

      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <meta name="timeout" content="long">
      5 <script src='/resources/testharness.js'></script>
      6 <script src='/resources/testharnessreport.js'></script>
      7 <script src='/common/utils.js'></script>
      8 <script src='/content-security-policy/support/testharness-helper.js'></script>
      9 <script>
     10 
// Directives exercised by the generated tests below. Each value is the
// result the popup is expected to report when that directive is set to "*"
// while every other listed directive (and default-src) is 'none':
// `true` means the prefetch should go through, `false` that it should not.
// base-uri is included as the one entry that must not unlock prefetching.
const directives = Object.fromEntries([
  ...[
    'script-src',
    'img-src',
    'connect-src',
    'object-src',
    'font-src',
    'manifest-src',
    'media-src',
    'style-src',
    'child-src',
    'frame-src',
    'worker-src',
  ].map((name) => [name, true]),
  ['base-uri', false],
]);
     25 
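/**
 * Open a popup that loads prefetch-with-csp.html under the given
 * Content-Security-Policy and resolve with whatever the popup reports back
 * over a BroadcastChannel keyed by a fresh token.
 *
 * @param {Object<string, string>} byDirective - CSP directive name -> value.
 *   The function works on a shallow copy, so the caller's object is not
 *   modified. "script-src" is always rewritten to permit inline scripts,
 *   because the popup needs to run an inline reporting script.
 * @param {Object} t - the testharness test object; the popup and the
 *   channel are registered for cleanup on it.
 * @returns {Promise<*>} the first message received from the popup (the
 *   callers compare it against a boolean prefetch result).
 */
function prefetch_with_csp_in_a_popup(byDirective, t) {
  // Copy first: the original mutated the caller's object in place.
  const policy = { ...byDirective };
  // Allow inline scripts so that the popup can run its postMessage script.
  policy["script-src"] = policy["script-src"] === "*"
    ? "* 'unsafe-inline'"
    : "'unsafe-inline'";

  const csp = Object.entries(policy)
    .map(([key, value]) => `${key} ${value}`)
    .join(";");
  const url = new URL('/content-security-policy/support/prefetch-with-csp.html', location.href);
  // The "pipe" query parameter makes the test server attach the policy as a
  // response header on the popup document.
  url.searchParams.set("pipe", `header(Content-Security-Policy, ${csp})`);
  const uid = token();
  url.searchParams.set("uid", uid);

  const bc = new BroadcastChannel(uid);
  const popup = window.open(url.href);
  // Release both resources when the test ends; the original left the
  // BroadcastChannel open for the lifetime of the page.
  t.add_cleanup(() => {
    popup.close();
    bc.close();
  });
  return new Promise((resolve) => {
    // Only the first message matters; drop the listener once it arrives.
    bc.addEventListener("message", ({ data }) => resolve(data), { once: true });
  });
}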
     47 
// Two tests per listed directive: one where every other listed directive is
// explicitly 'none' on top of default-src 'none', and one where only
// default-src 'none' covers the rest. Both must report the expected value
// recorded in `directives`.
for (const [directive, expected] of Object.entries(directives)) {
  promise_test(async (t) => {
    const byDirective = {};
    for (const name of Object.keys(directives)) {
      byDirective[name] = "'none'";
    }
    byDirective[directive] = "*";
    byDirective["default-src"] = "'none'";
    const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
    assert_equals(prefetch_ok, expected, directive);
  }, `Test that ${directive} enabled with everything else disabled allows prefetching`);

  promise_test(async (t) => {
    const byDirective = {
      "default-src": "'none'",
      [directive]: "*",
    };
    const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
    assert_equals(prefetch_ok, expected, directive);
  }, `Test that ${directive} enabled with default-src disabled allows prefetching`);
}
     66 
// Pairs of script-src / script-src-elem values where the more permissive of
// the two is expected to win, so the prefetch goes through in both cases.
for (const { title, policy } of [
  {
    title: 'Test that permissive script-src-elem supersedes script-src',
    policy: {
      "default-src": "'none'",
      "script-src-elem": "* 'unsafe-inline'",
      "script-src": "'none'",
    },
  },
  {
    title: 'Test that permissive script-src supersedes script-src-elem',
    policy: {
      "default-src": "'none'",
      "script-src-elem": "'unsafe-inline'",
      "script-src": "*",
    },
  },
]) {
  promise_test(async (t) => {
    const prefetch_ok = await prefetch_with_csp_in_a_popup({ ...policy }, t);
    assert_true(prefetch_ok);
  }, title);
}
     86 
     87 </script>
     88 </head>
     89 <body>
     90 </body>
     91 </html>