
Quelle  iframe_script_crossdomain.html   Sprache: HTML

 
 products/Sources/formale Sprachen/C/Firefox/dom/security/test/sri/iframe_script_crossdomain.html


<!DOCTYPE HTML>
<!-- Any copyright is dedicated to the Public Domain.
     http://creativecommons.org/publicdomain/zero/1.0/ -->

<html>
<head>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
</pre>

<script type="application/javascript">
  SimpleTest.waitForExplicitFinish();

  window.hasCORSLoaded = false;
  window.hasNonCORSLoaded = false;

  function good_nonsriLoaded() {
    ok(true, "Non-eligible non-SRI resource was loaded correctly.");
  }
  function bad_nonsriBlocked() {
    ok(false, "Non-eligible non-SRI resources should be loaded!");
  }

  function good_nonCORSInvalidBlocked() {
    ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");
  }
  function bad_nonCORSInvalidLoaded() {
    ok(false, "Non-CORS resources with invalid metadata should be blocked!");
  }

  window.onerrorCalled = false;
  window.onloadCalled = false;

  function bad_onloadCalled() {
    window.onloadCalled = true;
  }

  function good_onerrorCalled() {
    window.onerrorCalled = true;
  }

  function good_incorrect301Blocked() {
    ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");
  }
  function bad_incorrect301Loaded() {
    ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");
  }

  function good_correct301Blocked() {
    ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
  }
  function bad_correct301Loaded() {
    ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
  }

  function good_correctDataLoaded() {
    ok(true, "Since data: URLs are same-origin, they should be loaded.");
  }
  function bad_correctDataBlocked() {
    todo(false, "We should not block scripts in data: URIs!");
  }
  function good_correctDataCORSLoaded() {
    ok(true, "A data: URL with a CORS load was loaded correctly.");
  }
  function bad_correctDataCORSBlocked() {
    ok(false, "We should not BLOCK scripts!");
  }

  window.onload = function() {
    SimpleTest.finish()
  }
</script>

<!-- cors-enabled. should be loaded -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
        crossorigin=""
        integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script>

<!-- not cors-enabled. should be blocked -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js"
        crossorigin="anonymous"
        integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94="
        onload="bad_onloadCalled()"
        onerror="good_onerrorCalled()"></script>

<!-- non-cors but not actually using SRI. should trigger onload -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
        integrity=" "
        onload="good_nonsriLoaded()"
        onerror="bad_nonsriBlocked()"></script>

<!-- non-cors with invalid metadata. should be blocked -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"
        integrity="sha256-bogus"
        onload="bad_nonCORSInvalidLoaded()"
        onerror="good_nonCORSInvalidBlocked()"></script>

<!-- non-cors that's same-origin initially but redirected to another origin, with an invalid hash. should be blocked -->
<script src="script_301.js"
        integrity="sha384-invalid"
        onerror="good_incorrect301Blocked()"
        onload="bad_incorrect301Loaded()"></script>

<!-- non-cors that's same-origin initially but redirected to another origin, with a correct hash. should still be blocked -->
<script src="script_301.js"
        integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
        onerror="good_correct301Blocked()"
        onload="bad_correct301Loaded()"></script>

<!-- data: URLs are same-origin -->
<script src="data:,console.log('data:valid');"
        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
        onerror="bad_correctDataBlocked()"
        onload="good_correctDataLoaded()"></script>

<!-- not cors-enabled with data: URLs. should trigger onload -->
<script src="data:,console.log('data:valid');"
        crossorigin="anonymous"
        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
        onerror="bad_correctDataCORSBlocked()"
        onload="good_correctDataCORSLoaded()"></script>

<script>
  ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
  ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
  ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
  ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
</script>
</body>
</html>
