
body-size-cross-origin.https.html (2448B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4 <meta charset="utf-8" />
      5 <title>Verify that encodedBodySize/decodedBodySize are CORS-protected rather than TAO-protected</title>
      6 <link rel="author" title="Noam Rosenthal" href="nrosenthal@chromium.org">
      7 <script src="/resources/testharness.js"></script>
      8 <script src="/resources/testharnessreport.js"></script>
      9 <script src="/common/get-host-info.sub.js"></script>
     10 <script src="/common/utils.js"></script>
     11 </head>
     12 <body>
     13 <script>
     14 const {ORIGIN, REMOTE_ORIGIN} = get_host_info();
     15 
     16 async function test_body_size({mode, tao, expected_body_sizes}) {
     17    promise_test(async t => {
     18        const origin = mode === "same-origin" ? ORIGIN : REMOTE_ORIGIN;
     19        const url = new URL(`${origin}/images/red.png?uid=${token()}`,
     20                            location.href);
     21        const pipes = [];
     22        if (mode === "cors")
     23            pipes.push("header(Access-Control-Allow-Origin,*)");
     24        if (tao)
     25            pipes.push("header(Timing-Allow-Origin,*)");
     26        const img = document.createElement("img");
     27        if (mode === "cors")
     28            img.crossOrigin = "anonymous";
     29 
     30        if (pipes.length)
     31            url.searchParams.set("pipe", pipes.join("|"));
     32        img.src = url.toString();
     33        await img.decode();
     34        const [entry] = performance.getEntriesByName(url.toString());
     35        if (expected_body_sizes) {
     36            assert_greater_than(entry.encodedBodySize, 0);
     37            assert_greater_than(entry.decodedBodySize, 0);
     38        } else {
     39            assert_equals(entry.encodedBodySize, 0);
     40            assert_equals(entry.decodedBodySize, 0);
     41        }
     42 
     43        if (tao || mode === "same-origin")
     44          assert_equals(entry.transferSize, entry.encodedBodySize + 300);
     45        else
     46          assert_equals(entry.transferSize, 0);
     47 
     48    }, `Retrieving a ${mode} resource ${
     49        tao ? "with" : "without"} Timing-Allow-Origin should ${
     50        expected_body_sizes ? "expose" : "not expose"
     51        } body size`);
     52 }
     53 
     54 test_body_size({mode: "same-origin", tao: false, expected_body_sizes: true});
     55 test_body_size({mode: "same-origin", tao: true, expected_body_sizes: true});
     56 test_body_size({mode: "no-cors", tao: false, expected_body_sizes: false});
     57 test_body_size({mode: "no-cors", tao: true, expected_body_sizes: false});
     58 test_body_size({mode: "cors", tao: false, expected_body_sizes: true});
     59 test_body_size({mode: "cors", tao: true, expected_body_sizes: true});
     60 
     61 </script>
     62 </body>
     63 </html>