The Tor Browser / annotate

content/base/test/csp/test_CSP_bug916446.html@b8a032363ba2 (annotated)

content/base/test/csp/test_CSP_bug916446.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 <!DOCTYPE HTML>
michael@0 2 <html>
michael@0 3 <head>
michael@0 4 <title>Test for Bug 916446</title>
michael@0 5 <!--
michael@0 6 test that an invalid report-only policy (a stripped down version of what
michael@0 7 web.tweetdeck.com was serving) defaults to "default-src 'none'" but only
michael@0 8 sends reports and is not accidentally enforced
michael@0 9 -->
michael@0 10 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
michael@0 11 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
michael@0 12 </head>
michael@0 13 <body>
michael@0 14 <iframe style="width:200px;height:200px;" id='testframe'></iframe>
michael@0 15
michael@0 16 <script class="testbody" type="text/javascript">
michael@0 17
michael@0 18 // This is used to watch the blocked data bounce off CSP and allowed data
michael@0 19 // get sent out to the wire.
michael@0 20 function examiner() {
michael@0 21 SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
michael@0 22 SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
michael@0 23 }
michael@0 24 examiner.prototype = {
michael@0 25 completedTests: 0,
michael@0 26 totalTests: 4,
michael@0 27
michael@0 28 observe: function(subject, topic, data) {
michael@0 29 var testpat = new RegExp("testid=([a-z0-9_]+)");
michael@0 30
michael@0 31 if (topic === "specialpowers-http-notify-request") {
michael@0 32 // these things were allowed by CSP
michael@0 33 var uri = data;
michael@0 34 if (!testpat.test(uri)) return;
michael@0 35 var testid = testpat.exec(uri)[1];
michael@0 36 if (testid === "img_bad") {
michael@0 37 // img_bad should be *allowed* because the policy is report-only
michael@0 38 ok(true, "Inline scripts should execute (because the policy is report-only)");
michael@0 39 this.completedTests++;
michael@0 40 }
michael@0 41 }
michael@0 42
michael@0 43 if(topic === "csp-on-violate-policy") {
michael@0 44 // these were blocked
michael@0 45 try {
michael@0 46 var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
michael@0 47 if (!testpat.test(asciiSpec)) return;
michael@0 48 var testid = testpat.exec(asciiSpec)[1];
michael@0 49 if (testid === "img_bad") {
michael@0 50 ok(true, "External loads should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
michael@0 51 this.completedTests++;
michael@0 52 }
michael@0 53 } catch (e) {
michael@0 54 // if that fails, the subject is probably a string
michael@0 55 violation_msg = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
michael@0 56 if (/Inline Scripts will not execute/.test(violation_msg)) {
michael@0 57 ok(true, "Inline scripts should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
michael@0 58 this.completedTests++;
michael@0 59 }
michael@0 60 }
michael@0 61 }
michael@0 62 },
michael@0 63
michael@0 64 // must eventually call this to remove the listener,
michael@0 65 // or mochitests might get borked.
michael@0 66 remove: function() {
michael@0 67 SpecialPowers.removeObserver(this, "csp-on-violate-policy");
michael@0 68 SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
michael@0 69 }
michael@0 70 }
michael@0 71
michael@0 72 window.examiner = new examiner();
michael@0 73
michael@0 74 function checkInlineScriptExecuted() {
michael@0 75 var green = 'rgb(0, 128, 0)';
michael@0 76 var black = 'rgb(0, 0, 0)';
michael@0 77 var that = this;
michael@0 78 function getElementColorById(id) {
michael@0 79 return window.getComputedStyle(that.contentDocument.getElementById(id)).color;
michael@0 80 }
michael@0 81 if (getElementColorById('inline-script') === green) {
michael@0 82 ok(true, "Inline scripts should execute (because the policy is report-only)");
michael@0 83 window.examiner.completedTests++;
michael@0 84 }
michael@0 85
michael@0 86 waitToFinish();
michael@0 87 }
michael@0 88
michael@0 89 function waitToFinish() {
michael@0 90 setTimeout(function wait() {
michael@0 91 if (window.examiner.completedTests < window.examiner.totalTests) {
michael@0 92 waitToFinish();
michael@0 93 } else {
michael@0 94 // Cleanup
michael@0 95 window.examiner.remove();
michael@0 96 SimpleTest.finish();
michael@0 97 }
michael@0 98 }, 10);
michael@0 99 }
michael@0 100
michael@0 101 SimpleTest.waitForExplicitFinish();
michael@0 102
michael@0 103 SpecialPowers.pushPrefEnv(
michael@0 104 {'set':[["security.csp.speccompliant", false]]},
michael@0 105 function() {
michael@0 106 var testframe = document.getElementById('testframe');
michael@0 107 testframe.src = 'file_CSP_bug916446.html';
michael@0 108 testframe.addEventListener('load', checkInlineScriptExecuted);
michael@0 109 }
michael@0 110 );
michael@0 111 </script>
michael@0 112 </pre>
michael@0 113 </body>
michael@0 114 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial