content/base/test/csp/test_CSP_bug909029.html@b8a032363ba2 (annotated)
content/base/test/csp/test_CSP_bug909029.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | <!doctype html> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Bug 909029 - CSP source-lists ignore some source expressions like 'unsafe-inline' when * or 'none' are used (e.g., style-src, script-src)</title> |
| michael@0 | 5 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 6 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
| michael@0 | 7 | </head> |
| michael@0 | 8 | <body> |
| michael@0 | 9 | <div id=content style="visibility:hidden"> |
| michael@0 | 10 | <iframe id=testframe1></iframe> |
| michael@0 | 11 | <iframe id=testframe2></iframe> |
| michael@0 | 12 | </div> |
| michael@0 | 13 | <script class="testbody" type="text/javascript"> |
| michael@0 | 14 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 15 | |
| michael@0 | 16 | window.tests = { |
| michael@0 | 17 | starExternalStylesLoaded: -1, |
| michael@0 | 18 | starExternalImgLoaded: -1, |
| michael@0 | 19 | noneExternalStylesBlocked: -1, |
| michael@0 | 20 | noneExternalImgLoaded: -1, |
| michael@0 | 21 | starInlineStyleAllowed: -1, |
| michael@0 | 22 | starInlineScriptBlocked: -1, |
| michael@0 | 23 | noneInlineStyleAllowed: -1, |
| michael@0 | 24 | noneInlineScriptBlocked: -1 |
| michael@0 | 25 | } |
| michael@0 | 26 | |
| michael@0 | 27 | function examiner() { |
| michael@0 | 28 | SpecialPowers.addObserver(this, "csp-on-violate-policy", false); |
| michael@0 | 29 | SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false); |
| michael@0 | 30 | } |
| michael@0 | 31 | examiner.prototype = { |
| michael@0 | 32 | observe: function(subject, topic, data) { |
| michael@0 | 33 | var testpat = new RegExp("testid=([a-zA-Z]+)"); |
| michael@0 | 34 | |
| michael@0 | 35 | if (topic === "specialpowers-http-notify-request") { |
| michael@0 | 36 | var uri = data; |
| michael@0 | 37 | if (!testpat.test(uri)) return; |
| michael@0 | 38 | var testid = testpat.exec(uri)[1]; |
| michael@0 | 39 | window.testResult(testid, |
| michael@0 | 40 | /Loaded/.test(testid), |
| michael@0 | 41 | "resource loaded"); |
| michael@0 | 42 | } |
| michael@0 | 43 | |
| michael@0 | 44 | if(topic === "csp-on-violate-policy") { |
| michael@0 | 45 | // these were blocked... record that they were blocked |
| michael@0 | 46 | // try because the subject could be an nsIURI or an nsISupportsCString |
| michael@0 | 47 | try { |
| michael@0 | 48 | var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); |
| michael@0 | 49 | if (!testpat.test(asciiSpec)) return; |
| michael@0 | 50 | var testid = testpat.exec(asciiSpec)[1]; |
| michael@0 | 51 | window.testResult(testid, |
| michael@0 | 52 | /Blocked/.test(testid), |
| michael@0 | 53 | "resource blocked by CSP"); |
| michael@0 | 54 | } catch(e) { |
| michael@0 | 55 | // if that fails, the subject is probably a string. Strings are only |
| michael@0 | 56 | // reported for inline and eval violations. Since we are testing those |
| michael@0 | 57 | // via the observed effects of script on CSSOM, we can simply ignore |
| michael@0 | 58 | // these subjects. |
| michael@0 | 59 | } |
| michael@0 | 60 | } |
| michael@0 | 61 | }, |
| michael@0 | 62 | |
| michael@0 | 63 | // must eventually call this to remove the listener, |
| michael@0 | 64 | // or mochitests might get borked. |
| michael@0 | 65 | remove: function() { |
| michael@0 | 66 | SpecialPowers.removeObserver(this, "csp-on-violate-policy"); |
| michael@0 | 67 | SpecialPowers.removeObserver(this, "specialpowers-http-notify-request"); |
| michael@0 | 68 | } |
| michael@0 | 69 | } |
