
revalidate-not-blocked-by-csp.html (2448B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <title>Test revalidations requests aren't blocked by CSP.</title>
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="/common/utils.js"></script>
      7 <body>
      8 <script>
      9 
// Regression test for https://crbug.com/1070117.
// token() is provided by /common/utils.js; its value is passed to the server
// script as the "token" query parameter of every image request made below.
var request_token = token();
let image_src = `resources/stale-image.py?token=${request_token}`;
     13 
// Creates an <img> for image_src, attaches it to <body> and resolves with the
// element once its load event has fired.
//
// Only onload is handled: if the load fails (for example because it was
// blocked), the returned promise never settles and the caller keeps waiting.
let loadImage = async () => {
  const element = document.createElement("img");
  element.src = image_src;
  // The load handler is registered before the element joins the document.
  const loadEvent = new Promise(resolve => {
    element.onload = resolve;
  });
  document.body.appendChild(element);
  await loadEvent;
  return element;
};
     22 
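// Checks that the background revalidation of a stale image is neither blocked
// by, nor reported under, a CSP that was installed after the image was
// requested.
promise_test(async t => {
  await new Promise(r => window.onload = r);

  // No CSP report must be sent from now on.
  //
  // TODO(arthursonzogni): Some browser implementations do not support the
  // ReportingObserver yet. Ideally, another way to access the reports should be
  // used to test them.
  //
  // Feature-detect instead of testing the constructed object: `new` always
  // yields a truthy object, and where ReportingObserver is undefined the
  // constructor call itself throws before any guard on the result can run.
  // Without ReportingObserver only the "not blocked" half of this test is
  // verified; the "no report" half is skipped.
  if (typeof ReportingObserver !== "undefined") {
    const observer = new ReportingObserver(t.unreached_func(
      "CSP reports aren't sent for revalidation requests"));
    observer.observe();
  }

  const img1 = await loadImage(); // Load initial resource.
  const img2 = loadImage();       // Request stale resource.

  // Insert a <meta> CSP. This will block any image load starting from now.
  const metaCSP = document.createElement("meta");
  metaCSP.httpEquiv = "Content-Security-Policy";
  metaCSP.content = "img-src 'none'";
  document.getElementsByTagName("head")[0].appendChild(metaCSP);

  // The images were requested before the <meta> CSP above was added. So they
  // will load. Nevertheless, the resource will be stale. A revalidation request
  // is going to be made after that.
  assert_equals(img1.width, 16, "(initial version loaded)");
  assert_equals((await img2).width, 16, "(stale version loaded)");

  // At some point, the <img> resource is going to be revalidated. It must not
  // be blocked nor trigger a CSP violation report.

  // Query the server again and again. At some point it must have received the
  // revalidation request. We poll, because we don't know when the revalidation
  // will occur.
  //
  // The "&query" suffix is alternated between polls; what the server does with
  // it is defined by resources/stale-image.py, which is not shown here.
  // NOTE(review): the loop has no bound of its own, so a revalidation that
  // never reaches the server presumably surfaces as a harness timeout rather
  // than an assertion failure - confirm.
  let query = false;
  while (true) {
    await new Promise(r => step_timeout(r, 25));
    const response = await fetch(`${image_src}${query ? "&query" : ""}`);
    // Headers.get() returns a string or null, so compare strictly.
    if (response.headers.get("Count") === "2")
      break;
    query = !query;
  }
}, "Request revalidation aren't blocked by CSP");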
     67 
     68 </script>
     69 </body>