src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.webm">
     69 
     70 </body>
     71 </html>