| michael@0 | 70 | |
| michael@0 | 71 | window.examiner = new examiner(); |
| michael@0 | 72 | |
| michael@0 | 73 | window.testResult = function(testname, result, msg) { |
| michael@0 | 74 | //dump("in testResult: testname = " + testname + "\n"); |
| michael@0 | 75 | |
| michael@0 | 76 | //test already complete.... forget it... remember the first result. |
| michael@0 | 77 | if (window.tests[testname] != -1) |
| michael@0 | 78 | return; |
| michael@0 | 79 | |
| michael@0 | 80 | window.tests[testname] = result; |
| michael@0 | 81 | is(result, true, testname + ' test: ' + msg); |
| michael@0 | 82 | |
| michael@0 | 83 | // if any test is incomplete, keep waiting |
| michael@0 | 84 | for (var v in window.tests) |
| michael@0 | 85 | if(tests[v] == -1) |
| michael@0 | 86 | return; |
| michael@0 | 87 | |
| michael@0 | 88 | // ... otherwise, finish |
| michael@0 | 89 | window.examiner.remove(); |
| michael@0 | 90 | SimpleTest.finish(); |
| michael@0 | 91 | } |
| michael@0 | 92 | |
| michael@0 | 93 | // Helpers for inline script/style checks |
| michael@0 | 94 | var black = 'rgb(0, 0, 0)'; |
| michael@0 | 95 | var green = 'rgb(0, 128, 0)'; |
| michael@0 | 96 | function getElementColorById(doc, id) { |
| michael@0 | 97 | return window.getComputedStyle(doc.contentDocument.getElementById(id)).color; |
| michael@0 | 98 | } |
| michael@0 | 99 | |
| michael@0 | 100 | function checkInlineWithStar() { |
| michael@0 | 101 | var testframe = document.getElementById('testframe1'); |
| michael@0 | 102 | window.testResult("starInlineStyleAllowed", |
| michael@0 | 103 | getElementColorById(testframe, 'inline-style') === green, |
| michael@0 | 104 | "Inline styles should be allowed (style-src 'unsafe-inline' with star)"); |
| michael@0 | 105 | window.testResult("starInlineScriptBlocked", |
| michael@0 | 106 | getElementColorById(testframe, 'inline-script') === black, |
| michael@0 | 107 | "Inline scripts should be blocked (style-src 'unsafe-inline' with star)"); |
| michael@0 | 108 | } |
| michael@0 | 109 | |
| michael@0 | 110 | function checkInlineWithNone() { |
| michael@0 | 111 | // If a directive has 'none' in addition to other sources, 'none' is ignored |
| michael@0 | 112 | // and the other sources are used. 'none' is only a valid source if it is |
| michael@0 | 113 | // used by itself. |
| michael@0 | 114 | var testframe = document.getElementById('testframe2'); |
| michael@0 | 115 | window.testResult("noneInlineStyleAllowed", |
| michael@0 | 116 | getElementColorById(testframe, 'inline-style') === green, |
| michael@0 | 117 | "Inline styles should be allowed (style-src 'unsafe-inline' with none)"); |
| michael@0 | 118 | window.testResult("noneInlineScriptBlocked", |
| michael@0 | 119 | getElementColorById(testframe, 'inline-script') === black, |
| michael@0 | 120 | "Inline scripts should be blocked (style-src 'unsafe-inline' with none)"); |
| michael@0 | 121 | } |
| michael@0 | 122 | |
| michael@0 | 123 | SpecialPowers.pushPrefEnv( |
| michael@0 | 124 | {'set':[["security.csp.speccompliant", true]]}, |
| michael@0 | 125 | function () { |
| michael@0 | 126 | document.getElementById('testframe1').src = 'file_CSP_bug909029_star.html'; |
| michael@0 | 127 | document.getElementById('testframe1').addEventListener('load', checkInlineWithStar, false); |
| michael@0 | 128 | document.getElementById('testframe2').src = 'file_CSP_bug909029_none.html'; |
| michael@0 | 129 | document.getElementById('testframe2').addEventListener('load', checkInlineWithNone, false); |
| michael@0 | 130 | } |
| michael@0 | 131 | ); |
| michael@0 | 132 | </script> |
| michael@0 | 133 | </body> |
| michael@0 | 134 | </html> |
