

// Opens |url| in a new window and resolves with that window once the page in
// it posts a 'LOADED' message back to this test page. The popup is closed
// automatically when the test finishes.
//
// The listener lives in the global |window.onmessage| slot, so only one popup
// can be waited on at a time. It does not check |e.source|; the helper page is
// expected to be the only poster while the test runs (the helper URLs in this
// file are relative, i.e. same-origin).
function openWindow(url) {
  return new Promise(resolve => {
    const helperWindow = window.open(url, '_blank');
    // Clean up the popup however the test ends.
    add_result_callback(() => helperWindow.close());
    window.onmessage = loadEvent => {
      assert_equals(loadEvent.data, 'LOADED');
      resolve(helperWindow);
    };
  });
}
     11 
// Opens |windowURL|, asks the page in it to add |scriptURL| to the |type|
// worklet, and asserts that the page reports |expectation| ('RESOLVED' or
// 'REJECTED'). Returns a promise that settles with the assertion's outcome.
//
// The reply is received through the shared |window.onmessage| slot, replacing
// the listener openWindow() installed. The request is posted with a '*'
// target origin; since the helper pages in this file are same-origin, a
// stricter target (location.origin) would also work — confirm before
// tightening.
function openWindowAndExpectResult(windowURL, scriptURL, type, expectation) {
  // Resolves with the next message event delivered to this page.
  const nextMessage = () => new Promise(resolve => {
    window.onmessage = resolve;
  });

  return openWindow(windowURL)
    .then(helperWindow => {
      const reply = nextMessage();
      helperWindow.postMessage({ type, script_url: scriptURL }, '*');
      return reply;
    })
    .then(replyEvent => {
      assert_equals(replyEvent.data, expectation);
    });
}
     19 
// Runs a series of tests related to content security policy on a worklet.
//
// Usage:
// runContentSecurityPolicyTests("paint");
//
// |workletType| identifies the worklet (e.g. "paint") that the helper window
// adds modules to; it is passed through unchanged to every test.
function runContentSecurityPolicyTests(workletType) {
  // Tests are registered in suite order, so keep this list ordered.
  const suites = [runSrcTests, runMixedContentTests];
  for (const runSuite of suites) {
    runSuite(workletType);
  }
}
     28 
// script-src and worker-src tests.
//
// For each CSP header below, the helper window is asked to add a remote-origin
// worklet script in five ways (directly, through a redirect, and via
// same-origin or remote-origin imports) and must report the same outcome each
// time: the directive either blocks the remote origin or allows it.
function runSrcTests(workletType) {
  // URL of the helper window, served with |policy| as its CSP header.
  const windowURLWithPolicy = policy =>
    `resources/addmodule-window.html?pipe=header(Content-Security-Policy, ${policy})`;
  const remoteOrigin = () => get_host_info().HTTPS_REMOTE_ORIGIN;

  const kWindowConfigs = [
    {
      windowURL: windowURLWithPolicy("script-src 'self' 'unsafe-inline'"),
      crossOriginExpectation: 'REJECTED',
      message: "should be blocked by the script-src 'self' directive.",
    },
    {
      windowURL: windowURLWithPolicy(
        `script-src ${location.origin} ${remoteOrigin()} 'unsafe-inline'`),
      crossOriginExpectation: 'RESOLVED',
      message: 'should not be blocked because the script-src directive ' +
               'specifying the origin allows it.',
    },
    {
      windowURL: windowURLWithPolicy("script-src * 'unsafe-inline'"),
      crossOriginExpectation: 'RESOLVED',
      message: 'should not be blocked because the script-src * directive allows it.',
    },
    {
      // worker-src does not apply to worklets; they follow script-src, which
      // this header leaves unset, so the remote script must load.
      windowURL: windowURLWithPolicy("worker-src 'self' 'unsafe-inline'"),
      crossOriginExpectation: 'RESOLVED',
      message: 'should not be blocked by the worker-src directive ' +
               'because worklets obey the script-src directive.',
    },
  ];

  // |scriptURL| is a thunk so that get_host_info() is consulted when the test
  // runs rather than when it is registered.
  const kScriptCases = [
    {
      subject: 'A remote-origin worklet ',
      scriptURL: () => remoteOrigin() +
        '/worklets/resources/empty-worklet-script-with-cors-header.js',
    },
    {
      subject: 'A same-origin worklet importing a remote-origin script ',
      scriptURL: () => 'import-remote-origin-empty-worklet-script.sub.js',
    },
    {
      // A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
      // HTTPS_REMOTE_ORIGIN.
      subject: 'A remote-origin worklet importing a remote-origin script ',
      scriptURL: () => remoteOrigin() +
        '/worklets/resources/import-empty-worklet-script-with-cors-header.js',
    },
    {
      subject: 'A remote-origin-redirected worklet ',
      scriptURL: () => '/common/redirect.py?location=' + encodeURIComponent(
        remoteOrigin() +
        '/worklets/resources/empty-worklet-script-with-cors-header.js'),
    },
    {
      subject: 'A same-origin worklet importing a remote-origin-redirected script ',
      scriptURL: () => 'import-remote-origin-redirected-empty-worklet-script.sub.js',
    },
  ];

  for (const windowConfig of kWindowConfigs) {
    for (const scriptCase of kScriptCases) {
      promise_test(
        () => openWindowAndExpectResult(
          windowConfig.windowURL, scriptCase.scriptURL(), workletType,
          windowConfig.crossOriginExpectation),
        scriptCase.subject + windowConfig.message);
    }
  }
}
    122 
// Mixed content tests.
//
// Every case loads a worklet script from the plain-HTTP origin — directly,
// through a redirect, or via an import — and expects the addModule() call to
// be rejected. This assumes the test page itself is served over HTTPS;
// otherwise there is no mixed content to block.
function runMixedContentTests(workletType) {
  const kWindowURL = 'resources/addmodule-window.html';
  const insecureScriptURL =
    `${get_host_info().HTTP_ORIGIN}` +
    '/worklets/resources/empty-worklet-script-with-cors-header.js';

  const kScriptConfigs = [
    {
      URL: insecureScriptURL,
      message: 'An insecure-origin worklet',
    },
    {
      URL: `/common/redirect.py?location=${encodeURIComponent(insecureScriptURL)}`,
      message: 'An insecure-origin-redirected worklet',
    },
    {
      URL: 'import-insecure-origin-empty-worklet-script.sub.js',
      message: 'A same-origin worklet importing an insecure-origin script',
    },
    {
      URL: 'import-insecure-origin-redirected-empty-worklet-script.sub.js',
      message: 'A same-origin worklet importing an insecure-origin-redirected script',
    },
  ];

  for (const scriptConfig of kScriptConfigs) {
    promise_test(
      () => openWindowAndExpectResult(
        kWindowURL, scriptConfig.URL, workletType, 'REJECTED'),
      `${scriptConfig.message} should be blocked because of mixed contents.`);
  }
}