
failure-check-sequence.https.html (2954B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <meta charset="utf-8">
      5 <title>Sequence of the checks performed against a navigation response</title>
      6 <script src="/resources/testharness.js"></script>
      7 <script src="/resources/testharnessreport.js"></script>
      8 </head>
      9 <body>
     10 <script>
     11 'use strict';
/**
 * Reports which policy signal shows up first in `win`.
 *
 * Three sources are raced:
 *   - the `type` of the first report delivered to a ReportingObserver
 *     created in `win` (skipped when `win.ReportingObserver` is missing,
 *     in which case that branch never settles),
 *   - a `securitypolicyviolation` event on `win.document`, reported as the
 *     fixed label 'csp-violation',
 *   - a 500 ms timer, reported as `null`.
 *
 * A `null` result therefore only means "nothing observed within 500 ms".
 * Callers that assert on a specific label fail, rather than pass, when the
 * expected signal arrives late.
 *
 * @param {Window} win - window whose document is being watched
 * @returns {Promise<string|null>} label of the first signal, or null
 */
const collect = (win) => {
  const TIMEOUT_MS = 500;
  const signals = [];

  // Reporting API path: settle with the type of the first queued report.
  signals.push(
    new Promise((settle) => {
      if (win.ReportingObserver) {
        new win.ReportingObserver(settle).observe();
      }
    }).then((queued) => queued[0].type),
  );

  // Although CSP also makes use of ReportingObserver, monitoring this event
  // allows the test to provide value to implementations that have not yet
  // integrated CSP and Reporting (as of the time of this writing, Firefox and
  // Safari).
  signals.push(
    new Promise((settle) => {
      win.document.addEventListener('securitypolicyviolation', () => {
        settle('csp-violation');
      });
    }),
  );

  // Upper bound on how long a test waits for any signal at all.
  signals.push(
    new Promise((settle) => {
      setTimeout(() => settle(null), TIMEOUT_MS);
    }),
  );

  return Promise.race(signals);
};
     32 
/**
 * Opens `url` in a new window and resolves once that window has loaded.
 *
 * The window is registered for closing through `t.add_cleanup` before the
 * load is awaited, so it is closed even if the load never completes.
 *
 * @param {object} t - testharness test object (only `add_cleanup` is used)
 * @param {string} url - URL passed to `open()`
 * @returns {Promise<Window>} the opened window, after its `load` event
 */
const createWindow = (t, url) => {
  const popup = open(url);

  t.add_cleanup(function closePopup() {
    return popup.close();
  });

  return new Promise((loaded) => {
    popup.onload = () => loaded(popup);
  });
};
     38 
// Parent document: Content-Security-Policy `frame-src none`.
// Framed document: X-Frame-Options `deny`.
// Both headers would block the frame; the test expects the CSP violation to
// be the signal that is observed first.
//
// NOTE(review): `none` is unquoted in the policy value. The CSP keyword is
// `'none'` (with single quotes); an unquoted `none` is read as a host-source.
// The frame should still be blocked because its URL does not match a host
// named "none" - confirm the missing quotes are intentional.
promise_test(async (t) => {
  const parentUrl = '/common/blank.html?pipe=header(content-security-policy, frame-src none)';
  const frameUrl = '/common/blank.html?pipe=header(x-frame-options, deny)';

  const win = await createWindow(t, parentUrl);
  const frame = win.document.createElement('iframe');
  frame.src = frameUrl;
  win.document.body.appendChild(frame);

  const firstSignal = await collect(win);
  assert_equals(firstSignal, 'csp-violation');
}, 'CSP check precedes X-Frame-Options check');
     47 
// Parent document: Content-Security-Policy `frame-src none` followed by
// Cross-Origin-Embedder-Policy `require-corp`.
// Framed document: no extra headers are piped onto it.
// The frame fails both the CSP and the COEP check; the test expects the CSP
// violation to be observed first when the CSP header is listed first.
//
// NOTE(review): `none` is unquoted, so CSP reads it as a host-source rather
// than the `'none'` keyword - confirm this is intentional.
promise_test(async (t) => {
  const parentUrl = '/common/blank.html?pipe=header(content-security-policy, frame-src none)|header(cross-origin-embedder-policy, require-corp)';
  const frameUrl = '/common/blank.html';

  const win = await createWindow(t, parentUrl);
  const frame = win.document.createElement('iframe');
  frame.src = frameUrl;
  win.document.body.appendChild(frame);

  const firstSignal = await collect(win);
  assert_equals(firstSignal, 'csp-violation');
}, 'CSP check precedes COEP check - CSP header first');
     56 
// Same setup as the "CSP header first" case, with the two parent headers
// piped in the opposite order: Cross-Origin-Embedder-Policy `require-corp`
// first, Content-Security-Policy `frame-src none` second.
// The expected first signal is still the CSP violation, i.e. the order in
// which the headers are sent should not change which check reports first.
//
// NOTE(review): `none` is unquoted, so CSP reads it as a host-source rather
// than the `'none'` keyword - confirm this is intentional.
promise_test(async (t) => {
  const parentUrl = '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)|header(content-security-policy, frame-src none)';
  const frameUrl = '/common/blank.html';

  const win = await createWindow(t, parentUrl);
  const frame = win.document.createElement('iframe');
  frame.src = frameUrl;
  win.document.body.appendChild(frame);

  const firstSignal = await collect(win);
  assert_equals(firstSignal, 'csp-violation');
}, 'CSP check precedes COEP check - COEP header first');
     65 
// Parent document: Cross-Origin-Embedder-Policy `require-corp` (no CSP).
// Framed document: X-Frame-Options `deny`; no COEP header is piped onto it.
// The frame fails both checks; the test expects a report of type 'coep' to
// be the first signal. With no CSP on the parent, the only way collect()
// can yield this label is through a ReportingObserver report.
promise_test(async (t) => {
  const parentUrl = '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)';
  const frameUrl = '/common/blank.html?pipe=header(x-frame-options, deny)';

  const win = await createWindow(t, parentUrl);
  const frame = win.document.createElement('iframe');
  frame.src = frameUrl;
  win.document.body.appendChild(frame);

  const firstSignal = await collect(win);
  assert_equals(firstSignal, 'coep');
}, 'COEP check precedes X-Frame-Options check');
     74 </script>
     75 </body>
     76 </html>