
csp-blocked.https.tentative.html (4363B)


<!DOCTYPE html>
<!-- WPT test for subresource WebBundles: every load exercised below is one the
     page's own CSP must block. Each test waits for a securitypolicyviolation
     event, and the last test reads back the CSP reports that were delivered. -->
<title>CSP for subresource WebBundle (blocked cases)</title>
<link
 rel="help"
 href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
/>
<!-- Policy under test, delivered via <meta>:
     - script-src allows the `urn:` scheme, the two testharness scripts by
       exact URL, and 'unsafe-inline' (required for the inline test script in
       the body). A `uuid-in-package:` URL is not matched by `urn:`, so the
       uuid script case below is expected to be blocked.
     - img-src allows only the bundle file itself (subresource.wbn), not the
       fail.png resource it carries, so that image load is expected to be
       blocked.
     - report-to names the `csp-group` endpoint group that the final test
       retrieves reports from; the endpoint for that group and the
       csp-blocked-report-id cookie are not set up in this file (presumably a
       sibling .headers file - confirm). -->
<meta
 http-equiv="Content-Security-Policy"
 content="
   script-src
     urn:
     https://web-platform.test:8444/resources/testharness.js
     https://web-platform.test:8444/resources/testharnessreport.js
     'unsafe-inline';
   img-src
     https://web-platform.test:8444/web-bundle/resources/wbn/subresource.wbn;
   report-to
     csp-group"
/>
<!-- The harness is loaded by root-relative path but allowed by script-src only
     at the https://web-platform.test:8444 origin, so the page has to be served
     from that origin or the harness itself is blocked. -->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
 <!-- Bundle 1: declares fail.png as a resource served from subresource.wbn.
      The image test below requests that HTTPS URL; img-src only allows the
      bundle URL, so the subresource load must be blocked. -->
 <script type="webbundle">
   {
     "source": "../resources/wbn/subresource.wbn",
     "resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/fail.png"]
   }
 </script>
 <!-- Bundle 2: declares a uuid-in-package: resource. script-src allows the
      `urn:` scheme but not `uuid-in-package:`, so a <script> pointing at this
      URL must be blocked. -->
 <script type="webbundle">
   {
     "source": "../resources/wbn/uuid-in-package.wbn",
     "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"]
   }
 </script>
     35  <script>
   // Absolute URL of the second bundle above. The uuid script test and the
   // report check both expect this bundle URL (not the uuid-in-package: URL)
   // to be reported as the blocked URL.
   const uuid_bundle_url =
     "https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn";
     38 
   function expect_violation() {
     // Resolves with the next `securitypolicyviolation` event dispatched on
     // the document. The listener is one-shot and stops the event from
     // propagating further, so each call observes exactly one violation.
     // Callers register this before triggering the load they expect to be
     // blocked, so the event cannot be missed.
     let settle;
     const violation = new Promise((resolve) => {
       settle = resolve;
     });
     const onViolation = (event) => {
       event.stopPropagation();
       settle(event);
     };
     document.addEventListener("securitypolicyviolation", onViolation, {
       once: true,
     });
     return violation;
   }
     51 
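   function getReportID() {
     // Returns the value of the `csp-blocked-report-id` cookie, which the
     // report-retrieval test below uses to look up the CSP reports collected
     // for this page. Returns undefined when the cookie is absent.
     //
     // Only the first "=" separates name from value: a value that itself
     // contains "=" (e.g. base64 padding) is returned intact instead of being
     // cut at the second "=", and a bare cookie with no "=" is skipped rather
     // than dereferencing a missing value.
     for (const cookie of document.cookie.split(";")) {
       const separator = cookie.indexOf("=");
       if (separator === -1) {
         continue;
       }
       const name = cookie.slice(0, separator).trim();
       if (name === "csp-blocked-report-id") {
         return cookie.slice(separator + 1).trim();
       }
     }
     return undefined;
   }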
     62 
   function sortReportsByEffectiveDirective(reports) {
     // Sorts `reports` in place so the report-check test can index them
     // deterministically regardless of delivery order: primarily by
     // body.effectiveDirective, then by body.blockedURL for reports that share
     // a directive. Both keys are compared with localeCompare.
     const compareReports = (first, second) => {
       const byDirective = first.body.effectiveDirective.localeCompare(
         second.body.effectiveDirective
       );
       if (byDirective !== 0) {
         return byDirective;
       }
       return first.body.blockedURL.localeCompare(second.body.blockedURL);
     };
     reports.sort(compareReports);
   }
     71 
   // Case 1: an <img> whose URL is served from subresource.wbn. img-src allows
   // the bundle URL but not fail.png, so the load must be blocked, and the
   // violation must name the subresource URL (img.src), not the bundle.
   promise_test(async () => {
     // Register the violation listener before triggering the load so the
     // event cannot fire before we are listening.
     const p = expect_violation();
     const img = document.createElement("img");
     // The blocked load is also expected to surface as an error on the element.
     const error_promise = new Promise((resolve) => {
       img.onerror = resolve;
     });
     img.src =
       "https://web-platform.test:8444/web-bundle/resources/wbn/fail.png";
     document.body.appendChild(img);
     const e = await p;
     assert_equals(e.blockedURI, img.src);
     await error_promise;
   }, "URL matching of CSP should be done based on the subresource URL, " +
      "not on the bundle URL, when the subresource URL is HTTPS URL.");
     86 
   // Case 2: a <script> whose URL uses a non-HTTPS scheme served from a
   // bundle. `prefix` is the scheme under test and `bundle_url` the URL the
   // violation is expected to report. Only uuid-in-package: is exercised here;
   // script-src allows `urn:` but not this scheme, so the load must be blocked.
   const testCases = [
     {
       prefix: "uuid-in-package:",
       bundle_url: uuid_bundle_url,
     },
   ];
   for (const params of testCases) {
     promise_test(async () => {
       const urn_uuid = params.prefix + "020111b3-437a-4c5c-ae07-adb6bbffb720";
       // Listener first, then the load that should trip it.
       const p = expect_violation();
       const script = document.createElement("script");
       script.src = urn_uuid;
       document.body.appendChild(script);
       const e = await p;
       // Unlike the HTTPS image case, the expected blockedURI here is the
       // bundle URL rather than the subresource URL; this expectation is
       // tentative (see the file name).
       // Currently Chromium is reporting the bundle URL.
       // TODO(crbug.com/1208659): Consider deeper integration with CSP for
       // providing both URLs.
       assert_equals(e.blockedURI, params.bundle_url);
       assert_equals(e.violatedDirective, "script-src-elem");
     }, "URL matching of script-src CSP should be done based on the bundle URL " +
        `when the subresource URL is ${params.prefix} URL.`);
   }
    109 
   // Case 3: the reports delivered for the two violations above. This relies
   // on testharness running promise_tests sequentially in registration order,
   // so both blocked loads have happened (and the `timeout=3` wait gives the
   // reports time to arrive) before the reports are fetched.
   promise_test(async () => {
     // The report ID comes from a cookie this test infrastructure sets for the
     // page; it is appended to the query unencoded, which is fine only while
     // that value is an opaque token the test owns (it is not user input).
     const retrieve_report_url =
       "/reporting/resources/report.py?op=retrieve_report&timeout=3&reportID=" +
       getReportID();
     const reports = await (await fetch(retrieve_report_url)).json();
     // Delivery order is not guaranteed; sorting puts img-src before
     // script-src-elem so the indices below are stable.
     sortReportsByEffectiveDirective(reports);

     // Exactly one report per blocked load: the image and the uuid script.
     assert_equals(reports.length, 2, "Report count.");

     // Image case reports the subresource URL itself.
     assert_equals(
       reports[0].body.blockedURL,
       "https://web-platform.test:8444/web-bundle/resources/wbn/fail.png"
     );
     assert_equals(reports[0].body.effectiveDirective, "img-src");

     // Script case reports the bundle URL, matching the event assertion above.
     assert_equals(reports[1].body.blockedURL, uuid_bundle_url);
     assert_equals(reports[1].body.effectiveDirective, "script-src-elem");
   }, "Check the CSP violation reports.");
    128  </script>
    129 </body>