script-src-wildcards-disallowed.html (2571B)


      1 <!DOCTYPE html>
      2 <html>
      3    <head>
      4    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';">
      5    <title>script-src disallowed wildcard use</title>
      6    <script src="/resources/testharness.js"></script>
      7    <script src="/resources/testharnessreport.js"></script>
      8    </head>
      9    <body>
     10    <script nonce="nonce">
     11        var t1 = async_test('data: URIs should not match *');
     12        t1.step(function() {
     13            var script = document.createElement("script");
     14            script.src = 'data:application/javascript,';
     15            script.addEventListener('load', t1.step_func(function() {
     16                assert_unreached('Should not successfully load data URI.');
     17            }));
     18            script.addEventListener('error', t1.step_func(function() {
     19                t1.done();
     20            }));
     21            document.head.appendChild(script);
     22        });
     23 
     24        var t2 = async_test('blob: URIs should not match *');
     25        t2.step(function() {
     26            var b = new Blob([''], { type: 'application/javascript' });
     27            var script = document.createElement('script');
     28            script.addEventListener('load', t2.step_func(function() {
     29                assert_unreached('Should not successfully load blob URI.');
     30            }));
     31            script.addEventListener('error', t2.step_func(function() {
     32                t2.done();
     33            }));
     34 
     35            script.src = URL.createObjectURL(b);
     36            document.head.appendChild(script);
     37        });
     38 
     39        var t3 = async_test('filesystem URIs should not match *');
     40        if (window.webkitRequestFileSystem) {
     41            window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
     42                fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
     43                    fileEntry.createWriter(function(fileWriter) {
     44                        var script = document.createElement('script');
     45 
     46                        script.addEventListener('load', t3.step_func(function() {
     47                            assert_unreached('Should not successfully load filesystem URI.');
     48                        }));
     49                        script.addEventListener('error', t3.step_func(function() {
     50                            t3.done();
     51                        }));
     52 
     53                        script.src = fileEntry.toURL('application/javascript');
     54                        document.body.appendChild(script);
     55                    });
     56                });
     57            });
     58        } else {
     59          t3.done();
     60        }
     61    </script>
     62    </body>
     63 </html>