tor-browser

The Tor Browser

meta-element.sub.html (2031B)


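      <!DOCTYPE html>
      <meta charset="utf-8">
      <script src="/resources/testharness.js"></script>
      <script src="/resources/testharnessreport.js"></script>
      <!--
        Policy under test: a CSP `sandbox` directive delivered through a
        <meta http-equiv> element. The HTML spec requires it to be ignored,
        so nothing on this page (document, worker, child frame, worker of the
        child frame) should end up with an opaque origin.
      -->
      <meta content="sandbox allow-scripts" http-equiv="Content-Security-Policy">
      <body>
      <!-- Frame with no src: an about:blank document, same-origin with this one. -->
      <iframe id="iframe"></iframe>
      <script>
      // According to
      // https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy
      // `sandbox` directives must be ignored when delivered via `<meta>`.
      //
      // The location[scheme] / location[host] placeholders below are filled in
      // by the WPT server (this is a `.sub.html` file) with the origin the test
      // is served from; every check compares against that one value.
      const expectedOrigin = "{{location[scheme]}}://{{location[host]}}";

      test(() => {
        // A sandboxed document would report the opaque origin "null" here.
        assert_equals(location.origin, expectedOrigin);
      }, "Document shouldn't be sandboxed by <meta>");

      // Note: sandbox directive for workers are not yet specified.
      // https://github.com/w3c/webappsec-csp/issues/279
      // Anyway workers shouldn't be affected by sandbox directives in `<meta>`.
      async_test(t => {
        // The support worker posts its own origin back once it has loaded.
        const worker = new Worker("support/post-origin-on-load-worker.js");
        worker.onerror = t.unreached_func("Worker construction failed");
        worker.onmessage = t.step_func_done(e => {
          assert_equals(e.data, expectedOrigin);
        });
      }, "Worker shouldn't be sandboxed by inheriting <meta>");

      parent.async_test(t => {
        // Although <iframe about:blank> should inherit parent's CSP,
        // sandbox directives in <meta> should be ignored in the first place,
        // so workers created from such <iframe>s shouldn't also be sandboxed.
        const iframe = document.querySelector("#iframe");
        const iframeDocument = iframe.contentDocument;

        // Install the listener before the frame can send anything. Only a
        // message from the frame we created may complete this test; messages
        // from any other window (e.g. an enclosing harness) are ignored
        // instead of being asserted on.
        onmessage = t.step_func(e => {
          if (e.source !== iframe.contentWindow) {
            return;
          }
          assert_equals(e.data, expectedOrigin);
          t.done();
        });

        // Inject the worker-creating script into the frame. The frame reports
        // either the worker's origin or "onerror"; the latter makes the
        // assertion above fail. The "*" target origin is kept so that the
        // report is still delivered if the frame did end up sandboxed
        // (opaque origin), so the test fails instead of timing out.
        const script = iframeDocument.createElement("script");
        script.innerText = `
          const worker = new Worker("support/post-origin-on-load-worker.js");
          worker.onerror = () => parent.postMessage("onerror", "*");
          worker.onmessage = (e) => parent.postMessage(e.data, "*");
        `;
        iframeDocument.body.appendChild(script);
      }, "Worker shouldn't be sandboxed when created <iframe> inheriting parent's CSP with sandbox <meta>");
      </script>
      </body>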