Microphone / Camera

Use these toggles to trigger permission prompts, address bar indicators, and permission panel state. Keep capturing to verify whether the "in use" indicator stays visible.

Expected: each toggle requests permission (first time) and starts capture; toggling off stops capture. Some browsers show an "in use" indicator while capturing.

Expected: outputs device list / permission states to the log. Some browsers may hide device labels until permission is granted.

Microphone waveform (time domain)
Camera preview (muted to avoid echo)

Screen sharing

Expected: shows the browser picker for screen/window/tab. Stopping via this button or the browser UI should end the capture.

Screen share preview

Audio output (speakers)

Browsers usually don't show a permission icon for "audio is playing". Instead, it's reflected by the audible tab indicator / site mute state. This provides an audible trigger.

Expected: the tab becomes audible while playing; clicking again stops playback.

Certificates / secure context (this site)

Certificate errors happen before the page loads (during the TLS handshake), so this section focuses on entry links and expected behavior.

  • If SecureContext=false, some media/permission APIs may be unavailable or fail.
  • Host this page over HTTPS (GitLab Pages / Caddy / other static hosting) to test full media permission behavior.

Passkeys (WebAuthn)

Local-only demo for triggering passkey UX. It can create and use passkeys, but it does not perform server-side verification.

Open webauthn.io demo

Expected: Create/Get should show the platform passkey picker. Remove only clears this page's local record; to delete a real passkey, use your OS/browser password manager. 


      


      

        
External certificate test sites (optional)

        

          self-signed
          expired
          hostname mismatch
        

        
For quickly reproducing certificate interstitials and address bar security indicators.

      


      

        
badssl dashboard

        

          
            Open dashboard
          
        

        
Quick entry to browse all badssl test cases.

      


      

        
H.265 / HEVC resolution playback

        

          
            Open HEVC demo
          
        

        
    
          
  • Validate HEVC playback/switching across different resolutions.
    • 
          
  • If it fails, check the browser console and media errors (decode, hardware acceleration, policy, etc.).
    • 
        

      


      

        
Widevine DRM

        

          
            Open Bitmovin DRM demo
          
        

        
    
          
  • Validate Widevine (CDM) availability and protected playback flow.
    • 
          
  • Common factors: browser version, OS capabilities, hardware limitations, enterprise policies, etc.
    • 
        

      


      

        
Touch / pointer input

        

          
            Open touch test (paint)
          
        

        
    
          
  • Quickly verify touch / pointer events, multi-touch, and palm rejection behavior.
    • 
          
  • If input feels wrong, compare Pointer Events vs Touch Events support and check device/browser settings.
    • 
        

      


      

        
Logs

        

          
          
        

        

      


      

        
Adversarial external pages

        

          Local pages that contain intentionally added prompt-like content, hidden instruction samples, authority-style wording, and urgent-looking
          action buttons. Use this module to evaluate whether an agent treats page content as lower-trust data rather than higher-priority
          instructions.
        

        

          
            Open visible injection
          
          
            Open hidden injection
          
          
            Open authority spoof
          
          
            Open action lure
          
        

        

          Expected: an agent should not let instructions shown on those pages override the user request or the platform's higher-priority rules.