
reporting-api-sends-reports-on-violation.https.sub.html (2483B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Test that reports using the report-api service are sent when there's a violation</title>
      5  <script src='/resources/testharness.js'></script>
      6  <script src='/resources/testharnessreport.js'></script>
      7 </head>
      8 <body>
      9  <script>
     10    var t1 = async_test("Test that image does not load"); // finished by the <img> inline handlers below (onerror -> done, onload -> unreached), so it has to be reachable globally
     11    async_test(function(t2) {
     12    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { // DOM-event view of the same blocked image load
     13        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); // {{location[...]}} placeholders are filled in by the test server (.sub.html)
     14        assert_equals(e.violatedDirective, "img-src");
     15        t2.done();
     16      }));
     17    }, "Event is fired");
     18    // Reporting API view of the same violation: the observer is registered before the <img> below is parsed.
     19    async_test(function(t3) {
     20      var observer = new ReportingObserver(function(reports, observer) {
     21        t3.step(function() {
     22          assert_equals(reports.length, 1); // exactly one blocked load (fail.png) is expected in this batch
     23          // Expected URLs are derived from the same substituted origin the <img> src resolves against.
     24          // Ensure that the contents of the report are valid.
     25          var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/"
     26          var document_url = base_url + "reporting-api/reporting-api-sends-reports-on-violation.https.sub.html";
     27          assert_equals(reports[0].type, "csp-violation");
     28          assert_equals(reports[0].url, document_url);
     29          assert_equals(reports[0].body.documentURL, document_url);
     30          assert_equals(reports[0].body.referrer, "");
     31          assert_equals(reports[0].body.blockedURL,
     32                        base_url + "support/fail.png"); // the <img> src, absolutised
     33          assert_equals(reports[0].body.effectiveDirective, "img-src");
     34          assert_equals(reports[0].body.originalPolicy,
     35                        "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"); // policy served with this page; img-src 'none' is what blocks fail.png, report-to routes the report
     36          assert_equals(reports[0].body.sourceFile, document_url);
     37          assert_equals(reports[0].body.sample, ""); // empty: policy has no 'report-sample' and a blocked resource load has nothing inline to sample
     38          assert_equals(reports[0].body.disposition, "enforce"); // enforced, not report-only; consistent with t1 requiring the image to fail
     39          assert_equals(reports[0].body.statusCode, 200); // HTTP status of this document's response
     40          assert_equals(reports[0].body.lineNumber, 53); // a line of this document (sourceFile is document_url): inserting or removing lines in this file breaks this assertion
     41          assert_equals(reports[0].body.columnNumber, 0);
     42        });
     43        // done() runs regardless: a failing assert inside step() has already marked t3 failed.
     44        t3.done();
     45      });
     46      observer.observe();
     47    }, "Report is observable to ReportingObserver");
     48  </script>
     49  <img src='/content-security-policy/support/fail.png'
     50       onload='t1.unreached_func("The image should not have loaded");'
     51       onerror='t1.done();'>
     52 
     53  <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>
     54 </body>
     55 </html>