script-sample.html (2967B)
<!doctype html>
<!--
  Conformance test for the CSP 'report-sample' keyword: every script the
  policy below refuses must raise a securitypolicyviolation event whose
  `sample` holds the refused source text.

  script-src allows only nonce "abc" and carries neither 'unsafe-inline' nor
  'unsafe-eval', so a nonce-less inline script, an inline event handler, a
  javascript: URL and string evaluation are all expected to be blocked.
  The sample is capped at the first 40 characters of the blocked source, and
  every payload in this file stays within that length.

  The fixed nonce is acceptable only because this is a test fixture; a
  deployed policy needs a fresh, unpredictable nonce per response. Samples
  sent to a report endpoint can carry page data embedded in inline script,
  so such reports should be handled as potentially sensitive.
-->
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'report-sample'; style-src 'self'; img-src 'none'">
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<body>
<script nonce="abc">
  // Returns a promise that settles with the first securitypolicyviolation
  // event dispatched at `el`.
  function waitForViolation(el) {
    return new Promise(resolve =>
      el.addEventListener('securitypolicyviolation', resolve));
  }

  // Inline <script> element created without a nonce: script-src refuses it
  // when it is inserted into the document.
  async_test(t => {
    const blockedScript = document.createElement('script');
    blockedScript.innerText = "assert_unreached('inline script block')";

    // Subscribe before insertion so the report cannot be missed.
    const violation = waitForViolation(blockedScript);
    violation.then(t.step_func_done(event => {
      assert_equals(event.blockedURI, "inline");
      assert_equals(event.sample, "assert_unreached('inline script block')");
    }));

    document.head.append(blockedScript);
  }, "Inline script should have a sample.");

  // Inline event handler attribute: the handler text is the expected sample.
  async_test(t => {
    const anchor = document.createElement("a");
    anchor.setAttribute("onclick", "assert_unreached('inline event handler')");

    const violation = waitForViolation(anchor);
    violation.then(t.step_func_done(event => {
      assert_equals(event.blockedURI, "inline");
      assert_equals(event.sample, "assert_unreached('inline event handler')");
    }));

    document.body.append(anchor);
    anchor.click();
  }, "Inline event handlers should have a sample.");

  // javascript: URL used as an iframe source: the whole URL, scheme
  // included, is the expected sample.
  async_test(t => {
    const frame = document.createElement("iframe");
    frame.src = "javascript:'inline url'";

    const violation = waitForViolation(frame);
    violation.then(t.step_func_done(event => {
      assert_equals(event.blockedURI, "inline");
      assert_equals(event.sample, "javascript:'inline url'");
    }));

    document.body.append(frame);
  }, "JavaScript URLs in iframes should have a sample.");

  // The three tests below all listen on `document` and all expect
  // blockedURI "eval", so each listener also sees the reports meant for the
  // others; the sample comparison picks out the report for its own test.

  async_test(t => {
    document.addEventListener('securitypolicyviolation', t.step_func(event => {
      if (event.blockedURI != "eval") return;
      if (event.sample != "assert_unreached('eval')") return;
      t.done();
    }));
    try {
      eval("assert_unreached('eval')");
      assert_unreached('eval');
    } catch (ignored) {
      // Deliberately empty: only the violation report is under test.
      // NOTE(review): testharness assertions fail by throwing, so this catch
      // also swallows both assert_unreached calls above. If the policy ever
      // stopped blocking eval(), the test would fail by timing out rather
      // than with an assertion message.
    }
  }, "eval() should have a sample.");

  async_test(t => {
    document.addEventListener('securitypolicyviolation', t.step_func(event => {
      if (event.blockedURI != "eval") return;
      if (event.sample != "assert_unreached('interval')") return;
      t.done();
    }));
    try {
      setInterval("assert_unreached('interval')", 1000);
      assert_unreached('interval');
    } catch (ignored) {
      // Deliberately empty: only the violation report is under test.
      // NOTE(review): a string handler refused by CSP is not expected to
      // make setInterval() throw, so the assert_unreached above is probably
      // reached and then swallowed here. Confirm before relying on it.
    }
  }, "setInterval() should have a sample.");

  async_test(t => {
    document.addEventListener('securitypolicyviolation', t.step_func(event => {
      if (event.blockedURI != "eval") return;
      if (event.sample != "assert_unreached('timeout')") return;
      t.done();
    }));
    try {
      setTimeout("assert_unreached('timeout')", 1000);
      assert_unreached('timeout');
    } catch (ignored) {
      // Deliberately empty: only the violation report is under test.
      // NOTE(review): same caveat as the setInterval() test. The
      // assert_unreached above is probably reached and swallowed. Confirm.
    }
  }, "setTimeout() should have a sample.");
</script>