content/base/test/csp/test_CSP.html@6474c204b198 (annotated)
content/base/test/csp/test_CSP.html
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Test for Content Security Policy Connections</title> |
| michael@0 | 5 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 6 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
| michael@0 | 7 | </head> |
| michael@0 | 8 | <body> |
| michael@0 | 9 | <p id="display"></p> |
| michael@0 | 10 | <div id="content" style="display: none"> |
| michael@0 | 11 | </div> |
| michael@0 | 12 | <iframe style="width:200px;height:200px;" id='cspframe'></iframe> |
| michael@0 | 13 | <iframe style="width:200px;height:200px;" id='cspframe2'></iframe> |
| michael@0 | 14 | <script class="testbody" type="text/javascript"> |
| michael@0 | 15 | |
| michael@0 | 16 | var path = "/tests/content/base/test/csp/"; |
| michael@0 | 17 | |
| michael@0 | 18 | // These are test results: -1 means it hasn't run, |
| michael@0 | 19 | // true/false is the pass/fail result. |
| michael@0 | 20 | window.tests = { |
| michael@0 | 21 | img_good: -1, |
| michael@0 | 22 | img_bad: -1, |
| michael@0 | 23 | style_good: -1, |
| michael@0 | 24 | style_bad: -1, |
| michael@0 | 25 | frame_good: -1, |
| michael@0 | 26 | frame_bad: -1, |
| michael@0 | 27 | script_good: -1, |
| michael@0 | 28 | script_bad: -1, |
| michael@0 | 29 | xhr_good: -1, |
| michael@0 | 30 | xhr_bad: -1, |
| michael@0 | 31 | media_good: -1, |
| michael@0 | 32 | media_bad: -1, |
| michael@0 | 33 | font_good: -1, |
| michael@0 | 34 | font_bad: -1, |
| michael@0 | 35 | object_good: -1, |
| michael@0 | 36 | object_bad: -1, |
| michael@0 | 37 | img_spec_compliant_good: -1, |
| michael@0 | 38 | img_spec_compliant_bad: -1, |
| michael@0 | 39 | style_spec_compliant_good: -1, |
| michael@0 | 40 | style_spec_compliant_bad: -1, |
| michael@0 | 41 | frame_spec_compliant_good: -1, |
| michael@0 | 42 | frame_spec_compliant_bad: -1, |
| michael@0 | 43 | script_spec_compliant_good: -1, |
| michael@0 | 44 | script_spec_compliant_bad: -1, |
| michael@0 | 45 | xhr_spec_compliant_good: -1, |
| michael@0 | 46 | xhr_spec_compliant_bad: -1, |
| michael@0 | 47 | media_spec_compliant_good: -1, |
| michael@0 | 48 | media_spec_compliant_bad: -1, |
| michael@0 | 49 | font_spec_compliant_good: -1, |
| michael@0 | 50 | font_spec_compliant_bad: -1, |
| michael@0 | 51 | object_spec_compliant_good: -1, |
| michael@0 | 52 | object_spec_compliant_bad: -1, |
| michael@0 | 53 | }; |
| michael@0 | 54 | |
| michael@0 | 55 | // This is used to watch the blocked data bounce off CSP and allowed data |
| michael@0 | 56 | // get sent out to the wire. |
| michael@0 | 57 | function examiner() { |
| michael@0 | 58 | SpecialPowers.addObserver(this, "csp-on-violate-policy", false); |
| michael@0 | 59 | SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false); |
| michael@0 | 60 | } |
| michael@0 | 61 | examiner.prototype = { |
| michael@0 | 62 | observe: function(subject, topic, data) { |
| michael@0 | 63 | var testpat = new RegExp("testid=([a-z0-9_]+)"); |
| michael@0 | 64 | |
| michael@0 | 65 | //_good things better be allowed! |
| michael@0 | 66 | //_bad things better be stopped! |
| michael@0 | 67 | |
| michael@0 | 68 | // This is a special observer topic that is proxied from |
| michael@0 | 69 | // http-on-modify-request in the parent process to inform us when a URI is |
| michael@0 | 70 | // loaded |
