tor-browser

The Tor Browser

csp-allowed.https.tentative.html (2113B)


      1 <!DOCTYPE html>
      2 <title>CSP for subresource WebBundle (allowed cases)</title>
        <!--
          Conformance test (tentative, per its filename) for how Content Security
          Policy source lists are matched against resources served out of a
          subresource WebBundle. This file holds the cases the policy is expected
          to allow.
        -->
      3 <link
      4  rel="help"
      5  href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
      6 />
        <!--
          Policy under test, delivered through a meta element:
          * script-src lists the uuid-in-package.wbn bundle URL and the two
            testharness scripts, plus 'unsafe-inline', which the inline test
            script in the body relies on.
          * img-src lists only the pass.png subresource URL.
          Neither directive lists subresource.wbn, the bundle that the body
          declares as the source of pass.png.
          NOTE(review): 'unsafe-inline' permits every inline script on the page.
          It is a harness convenience here, not a setting to copy into a
          production policy.
        -->
      7 <meta
      8  http-equiv="Content-Security-Policy"
      9  content="
     10    script-src
     11      https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn
     12      https://web-platform.test:8444/resources/testharness.js
     13      https://web-platform.test:8444/resources/testharnessreport.js
     14      'unsafe-inline';
     15    img-src
     16      https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"
     17 />
        <!-- Both harness scripts below are explicitly listed in script-src above. -->
     18 <script src="/resources/testharness.js"></script>
     19 <script src="/resources/testharnessreport.js"></script>
     20 <body>
         <!--
           Bundle declaration 1: subresource.wbn is named as the source of the
           HTTPS-addressed image pass.png.
         -->
     21  <script type="webbundle">
     22    {
     23      "source": "../resources/wbn/subresource.wbn",
     24      "resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"]
     25    }
     26  </script>
         <!--
           Bundle declaration 2: uuid-in-package.wbn is named as the source of a
           script that is addressed only by an opaque uuid-in-package: URL.
         -->
     27  <script type="webbundle">
     28    {
     29      "source": "../resources/wbn/uuid-in-package.wbn",
     30      "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"
     31      ]
     32    }
     33  </script>
     34  <script>
           // Case 1: the image has an ordinary HTTPS URL and is declared in
           // subresource.wbn. img-src lists that image URL, so the load is expected
           // to succeed. onload resolves the promise; onerror rejects it, which
           // fails the test.
     35    promise_test(() => {
     36      return new Promise((resolve, reject) => {
     37        const img = document.createElement("img");
     38        img.src =
     39          "https://web-platform.test:8444/web-bundle/resources/wbn/pass.png";
     40        img.onload = resolve;
     41        img.onerror = reject;
     42        document.body.appendChild(img);
     43      });
     44    }, "URL matching of CSP should be done based on the subresource URL " +
     45       "when the subresource URL is HTTPS URL.");
     46 
           // Case 2: the script has a uuid-in-package: URL, which cannot itself
           // appear as a host source in the policy. script-src lists the bundle URL
           // (uuid-in-package.wbn) instead, and the test name states that matching
           // is done against that bundle URL. The loaded script is expected to call
           // window.report_result with "OK".
           // NOTE(review): no onerror handler is attached to the script element, so
           // a blocked load would presumably show up as a harness timeout rather
           // than an immediate failure; confirm.
           // NOTE(review): if matching is by bundle URL, allowlisting a bundle in
           // script-src effectively covers any uuid-in-package: script the bundle
           // contains, so the bundle needs the same trust as any other script source.
     47    promise_test(async () => {
     48      const result = await new Promise((resolve) => {
     49        // This function will be called from the script.
     50        window.report_result = resolve;
     51        const script = document.createElement("script");
     52        script.src = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
     53        document.body.appendChild(script);
     54      });
     55      assert_equals(result, "OK");
     56    }, "URL matching of script-src CSP should be done based on the bundle URL " +
     57       "when the subresource URL is uuid-in-package: URL.");
     58 
     59  </script>
     60 </body>