Merge remote-tracking branch 'origin/main' into viewport-tests

duckduckgo · Dec 20, 2023 · 8e3feb7 · 8e3feb7
2 parents b58660e + 5b3f123
commit 8e3feb7
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 6 deletions.
diff --git a/privacy-protections/surrogates/index.html b/privacy-protections/surrogates/index.html
@@ -28,7 +28,7 @@
 </head>
 <p><a href="../../">[Home]</a> ↣ <a href="../">[Privacy Protections Tests]</a> ↣ <strong>[Surrogates Test Page]</strong></p>
 
-<p>This page tests if surrogate script for google-analytics.com/analytics.js is being loaded. This page expects <a href='https://github.com/duckduckgo/tracker-surrogates/blob/main/surrogates/analytics.js'>specific surrogate</a> to be loaded.</p>
+<p>This page tests that requests to google-analytics.com/analytics.js are redirected to the <a href='https://github.com/duckduckgo/tracker-surrogates/blob/main/surrogates/analytics.js'>analytics.js surrogate script</a>. The page also tests some related edge-cases. Note: "request failed" is expected for some test cases, but green always indicates a test success and red a test failure.</p>
 <table id='results-table'>
     <tr><th>Description</th><th>Loaded</th></tr>
 </table>

diff --git a/privacy-protections/surrogates/main.js b/privacy-protections/surrogates/main.js
@@ -1,3 +1,6 @@
+const GREEN = '#71bf69';
+const RED = '#f97268';
+
 const results = {
     page: 'surrogates',
     date: (new Date()).toUTCString(),
@@ -11,10 +14,14 @@ function updateTable ({ name, testData, error }) {
     const descriptionCell = row.insertCell(0);
     const testCell = row.insertCell(1);
 
+    const requestFailExpected = testData.expectedResult === 'failed';
+    const requestLoadedColor = requestFailExpected ? RED : GREEN;
+    const requestFailedColor = requestFailExpected ? GREEN : RED;
+
     // set default values and colors
     descriptionCell.innerText = testData.notes;
     testCell.innerText = 'request failed';
-    testCell.style.backgroundColor = '#f97268';
+    testCell.style.backgroundColor = requestFailedColor;
 
     const result = {
         id: name,
@@ -27,7 +34,7 @@ function updateTable ({ name, testData, error }) {
         if (testResult) {
             result.loaded = true;
             testCell.innerText = 'surrogate loaded';
-            testCell.style.backgroundColor = '#71bf69';
+            testCell.style.backgroundColor = requestLoadedColor;
         } else {
             testCell.innerText = 'surrogate not loaded';
         }
@@ -61,13 +68,15 @@ const surrogates = {
         url: 'https://google-analytics.com/analytics.js',
         notes: 'Loading surrogate in the main frame.',
         test: checkSurrogate,
+        expectedResult: 'loaded',
         cleanUp: () => { delete window.ga; }
     },
     'cross-origin': {
         url: 'https://google-analytics.com/analytics.js',
         crossOrigin: 'anonymous',
         notes: 'Loading surrogate with crossOrigin=anonymous set.',
         test: checkSurrogate,
+        expectedResult: 'loaded',
         cleanUp: () => { delete window.ga; }
     },
     'integrity-check': {
@@ -76,12 +85,14 @@ const surrogates = {
         integrity: 'sha512-1xNTXD/ZeaKg/Xjb6De9la7CXo5gC1lMk+beyKo691KJrjlj0HbZG6frzK0Wo6bm96i9Cp6w/WB4vSN/8zDBLQ==',
         notes: 'Loading surrogate with integrity=sha512-… set.',
         test: checkSurrogate,
+        expectedResult: 'failed',
         cleanUp: () => { delete window.ga; }
     },
     'direct-access': {
         url: 'chrome-extension://bkdgflcldnnnapblkhphbgpggdiikppg/web_accessible_resources/analytics.js',
         notes: 'Chromium only - it should not be possible to access local surrogate file',
-        test: () => { return true; }
+        test: () => { return true; },
+        expectedResult: 'failed'
     },
     'sub-frame': {
         notes: 'Loading surrogate in an iframe.',
@@ -115,7 +126,8 @@ const surrogates = {
             });
 
             return promise;
-        }
+        },
+        expectedResult: 'loaded'
     },
     'delayed-set': {
         notes: 'Set script src after insert',

diff --git a/security/address-bar-spoofing/server/routes.js b/security/address-bar-spoofing/server/routes.js
@@ -0,0 +1,10 @@
+const express = require('express');
+const router = express.Router();
+
+// Returns a 301 redirect to a download link of our browser
+// for use in the download path test
+router.get('/download-redirect', (req, res) => {
+    res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
+});
+
+module.exports = router;
diff --git a/security/address-bar-spoofing/spoof-js-download-url.html b/security/address-bar-spoofing/spoof-js-download-url.html
@@ -11,7 +11,7 @@
       const w = open()
       w.opener = null
       w.document.write('<h1>Not DDG.</h1>')
-      w.location = 'https://tyny.to/s509a8'
+      w.location = '/security/address-bar-spoofing/download-redirect'
     }
   </script>
 </head>

diff --git a/server.js b/server.js
@@ -255,6 +255,12 @@ app.get('/redirect', (req, res) => {
     res.end();
 });
 
+// Returns a 301 redirect to a download link of our browser
+// for use in the address bar spoofing test
+app.get('/security/address-bar-spoofing/download-redirect', (req, res) => {
+    res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
+});
+
 app.use('/content-scope-scripts/', express.static('node_modules/@duckduckgo/content-scope-scripts/integration-test/test-pages/'));
 
 const blockingRoutes = require('./privacy-protections/request-blocking/server/routes');
@@ -277,3 +283,6 @@ app.use('/features/clear-data', clearDataRoutes);
 
 const viewportRoutes = require('./viewport/server/routes.js');
 app.use('/viewport', viewportRoutes);
+
+const addressBarSpoofingRoutes = require('./security/address-bar-spoofing/server/routes.js');
+app.use('/security/address-bar-spoofing', addressBarSpoofingRoutes);