content/base/test/csp/test_nonce_source.html@b8a032363ba2 (annotated)
content/base/test/csp/test_nonce_source.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Test CSP 1.1 nonce-source for scripts and styles</title> |
| michael@0 | 5 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 6 | <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script> |
| michael@0 | 7 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
| michael@0 | 8 | </head> |
| michael@0 | 9 | <body> |
| michael@0 | 10 | <p id="display"></p> |
| michael@0 | 11 | <div id="content" style="visibility:hidden"> |
| michael@0 | 12 | <iframe style="width:100%;" id='cspframe'></iframe> |
| michael@0 | 13 | </div> |
| michael@0 | 14 | <script class="testbody" type="text/javascript"> |
| michael@0 | 15 | |
| michael@0 | 16 | var testsRun = 0; |
| michael@0 | 17 | var totalTests = 20; |
| michael@0 | 18 | |
| michael@0 | 19 | // This is used to watch the blocked data bounce off CSP |
| michael@0 | 20 | function examiner() { |
| michael@0 | 21 | SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false); |
| michael@0 | 22 | SpecialPowers.addObserver(this, "csp-on-violate-policy", false); |
| michael@0 | 23 | } |
| michael@0 | 24 | |
| michael@0 | 25 | examiner.prototype = { |
| michael@0 | 26 | observe: function(subject, topic, data) { |
| michael@0 | 27 | var testid_re = new RegExp("testid=([a-z0-9_]+)"); |
| michael@0 | 28 | |
| michael@0 | 29 | //_good things better be allowed! |
| michael@0 | 30 | //_bad things better be blocked! |
| michael@0 | 31 | |
| michael@0 | 32 | if (topic === "specialpowers-http-notify-request") { |
| michael@0 | 33 | var uri = data; |
| michael@0 | 34 | if (!testid_re.test(uri)) return; |
| michael@0 | 35 | var testid = testid_re.exec(uri)[1]; |
| michael@0 | 36 | ok(/_good/.test(testid), "should allow URI with good testid " + testid); |
| michael@0 | 37 | ranTests(1); |
| michael@0 | 38 | } |
| michael@0 | 39 | |
| michael@0 | 40 | if (topic === "csp-on-violate-policy") { |
| michael@0 | 41 | try { |
| michael@0 | 42 | // if it is an blocked external load, subject will be the URI of the resource |
| michael@0 | 43 | var blocked_uri = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); |
| michael@0 | 44 | if (!testid_re.test(blocked_uri)) return; |
| michael@0 | 45 | var testid = testid_re.exec(blocked_uri)[1]; |
| michael@0 | 46 | ok(/_bad/.test(testid), "should block URI with bad testid " + testid); |
| michael@0 | 47 | ranTests(1); |
| michael@0 | 48 | } catch (e) { |
| michael@0 | 49 | // if the subject is blocked inline, data will be a violation message |
| michael@0 | 50 | // we can't distinguish which resources triggered these, so we ignore them |
| michael@0 | 51 | } |
| michael@0 | 52 | } |
| michael@0 | 53 | }, |
| michael@0 | 54 | // must eventually call this to remove the listener, or mochitests might get borked. |
| michael@0 | 55 | remove: function() { |
| michael@0 | 56 | SpecialPowers.removeObserver(this, "specialpowers-http-notify-request"); |
| michael@0 | 57 | SpecialPowers.removeObserver(this, "csp-on-violate-policy"); |
| michael@0 | 58 | } |
| michael@0 | 59 | } |
| michael@0 | 60 | |
| michael@0 | 61 | function cleanup() { |
| michael@0 | 62 | // remove the observer so we don't bork other tests |
| michael@0 | 63 | window.examiner.remove(); |
| michael@0 | 64 | // finish the tests |
| michael@0 | 65 | SimpleTest.finish(); |
| michael@0 | 66 | } |
| michael@0 | 67 | |
