
feature-policy-nested-subframe-policy.https.sub.html (2774B)


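      <!DOCTYPE html>
      <body>
      <script>
      'use strict';
      // Test resource that is meant to be framed: it embeds six subframes (same-origin
      // and cross-origin, each served with a different Feature-Policy header for
      // `fullscreen`), collects what every subframe reports via postMessage, and
      // forwards the collected list to `parent`.
      const same_origin_src = '/feature-policy/resources/feature-policy-allowedfeatures.html';
      // The {{...}} placeholders are substituted by the WPT server (".sub" in the
      // file name), yielding an origin that differs from this page's own.
      const cross_origin_src = 'https://{{domains[www1]}}:{{ports[https][0]}}' + same_origin_src;
      // wptserve "pipe" query: the subframe response is served with the header
      // `Feature-Policy: fullscreen <policy>;` (the trailing ';)' is appended below).
      const subframe_header_policy = '?pipe=header(Feature-Policy, fullscreen ';
      const policy_all = '*';
      const policy_self = '\'self\'';
      const policy_none = '\'none\'';

      // Messages gathered from subframes. Once every subframe has reported, the
      // collected list is sent to the parent frame.
      const subframe_messages = [];

      // One entry per subframe, in insertion order: local (*, 'self', 'none'),
      // then remote (*, 'self', 'none').
      const frames = [];
      for (const [frame, base_src] of [['local', same_origin_src], ['remote', cross_origin_src]]) {
        for (const policy of [policy_all, policy_self, policy_none]) {
          const element = document.createElement('iframe');
          element.src = base_src + subframe_header_policy + policy + ';)';
          frames.push({frame, policy, element});
        }
      }

      window.addEventListener('message', function(evt) {
        // The sender is authenticated by window identity: only messages whose
        // `source` is the contentWindow of an iframe created above are recorded.
        // `evt.origin` is not consulted, so this relies on those windows still
        // showing the documents loaded here.
        const sender = frames.find(({element}) => evt.source === element.contentWindow);
        if (!sender) {
          // Unrelated window: ignore it, and do not let it trigger a report.
          return;
        }
        subframe_messages.push({frame: sender.frame, policy: sender.policy, allowedfeatures: evt.data});

        // NOTE(review): a subframe that posts more than once would be counted
        // twice; presumably the resource page reports exactly once - confirm.
        if (subframe_messages.length === frames.length) {
          // targetOrigin '*' delivers the report to whatever document is the parent.
          // That is tolerable here only because the payload is test output;
          // production code should name the expected parent origin instead.
          parent.postMessage(subframe_messages, '*');
        }
      });

      for (const {element} of frames) {
        document.body.appendChild(element);
      }
      </script>
      </body>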