csp-blocked.https.window.js (1027B)
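// META: title=FetchLater: blocked by CSP
// META: script=/common/utils.js
// META: script=/common/get-host-info.sub.js
// META: script=/fetch/fetch-later/resources/fetch-later-helper.js
'use strict';

const {
  HTTPS_NOTSAMESITE_ORIGIN,
} = get_host_info();

// FetchLater requests blocked by Content Security Policy are rejected.
// https://w3c.github.io/webappsec-csp/#should-block-request

// The policy is installed before the test body runs. A <meta>-delivered policy
// takes effect once the element is in the document, so the fetchLater() call
// below is issued under `connect-src 'self'`.
const meta = document.createElement('meta');
meta.setAttribute('http-equiv', 'Content-Security-Policy');
meta.setAttribute('content', 'connect-src \'self\'');
document.head.appendChild(meta);

promise_test(async t => {
  const uuid = token();
  // A URL on a different site is outside `connect-src 'self'`.
  const cspViolationUrl =
      generateSetBeaconURL(uuid, {host: HTTPS_NOTSAMESITE_ORIGIN});

  // Subscribe before issuing the request so the violation event cannot be
  // missed. The handler is wrapped in t.step_func() so that a failed assertion
  // is attributed to this test; thrown from a bare listener it would surface
  // as an uncaught error and leave the promise pending until the harness
  // times out.
  const violationReported = new Promise(resolve => {
    window.addEventListener(
        'securitypolicyviolation', t.step_func(e => {
          assert_equals(e.violatedDirective, 'connect-src');
          resolve();
        }),
        {once: true});
  });

  fetchLater(cspViolationUrl, {activateAfter: 0});

  // promise_test() completes when this async function settles, so no explicit
  // t.done() is needed.
  await violationReported;

  // NOTE(review): only the violation event is observed here. The test does not
  // check that the event belongs to cspViolationUrl, nor that no beacon was
  // recorded for `uuid` on the server side. Confirm whether the fetch-later
  // helper offers a way to assert the latter.
}, 'FetchLater blocked by CSP should reject');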