Each page below attempts to load content from external domains using a specific browser mechanism. Run each page inside SecureTerminal with a managed URL that points to this server. In enforcement mode every test should show 🚫 Blocked. In training mode every test should show ✅ Loaded and appear in the training log.
http://<your-pc-ip>:5050 · Cloud: https://witness.lokblok.app
Runs every automated suite in one click and produces a diagnostic report showing exactly which filter vectors are leaking through. Use Copy Report to paste results for analysis.
20 suites · ~10 min
Tests every way a page can trigger external image loads:
<img src>, srcset, <picture>,
CSS background-image, new Image(), favicons.
External JavaScript loading via <script src>,
dynamically created script elements, ES module imports,
and import().
<link rel=stylesheet>, dynamic link elements,
@import in <style> blocks,
@font-face, and Google Fonts.
Static and dynamically created <iframe> elements
pointing to cross-origin pages. Tests sub-frame navigation interception.
JavaScript network APIs: fetch(), XMLHttpRequest,
navigator.sendBeacon(), and EventSource (SSE).
new WebSocket("wss://...") connections.
Note: Android WebView's
shouldInterceptRequest does NOT intercept WebSocket
upgrades; this page verifies that gap.
<video src>, <audio src>,
<source> inside media elements, and
<track> (subtitle) loading.
Top-level navigation attempts via <a href>,
window.location, window.open(),
and <form action>. Tests
shouldOverrideUrlLoading.
Resource hints: rel=preload, rel=prefetch,
rel=preconnect, rel=dns-prefetch, and
web app manifests.
External Worker scripts, inline blob workers that
fetch() external URLs, and SharedWorker.
Tests whether requests inside workers are intercepted.
Exhaustive test of every known escape channel: WebRTC/STUN, <a ping>,
keepalive fetch, <object>/<embed>,
location redirects, meta-refresh, CSS url(), module workers,
SharedWorker, WebTransport, Service Worker registration, and more.
Tests every CSS url() property that triggers an external sub-resource
fetch: cursor, mask-image, border-image,
list-style-image, shape-outside, filter,
image-set(), and content: pseudo-elements.
Verifies the filter evaluates the final redirect destination: 301, 302, 307, 308, multi-hop chains. Also stress-tests host canonicalization: IPv4 literals, IPv4 integer form, IPv6 literals, IDN/punycode, trailing dot, uppercase hostname, and explicit default ports.
16 tests
Tests browser-generated reporting channels: CSP report-uri,
Reporting API, NEL simulation, image beacon pixel trackers,
application/reports+json POST, performance timing exfil,
and WebSocket telemetry.
Tests the Speculation Rules API (prefetch and prerender
of external documents), legacy rel=prerender, rel=modulepreload,
cross-origin document prefetch, fetchLater(), and preload-then-use cache replay.
Tests the full SW threat surface: external script registration, same-origin SW fetch relay to external URLs, CacheStorage exfil, BackgroundSync, PeriodicBackgroundSync, push subscription endpoints, and SW controller detection.
8 tests
Tests navigation-layer egress: location.assign(),
location.replace(), meta http-equiv=refresh,
<a ping> hyperlink auditing, window.open(),
form GET/POST with target=_blank, nested iframe parent navigation,
and history.pushState + navigate.
Tests <object> and <embed> as external
fetch vectors across multiple MIME types (HTML, PNG, XML, PDF, SVG, octet-stream),
including dynamic data= reassignment after append and
data: URI objects with nested external subresources.
Full WebRTC ICE/STUN/TURN coverage: Google and Cloudflare STUN servers, TURN relay on port 80 and TURNS on port 443, DataChannel loopback, SDP candidate extraction, plus WebTransport (QUIC/HTTP3) session and datagram exfil.
10 tests
Novel channels missed by most WebView filters: DNS-over-HTTPS tunnelling
(Google + Cloudflare + wireformat), CSS Houdini worklet module loads,
XSLT document() fetch, import map URL overrides,
javascript: URI execution, null-origin iframe escapes,
URL parser confusion attacks, SVG <use>/<feImage>,
device APIs (USB/BT/Serial/NFC), Web Share, Clipboard, and timing/cache oracles.