
report-to-directive-allowed-in-meta.https.sub.html (2605B)


<!DOCTYPE HTML>
<html>
<head>
 <title>Test that reports using the report-api service are sent when there's a violation</title>
 <script src='/resources/testharness.js'></script>
 <script src='/resources/testharnessreport.js'></script>
 <meta http-equiv="content-security-policy" content="script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"> <!-- policy under test, delivered via <meta>: img-src 'none' is what the <img> below violates, report-to names the reporting endpoint group (honoured in <meta>, unlike report-uri, which is ignored there), and 'unsafe-inline' exists only because this page's own scripts and event handlers are inline -->
</head>
<body>
 <script>
   var t1 = async_test("Test that image does not load"); // deliberately a global: the <img> onload/onerror handlers below reference t1
   async_test(function(t2) { // 2) the document sees a securitypolicyviolation event for the blocked image
   window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
       assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); // {{...}} are wptserve substitutions (.sub.html)
       assert_equals(e.violatedDirective, "img-src");
       t2.done();
     }));
   }, "Event is fired");

   async_test(function(t3) { // 3) the same violation is delivered to a ReportingObserver as a "csp-violation" report
     var observer = new ReportingObserver(function(reports, observer) {
       t3.step(function() {
         assert_equals(reports.length, 1); // exactly one violation is expected: the single blocked image load

         // Ensure that the contents of the report are valid.
         var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/"
         var document_url = base_url + "reporting-api/report-to-directive-allowed-in-meta.https.sub.html";
         assert_equals(reports[0].type, "csp-violation");
         assert_equals(reports[0].url, document_url);
         assert_equals(reports[0].body.documentURL, document_url);
         assert_equals(reports[0].body.referrer, "");
         assert_equals(reports[0].body.blockedURL,
                       base_url + "support/fail.png");
         assert_equals(reports[0].body.effectiveDirective, "img-src");
         assert_equals(reports[0].body.originalPolicy,
                       "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"); // must echo the <meta> policy verbatim
         assert_equals(reports[0].body.sourceFile, document_url);
         assert_equals(reports[0].body.sample, ""); // empty: the policy has no 'report-sample' keyword, so no violation sample is attached
         assert_equals(reports[0].body.disposition, "enforce"); // a <meta>-delivered policy is always enforced; report-only cannot be delivered via <meta>
         assert_equals(reports[0].body.statusCode, 200);
         assert_equals(reports[0].body.lineNumber, 54); // tied to this file's line layout: adding or removing a line above the element the violation is attributed to shifts it, so keep edits on existing lines
         assert_equals(reports[0].body.columnNumber, 0);
       });

       t3.done();
     });
     observer.observe();
   }, "Report is observable to ReportingObserver");
 </script>
 <img src='/content-security-policy/support/fail.png'
      onload='t1.unreached_func("The image should not have loaded");'
      onerror='t1.done();'>

 <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script> <!-- 4) presumably fetches the report that the server-side endpoint of csp-group received and checks the field named by reportField against reportValue (here effectiveDirective vs. "img-src 'none'"); confirm against checkReport.sub.js -->
 <!--
   Summary of what this file verifies, in the order the checks appear above:
     1. the <img> does not load, because img-src 'none' blocks it;
     2. a securitypolicyviolation event fires for that load;
     3. a ReportingObserver receives one "csp-violation" report whose body matches the <meta> policy;
     4. checkReport.sub.js checks what the server-side reporting endpoint received (see its comment).
   The point under test is that the report-to directive is honoured when the policy is
   delivered via a <meta> element; report-uri, by contrast, is ignored in <meta> policies.
   All comments sit on existing lines or below the lineNumber assertion, which is tied
   to the file's line layout.
 -->
</body>
</html>