csp-blocked.https.html (2927B)
<!DOCTYPE html>
<title>Test opaque fenced frame navigations with disallowed CSP blocked</title>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="resources/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>

<body>
<script>
// Checks that an opaque fenced frame navigation (a destination obtained from
// runSelectURL, handed over either as a config object or as a urn:uuid) is
// blocked when the embedding context's CSP does not permit it, and that
// navigator.canLoadAdAuctionFencedFrame() reports the same verdict.
//
// Helpers such as setupCSP, token, runSelectURL, attachFencedFrame,
// writeValueToServer and nextValueFromServer are not defined in this file;
// they presumably come from the utils.js scripts loaded above.

// Source expressions that must NOT allow an opaque fenced frame to load.
// The test names below describe them as values of `fenced-frame-src`. Each one
// is narrower than "any https origin on any port": no source at all, same
// origin only, a non-https scheme, a wildcard host without a port wildcard, a
// wildcard host pinned to one port, and a single named host.
// NOTE(review): the rationale is presumably that the embedder cannot see the
// real destination of an opaque URL, so only a policy covering every possible
// https destination can be honoured without revealing it. Confirm against the
// fenced frame specification.
const blockedCSPs = [
  "'none'",
  "'self'",
  "data:",
  "https://*",
  "https://*:80",
  "https://b.test:*"
];

// Every scenario runs twice: once with the config form and once with the
// urn:uuid form of the selected URL.
for (const resolve_to_config of [true, false]) {
  const mode = resolve_to_config ? "config" : "urn:uuid";

  for (const csp of blockedCSPs) {
    promise_test(async () => {
      const iframe = setupCSP(csp);
      const key = token();

      // The callback gets everything it needs through the argument array
      // rather than by closure. NOTE(review): presumably iframe.execute runs
      // it in the framed context, so it must stay self-contained; confirm
      // against the dispatcher helper.
      await iframe.execute(async (frameKey, useConfig, policy) => {
        // Only the first violation is captured ({once: true}). If no
        // violation fires (i.e. the frame was allowed to load) this promise
        // never settles, so a regression shows up as a harness timeout, not
        // as an assertion failure.
        const violation = new Promise((resolve) => {
          window.addEventListener('securitypolicyviolation', (event) => {
            resolve(event.violatedDirective + ";" + event.blockedURI);
          }, {once: true});
        });

        const target = await runSelectURL(
            "/fenced-frame/resources/embeddee.html", [frameKey], useConfig);
        attachFencedFrame(target);

        // "fenced-frame-src;" means the violated directive is
        // fenced-frame-src and blockedURI is the empty string, so the
        // violation event does not disclose the selected destination to the
        // page that embeds the frame.
        const result = await violation;
        assert_equals(result, "fenced-frame-src;",
            "The fenced frame should not load for CSP fenced-frame-src " +
            policy);
      }, [key, resolve_to_config, csp]);
    }, "Fenced frame blocked for CSP fenced-frame-src " + csp + " using " +
        mode);
  }

  promise_test(async () => {
    // Two policies are installed together. NOTE(review): according to the
    // assertion message below, the second argument is a frame-src policy;
    // confirm against setupCSP.
    const iframe = setupCSP("*", "'self'");
    const key = token();

    await iframe.execute(async (frameKey, useConfig) => {
      window.addEventListener('securitypolicyviolation', (event) => {
        // The result is relayed through the server-side store under
        // `frameKey`; the outer test body reads it back with
        // nextValueFromServer().
        writeValueToServer(
            frameKey, event.violatedDirective + ";" + event.blockedURI);
      }, {once: true});

      const target = await runSelectURL(
          "resources/embeddee.html", [frameKey], useConfig);
      attachFencedFrame(target);
    }, [key, resolve_to_config]);

    // A permissive policy must not override a restrictive one: the load is
    // still expected to be reported as a fenced-frame-src violation with an
    // empty blockedURI.
    const result = await nextValueFromServer(key);
    assert_equals(result, "fenced-frame-src;",
        "The fenced frame should not load for CSP frame-src 'self' even if " +
        "another CSP allows loading a fenced frame.");

    // The capability query must agree with the enforcement result observed
    // above.
    await iframe.execute(() => {
      assert_false(navigator.canLoadAdAuctionFencedFrame());
    });
  }, "Fenced frame not loaded using " + mode +
      " if any of CSPs in place disallow loading");
}

// Independently of any navigation, the capability query must return false
// under each blocked policy, so a page cannot be told "allowed" for a load
// that the CSP would then refuse.
for (const csp of blockedCSPs) {
  promise_test(async () => {
    const iframe = setupCSP(csp);
    await iframe.execute(() => {
      assert_false(navigator.canLoadAdAuctionFencedFrame());
    });
  }, "Opaque-ads can load API returns false for " + csp);
}
</script>
</body>