
refresh-cross-origin.sub.html (2111B)


      1 <!doctype html>
      2 <meta charset="utf-8">
      3 <title>Cross-Origin Referrer Policy applied to Refresh</title>
      4 <link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=266554">
      5 <link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">
      6 <link rel="help" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#populating-a-session-history-entry:concept-request">
      7 <link rel="help" href="https://github.com/privacycg/proposals/issues/13">
      8 <link rel="author" title="Zach Hoffman" href="mailto:zach@zrhoffman.net">
      9 <script src="/resources/testharness.js"></script>
     10 <script src="/resources/testharnessreport.js"></script>
     11 <script src="./resources/refresh-by-host.js"></script>
     12 <body>
     13 <script>
     14 const ports = {
     15  http: "{{ports[http][0]}}",
     16  https: "{{ports[https][0]}}",
     17 };
     18 
     19 let scheme;
     20 const originScheme = location.protocol.slice(0, -1);
     21 if (originScheme === "http") {
     22  scheme = originScheme;
     23 } else {
     24  scheme = "https";
     25 }
     26 const port = ports[scheme];
     27 
     28 const origin = `${scheme}://{{hosts[alt][]}}:${port}`;
     29 const path = "resources/referrer-info.sub.html";
     30 const base = new URL(location.pathname, origin);
     31 const url = new URL(path, base).href;
     32 const expectationsByPolicy = {
     33  "no-referrer": kExpectEmptyString,
     34  // WebKit and Gecko send the origin for no-referrer-when-downgrade Referrer Policy refreshes in an
     35  // iframe, but per the spec, the full URL should be sent in this case. Further discussion:
     36  // <https://github.com/privacycg/proposals/issues/13>
     37  "no-referrer-when-downgrade": kExpectFullURL,
     38  "origin": kExpectOrigin,
     39  "origin-when-cross-origin": kExpectOrigin,
     40  "same-origin": kExpectEmptyString,
     41  "strict-origin": kExpectOrigin,
     42  "strict-origin-when-cross-origin": kExpectOrigin,
     43  // WebKit and Gecko send the origin for unsafe-url Referrer Policy refreshes in an iframe, but per
     44  // the spec, the full URL should be sent in this case. Further discussion:
     45  // <https://github.com/privacycg/proposals/issues/13>
     46  "unsafe-url": kExpectFullURL,
     47  "": kExpectOrigin,
     48 };
     49 
     50 refreshWithPoliciesTest(url, expectationsByPolicy);
     51 </script>