
csp-blockes-bundle.https.tentative.html (2359B)


      <!doctype html>
      <title>CSP blocks WebBundle</title>
      <link
        rel="help"
        href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
      >
      <!--
        Policy under test, delivered through a meta element.
        default-src lists the three helper scripts, the bundled subresource
        (relative-url-file.js) and 'unsafe-inline'; img-src lists pass.png.
        The bundle itself (relative-url.wbn) is intentionally NOT listed, which is
        the condition this test exercises.
        'unsafe-inline' is what lets the inline test script below run under this
        policy; it is a test convenience, and a deployed policy would normally use
        a nonce or hash instead.
        NOTE(review): the harness scripts are requested by relative URL but
        allow-listed by absolute URL, so the page presumably has to be served from
        https://web-platform.test:8444 for them to load. Confirm against the WPT
        server configuration.
      -->
      <meta
        http-equiv="Content-Security-Policy"
        content="
          default-src
            https://web-platform.test:8444/web-bundle/resources/wbn/relative-url-file.js
            https://web-platform.test:8444/resources/testharness.js
            https://web-platform.test:8444/resources/testharnessreport.js
            https://web-platform.test:8444/web-bundle/resources/test-helpers.js
            'unsafe-inline';
          img-src
            https://web-platform.test:8444/web-bundle/resources/wbn/pass.png;"
      >
      <script src="/resources/testharness.js"></script>
      <script src="/resources/testharnessreport.js"></script>
      <script src="../resources/test-helpers.js"></script>
      <body>
        <script>
          // Absent from the CSP directives above, so fetching this bundle is
          // expected to be refused.
          const bundle_url =
            "https://web-platform.test:8444/web-bundle/resources/wbn/relative-url.wbn";

          // This URL IS listed under default-src. The test still expects its load
          // to fail, because the request is associated with the blocked bundle:
          // allow-listing a subresource does not let it arrive via a bundle the
          // policy rejects.
          const subresource_url =
            "https://web-platform.test:8444/web-bundle/resources/wbn/relative-url-file.js";

          promise_test(() => {
            // Expected outcome when the policy rejects the bundle:
            //   1. the WebBundle element reports an error,
            //   2. the script pointing at the bundled subresource reports an error,
            //   3. window "load" still fires, i.e. no request is left pending forever.

            // Returns a promise that settles once `type` is dispatched on `target`.
            const eventFired = (target, type) =>
              new Promise((resolve) => {
                target.addEventListener(type, () => {
                  resolve();
                });
              });

            // Registered first, before any element is inserted.
            const pageLoaded = eventFired(window, "load");

            // createWebBundleElement is not defined in this file; presumably it
            // comes from ../resources/test-helpers.js.
            // The error listener is attached before insertion so the failure
            // cannot be missed.
            const bundleElement = createWebBundleElement(bundle_url, [subresource_url]);
            const bundleFailed = eventFired(bundleElement, "error");
            document.body.appendChild(bundleElement);

            // Inserted after the bundle element, matching the original order.
            const scriptElement = document.createElement("script");
            scriptElement.src = subresource_url;
            const scriptFailed = eventFired(scriptElement, "error");
            document.body.appendChild(scriptElement);

            // The test passes only when all three conditions hold.
            return Promise.all([pageLoaded, bundleFailed, scriptFailed]);
          }, "WebBundle and subresource loadings should fail when CSP blocks a WebBundle");
        </script>
      </body>