
parsing.html (4392B)


<!doctype html>
<head>
  <!-- WPT test metadata: this test spins up an iframe per case, so it needs
       the extended harness timeout. -->
  <meta name="timeout" content="long">
  <!-- Two WPT variants are generated from this one file: one exercising the
       enforcing Integrity-Policy header and one exercising the
       Integrity-Policy-Report-Only header (see the `type` query parameter
       handling in the script below). -->
  <meta name="variant" content="?type=enforce">
  <meta name="variant" content="?type=report">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <!-- RemoteContext / execute_script for driving the iframe. -->
  <script src="/common/dispatcher/dispatcher.js"></script>
  <!-- token() for per-iframe UUIDs. -->
  <script src="/common/utils.js"></script>
  <!-- NOTE(review): report-helper.js is loaded but not referenced by this
       file; the report variant currently does not verify that a report is
       emitted. Confirm whether that is intentional. -->
  <script src="/reporting/resources/report-helper.js"></script>
</head>
     13 <script>
     14 
     15  const run_test = (test_case) => {
     16    promise_test(async () => {
     17      const REMOTE_EXECUTOR =
     18        `/common/dispatcher/remote-executor.html?pipe=`;
     19 
     20      let header_name = "Integrity-Policy";
     21      const params = new URLSearchParams(location.search);
     22      if (params.get('type') === "report") {
     23        if (test_case.expected.blocked) {
     24          return;
     25        }
     26        header_name += "-Report-Only";
     27      }
     28      const iframe_uuid = token();
     29      const header =
     30        `header(${header_name},${test_case.header_value})`;
     31      const iframe_url =
     32        `${REMOTE_EXECUTOR}${encodeURIComponent(header)}&uuid=${iframe_uuid}`;
     33 
     34      const iframe = document.createElement('iframe');
     35      iframe.src = iframe_url;
     36      document.body.appendChild(iframe);
     37 
     38      // Execute code directly from the iframe.
     39      const ctx = new RemoteContext(iframe_uuid);
     40      const result = await ctx.execute_script(async (test_case) => {
     41        const resource_url = "/content-security-policy/resources/ran.js";
     42        let report_observed_promise;
     43 
     44        // Load a script with no integrity. If there's a policy in place, it
     45        // would be blocked.
     46        const loaded = await new Promise(resolve => {
     47          const script = document.createElement('script');
     48          script.onload = () => { resolve(true); };
     49          script.onerror = () => { resolve(false); };
     50          script.src = resource_url;
     51          document.body.appendChild(script);
     52        });
     53        return { blocked: !loaded, ran: window.ran };
     54      }, [test_case]);
     55      assert_equals(!result.blocked, !!result.ran);
     56      assert_equals(result.blocked, test_case.expected.blocked);
     57    }, test_case.description);
     58  };
     59 
     60  const test_cases = [
     61    {
     62      description: "Ensure that test is working with a valid destination",
     63      header_value: "blocked-destinations=\\(script\\)",
     64      expected: {blocked: true},
     65    },
     66    {
     67      description: "Ensure that test is working with a valid destination and source",
     68      header_value: "blocked-destinations=\\(script\\)\\, sources=\\(inline\\)",
     69      expected: {blocked: true},
     70    },
     71    {
     72      description: "Ensure that an empty header does not block",
     73      header_value: "",
     74      expected: {blocked: false},
     75    },
     76    {
     77      description: "Ensure that a destination header with a token value does not parse",
     78      header_value: "blocked-destinations=script",
     79      expected: {blocked: false},
     80    },
     81    {
     82      description: "Ensure that a destination header with an inner list of strings does not parse",
     83      header_value: 'blocked-destinations=\\("script"\\)',
     84      expected: {blocked: false},
     85    },
     86    {
     87      description: "Ensure that a destination header with an inner list of single-quote strings does not parse",
     88      header_value: "blocked-destinations=\\('script'\\)",
     89      expected: {blocked: false},
     90    },
     91    {
     92      description: "Ensure that a destination header with an unclosed inner list does not parse",
     93      header_value: "blocked-destinations=\\(script",
     94      expected: {blocked: false},
     95    },
     96    {
     97      description: "Ensure that a destination header with a malformed inner list does not parse",
     98      header_value: "blocked-destinations=\\(script\\,style\\)",
     99      expected: {blocked: false},
    100    },
    101    {
    102      description: "Ensure that an unknown destination does not enforce a policy",
    103      header_value: "blocked-destinations=\\(style\\)",
    104      expected: {blocked: false},
    105    },
    106    {
    107      description: "Ensure that an unknown source causes the policy to not be enforced",
    108      header_value: "blocked-destinations=\\(script\\)\\, sources=\\(telepathy\\)",
    109      expected: {blocked: false},
    110    },
    111    {
    112      description: "Ensure that an invalid source causes the policy to not be enforced",
    113      header_value: "blocked-destinations=\\(script\\)\\, sources=\\(invalid",
    114      expected: {blocked: false},
    115    },
    116  ];
    117  test_cases.map(run_test);
    118 </script>