Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
michael@0 | 1 | <!DOCTYPE HTML> |
michael@0 | 2 | <html> |
michael@0 | 3 | <head> |
michael@0 | 4 | <title>Test for Content Security Policy inline stylesheets stuff</title> |
michael@0 | 5 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
michael@0 | 6 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
michael@0 | 7 | </head> |
michael@0 | 8 | <body> |
michael@0 | 9 | <p id="display"></p> |
michael@0 | 10 | <div id="content" style="display: none"> |
michael@0 | 11 | </div> |
michael@0 | 12 | |
michael@0 | 13 | <iframe style="width:100%;height:300px;" id='cspframe'></iframe> |
michael@0 | 14 | <iframe style="width:100%;height:300px;" id='cspframe2'></iframe> |
michael@0 | 15 | <iframe style="width:100%;height:300px;" id='cspframe3'></iframe> |
michael@0 | 16 | <script class="testbody" type="text/javascript"> |
michael@0 | 17 | |
// Directory holding the CSP mochitests.  Nothing in this file reads it (the
// frame pages below are assigned as bare relative paths); it appears to be
// kept only for parity with sibling tests -- TODO confirm before removing.
var path = "/tests/content/base/test/csp/";


//////////////////////////////////////////////////////////////////////
// set up and go
// The checks run asynchronously from the iframes' 'load' events, so tell the
// harness the test ends only when SimpleTest.finish() is called explicitly
// (see checkIfDone below).
SimpleTest.waitForExplicitFinish();

// Number of frames whose checks have completed; three frames are loaded and
// the test finishes on the third call to checkIfDone.
var done = 0;
michael@0 | 26 | |
michael@0 | 27 | // Our original CSP implementation does not block inline styles. |
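// Frame 1 ("cspframe") loads file_CSP_inlinestyle_main.html.  As noted above,
// the original (pre-CSP-1.0) Firefox implementation does not block inline
// styles at all, so every probed element is expected to be green -- including
// the <style> element, the style attribute and the SMIL animation targets
// that a spec-compliant policy blocks (see checkStylesSpecCompliant).
//
// Colour convention of the test pages: black (rgb(0, 0, 0)) means the style
// was not applied, green (rgb(0, 255, 0)) is used for styles expected to be
// applied, and red marks a style that was applied erroneously.
//
// evt: the iframe 'load' event; unused, the frame is looked up by id.
function checkStyles(evt) {
  var frameDoc = document.getElementById('cspframe').contentDocument;

  // Assert that element `id` inside the frame has computed `prop` === `expected`.
  // The null is getComputedStyle's pseudo-element argument; the original
  // passed it to getElementById by mistake (harmless, but misleading).
  function expectColor(id, prop, expected, label) {
    var color = window.getComputedStyle(frameDoc.getElementById(id), null)[prop];
    ok(expected === color, label + ' (' + color + ')');
  }

  var GREEN = 'rgb(0, 255, 0)';   // style applied, as expected

  expectColor('linkstylediv',   'color', GREEN, 'External Stylesheet (original CSP implementation)');
  expectColor('inlinestylediv', 'color', GREEN, 'Inline Style TAG (original CSP implementation)');
  expectColor('attrstylediv',   'color', GREEN, 'Style Attribute (original CSP implementation)');
  // SMIL tests
  expectColor('xmlTest',             'fill', GREEN, 'XML Attribute styling (SMIL)');
  expectColor('cssOverrideTest',     'fill', GREEN, 'CSS Override styling (SMIL)');
  expectColor('cssOverrideTestById', 'fill', GREEN, 'CSS Override styling via ID lookup (SMIL)');
  expectColor('cssSetTestById',      'fill', GREEN, 'CSS Set Element styling via ID lookup (SMIL)');

  checkIfDone();
}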
michael@0 | 51 | |
michael@0 | 52 | // When a CSP 1.0 compliant policy is specified we should block inline |
michael@0 | 53 | // styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags |
michael@0 | 54 | // (when it's not explicitly allowed.) |
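// Frame 2 ("cspframe2") loads file_CSP_inlinestyle_main_spec_compliant.html,
// whose CSP 1.0 policy does not grant style-src 'unsafe-inline'.  Under that
// policy the <style> element, the style attribute and the SMIL <animate>/<set>
// targets must stay black (blocked), while the externally linked stylesheet
// still applies.
//
// Security caveat encoded by the two cssText expectations below: styles set
// from script through the CSSOM (element.style.cssText, editing an already
// loaded sheet) are expected to be applied (green) even under this policy.
// As these expectations show, the inline-style restriction covers style
// sources in the markup, not restyling performed by script that is already
// running -- do not rely on style-src to stop script-driven restyling.
//
// evt: the iframe 'load' event; unused, the frame is looked up by id.
function checkStylesSpecCompliant(evt) {
  // Look the frame up explicitly rather than through the implicit
  // window-named global `cspframe2` that the id= attribute creates (the
  // original fetched 'cspframe2' into a local and then never used it).
  var frameDoc = document.getElementById('cspframe2').contentDocument;

  // Assert that element `id` inside the frame has computed `prop` === `expected`.
  // The null is getComputedStyle's pseudo-element argument; the original
  // passed it to getElementById by mistake (harmless, but misleading).
  function expectColor(id, prop, expected, label) {
    var color = window.getComputedStyle(frameDoc.getElementById(id), null)[prop];
    ok(expected === color, label + ' (' + color + ')');
  }

  var GREEN = 'rgb(0, 255, 0)';   // style applied, as expected
  var BLACK = 'rgb(0, 0, 0)';     // style blocked, as expected

  expectColor('linkstylediv',    'color', GREEN, 'External Stylesheet (CSP 1.0 spec compliant)');
  expectColor('inlinestylediv',  'color', BLACK, 'Inline Style TAG (CSP 1.0 spec compliant)');
  expectColor('attrstylediv',    'color', BLACK, 'Style Attribute (CSP 1.0 spec compliant)');
  expectColor('csstextstylediv', 'color', GREEN, 'cssText (CSP 1.0 spec compliant)');
  // SMIL tests
  expectColor('xmlTest',             'fill', BLACK, 'XML Attribute styling (SMIL)');
  expectColor('cssOverrideTest',     'fill', BLACK, 'CSS Override styling (SMIL)');
  expectColor('cssOverrideTestById', 'fill', BLACK, 'CSS Override styling via ID lookup (SMIL)');
  expectColor('cssSetTestById',      'fill', BLACK, 'CSS Set Element styling via ID lookup (SMIL)');

  expectColor('modifycsstextdiv', 'color', GREEN, 'Modify loaded style sheet via cssText');

  checkIfDone();
}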
michael@0 | 84 | |
michael@0 | 85 | // When a CSP 1.0 compliant policy is specified we should allow inline |
michael@0 | 86 | // styles when it is explicitly allowed. |
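// Frame 3 ("cspframe3") loads
// file_CSP_inlinestyle_main_spec_compliant_allowed.html, whose CSP 1.0 policy
// explicitly allows inline styles.  Every probed element -- external sheet,
// <style> element, style attribute, script-set cssText and the SMIL targets --
// is therefore expected to be green.
//
// evt: the iframe 'load' event; unused, the frame is looked up by id.
function checkStylesSpecCompliantAllowed(evt) {
  // Look the frame up explicitly rather than through the implicit
  // window-named global `cspframe3` that the id= attribute creates (the
  // original fetched 'cspframe3' into a local and then never used it).
  var frameDoc = document.getElementById('cspframe3').contentDocument;

  // Assert that element `id` inside the frame has computed `prop` === `expected`.
  // The null is getComputedStyle's pseudo-element argument; the original
  // passed it to getElementById by mistake (harmless, but misleading).
  function expectColor(id, prop, expected, label) {
    var color = window.getComputedStyle(frameDoc.getElementById(id), null)[prop];
    ok(expected === color, label + ' (' + color + ')');
  }

  var GREEN = 'rgb(0, 255, 0)';   // style applied, as expected

  expectColor('linkstylediv',   'color', GREEN, 'External Stylesheet (CSP 1.0 spec compliant, allowed)');
  expectColor('inlinestylediv', 'color', GREEN, 'Inline Style TAG (CSP 1.0 spec compliant, allowed)');
  expectColor('attrstylediv',   'color', GREEN, 'Style Attribute (CSP 1.0 spec compliant, allowed)');

  // Note that the below check will fail if "script-src: 'unsafe-inline'" breaks,
  // since the page relies on executing inline script to set .cssText.
  expectColor('csstextstylediv', 'color', GREEN, 'style.cssText (CSP 1.0 spec compliant, allowed)');
  // SMIL tests
  expectColor('xmlTest',             'fill', GREEN, 'XML Attribute styling (SMIL)');
  expectColor('cssOverrideTest',     'fill', GREEN, 'CSS Override styling (SMIL)');
  expectColor('cssOverrideTestById', 'fill', GREEN, 'CSS Override styling via ID lookup (SMIL)');
  expectColor('cssSetTestById',      'fill', GREEN, 'CSS Set Element styling via ID lookup (SMIL)');

  expectColor('modifycsstextdiv', 'color', GREEN, 'Modify loaded style sheet via cssText');

  checkIfDone();
}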
michael@0 | 119 | |
// Called once by each frame's check function.  Bumps the top-level `done`
// counter and ends the mochitest when all three frames have reported.
function checkIfDone() {
  done += 1;
  if (done === 3) {
    SimpleTest.finish();
  }
}
michael@0 | 125 | |
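// Switch Firefox to the CSP 1.0 ("spec compliant") code path before any frame
// loads; the callback runs once the pref is in effect and then starts all
// three frames.  Which policy each frame actually carries is defined by the
// loaded file_CSP_inlinestyle_main*.html pages, not here.
SpecialPowers.pushPrefEnv(
  {'set':[["security.csp.speccompliant", true]]},
  function() {
    // Test frames: [iframe id, page to load, 'load' handler].
    var testFrames = [
      ['cspframe',  'file_CSP_inlinestyle_main.html',                        checkStyles],
      ['cspframe2', 'file_CSP_inlinestyle_main_spec_compliant.html',         checkStylesSpecCompliant],
      ['cspframe3', 'file_CSP_inlinestyle_main_spec_compliant_allowed.html', checkStylesSpecCompliantAllowed]
    ];
    for (var i = 0; i < testFrames.length; i++) {
      var frame = document.getElementById(testFrames[i][0]);
      // Register the 'load' listener before assigning src.  That is what the
      // original "save this for last so that our listeners are registered"
      // comment intended, but the code assigned src first.  'load' is
      // dispatched asynchronously so the old order worked in practice; this
      // just removes the reliance on that.
      frame.addEventListener('load', testFrames[i][2], false);
      frame.src = testFrames[i][1];
    }
  }
);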
michael@0 | 139 | </script> |
michael@0 | 140 | </pre> |
michael@0 | 141 | </body> |
michael@0 | 142 | </html> |