

      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <meta charset="utf-8" />
      5 <title>TAO - port mismatch must fail the check</title>
      6 <link rel="author" title="Google" href="http://www.google.com/" />
      7 <link rel="help" href="https://www.w3.org/TR/resource-timing-2/#sec-timing-allow-origin"/>
      8 <script src="/resources/testharness.js"></script>
      9 <script src="/resources/testharnessreport.js"></script>
     10 <script src="/common/get-host-info.sub.js"></script>
     11 <script src="resources/entry-invariants.js"></script>
     12 <script>
     13 
const {ORIGINAL_HOST, PORT, PORT2} = get_host_info();

// Builds the URL of the subresource under test. The resource is always fetched
// from PORT2, i.e. from a different origin than this page (which is served from
// the default PORT), since an origin includes its port. The `tao` query value
// selects which port TAOResponse.py puts into its Timing-Allow-Origin header.
const tao_url_for_port = (tao_port) =>
  `${location.protocol}//${ORIGINAL_HOST}:${PORT2}/resource-timing/resources/TAOResponse.py?tao=origin_port_${tao_port}`;

// The header names the second port while this page's origin uses the default
// port, so the origins differ: the TAO check must fail and the subresource's
// timing data must stay hidden from this page.
const port_mismatch_url = tao_url_for_port(PORT2);
attribute_test(
  fetch, port_mismatch_url, invariants.assert_tao_failure_resource,
  "A port mismatch must fail the TAO check");

// Same resource, but the header now names this page's own port, so its value
// equals this page's origin and the subresource's timings must be exposed.
const port_match_url = tao_url_for_port(PORT);
attribute_test(
  fetch, port_match_url, invariants.assert_tao_pass_no_redirect_http,
  "An identical port must pass the TAO check");
     37 
     38 </script>
     39 </head>
     40 <body>
     41 <h1>Description</h1>
     42 <p>This test validates that for a cross origin resource with different ports,
     43 the timing allow check algorithm will fail when the
     44 Timing-Allow-Origin value has the right host but the wrong port in it.</p>
     45 </body>
     46 </html>