
to-javascript-parent-initiated-parent-csp.html (2499B)


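      <!DOCTYPE html>
      <head>
      <meta charset="utf-8">
      <title>CSP: javascript: URL navigation initiated by the parent is governed by the parent's policy</title>
      <!--
        Policy of this (parent) document. script-src allows same-origin script
        files and inline script carrying the nonce "abc"; it does not contain
        'unsafe-inline'. Every test case below expects a javascript: URL
        navigation started from this document to be refused under this policy.
      -->
      <meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
      <script src="/resources/testharness.js"></script>
      <script src="/resources/testharnessreport.js"></script>
      <script src="support/utils.js"></script>
      </head>
      <body>
      <!--
        <frame-with-csp.sub.html> without parameters corresponds to no csp.
        The navigation target therefore has no policy of its own, so a block
        can only come from the policy of the document that starts the navigation.
      -->
      <iframe id="iframe" name="iframe" src="support/frame-with-csp.sub.html"></iframe>

      <!--
        The anchors and areas deliberately have no href in the markup: the test
        cases name "href" as the property to set. One element of each kind
        targets the child frame, the other targets the auxiliary window "otherTab".
      -->
      <a target="iframe" id="anchorElementWithTargetIframe">a</a>

      <a target="otherTab" id="anchorElementWithTargetOtherTab">a2</a>

      <map name="m">
        <area target="iframe" id="areaElementWithTargetIframe" shape="default">
        <area target="otherTab" id="areaElementWithTargetOtherTab" shape="default">
      </map>
      <img usemap="#m" alt="i">

      <script nonce="abc">
        /**
         * Registers the two possible outcomes of one test case on this window.
         *
         * Failure: a "message" event whose data is "executed" fails the test.
         * The message is presumably posted by the javascript: URL payload built
         * in support/utils.js (not shown here); confirm against that helper.
         *
         * Success: a securitypolicyviolation event with blockedURI 'inline' and
         * violatedDirective 'script-src-elem' completes the test and resolves
         * the promise. The listener is on this window, so the violation is
         * expected to be reported against this document's policy.
         *
         * NOTE(review): both listeners are registered with { once: true }; the
         * "message" listener is therefore consumed by the first message event
         * even when its data is not "executed".
         *
         * @param test     testharness.js test object of the current case.
         * @param resolve  Resolver of the promise returned to promise_test.
         */
        function addSuccessAndFailureEventListeners(test, resolve) {
          window.addEventListener("message", test.step_func(function(e) {
            if (e.data == "executed")
              assert_true(false, "Javascript url executed");
          }), { once: true });
          window.addEventListener('securitypolicyviolation', test.step_func_done(function(e) {
            assert_equals(e.blockedURI, 'inline');
            assert_equals(e.violatedDirective, 'script-src-elem');
            resolve();
          }), { once: true });
        }

        // Auxiliary browsing context that receives the target="otherTab" navigations.
        const otherTab = window.open("about:blank", "otherTab");

        // Close the auxiliary window once every test has reported, so the run
        // does not leave a stray window behind. window.open() may return null
        // (for example when popups are blocked), hence the guard.
        add_completion_callback(() => {
          if (otherTab)
            otherTab.close();
        });

        // One entry per navigation sink. The entries are interpreted by the
        // helpers in support/utils.js (not shown here): presumably the property
        // path in propertySequence receives a javascript: URL and, when given,
        // navigationFunction is invoked on the element to start the navigation.
        // Confirm against utils.js.
        const kTestCases = [
          { elementId: "iframe",
            propertySequence: ["contentWindow", "location", "href"],
          },
          { elementId: "iframe",
            propertySequence: ["src"],
          },
          { targetWindow: otherTab,
            propertySequence: ["location", "href"],
          },
          { elementId: "areaElementWithTargetIframe",
            propertySequence: ["href"],
            navigationFunction: "click",
          },
          { elementId: "areaElementWithTargetOtherTab",
            propertySequence: ["href"],
            navigationFunction: "click",
          },
          { elementId: "anchorElementWithTargetOtherTab",
            propertySequence: ["href"],
            navigationFunction: "click",
          },
          { elementId: "anchorElementWithTargetIframe",
            propertySequence: ["href"],
            navigationFunction: "click",
          },
        ];

        for (const testCase of kTestCases) {
          const injectionSinkDescription =
            determineInjectionSinkDescription(testCase);

          // The test name contains a line break followed by five spaces. They
          // are written as an escape so that the name does not depend on how
          // this source line happens to be indented.
          promise_test(t => new Promise(resolve => {
            // Listeners first, then the assignment, so neither outcome is missed.
            addSuccessAndFailureEventListeners(t, resolve);

            assignJavascriptURLToInjectionSink(testCase);
          }), `Should not have executed the javascript url for\n     ${injectionSinkDescription}`);
        }
      </script>
      </body>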