| michael@0 | 71 | if (topic === "specialpowers-http-notify-request") { |
| michael@0 | 72 | var uri = data; |
| michael@0 | 73 | if (!testpat.test(uri)) return; |
| michael@0 | 74 | var testid = testpat.exec(uri)[1]; |
| michael@0 | 75 | |
| michael@0 | 76 | window.testResult(testid, |
| michael@0 | 77 | /_good/.test(testid), |
| michael@0 | 78 | uri + " allowed by csp"); |
| michael@0 | 79 | } |
| michael@0 | 80 | |
| michael@0 | 81 | if (topic === "csp-on-violate-policy") { |
| michael@0 | 82 | // these were blocked... record that they were blocked |
| michael@0 | 83 | var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); |
| michael@0 | 84 | if (!testpat.test(asciiSpec)) return; |
| michael@0 | 85 | var testid = testpat.exec(asciiSpec)[1]; |
| michael@0 | 86 | window.testResult(testid, |
| michael@0 | 87 | /_bad/.test(testid), |
| michael@0 | 88 | asciiSpec + " blocked by \"" + data + "\""); |
| michael@0 | 89 | } |
| michael@0 | 90 | }, |
| michael@0 | 91 | |
| michael@0 | 92 | // must eventually call this to remove the listener, |
| michael@0 | 93 | // or mochitests might get borked. |
| michael@0 | 94 | remove: function() { |
| michael@0 | 95 | SpecialPowers.removeObserver(this, "csp-on-violate-policy"); |
| michael@0 | 96 | SpecialPowers.removeObserver(this, "specialpowers-http-notify-request"); |
| michael@0 | 97 | } |
| michael@0 | 98 | } |
| michael@0 | 99 | |
| michael@0 | 100 | window.examiner = new examiner(); |
| michael@0 | 101 | |
| michael@0 | 102 | window.testResult = function(testname, result, msg) { |
| michael@0 | 103 | //test already complete.... forget it... remember the first result. |
| michael@0 | 104 | if (window.tests[testname] != -1) |
| michael@0 | 105 | return; |
| michael@0 | 106 | |
| michael@0 | 107 | window.tests[testname] = result; |
| michael@0 | 108 | is(result, true, testname + ' test: ' + msg); |
| michael@0 | 109 | |
| michael@0 | 110 | // if any test is incomplete, keep waiting |
| michael@0 | 111 | for (var v in window.tests) |
| michael@0 | 112 | if(tests[v] == -1) |
| michael@0 | 113 | return; |
| michael@0 | 114 | |
| michael@0 | 115 | // ... otherwise, finish |
| michael@0 | 116 | window.examiner.remove(); |
| michael@0 | 117 | SimpleTest.finish(); |
| michael@0 | 118 | } |
| michael@0 | 119 | |
| michael@0 | 120 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 121 | |
| michael@0 | 122 | SpecialPowers.pushPrefEnv( |
| michael@0 | 123 | {'set':[["security.csp.speccompliant", true], |
| michael@0 | 124 | // This defaults to 0 ("preload none") on mobile (B2G/Android), which |
| michael@0 | 125 | // blocks loading the resource until the user interacts with a |
| michael@0 | 126 | // corresponding widget, which breaks the media_* tests. We set it |
| michael@0 | 127 | // back to the default used by desktop Firefox to get consistent |
| michael@0 | 128 | // behavior. |
| michael@0 | 129 | ["media.preload.default", 2]]}, |
| michael@0 | 130 | function() { |
| michael@0 | 131 | // save this for last so that our listeners are registered. |
| michael@0 | 132 | // ... this loads the testbed of good and bad requests. |
| michael@0 | 133 | document.getElementById('cspframe').src = 'file_CSP_main.html'; |
| michael@0 | 134 | document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html'; |
| michael@0 | 135 | }); |
| michael@0 | 136 | </script> |
| michael@0 | 137 | </pre> |
| michael@0 | 138 | </body> |
| michael@0 | 139 | </html> |
