tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

sri-test-helpers.sub.js (2133B)

      1 // This horrible hack is needed for the 'use-credentials' tests because, on
      2 // response, if port 80 or 443 is the current port, it will not appear to
      3 // the browser as part of the origin string. Since the origin *string* is
      4 // used for CORS access control, instead of the origin itself, if there
      5 // isn't an exact string match, the check will fail. For example,
      6 // "http://example.com" would not match "http://example.com:80", because
      7 // they are not exact string matches, even though the origins are the same.
      8 //
      9 // Thus, we only want the Access-Control-Allow-Origin header to have
     10 // the port if it's not port 80 or 443, since the user agent will elide the
     11 // ports in those cases.
     12 const main_domain = '{{domains[]}}';
     13 const www_domain = '{{domains[www]}}';
     14 const default_port = (location.protocol === 'https:') ? '{{ports[https][0]}}' :
     15                                                        '{{ports[http][0]}}';
     16 
     17 const port_string = (default_port !== '80' && default_port !== '443') ?
     18                      `:${default_port}` : '';
     19 const www_host_and_port = www_domain + port_string;
     20 
     21 // General resource prefixes.
     22 const same_origin_prefix = '/subresource-integrity/';
     23 const xorigin_prefix = `${location.protocol}//${www_host_and_port}/subresource-integrity/`;
     24 
     25 // General resource suffixes, for piping CORS headers.
     26 const anonymous = '&pipe=header(Access-Control-Allow-Origin,*)';
     27 const use_credentials = "&pipe=header(Access-Control-Allow-Credentials,true)|" +
     28                        "header(Access-Control-Allow-Origin," + location.origin + ")";
     29 
     30 // Note that all of these style URLs have query parameters started, so any
     31 // additional parameters should be appended starting with '&'.
     32 const xorigin_anon_style = location.protocol
     33  + '//' + www_host_and_port
     34  + '/subresource-integrity/crossorigin-anon-style.css?';
     35 
     36 const xorigin_creds_style = location.protocol
     37  + '//' + www_host_and_port
     38  + '/subresource-integrity/crossorigin-creds-style.css?acao_port='
     39  + port_string;
     40 
     41 const xorigin_ineligible_style = location.protocol
     42  + '//' + www_host_and_port
     43  + '/subresource-integrity/crossorigin-ineligible-style.css?';