


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Tests for policies provided both in the header and by a meta tag</title>
      5  <script src="/common/get-host-info.sub.js"></script>
      6  <script src='/resources/testharness.js'></script>
      7  <script src='/resources/testharnessreport.js'></script>
      8  <script src='support/util.js'></script>
      9 </head>
     10 <body>
     11  <script nonce="abc">
     12    const { ORIGIN, REMOTE_ORIGIN } = get_host_info();
     13    const scriptUrl = new URL("./support/externalScript.js", document.location).toString();
     14 
     15    // Some of these tests set CSP in both the header and the meta tag, others
     16    // set multiple policies in multiple meta tags.
     17 
     18    promise_test(async t => {
     19      const scriptUrlHash = await sha256ofURL(scriptUrl);
     20      const headerPolicy = `script-src 'nonce-forinlinescript'`;
     21      const metaPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
     22 
     23      let frame = document.createElement('iframe');
     24      frame.src = `support/iframe_meta.sub.html?pipe=header(Content-Security-Policy,${headerPolicy})&policy=${metaPolicy}&script_url=externalScript.js`;
     25      document.body.appendChild(frame);
     26 
     27      const msgEvent = await new Promise(resolve => window.onmessage = resolve);
     28      assert_equals(msgEvent.data, 'CSP_VIOLATION');
     29    }, "url-hash in meta tag should not relax policy set by header");
     30 
     31    promise_test(async t => {
     32      const scriptUrlHash = await sha256ofURL(scriptUrl);
     33      const headerPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
     34      const metaPolicy = `script-src 'nonce-forinlinescript'`;
     35 
     36      let frame = document.createElement('iframe');
     37      frame.src = `support/iframe_meta.sub.html?pipe=header(Content-Security-Policy,${headerPolicy})&policy=${metaPolicy}&script_url=externalScript.js`;
     38      document.body.appendChild(frame);
     39 
     40      const msgEvent = await new Promise(resolve => window.onmessage = resolve);
     41      assert_equals(msgEvent.data, 'CSP_VIOLATION');
     42    }, "meta tag can restrict policy set by header");
     43 
     44    promise_test(async t => {
     45      const scriptUrlHash = await sha256ofURL(scriptUrl);
     46      const headerPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
     47      const metaPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}' 'url-sha256-abc'`;
     48 
     49      let frame = document.createElement('iframe');
     50      frame.src = `support/iframe_meta.sub.html?pipe=header(Content-Security-Policy,${headerPolicy})&policy=${metaPolicy}&script_url=externalScript.js`;
     51      document.body.appendChild(frame);
     52 
     53      const msgEvent = await new Promise(resolve => window.onmessage = resolve);
     54      assert_equals(msgEvent.data, 'SCRIPT_RAN');
     55    }, "more lax meta tag should still allow script");
     56 
     57    promise_test(async t => {
     58      const scriptUrlHash = await sha256ofURL(scriptUrl);
     59      const metaPolicy1 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
     60      const metaPolicy2 = `script-src 'nonce-forinlinescript'`;
     61 
     62      let frame = document.createElement('iframe');
     63      frame.src = `support/iframe_meta_multiple.html?pipe=sub&policy1=${metaPolicy1}&policy2=${metaPolicy2}`;
     64      document.body.appendChild(frame);
     65 
     66      const msgEvent = await new Promise(resolve => window.onmessage = resolve);
     67      assert_equals(msgEvent.data, 'CSP_VIOLATION');
     68    }, "multiple meta tags should apply most strict policy - lax first");
     69 
     70    promise_test(async t => {
     71      const scriptUrlHash = await sha256ofURL(scriptUrl);
     72      const metaPolicy1 = `script-src 'nonce-forinlinescript'`;
     73      const metaPolicy2 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
     74 
     75      let frame = document.createElement('iframe');
     76      frame.src = `support/iframe_meta_multiple.html?pipe=sub&policy1=${metaPolicy1}&policy2=${metaPolicy2}`;
     77      document.body.appendChild(frame);
     78 
     79      const msgEvent = await new Promise(resolve => window.onmessage = resolve);
     80      assert_equals(msgEvent.data, 'CSP_VIOLATION');
     81    }, "multiple meta tags should apply most strict policy - strict first");
     82 
     83    promise_test(async t => {
     84      const scriptUrlHash = await sha256ofURL(scriptUrl);
     85      const metaPolicy1 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}' 'url-sha256-abc'`;
     86      const metaPolicy2 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}' 'url-sha256-def'`;
     87 
     88      let frame = document.createElement('iframe');
     89      frame.src = `support/iframe_meta_multiple.html?pipe=sub&policy1=${metaPolicy1}&policy2=${metaPolicy2}`;
     90      document.body.appendChild(frame);
     91 
     92      const msgEvent = await new Promise(resolve => window.onmessage = resolve);
     93      assert_equals(msgEvent.data, 'SCRIPT_RAN');
     94    }, "multiple meta tags should apply most strict policy - both lax");
     95 
     96  </script>
     97 
     98 </body>
     99 </html>