content/base/test/csp/test_hash_source.html@b8a032363ba2 (annotated)
content/base/test/csp/test_hash_source.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Test CSP 1.1 hash-source for inline scripts and styles</title> |
| michael@0 | 5 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 6 | <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script> |
| michael@0 | 7 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
| michael@0 | 8 | </head> |
| michael@0 | 9 | <body> |
| michael@0 | 10 | <p id="display"></p> |
| michael@0 | 11 | <div id="content" style="visibility:hidden"> |
| michael@0 | 12 | <iframe style="width:100%;" id='cspframe'></iframe> |
| michael@0 | 13 | </div> |
| michael@0 | 14 | <script class="testbody" type="text/javascript"> |
| michael@0 | 15 | |
| michael@0 | 16 | function cleanup() { |
| michael@0 | 17 | // finish the tests |
| michael@0 | 18 | SimpleTest.finish(); |
| michael@0 | 19 | } |
| michael@0 | 20 | |
| michael@0 | 21 | function checkInline () { |
| michael@0 | 22 | var cspframe = document.getElementById('cspframe').contentDocument; |
| michael@0 | 23 | |
| michael@0 | 24 | var inlineScriptTests = { |
| michael@0 | 25 | 'inline-script-valid-hash': { |
| michael@0 | 26 | shouldBe: 'allowed', |
| michael@0 | 27 | message: 'Inline script with valid hash should be allowed' |
| michael@0 | 28 | }, |
| michael@0 | 29 | 'inline-script-invalid-hash': { |
| michael@0 | 30 | shouldBe: 'blocked', |
| michael@0 | 31 | message: 'Inline script with invalid hash should be blocked' |
| michael@0 | 32 | }, |
| michael@0 | 33 | 'inline-script-invalid-hash-valid-nonce': { |
| michael@0 | 34 | shouldBe: 'allowed', |
| michael@0 | 35 | message: 'Inline script with invalid hash and valid nonce should be allowed' |
| michael@0 | 36 | }, |
| michael@0 | 37 | 'inline-script-valid-hash-invalid-nonce': { |
| michael@0 | 38 | shouldBe: 'allowed', |
| michael@0 | 39 | message: 'Inline script with valid hash and invalid nonce should be allowed' |
| michael@0 | 40 | }, |
| michael@0 | 41 | 'inline-script-invalid-hash-invalid-nonce': { |
| michael@0 | 42 | shouldBe: 'blocked', |
| michael@0 | 43 | message: 'Inline script with invalid hash and invalid nonce should be blocked' |
| michael@0 | 44 | }, |
| michael@0 | 45 | 'inline-script-valid-sha512-hash': { |
| michael@0 | 46 | shouldBe: 'allowed', |
| michael@0 | 47 | message: 'Inline script with a valid sha512 hash should be allowed' |
| michael@0 | 48 | }, |
| michael@0 | 49 | 'inline-script-valid-sha384-hash': { |
| michael@0 | 50 | shouldBe: 'allowed', |
| michael@0 | 51 | message: 'Inline script with a valid sha384 hash should be allowed' |
| michael@0 | 52 | }, |
| michael@0 | 53 | 'inline-script-valid-sha1-hash': { |
| michael@0 | 54 | shouldBe: 'blocked', |
| michael@0 | 55 | message: 'Inline script with a valid sha1 hash should be blocked, because sha1 is not a valid hash function' |
| michael@0 | 56 | }, |
| michael@0 | 57 | 'inline-script-valid-md5-hash': { |
| michael@0 | 58 | shouldBe: 'blocked', |
| michael@0 | 59 | message: 'Inline script with a valid md5 hash should be blocked, because md5 is not a valid hash function' |
| michael@0 | 60 | } |
| michael@0 | 61 | } |
| michael@0 | 62 | |
| michael@0 | 63 | for (testId in inlineScriptTests) { |
| michael@0 | 64 | var test = inlineScriptTests[testId]; |
| michael@0 | 65 | is(cspframe.getElementById(testId).innerHTML, test.shouldBe, test.message); |
| michael@0 | 66 | } |
| michael@0 | 67 | |
| michael@0 | 68 | // Inline style tries to change an element's color to green. If blocked, the |
| michael@0 | 69 | // element's color will be the default black. |
