The Tor Browser / file comparison
comparison: content/base/test/csp/test_CSP_bug909029.html
content/base/test/csp/test_CSP_bug909029.html
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:01fbb5a375f3 |
|---|---|
| 1 <!doctype html> | |
| 2 <html> | |
| 3 <head> | |
| 4 <title>Bug 909029 - CSP source-lists ignore some source expressions like 'unsafe-inline' when * or 'none' are used (e.g., style-src, script-src)</title> | |
| 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> | |
| 6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> | |
| 7 </head> | |
| 8 <body> | |
| 9 <div id=content style="visibility:hidden"> | |
| 10 <iframe id=testframe1></iframe> | |
| 11 <iframe id=testframe2></iframe> | |
| 12 </div> | |
| 13 <script class="testbody" type="text/javascript"> | |
| 14 SimpleTest.waitForExplicitFinish(); | |
| 15 | |
| 16 window.tests = { | |
| 17 starExternalStylesLoaded: -1, | |
| 18 starExternalImgLoaded: -1, | |
| 19 noneExternalStylesBlocked: -1, | |
| 20 noneExternalImgLoaded: -1, | |
| 21 starInlineStyleAllowed: -1, | |
| 22 starInlineScriptBlocked: -1, | |
| 23 noneInlineStyleAllowed: -1, | |
| 24 noneInlineScriptBlocked: -1 | |
| 25 } | |
| 26 | |
| 27 function examiner() { | |
| 28 SpecialPowers.addObserver(this, "csp-on-violate-policy", false); | |
| 29 SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false); | |
| 30 } | |
| 31 examiner.prototype = { | |
| 32 observe: function(subject, topic, data) { | |
| 33 var testpat = new RegExp("testid=([a-zA-Z]+)"); | |
| 34 | |
| 35 if (topic === "specialpowers-http-notify-request") { | |
| 36 var uri = data; | |
| 37 if (!testpat.test(uri)) return; | |
| 38 var testid = testpat.exec(uri)[1]; | |
| 39 window.testResult(testid, | |
| 40 /Loaded/.test(testid), | |
| 41 "resource loaded"); | |
| 42 } | |
| 43 | |
| 44 if(topic === "csp-on-violate-policy") { | |
| 45 // these were blocked... record that they were blocked | |
| 46 // try because the subject could be an nsIURI or an nsISupportsCString | |
| 47 try { | |
| 48 var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); | |
| 49 if (!testpat.test(asciiSpec)) return; | |
| 50 var testid = testpat.exec(asciiSpec)[1]; | |
| 51 window.testResult(testid, | |
| 52 /Blocked/.test(testid), | |
| 53 "resource blocked by CSP"); | |
| 54 } catch(e) { | |
| 55 // if that fails, the subject is probably a string. Strings are only | |
| 56 // reported for inline and eval violations. Since we are testing those | |
| 57 // via the observed effects of script on CSSOM, we can simply ignore | |
| 58 // these subjects. | |
| 59 } | |
| 60 } | |
| 61 }, | |
| 62 | |
| 63 // must eventually call this to remove the listener, | |
| 64 // or mochitests might get borked. | |
| 65 remove: function() { | |
| 66 SpecialPowers.removeObserver(this, "csp-on-violate-policy"); | |
| 67 SpecialPowers.removeObserver(this, "specialpowers-http-notify-request"); | |
| 68 } | |
| 69 } | |
| 70 | |
| 71 window.examiner = new examiner(); | |
| 72 | |
| 73 window.testResult = function(testname, result, msg) { | |
| 74 //dump("in testResult: testname = " + testname + "\n"); | |
| 75 | |
| 76 //test already complete.... forget it... remember the first result. | |
| 77 if (window.tests[testname] != -1) | |
| 78 return; | |
| 79 | |
| 80 window.tests[testname] = result; | |
| 81 is(result, true, testname + ' test: ' + msg); | |
| 82 | |
| 83 // if any test is incomplete, keep waiting | |
| 84 for (var v in window.tests) | |
| 85 if(tests[v] == -1) | |
| 86 return; | |
| 87 | |
| 88 // ... otherwise, finish | |
| 89 window.examiner.remove(); | |
| 90 SimpleTest.finish(); | |
| 91 } | |
| 92 | |
| 93 // Helpers for inline script/style checks | |
| 94 var black = 'rgb(0, 0, 0)'; | |
| 95 var green = 'rgb(0, 128, 0)'; | |
| 96 function getElementColorById(doc, id) { | |
| 97 return window.getComputedStyle(doc.contentDocument.getElementById(id)).color; | |
| 98 } | |
| 99 | |
| 100 function checkInlineWithStar() { | |
| 101 var testframe = document.getElementById('testframe1'); | |
| 102 window.testResult("starInlineStyleAllowed", | |
| 103 getElementColorById(testframe, 'inline-style') === green, | |
| 104 "Inline styles should be allowed (style-src 'unsafe-inline' with star)"); | |
| 105 window.testResult("starInlineScriptBlocked", | |
| 106 getElementColorById(testframe, 'inline-script') === black, | |
| 107 "Inline scripts should be blocked (style-src 'unsafe-inline' with star)"); | |
| 108 } | |
| 109 | |
| 110 function checkInlineWithNone() { | |
| 111 // If a directive has 'none' in addition to other sources, 'none' is ignored | |
| 112 // and the other sources are used. 'none' is only a valid source if it is | |
| 113 // used by itself. | |
| 114 var testframe = document.getElementById('testframe2'); | |
| 115 window.testResult("noneInlineStyleAllowed", | |
| 116 getElementColorById(testframe, 'inline-style') === green, | |
| 117 "Inline styles should be allowed (style-src 'unsafe-inline' with none)"); | |
| 118 window.testResult("noneInlineScriptBlocked", | |
| 119 getElementColorById(testframe, 'inline-script') === black, | |
| 120 "Inline scripts should be blocked (style-src 'unsafe-inline' with none)"); | |
| 121 } | |
| 122 | |
| 123 SpecialPowers.pushPrefEnv( | |
| 124 {'set':[["security.csp.speccompliant", true]]}, | |
| 125 function () { | |
| 126 document.getElementById('testframe1').src = 'file_CSP_bug909029_star.html'; | |
| 127 document.getElementById('testframe1').addEventListener('load', checkInlineWithStar, false); | |
| 128 document.getElementById('testframe2').src = 'file_CSP_bug909029_none.html'; | |
| 129 document.getElementById('testframe2').addEventListener('load', checkInlineWithNone, false); | |
| 130 } | |
| 131 ); | |
| 132 </script> | |
| 133 </body> | |
| 134 </html> |
