tor-browser

The Tor Browser

cspee.https.html (2489B)


      1 <!DOCTYPE html>
      2 <title>Test fenced frame in CSPEE</title>
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="/common/utils.js"></script>
      6 <script src="/common/dispatcher/dispatcher.js"></script>
      7 <script src="resources/utils.js"></script>
      8 
      9 <body>
     10 <script>
     11 promise_test(async(t) => {
     12  const iframe = attachIFrameContext({
     13    attributes: [["csp", "frame-src *"]],
     14    headers: [["Allow-CSP-From", "*"]]
     15  });
     16  t.step_timeout(() => t.done(), 1000);
     17  await iframe.execute(async (t) => {
     18    const fencedframe = attachFencedFrameContext({
     19      headers: [["Allow-CSP-From", "*"]]
     20    });
     21    await fencedframe.execute(() => {});
     22  });
     23  assert_unreached("fenced frame should not be loaded.");
     24 }, 'fenced frame should not be loaded in CSPEE');
     25 
     26 promise_test(async(t) => {
     27  const iframe_a = attachIFrameContext({
     28    attributes: [["csp", "frame-src *"]],
     29    headers: [["Allow-CSP-From", "*"]]
     30  });
     31  t.step_timeout(() => t.done(), 1000);
     32  await iframe_a.execute(async (t) => {
     33    const iframe_b = attachIFrameContext({headers: [["Allow-CSP-From", "*"]]});
     34    await iframe_b.execute(async (t) => {
     35      const fencedframe = attachFencedFrameContext({
     36        headers: [["Allow-CSP-From", "*"]]
     37      });
     38      await fencedframe.execute(() => {});
     39    });
     40  });
     41  assert_unreached("fenced frame should not be loaded.");
     42 }, 'fenced frame should not be loaded if any ancestor has CSPEE');
     43 
     44 promise_test(async(t) => {
     45  const iframe = attachIFrameContext({
     46    attributes: [["csp", "frame-src *"]],
     47    headers: [["Allow-CSP-From", "*"]]
     48  });
     49  await iframe.execute(async (t) => {
     50    assert_false(navigator.canLoadAdAuctionFencedFrame());
     51  });
     52 }, 'canLoadOpaqueURL considers CSPEE headers');
     53 
     54 promise_test(async(t) => {
     55  const iframe_a = attachIFrameContext({
     56    attributes: [["csp", "frame-src *"]],
     57    headers: [["Allow-CSP-From", "*"]]
     58  });
     59  await iframe_a.execute(async (t) => {
     60    const iframe_b = attachIFrameContext({headers: [["Allow-CSP-From", "*"]]});
     61    await iframe_b.execute(async (t) => {
     62      assert_false(navigator.canLoadAdAuctionFencedFrame());
     63    });
     64  });
     65 }, 'canLoadOpaqueURL considers CSPEE headers up the ancestor chain');
     66 
     67 promise_test(async(t) => {
     68  const iframe = attachIFrameContext();
     69  await iframe.execute(async (t) => {
     70    assert_true(navigator.canLoadAdAuctionFencedFrame());
     71  });
     72 }, 'canLoadOpaqueURL returns true if no CSPEE headers are present in iframe');
     73 </script>
     74 </body>