
dangling-markup-mitigation.tentative.https.html (2417B)


      1 <!DOCTYPE html>
      2 <meta name="timeout" content="long">
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <body>
      6 <script>
 // Poll the service worker for the requests it has recorded so far.
 //
 // Each post to `worker` is answered with a 'message' event on
 // navigator.serviceWorker whose `data` is Set-like (this function only
 // relies on its `.size`; what exactly the worker records is defined in
 // service-worker.js, which is not part of this file).  The function keeps
 // re-posting until a reply holds at least `expected` entries and resolves
 // with that reply.  It has no timeout of its own -- the harness
 // <meta name="timeout"> bounds the test.
 function get_requests(worker, expected) {
   return new Promise((resolve) => {
     const container = navigator.serviceWorker;
     const poll = () => worker.postMessage("");
     const onReply = (evt) => {
       const recorded = evt.data;
       if (recorded.size < expected) {
         // Not enough yet: ask again (the worker replies to every post).
         poll();
         return;
       }
       container.removeEventListener('message', onReply);
       resolve(recorded);
     };
     container.addEventListener('message', onReply);
     poll();
   });
 }
     20 
 // Markup generators for every subresource / navigation kind under test.
 // Each entry is used as a template tag (html`...`), so `x` arrives as the
 // literal-strings array and is coerced to a string when interpolated into
 // the URL's query.  All URLs point below "404/" so the service worker can
 // recognise them; the path segment after "404/" is what the test later
 // looks up in the recorded requests.
 const resources = [
   (x) => `<link rel="stylesheet" href="404/style?${x}">`,            // stylesheet
   (x) => `<link rel="prefetch" as="style" href="404/prefetch?${x}">`, // prefetch
   (x) => `<script src="404/script?${x}"><\/script>`,                 // classic script
   (x) => `<iframe src="404/iframe?${x}"></iframe>`,                  // nested frame
   (x) => `<meta http-equiv="refresh" content="0;url=404/meta?${x}">`, // meta refresh
   (x) => `<a href="404/a?${x}">click</a><script>document.querySelector('a').click()<\/script>`, // link navigation
   (x) => `<base href="404/base?${x}"><a href>me</a><script>document.querySelector('a').click()<\/script>`, // navigation via <base>
   (x) => `<video controls poster="404/poster?${x}"></video>`,        // video poster
   (x) => `<input type="image" src="404/input?${x}">`,                // image input
   (x) => `<form method="GET" action="404/form?${x}"></form><script>document.querySelector('form').submit()<\/script>`, // form submission
   (x) => `<body background="404/body?${x}"></body>`,                 // body background
 ];
     34 
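 // Dangling-markup mitigation must not over-block: a request whose URL does
 // NOT carry the "\n<" signature has to reach the network.  Every markup
 // generator in `resources` is loaded twice through resources.html -- once
 // with "%0A<" injected into the query and once clean -- and the test then
 // asserts that each clean request path shows up in what the service worker
 // recorded.  Note that nothing here asserts the "%0A<" variants were
 // blocked; only the "still fetched" half of the contract is checked.
 //
 // Uses promise_test so that an assertion failure after an `await` is
 // reported as a test failure rather than an unhandled rejection, and so
 // cleanup runs even when an assertion fails.
 promise_test(async t => {
   const script = 'service-worker.js';
   // Await the registration: a failure here is a real test failure, not a
   // silent rejection followed by a timeout waiting on `ready`.
   await navigator.serviceWorker.register(script);
   const registration = await navigator.serviceWorker.ready;
   // Unregister regardless of outcome so the worker does not leak into
   // later tests sharing this scope.
   t.add_cleanup(() => registration.unregister());

   const paths = [];
   for (const html of resources) {
     const withMarkup =
       document.body.appendChild(document.createElement('iframe'));
     withMarkup.src = 'resources.html?html=' + html`%0A<`;
     const clean =
       document.body.appendChild(document.createElement('iframe'));
     clean.src = 'resources.html?html=' + html``;
     t.add_cleanup(() => {
       withMarkup.remove();
       clean.remove();
     });
     // Recover the request path (e.g. "style?") by probing the generator
     // with a sentinel and slicing between "404/" and that sentinel.
     const probe = html`EOP`;
     const start = probe.indexOf('404/') + 4;
     paths.push(probe.slice(start, probe.indexOf('EOP', start)));
   }

   // `requests` is whatever service-worker.js posts back; it is expected to
   // be Set-like and keyed by the path segment computed above.
   const requests = await get_requests(registration.active, resources.length);
   for (const path of paths) {
     assert_true(requests.has(path), `${path} should appear in requests sent`);
   }
 }, 'Only blocks dangling markup requests');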
     61 </script>