      1 <!DOCTYPE html>
      2 <head>
      3 <script src="/resources/testharness.js" nonce="123"></script>
      4 <script src="/resources/testharnessreport.js" nonce="123"></script>
      5 <script src="/common/utils.js" nonce="123"></script>
      6 <script src="/preload/resources/preload_helper.js" nonce="123"></script>
      7 <title>CSP strict-dynamic + preload</title>
      8 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123' 'strict-dynamic'" />
      9 </head>
     10 <body>
     11 <script nonce="123">
// Extracts the stash key from a preload URL of the form
// ".../stash-put.py?key=<token>"; that key is what hasArrivedAtServer() is
// later queried with to decide whether the request ever reached the server.
const PATTERN = /\?key=([a-zA-Z0-9\-]+)$/;

// We use async_test instead of promise_test in this file because these
// tests take long time to run and we want to run them in parallel.
// A parser-inserted <link rel=preload as=script> that carries no nonce.
// The policy is script-src 'nonce-123' 'strict-dynamic', so the preload is
// expected to surface as a script-src-elem violation and the request must
// never reach stash-put.py (checked server-side via the stash key).
async_test((t) => {
  Promise.resolve().then(async () => {
    let violationSeen = false;

    // The <link> sits later in <body> and does not exist yet while this
    // script runs, so it is looked up inside the handler, not up front.
    const isTargetViolation = (e) => {
      const target = document.querySelector('#static-no-nonce');
      return e.violatedDirective === 'script-src-elem' &&
             e.blockedURI === target.href;
    };
    self.addEventListener('securitypolicyviolation', (e) => {
      if (isTargetViolation(e)) {
        violationSeen = true;
      }
    });

    // Give the parser and the CSP check time to process the static link.
    await new Promise((resolve) => step_timeout(resolve, 3000));

    const target = document.querySelector('#static-no-nonce');
    const [, key] = target.href.match(PATTERN);

    assert_true(violationSeen, 'sawViolation');
    assert_false(await hasArrivedAtServer(key), 'hasArrivedAtServer');
    t.done();
  }).catch(t.step_func((e) => {
    throw e;
  }));
}, 'static-no-nonce');

// The same parser-inserted preload, this time carrying the policy's nonce:
// no script-src-elem violation is expected and the request must reach
// stash-put.py.
async_test((t) => {
  Promise.resolve().then(async () => {
    let violationSeen = false;

    // The <link> is later in <body>, so it is resolved inside the handler.
    const isTargetViolation = (e) => {
      const target = document.querySelector('#static-nonce');
      return e.violatedDirective === 'script-src-elem' &&
             e.blockedURI === target.href;
    };
    self.addEventListener('securitypolicyviolation', (e) => {
      if (isTargetViolation(e)) {
        violationSeen = true;
      }
    });

    // TODO: Use step_wait after
    // https://github.com/web-platform-tests/wpt/pull/34289 is merged.
    await new Promise((resolve) => step_timeout(resolve, 3000));

    const target = document.querySelector('#static-nonce');
    const [, key] = target.href.match(PATTERN);

    assert_false(violationSeen, 'sawViolation');
    assert_true(await hasArrivedAtServer(key), 'hasArrivedAtServer');
    t.done();
  }).catch(t.step_func((e) => {
    throw e;
  }));
}, 'static-nonce');

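// A preload <link> inserted by (nonced) script rather than by the parser.
// The link itself carries no nonce; the test expects 'strict-dynamic' to
// permit this non-parser-inserted load, so the request must reach
// stash-put.py.
async_test((t) => {
  Promise.resolve().then(async () => {
    const id = token();
    const link = document.createElement('link');
    link.rel = 'preload';
    link.as = 'script';
    link.href = `/preload/resources/stash-put.py?key=${id}`;

    // Register both listeners before inserting the element so that neither
    // outcome can be missed. Either event only means the fetch has settled;
    // whether a request was actually sent is decided by the server-side
    // stash lookup below.
    const settled = new Promise((resolve) => {
      link.addEventListener('load', resolve, {once: true});
      link.addEventListener('error', resolve, {once: true});
    });
    document.head.appendChild(link);
    await settled;

    assert_true(await hasArrivedAtServer(id), 'hasArrivedAtServer');
    t.done();
  }).catch(t.step_func((e) => {
    throw e;
  }));
}, 'dynamic');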
     83 </script>
     84 
     85 <link id="static-no-nonce" href="/preload/resources/stash-put.py?key={{uuid()}}" rel=preload as=script>
     86 <link id="static-nonce" href="/preload/resources/stash-put.py?key={{uuid()}}" rel=preload as=script nonce="123">
     87 </body>
     88 </html>