tor-browser

The Tor Browser

iframe-failed-commit.html (4822B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <meta charset="utf-8" />
      5 <title>Resource Timing - test that unsuccessful iframes create entries</title>
      6 <meta name="timeout" content="long">
      7 <link rel="author" title="Google" href="http://www.google.com/" />
      8 <link rel="help" href=
      9  "https://www.w3.org/TR/resource-timing-2/#resources-included-in-the-performanceresourcetiming-interface"/>
     10 <script src="/resources/testharness.js"></script>
     11 <script src="/resources/testharnessreport.js"></script>
     12 <script src="/common/get-host-info.sub.js"></script>
     13 <script src="resources/entry-invariants.js"></script>
     14 <script src="resources/resource-loaders.js"></script>
     15 <body>
     16 <script>
     17 
// Counterpart of load.iframe that fetches the frame under a
// "default-src 'none'" Content-Security-Policy. The policy is handed to
// load.iframe_with_attrs as the "csp" entry of its attribute map.
const load_iframe_with_csp = async (path) => {
  const attrs = {"csp": "default-src 'none'"};
  return load.iframe_with_attrs(path, attrs);
};
     23 
// Same "default-src 'none'" policy as load_iframe_with_csp, but additionally
// passes load.iframe_with_attrs a no-op callback and `true` as its trailing
// arguments. Going by this helper's name, those presumably stop the loader
// from waiting for the frame to navigate; confirm against
// resources/resource-loaders.js.
const load_iframe_with_csp_no_navigation = async (path) => {
  const attrs = {"csp": "default-src 'none'"};
  const noop = () => {};
  return load.iframe_with_attrs(path, attrs, noop, true);
};
     27 
// Registers a test named `label`: load `url` in a plain iframe (load.iframe)
// and check the result with invariants.assert_tao_failure_resource, i.e. a
// PerformanceResourceTiming entry must be generated and it must not expose
// sensitive timing attributes.
const masked_entry_test = (url, label) =>
  attribute_test(
    load.iframe,
    url,
    invariants.assert_tao_failure_resource,
    label
  );
     35 
// Registers a test named `label`: load `url` in an iframe under the
// "default-src 'none'" Content-Security-Policy (load_iframe_with_csp) and
// check the result with invariants.assert_tao_pass_no_redirect_http, i.e. a
// PerformanceResourceTiming entry must be generated and it does expose
// sensitive timing attributes.
const unmasked_entry_with_csp_test = (url, label) =>
  attribute_test(
    load_iframe_with_csp,
    url,
    invariants.assert_tao_pass_no_redirect_http,
    label
  );
     43 
// Registers a test named `label`: load `url` in an iframe under the
// "default-src 'none'" Content-Security-Policy (load_iframe_with_csp) and
// check the result with invariants.assert_tao_failure_resource, i.e. a
// PerformanceResourceTiming entry must be generated and it must not expose
// sensitive timing attributes.
const masked_entry_with_csp_test = (url, label) =>
  attribute_test(
    load_iframe_with_csp,
    url,
    invariants.assert_tao_failure_resource,
    label
  );
     52 
// Registers a test named `label`: load `url` under the "default-src 'none'"
// Content-Security-Policy through load_iframe_with_csp_no_navigation (the
// loader variant for frames that are not expected to navigate) and check the
// result with invariants.assert_tao_failure_resource, i.e. a
// PerformanceResourceTiming entry must be generated and it must not expose
// sensitive timing attributes.
const non_navigating_masked_entry_with_csp_test = (url, label) =>
  attribute_test(
    load_iframe_with_csp_no_navigation,
    url,
    invariants.assert_tao_failure_resource,
    label
  );
     61 
// Host details for this test run; get_host_info() is presumably supplied by
// /common/get-host-info.sub.js, which this page loads.
const {REMOTE_ORIGIN, ORIGINAL_HOST, HTTPS_PORT} = get_host_info();

// A URL on a "nonexistent." subdomain of the original host, used as the
// target for loads that are meant to fail.
const unhosted_url = `https://nonexistent.${ORIGINAL_HOST}:${HTTPS_PORT}/`;

// Failed loads: an entry must still be reported, in masked form.
masked_entry_test(
  unhosted_url,
  "Test iframe from non-existent host gets reported"
);

masked_entry_test(
  `/resource-timing/resources/fake_responses.py?redirect=${unhosted_url}`,
  "Test iframe redirecting to non-existent host gets reported"
);

// The only unmasked case: a same-origin frame that satisfies the required
// policy.
unmasked_entry_with_csp_test(
  "/resource-timing/resources/csp-default-none.html",
  "Same-origin iframe that complies with CSP attribute gets reported"
);

// Masked because the frame ends up showing an error page, and that page is
// cross-origin.
masked_entry_with_csp_test(
  "/resource-timing/resources/green-frame.html",
  "Same-origin iframe that doesn't comply with CSP attribute gets reported"
);

// Cross-origin frames are expected to be masked whether or not they comply
// with the policy.
masked_entry_with_csp_test(
  new URL("/resource-timing/resources/csp-default-none.html", REMOTE_ORIGIN),
  "Cross-origin iframe that complies with CSP attribute gets reported"
);

masked_entry_with_csp_test(
  new URL("/resource-timing/resources/green-frame.html", REMOTE_ORIGIN),
  "Cross-origin iframe that doesn't comply with CSP attribute gets reported"
);

// Empty 200 responses, same-origin and cross-origin: both expected masked.
// NOTE(review): presumably the empty response does not satisfy the required
// policy; confirm against the .asis resource.
masked_entry_with_csp_test(
  "/resource-timing/resources/200_empty.asis",
  "Same-origin empty iframe with a 200 status gets reported"
);

masked_entry_with_csp_test(
  new URL("/resource-timing/resources/200_empty.asis", REMOTE_ORIGIN),
  "Cross-origin empty iframe with a 200 status gets reported"
);

// 204 and 205 responses go through the non-navigating loader variant
// (presumably because such responses do not navigate the frame; confirm).
non_navigating_masked_entry_with_csp_test(
  new URL("/resource-timing/resources/204_empty.asis", location.origin),
  "Same-origin empty iframe with a 204 status gets reported"
);

non_navigating_masked_entry_with_csp_test(
  new URL("/resource-timing/resources/205_empty.asis", location.origin),
  "Same-origin empty iframe with a 205 status gets reported"
);

non_navigating_masked_entry_with_csp_test(
  new URL("/resource-timing/resources/204_empty.asis", REMOTE_ORIGIN),
  "Cross-origin empty iframe with a 204 status gets reported"
);

non_navigating_masked_entry_with_csp_test(
  new URL("/resource-timing/resources/205_empty.asis", REMOTE_ORIGIN),
  "Cross-origin empty iframe with a 205 status gets reported"
);
    111 
    112 </script>
    113 </body>
    114 </html>