| michael@0 | 70 | var green = "rgb(0, 128, 0)"; |
| michael@0 | 71 | var black = "rgb(0, 0, 0)"; |
| michael@0 | 72 | |
| michael@0 | 73 | var getElementColorById = function (id) { |
| michael@0 | 74 | return window.getComputedStyle(cspframe.getElementById(id), null).color; |
| michael@0 | 75 | }; |
| michael@0 | 76 | |
| michael@0 | 77 | var inlineStyleTests = { |
| michael@0 | 78 | 'inline-style-valid-hash': { |
| michael@0 | 79 | shouldBe: green, |
| michael@0 | 80 | message: 'Inline style with valid hash should be allowed' |
| michael@0 | 81 | }, |
| michael@0 | 82 | 'inline-style-invalid-hash': { |
| michael@0 | 83 | shouldBe: black, |
| michael@0 | 84 | message: 'Inline style with invalid hash should be blocked' |
| michael@0 | 85 | }, |
| michael@0 | 86 | 'inline-style-invalid-hash-valid-nonce': { |
| michael@0 | 87 | shouldBe: green, |
| michael@0 | 88 | message: 'Inline style with invalid hash and valid nonce should be allowed' |
| michael@0 | 89 | }, |
| michael@0 | 90 | 'inline-style-valid-hash-invalid-nonce': { |
| michael@0 | 91 | shouldBe: green, |
| michael@0 | 92 | message: 'Inline style with valid hash and invalid nonce should be allowed' |
| michael@0 | 93 | }, |
| michael@0 | 94 | 'inline-style-invalid-hash-invalid-nonce' : { |
| michael@0 | 95 | shouldBe: black, |
| michael@0 | 96 | message: 'Inline style with invalid hash and invalid nonce should be blocked' |
| michael@0 | 97 | }, |
| michael@0 | 98 | 'inline-style-valid-sha512-hash': { |
| michael@0 | 99 | shouldBe: green, |
| michael@0 | 100 | message: 'Inline style with a valid sha512 hash should be allowed' |
| michael@0 | 101 | }, |
| michael@0 | 102 | 'inline-style-valid-sha384-hash': { |
| michael@0 | 103 | shouldBe: green, |
| michael@0 | 104 | message: 'Inline style with a valid sha384 hash should be allowed' |
| michael@0 | 105 | }, |
| michael@0 | 106 | 'inline-style-valid-sha1-hash': { |
| michael@0 | 107 | shouldBe: black, |
| michael@0 | 108 | message: 'Inline style with a valid sha1 hash should be blocked, because sha1 is not a valid hash function' |
| michael@0 | 109 | }, |
| michael@0 | 110 | 'inline-style-valid-md5-hash': { |
| michael@0 | 111 | shouldBe: black, |
| michael@0 | 112 | message: 'Inline style with a valid md5 hash should be blocked, because md5 is not a valid hash function' |
| michael@0 | 113 | } |
| michael@0 | 114 | } |
| michael@0 | 115 | |
| michael@0 | 116 | for (testId in inlineStyleTests) { |
| michael@0 | 117 | var test = inlineStyleTests[testId]; |
| michael@0 | 118 | is(getElementColorById(testId), test.shouldBe, test.message); |
| michael@0 | 119 | } |
| michael@0 | 120 | |
| michael@0 | 121 | cleanup(); |
| michael@0 | 122 | } |
| michael@0 | 123 | |
| michael@0 | 124 | ////////////////////////////////////////////////////////////////////// |
| michael@0 | 125 | // set up and go |
| michael@0 | 126 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 127 | |
| michael@0 | 128 | SpecialPowers.pushPrefEnv( |
| michael@0 | 129 | {'set':[["security.csp.speccompliant", true]]}, |
| michael@0 | 130 | function() { |
| michael@0 | 131 | // save this for last so that our listeners are registered. |
| michael@0 | 132 | // ... this loads the testbed of good and bad requests. |
| michael@0 | 133 | document.getElementById('cspframe').src = 'file_hash_source.html'; |
| michael@0 | 134 | document.getElementById('cspframe').addEventListener('load', checkInline, false); |
| michael@0 | 135 | }); |
| michael@0 | 136 | </script> |
| michael@0 | 137 | </pre> |
| michael@0 | 138 | </body> |
| michael@0 | 139 | </html> |
