

      1 <!DOCTYPE html>
      2 <script src="/resources/testharness.js"></script>
      3 <script src="/resources/testharnessreport.js"></script>
      4 
      5 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
      6 
      7 <body>
      8 
      9 <script nonce="abc">
 // Arm a one-shot "securitypolicyviolation" listener on THIS (embedding)
 // document and call `resolve` once a violation for an inline script has been
 // reported. The violation is expected here, not in the child document: a
 // `javascript:` navigation is checked against the CSP of the document that
 // initiates it (this page's policy is `script-src 'nonce-abc'`, which has no
 // 'unsafe-inline'). Before resolving, the child document's body must still be
 // empty, proving the `'Fail.'` payload never executed.
 //
 // @param {Test} test       testharness.js test whose step_func wraps the handler.
 // @param {HTMLIFrameElement} element  Frame whose child document is inspected.
 // @param {Function} resolve Invoked after the violation has been verified.
 function assert_csp_event_for_element(test, element, resolve) {
   assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");

   const onViolation = test.step_func((event) => {
     // The harness expects a blocked javascript: URL to be reported with
     // blockedURI "inline" under the script-src-elem directive.
     assert_equals(event.blockedURI, "inline");
     assert_equals(event.effectiveDirective, "script-src-elem");
     assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
     element.remove();
     resolve();
   });

   // NOTE(review): the event carries no reference to the frame that triggered
   // it, so nothing here ties the violation to `element`; `once` keeps the
   // listener from leaking into the next test, and the tests presumably rely
   // on promise_test running them one at a time.
   document.addEventListener("securitypolicyviolation", onViolation, { once: true });
 }
     20 
 // After `iframe` has finished loading its current document, navigate it to a
 // `javascript:` URL from THIS document. Because the embedding document is the
 // navigation initiator, its CSP (no 'unsafe-inline') is the one that applies;
 // whatever policy the embedee itself carries must not matter. A violation
 // listener is therefore installed on the child document purely to prove that
 // the report never lands there.
 //
 // @param {Test} test     testharness.js test whose step_func/unreached_func
 //                        wrap the handlers.
 // @param {HTMLIFrameElement} iframe  Frame to navigate once it fires `load`.
 function navigate_to_javascript_onload(test, iframe) {
   // NOTE(review): the listener is not `{ once: true }`, so if the javascript:
   // URL were ever allowed to run and fire a further `load`, this handler would
   // re-enter and navigate again; confirm whether a single attempt is intended.
   const onLoad = test.step_func((event) => {
     assert_equals(typeof SecurityPolicyViolationEvent, "function");

     const embedee = iframe.contentDocument;
     embedee.addEventListener(
       "securitypolicyviolation",
       test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
     );

     iframe.src = "javascript:'Fail.'";
   });

   iframe.addEventListener("load", onLoad);
 }
     32 
 // Case 1: an <iframe> whose initial src is already a javascript: URL. Inserting
 // it into this document starts the navigation from here, and this document's
 // policy lacks 'unsafe-inline', so the violation must surface in this document
 // and the frame's body must stay empty.
 promise_test((t) => new Promise((resolve) => {
   const frame = document.createElement("iframe");
   frame.src = "javascript:'Fail.'";

   // Listener must be armed before insertion triggers the navigation.
   assert_csp_event_for_element(t, frame, resolve);

   document.body.appendChild(frame);
 }), "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
     43 
 // Case 2: a src-less <iframe> (initially about:blank). Once it has loaded,
 // this document navigates it to javascript:; the initiator's policy governs,
 // so the navigation is blocked and reported here.
 promise_test((t) => new Promise((resolve) => {
   const frame = document.createElement("iframe");

   // Arm both the embedder-side violation check and the deferred navigation
   // before the frame enters the document.
   assert_csp_event_for_element(t, frame, resolve);
   navigate_to_javascript_onload(t, frame);

   document.body.appendChild(frame);
 }), "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
     54 
 // Case 3: the child document is served with `script-src 'unsafe-inline'`, i.e.
 // the embedee itself WOULD permit inline script. That must not help: the
 // javascript: navigation is initiated by this document, so this document's
 // stricter policy applies and the navigation is still blocked and reported
 // here. This is the case that guards against a frame's permissive CSP being
 // used to bypass the embedder's policy.
 promise_test((t) => new Promise((resolve) => {
   const childPolicy = "script-src 'unsafe-inline'";
   const frame = document.createElement("iframe");
   frame.src = `../support/echo-policy.py?policy=${encodeURIComponent(childPolicy)}`;

   assert_csp_event_for_element(t, frame, resolve);
   navigate_to_javascript_onload(t, frame);

   document.body.appendChild(frame);
 }), "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
     66 
 // Case 4: the child document is served with `script-src 'none'`. Even though
 // the embedee's own policy would also reject the script, the violation must
 // still be reported in THIS document (the navigation initiator), and never in
 // the embedee -- navigate_to_javascript_onload asserts the latter.
 promise_test((t) => new Promise((resolve) => {
   const childPolicy = "script-src 'none'";
   const frame = document.createElement("iframe");
   frame.src = `../support/echo-policy.py?policy=${encodeURIComponent(childPolicy)}`;

   assert_csp_event_for_element(t, frame, resolve);
   navigate_to_javascript_onload(t, frame);

   document.body.appendChild(frame);
 }), "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
     78 </script>