Add Request Blocklist test page

Add a simple test page for the Request Blocklist feature, that acts as a quick
way for folks to test and see visually if the feature is enabled and working.

Notes:
 - For detailed testing of the feature's edge-cases, see the reference tests[1].
 - For automated integration tests, prefer the Request Blocking test page[2],
   which can be used with an empty blocklist and suitable configuration to check
   that requests are being blocked as expected.
 - See corresponding configuration changes[3].

1 - https://github.com/duckduckgo/privacy-reference-tests/tree/main/request-blocklist
2 - https://privacy-test-pages.site/privacy-protections/request-blocking/
3 - duckduckgo/privacy-configuration#3990

Author: kzar

README.md

@@ -24,9 +24,11 @@ Please note that we are not taking external contributions for new test pages, bu
 We have couple of test domains, that all resolve to `privacy-test-pages.site`, which help us simulate various scenarios:
 
 - `www.first-party.site` - an alternative first-party domain used for tests that require first-party resources on other subdomains (e.g., `hsts.first-party.site`)
-- `good.third-party.site` - non-tracking third party, it's not on our blocklist and will not be blocked by our clients
-- `broken.third-party.site` - tracking third party that we can't block (e.g. due to brekage), it's on our blocklist, but it will not be blocked by our clients
-- `bad.third-party.site` - tracking third party that's on our blocklist and our clients will block
+- `good.third-party.site` - non-tracking third party domain, it's not in our blocklist and will not be blocked by our clients
+- `allowlisted.third-party.site` - non-tracking third-party domain, it's not in our blocklist and furthermore is explicitly allowlisted by the Tracker Allowlist (e.g. to prevent the Request Blocklist from applying)
+- `broken.third-party.site` - tracking third-party domain that we can't block (e.g. due to breakage), it's in our blocklist, but it will not be blocked by our clients (default action "ignore")
+- `bad.third-party.site` - tracking third-party domain that's in our blocklist and our clients will block
+
 
 We also have additional domains specifically for the Ad Attribution tests hosted [here](https://www.search-company.site):
 

index.html

@@ -67,7 +67,8 @@ <h2>Security</h2>
 <h2>Privacy Protections Tests</h2>
 
 <ul>
-	<li><a href='./privacy-protections/request-blocking/'>Request blocking</a></li>
+	<li><a href='./privacy-protections/request-blocking/'>Tracker Blocking</a> - verifies blocking of many different types of tracking requests</li>
+	<li><a href='./privacy-protections/request-blocklist/'>Request Blocklist</a> - verifies blocking (and allowing) of requests via the privacy config</li>
 	<li><a href='./privacy-protections/fingerprinting/'>Fingerprinting</a></li>
 	<li><a href='./privacy-protections/fingerprinting/canvas.html'>Fingerprinting canvas verification</a></li>
 	<li><a href='./privacy-protections/storage-blocking/'>Storage blocking</a></li>

privacy-protections/request-blocklist/blocked-fail.png

@@ -0,0 +1,136 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width">
+  <title>Request Blocklist test page</title>
+
+  <style>
+    #notes { margin-bottom: 20px; }
+    #notes > * { margin: 0; font-style: italic; }
+    table { border-collapse: collapse; }
+    td { margin: 0; padding: 0px; width: 200px; height: 100px; border: 1px #000 solid; }
+    img, iframe { display: block; width: 100%; height: 100%; margin: 0; padding: 0; border: 0; }
+    .allow { background-color: red; background-image: url("./blocked-fail.png"); }
+    .block { background-color: green; background-image: url("./blocked-pass.png");}
+  </style>
+</head>
+<body>
+  <p><a href="../index.html">[Home]</a></p>
+
+  <p>
+    Simple test page that serves as a quick visual test to show if the Request
+    Blocklist feature is active and working.
+  </p>
+
+  <p>
+    Test cases are shown as green if they are blocked/allowed as expected, and
+    shown as red otherwise. Where possible, "Loaded"/"Blocked" text is also
+    shown.
+  </p>
+
+  <section id="notes">
+    <p><b>Notes:</b></p>
+    <ul>
+      <li>
+        Some browsers will display blocked frames as white/grey, instead of the
+        green/red background that we want. Consider that a pass for the
+        "Blocked ..." test cases, and a fail for the others.
+      </li>
+      <li>
+        For automated integration tests, prefer the
+        <a href="../request-blocking/">Request Blocking Test Page</a>. An empty
+        blocklist + suitable Request Blocklist configuration can be used to test
+        the feature.
+      </li>
+    </ul>
+  </section>
+
+  <table>
+    <thead>
+      <tr>
+        <th>Test result</th>
+        <th>Description</th>
+      </tr>
+    </thead>
+    <tbody>
+      <tr>
+        <td class="block">
+          <img src="./loaded-fail.png?block=true"
+               class="block">
+        </td>
+        <td>
+          Blocked first-party image
+        </td>
+      </tr>
+      <tr>
+        <td class="block">
+          <img src="https://third-party.site/privacy-protections/request-blocklist/loaded-fail.png?block=true"
+               class="block">
+        </td>
+        <td>
+          Blocked third-party image
+        </td>
+      </tr>
+      <tr>
+        <td class="block">
+          <iframe src="./loaded-fail.html?block=true"
+                  class="block">
+          </iframe>
+        </td>
+        <td>
+          Blocked first-party frame
+        </td>
+      </tr>
+      <tr>
+        <td class="block">
+          <iframe src="https://third-party.site/privacy-protections/request-blocklist/loaded-fail.html?block=true"
+                  class="block">
+          </iframe>
+        </td>
+        <td>
+          Blocked third-party frame
+        </td>
+      </tr>
+      <tr>
+        <td class="allow">
+          <img src="./loaded-pass.png?block=false"
+               class="allow">
+        </td>
+        <td>
+          Unblocked first-party image
+        </td>
+      </tr>
+      <tr>
+        <td class="allow">
+          <iframe src="./loaded-pass.html?block=false"
+                  class="allow">
+          </iframe>
+        </td>
+        <td>
+          Unblocked first-party frame
+        </td>
+      </tr>
+      <tr>
+        <td class="allow">
+          <img src="https://allowlisted.third-party.site/privacy-protections/request-blocklist/loaded-pass.png?block=true"
+               class="allow">
+        </td>
+        <td>
+          Allowlisted third-party image
+        </td>
+      </tr>
+      <tr>
+        <td class="allow">
+          <iframe src="https://allowlisted.third-party.site/privacy-protections/request-blocklist/loaded-pass.html?block=true"
+                  class="allow">
+          </iframe>
+        </td>
+        <td>
+          Allowlisted third-party frame
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</body>
+</html>

privacy-protections/request-blocklist/blocked-pass.png

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <style>
+     body { background-color: red; color: white; }
+     h1 { font-size: 40px; font-family: sans-serif; font-weight: normal; text-align: center; }
+    </style>
+  <body>
+    <h1>Loaded</h1>
+  </body>
+</html>

privacy-protections/request-blocklist/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <style>
+     body { background-color: green; color: white; }
+     h1 { font-size: 40px; font-family: sans-serif; font-weight: normal; text-align: center; }
+    </style>
+  <body>
+    <h1>Loaded</h1>
+  </body>
+</html>