| michael@0 | 68 | function ranTests(num) { |
| michael@0 | 69 | testsRun += num; |
| michael@0 | 70 | if (testsRun < totalTests) { |
| michael@0 | 71 | return; |
| michael@0 | 72 | } |
| michael@0 | 73 | cleanup(); |
| michael@0 | 74 | } |
| michael@0 | 75 | |
| michael@0 | 76 | function checkInlineScriptsAndStyles () { |
| michael@0 | 77 | var cspframe = document.getElementById('cspframe'); |
| michael@0 | 78 | var getElementColorById = function (id) { |
| michael@0 | 79 | return window.getComputedStyle(cspframe.contentDocument.getElementById(id), null).color; |
| michael@0 | 80 | }; |
| michael@0 | 81 | // Inline style tries to change an element's color to green. If blocked, the |
| michael@0 | 82 | // element's color will be the (unchanged) default black. |
| michael@0 | 83 | var green = "rgb(0, 128, 0)"; |
| michael@0 | 84 | var red = "rgb(255,0,0)"; |
| michael@0 | 85 | var black = "rgb(0, 0, 0)"; |
| michael@0 | 86 | |
| michael@0 | 87 | // inline script tests |
| michael@0 | 88 | is(getElementColorById('inline-script-correct-nonce'), green, |
| michael@0 | 89 | "Inline script with correct nonce should execute"); |
| michael@0 | 90 | is(getElementColorById('inline-script-incorrect-nonce'), black, |
| michael@0 | 91 | "Inline script with incorrect nonce should not execute"); |
| michael@0 | 92 | is(getElementColorById('inline-script-correct-style-nonce'), black, |
| michael@0 | 93 | "Inline script with correct nonce for styles (but not for scripts) should not execute"); |
| michael@0 | 94 | is(getElementColorById('inline-script-no-nonce'), black, |
| michael@0 | 95 | "Inline script with no nonce should not execute"); |
| michael@0 | 96 | |
| michael@0 | 97 | // inline style tests |
| michael@0 | 98 | is(getElementColorById('inline-style-correct-nonce'), green, |
| michael@0 | 99 | "Inline style with correct nonce should be allowed"); |
| michael@0 | 100 | is(getElementColorById('inline-style-incorrect-nonce'), black, |
| michael@0 | 101 | "Inline style with incorrect nonce should be blocked"); |
| michael@0 | 102 | is(getElementColorById('inline-style-correct-script-nonce'), black, |
| michael@0 | 103 | "Inline style with correct nonce for scripts (but incorrect nonce for styles) should be blocked"); |
| michael@0 | 104 | is(getElementColorById('inline-style-no-nonce'), black, |
| michael@0 | 105 | "Inline style with no nonce should be blocked"); |
| michael@0 | 106 | |
| michael@0 | 107 | ranTests(8); |
| michael@0 | 108 | } |
| michael@0 | 109 | |
| michael@0 | 110 | ////////////////////////////////////////////////////////////////////// |
| michael@0 | 111 | // set up and go |
| michael@0 | 112 | window.examiner = new examiner(); |
| michael@0 | 113 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 114 | |
| michael@0 | 115 | SpecialPowers.pushPrefEnv( |
| michael@0 | 116 | {'set':[["security.csp.speccompliant", true]]}, |
| michael@0 | 117 | function() { |
| michael@0 | 118 | // save this for last so that our listeners are registered. |
| michael@0 | 119 | // ... this loads the testbed of good and bad requests. |
| michael@0 | 120 | document.getElementById('cspframe').src = 'file_nonce_source.html'; |
| michael@0 | 121 | document.getElementById('cspframe').addEventListener('load', checkInlineScriptsAndStyles, false); |
| michael@0 | 122 | }); |
| michael@0 | 123 | </script> |
| michael@0 | 124 | </pre> |
| michael@0 | 125 | </body> |
| michael@0 | 126 | </html> |
