content/base/test/csp/test_CSP_bug888172.html@b8a032363ba2 (annotated)
content/base/test/csp/test_CSP_bug888172.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Bug 888172 - CSP 1.0 does not process 'unsafe-inline' or 'unsafe-eval' for default-src</title> |
| michael@0 | 5 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 6 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
| michael@0 | 7 | </head> |
| michael@0 | 8 | <body> |
| michael@0 | 9 | <p id="display"></p> |
| michael@0 | 10 | <div id="content" style="display: none"> |
| michael@0 | 11 | </div> |
| michael@0 | 12 | |
| michael@0 | 13 | <iframe style="width:100%;" id='testframe1'></iframe> |
| michael@0 | 14 | <iframe style="width:100%;" id='testframe2'></iframe> |
| michael@0 | 15 | <iframe style="width:100%;" id='testframe3'></iframe> |
| michael@0 | 16 | <script class="testbody" type="text/javascript"> |
| michael@0 | 17 | |
| michael@0 | 18 | ////////////////////////////////////////////////////////////////////// |
| michael@0 | 19 | // set up and go |
| michael@0 | 20 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 21 | |
| michael@0 | 22 | // utilities for check functions |
| michael@0 | 23 | // black means the style wasn't applied, applied styles are green |
| michael@0 | 24 | var green = 'rgb(0, 128, 0)'; |
| michael@0 | 25 | var black = 'rgb(0, 0, 0)'; |
| michael@0 | 26 | |
| michael@0 | 27 | function getElementColorById(doc, id) { |
| michael@0 | 28 | return window.getComputedStyle(doc.contentDocument.getElementById(id)).color; |
| michael@0 | 29 | } |
| michael@0 | 30 | |
| michael@0 | 31 | // We test both script and style execution by observing changes in computed styles |
| michael@0 | 32 | function checkDefaultSrcOnly() { |
| michael@0 | 33 | var testframe = document.getElementById('testframe1'); |
| michael@0 | 34 | |
| michael@0 | 35 | ok(getElementColorById(testframe, 'unsafe-inline-script') === green, "Inline script should be allowed"); |
| michael@0 | 36 | ok(getElementColorById(testframe, 'unsafe-eval-script') === green, "Eval should be allowed"); |
| michael@0 | 37 | ok(getElementColorById(testframe, 'unsafe-inline-style') === green, "Inline style should be allowed"); |
| michael@0 | 38 | } |
| michael@0 | 39 | |
| michael@0 | 40 | function checkDefaultSrcWithScriptSrc() { |
| michael@0 | 41 | var testframe = document.getElementById('testframe2'); |
| michael@0 | 42 | |
| michael@0 | 43 | ok(getElementColorById(testframe, 'unsafe-inline-script') === black, "Inline script should be blocked"); |
| michael@0 | 44 | ok(getElementColorById(testframe, 'unsafe-eval-script') === black, "Eval should be blocked"); |
| michael@0 | 45 | ok(getElementColorById(testframe, 'unsafe-inline-style') === green, "Inline style should be allowed"); |
| michael@0 | 46 | } |
| michael@0 | 47 | |
| michael@0 | 48 | function checkDefaultSrcWithStyleSrc() { |
| michael@0 | 49 | var testframe = document.getElementById('testframe3'); |
| michael@0 | 50 | |
| michael@0 | 51 | ok(getElementColorById(testframe, 'unsafe-inline-script') === green, "Inline script should be allowed"); |
| michael@0 | 52 | ok(getElementColorById(testframe, 'unsafe-eval-script') === green, "Eval should be allowed"); |
| michael@0 | 53 | ok(getElementColorById(testframe, 'unsafe-inline-style') === black, "Inline style should be blocked"); |
| michael@0 | 54 | |
| michael@0 | 55 | // last test calls finish |
| michael@0 | 56 | SimpleTest.finish(); |
| michael@0 | 57 | } |
| michael@0 | 58 | |
| michael@0 | 59 | SpecialPowers.pushPrefEnv( |
| michael@0 | 60 | {'set':[["security.csp.speccompliant", true]]}, |
| michael@0 | 61 | function () { |
| michael@0 | 62 | document.getElementById('testframe1').src = 'file_CSP_bug888172.sjs?csp=' + |
| michael@0 | 63 | escape("default-src 'self' 'unsafe-inline' 'unsafe-eval'"); |
| michael@0 | 64 | document.getElementById('testframe1').addEventListener('load', checkDefaultSrcOnly, false); |
| michael@0 | 65 | |
| michael@0 | 66 | document.getElementById('testframe2').src = 'file_CSP_bug888172.sjs?csp=' + |
| michael@0 | 67 | escape("default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self'"); |
| michael@0 | 68 | document.getElementById('testframe2').addEventListener('load', checkDefaultSrcWithScriptSrc, false); |
| michael@0 | 69 | |
| michael@0 | 70 | document.getElementById('testframe3').src = 'file_CSP_bug888172.sjs?csp=' + |
| michael@0 | 71 | escape("default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'"); |
| michael@0 | 72 | document.getElementById('testframe3').addEventListener('load', checkDefaultSrcWithStyleSrc, false); |
| michael@0 | 73 | } |
| michael@0 | 74 | ); |
| michael@0 | 75 | </script> |
| michael@0 | 76 | </pre> |
| michael@0 | 77 | </body> |
| michael@0 | 78 | </html> |
