<!--
  Fixture page for dev-server file-access checks. Judging by the /@fs/ prefix
  this looks like a Vite fs-serve playground; confirm against the repo layout.
  Every <pre> below starts empty and is filled in by the module script at the
  bottom of this page. Each request has a "-status" element for the HTTP status
  and, where the body is read, a second element for the body. The "Unsafe" and
  "Denied" sections are the negative cases: the server is expected to refuse them.
  Only the exact paths requested by the script are checked here; this page is
  not exhaustive coverage of the access policy.
-->
<link rel="icon" href="/src/favicon.ico" />
<!-- Positive control: values obtained through a regular module import. -->
<h2>Normal Import</h2>
<pre class="full"></pre>
<pre class="named"></pre>
<!-- Files requested over HTTP from inside the allowed directory. -->
<h2>Safe Fetch</h2>
<pre class="safe-fetch-status"></pre>
<pre class="safe-fetch"></pre>
<h2>Safe Fetch Subdirectory</h2>
<pre class="safe-fetch-subdir-status"></pre>
<pre class="safe-fetch-subdir"></pre>
<!-- File requested from outside the allowed directory. -->
<h2>Unsafe Fetch</h2>
<pre class="unsafe-fetch-status"></pre>
<pre class="unsafe-fetch"></pre>
<!-- Same checks through the /@fs/ absolute-path route. -->
<h2>Safe /@fs/ Fetch</h2>
<pre class="safe-fs-fetch-status"></pre>
<pre class="safe-fs-fetch"></pre>
<h2>Unsafe /@fs/ Fetch</h2>
<pre class="unsafe-fs-fetch-status"></pre>
<pre class="unsafe-fs-fetch"></pre>
<!-- NOTE(review): nothing in this page's script writes to .nested-entry;
     presumably the imported entry module fills it in. Confirm. -->
<h2>Nested Entry</h2>
<pre class="nested-entry"></pre>
<!-- Only a status is shown for the .env request; its body is never rendered. -->
<h2>Denied</h2>
<pre class="unsafe-dotenv"></pre>
<script type="module">
import '../../entry'
import json, { msg } from '../../safe.json'
// Positive control: safe.json reached the page through the module graph
// (the import above), not through a raw file request. Show the whole default
// export and the named `msg` export.
const serialized = JSON.stringify(json)
text('.full', serialized)
text('.named', msg)
// Allowed case: /src/safe.txt is inside the allowed directory, so this
// request is expected to succeed. Status and body go into separate elements
// (presumably read back by the test harness). There is no .catch() here, so a
// failure surfaces as an unhandled rejection instead of being swallowed.
fetch('/src/safe.txt')
  .then((res) => {
    text('.safe-fetch-status', res.status)
    return res.text()
  })
  .then((body) => text('.safe-fetch', JSON.stringify(body)))
// Allowed case, one level down: a file in a subdirectory of the allowed
// directory is expected to be served as well. As with the request for
// /src/safe.txt, there is no .catch(), so a failure is not swallowed.
fetch('/src/subdir/safe.txt')
  .then((res) => {
    text('.safe-fetch-subdir-status', res.status)
    return res.text()
  })
  .then((body) => text('.safe-fetch-subdir', JSON.stringify(body)))
// Negative case: /unsafe.txt lies outside the allowed directory and must be
// treated as unsafe by the server. The status is recorded first. The body is
// then rendered as-is (not JSON-encoded), so whatever the server sent back is
// visible for inspection. A check on this element should confirm that the
// file's contents are absent, not only that the status signals a refusal.
fetch('/unsafe.txt')
  .then((res) => {
    text('.unsafe-fetch-status', res.status)
    return res.text()
  })
  .then((body) => text('.unsafe-fetch', body))
  // Errors are logged, not rethrown.
  .catch((err) => console.error(err))
// Allowed /@fs/ case: safe.json was already imported by this module, so the
// server should treat an absolute-path request for it as safe.
// NOTE(review): ROOT is not defined on this page; presumably an absolute
// directory path injected by the build config. Confirm.
fetch('/@fs/' + ROOT + '/safe.json')
  .then((res) => {
    text('.safe-fs-fetch-status', res.status)
    return res.json()
  })
  .then((parsed) => text('.safe-fs-fetch', JSON.stringify(parsed)))
// Negative /@fs/ case: unsafe.json was never imported and lives outside the
// root, so the absolute-path route must treat it as unsafe. The status is
// written before the body is parsed. If the refusal response is not JSON,
// res.json() rejects, the body element stays empty and the error is logged.
fetch('/@fs/' + ROOT + '/unsafe.json')
  .then((res) => {
    text('.unsafe-fs-fetch-status', res.status)
    return res.json()
  })
  .then((parsed) => text('.unsafe-fs-fetch', JSON.stringify(parsed)))
  .catch((err) => console.error(err))
// Deny-list case: .env files are denied by default. The requested path
// contains /root/, so the block is presumably down to the server's default
// deny rule and not to the allow-list boundary (confirm against the server
// config). Only the status is recorded. The body is never read, so even a
// regression would not put the file's contents on the page.
fetch('/@fs/' + ROOT + '/root/.env')
  .then((res) => text('.unsafe-dotenv', res.status))
  .catch((err) => console.error(err))
/**
 * Write a value into the first element matching a selector.
 *
 * Assigns through textContent, so a response body is rendered as plain text
 * and is never parsed as markup.
 *
 * @param {string} sel - CSS selector of the output element.
 * @param {*} text - Value to display; callers pass strings and HTTP statuses.
 * @throws {TypeError} If no element matches `sel` (querySelector returns null).
 */
function text(sel, text) {
  const target = document.querySelector(sel)
  target.textContent = text
}
</script>