
Privacy Test Pages

🛡 Collection of pages for testing various privacy and security features of browsers and browser extensions.

How to use it?

The site with all tests is live here. All tests run either on page load or provide instructions on how to run them.

Privacy Protections Tests

These tests require clicking a button to start by default, but they can be run immediately on page load by loading the page with a ?run query or by calling the global runTests() function. Results from these pages are available in the global results object, which can be downloaded as JSON using the "download results" button.

Contributing

Please note that we are not taking external contributions for new test pages, but we welcome all bug reports.

How to create a new test?

  • Templates for both simple and complex tests (Privacy Protections Tests) can be found in the TEMPLATES directory.
  • Please remember to link new test page from index.html.
  • Once you have a PR with a new page please assign it to one of the AoR DRIs (@kdzwinel, @jonathanKingston).

Test domains

We have a couple of test domains that all resolve to privacy-test-pages.glitch.me and help us simulate various scenarios:

  • www.first-party.site - an alternative first-party domain used for tests that require first-party resources on other subdomains (e.g., hsts.first-party.site)
  • good.third-party.site - non-tracking third party, it's not on our blocklist and will not be blocked by our clients
  • broken.third-party.site - tracking third party that we can't block (e.g. due to breakage), it's on our blocklist, but it will not be blocked by our clients
  • bad.third-party.site - tracking third party that's on our blocklist and our clients will block

How to test it locally

If you are working on a simple page, you can start any local server (e.g. python3 -m http.server 8000, or python -m SimpleHTTPServer 8000 on Python 2) in the main folder of the project.

Test pages with a server-side component

Some test pages have a server-side component that must run using our custom server. First, install the dependencies (npm install) and then start the server via node server.js.

Test pages that require HTTPS

Some test pages (i.e., privacy-protections/storage-partitioning/) require HTTPS and must load over real hostnames. This requires additional dependencies and machine/browser configuration.

Setting up local test domains

Many of the test pages can be visited via http://localhost, but browsers sometimes treat localhost differently than they would a real hostname (e.g., example.com). For example, it's not possible to register HSTS on localhost, even when loading over HTTPS.

If you're using Firefox, you can use a pref to force hostnames to resolve to 127.0.0.1:

  1. Go to about:config
  2. Set network.dns.localDomains to first-party.example,hsts.first-party.example,third-party.example.

If you're testing in a browser other than Firefox, you'll have to edit your OS's hosts file to add the following lines:

# Privacy Test Pages (https://github.com/duckduckgo/privacy-test-pages)
127.0.0.1 first-party.example
127.0.0.1 hsts.first-party.example
127.0.0.1 third-party.example

Unfortunately, neither of these approaches supports wildcard subdomains, so you will need to add new subdomains as required by your tests.
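A quick way to confirm the hosts-file setup above before running tests, as an added example that is not part of the project's code: it parses hosts-file text and reports which of the README's test hostnames are missing or mapped to something other than 127.0.0.1. The function names and the sample hosts content are constructed for illustration.

```javascript
// Hostnames the README asks you to map to 127.0.0.1.
const REQUIRED = ['first-party.example', 'hsts.first-party.example', 'third-party.example'];

// Constructed sample hosts file (not taken from a real machine).
const SAMPLE = [
  '127.0.0.1 localhost',
  '# Privacy Test Pages',
  '127.0.0.1\tfirst-party.example third-party.example # two names, one line',
  '127.0.0.1 *.first-party.example  # wildcard: a literal name, matches nothing',
  '10.0.0.5 Third-Party.example     # stale entry pointing off-box'
].join('\n');

// Parse hosts-file text into a Map of lower-cased hostname -> [addresses].
function parseHosts (text) {
  const map = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.split('#')[0].trim(); // strip comments and blank lines
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    for (const name of names) {
      const key = name.toLowerCase(); // hostnames are case-insensitive
      if (!map.has(key)) map.set(key, []);
      map.get(key).push(addr);
    }
  }
  return map;
}

// missing: no entry at all; wrong: at least one entry is not 127.0.0.1.
function checkHosts (text, required = REQUIRED) {
  const map = parseHosts(text);
  const missing = [];
  const wrong = [];
  for (const host of required) {
    const addrs = map.get(host.toLowerCase());
    if (!addrs) missing.push(host);
    else if (addrs.some(a => a !== '127.0.0.1')) wrong.push(host);
  }
  return { missing, wrong };
}

console.log(checkHosts(SAMPLE));
```

To check a real machine, pass the contents of the OS hosts file (for example /etc/hosts on macOS and Linux) to checkHosts, extending the required list with any extra subdomains your tests use.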

Adding HTTPS support for test domains

On macOS:

brew install mkcert
brew install nss # if you use Firefox

Next, run the following command to make your OS cert store and Firefox's cert store trust your cert:

mkcert -install

Then, in the root directory of privacy-test-pages, run:

mkcert first-party.example "*.first-party.example" third-party.example "*.third-party.example"

This will generate two files (first-party.example+3-key.pem and first-party.example+3.pem) in the root directory. Express will automatically pick these up when you start the server (node server.js).

How to deploy it?

After a PR is merged, test pages are automatically deployed to Glitch (code) and GitHub Pages (legacy).