<!doctype html>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; style-src 'self'; img-src 'none'">
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<body>
<script nonce="abc">
// The policy above contains no 'report-sample' keyword, so every
// SecurityPolicyViolationEvent raised by these tests is expected to carry an
// empty `sample` field regardless of how the blocked script was supplied.

// Resolves with the first securitypolicyviolation event dispatched on `el`.
function waitForViolation(el) {
  return new Promise((resolve) => {
    el.addEventListener('securitypolicyviolation', resolve);
  });
}

// Shared check for the inline cases: the violation must name "inline" as the
// blocked URI and expose no source sample. Call this before `target` is
// inserted into the document so the listener is already attached.
function expectInlineViolationWithoutSample(t, target) {
  waitForViolation(target).then(t.step_func_done((e) => {
    assert_equals(e.blockedURI, "inline");
    assert_equals(e.sample, "");
  }));
}

async_test((t) => {
  const s = document.createElement('script');
  s.innerText = "assert_unreached('inline script block')";
  expectInlineViolationWithoutSample(t, s);
  document.head.append(s);
}, "Inline script should not have a sample.");

async_test((t) => {
  const a = document.createElement("a");
  a.setAttribute("onclick", "assert_unreached('inline event handler')");
  expectInlineViolationWithoutSample(t, a);
  document.body.append(a);
  a.click();
}, "Inline event handlers should not have a sample.");

async_test((t) => {
  const i = document.createElement("iframe");
  i.src = "javascript:'inline url'";
  expectInlineViolationWithoutSample(t, i);
  document.body.append(i);
}, "JavaScript URLs in iframes should not have a sample.");

async_test((t) => {
  // Listens on the document and counts only violations whose blockedURI is
  // "eval"; one is expected per blocked call below, so the test completes
  // after the third.
  let violations = 0;
  document.addEventListener('securitypolicyviolation', t.step_func((e) => {
    if (e.blockedURI !== "eval") {
      return;
    }
    assert_equals(e.sample, "");
    violations += 1;
    if (violations === 3) {
      t.done();
    }
  }));

  // Each blocked call is expected to throw, which the empty catch absorbs.
  // NOTE(review): the same catch also absorbs the AssertionError thrown by the
  // trailing assert_unreached, so a call that is NOT blocked only shows up as
  // the harness timing out rather than as a direct assertion failure.
  try {
    eval("assert_unreached('eval')");
    assert_unreached('eval');
  } catch (e) {
  }
  try {
    setInterval("assert_unreached('interval')", 1000);
    assert_unreached('interval');
  } catch (e) {
  }
  try {
    setTimeout("assert_unreached('timeout')", 1000);
    assert_unreached('timeout');
  } catch (e) {
  }
}, "eval()-alikes should not have a sample.");
</script>