The Tor Browser / file comparison
comparison: content/base/test/csp/test_nonce_source.html
content/base/test/csp/test_nonce_source.html
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:f7b8331c0f47 |
|---|---|
| 1 <!DOCTYPE HTML> | |
| 2 <html> | |
| 3 <head> | |
| 4 <title>Test CSP 1.1 nonce-source for scripts and styles</title> | |
| 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> | |
| 6 <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script> | |
| 7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> | |
| 8 </head> | |
| 9 <body> | |
| 10 <p id="display"></p> | |
| 11 <div id="content" style="visibility:hidden"> | |
| 12 <iframe style="width:100%;" id='cspframe'></iframe> | |
| 13 </div> | |
| 14 <script class="testbody" type="text/javascript"> | |
| 15 | |
| 16 var testsRun = 0; | |
| 17 var totalTests = 20; | |
| 18 | |
| 19 // This is used to watch the blocked data bounce off CSP | |
| 20 function examiner() { | |
| 21 SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false); | |
| 22 SpecialPowers.addObserver(this, "csp-on-violate-policy", false); | |
| 23 } | |
| 24 | |
| 25 examiner.prototype = { | |
| 26 observe: function(subject, topic, data) { | |
| 27 var testid_re = new RegExp("testid=([a-z0-9_]+)"); | |
| 28 | |
| 29 //_good things better be allowed! | |
| 30 //_bad things better be blocked! | |
| 31 | |
| 32 if (topic === "specialpowers-http-notify-request") { | |
| 33 var uri = data; | |
| 34 if (!testid_re.test(uri)) return; | |
| 35 var testid = testid_re.exec(uri)[1]; | |
| 36 ok(/_good/.test(testid), "should allow URI with good testid " + testid); | |
| 37 ranTests(1); | |
| 38 } | |
| 39 | |
| 40 if (topic === "csp-on-violate-policy") { | |
| 41 try { | |
| 42 // if it is an blocked external load, subject will be the URI of the resource | |
| 43 var blocked_uri = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); | |
| 44 if (!testid_re.test(blocked_uri)) return; | |
| 45 var testid = testid_re.exec(blocked_uri)[1]; | |
| 46 ok(/_bad/.test(testid), "should block URI with bad testid " + testid); | |
| 47 ranTests(1); | |
| 48 } catch (e) { | |
| 49 // if the subject is blocked inline, data will be a violation message | |
| 50 // we can't distinguish which resources triggered these, so we ignore them | |
| 51 } | |
| 52 } | |
| 53 }, | |
| 54 // must eventually call this to remove the listener, or mochitests might get borked. | |
| 55 remove: function() { | |
| 56 SpecialPowers.removeObserver(this, "specialpowers-http-notify-request"); | |
| 57 SpecialPowers.removeObserver(this, "csp-on-violate-policy"); | |
| 58 } | |
| 59 } | |
| 60 | |
| 61 function cleanup() { | |
| 62 // remove the observer so we don't bork other tests | |
| 63 window.examiner.remove(); | |
| 64 // finish the tests | |
| 65 SimpleTest.finish(); | |
| 66 } | |
| 67 | |
| 68 function ranTests(num) { | |
| 69 testsRun += num; | |
| 70 if (testsRun < totalTests) { | |
| 71 return; | |
| 72 } | |
| 73 cleanup(); | |
| 74 } | |
| 75 | |
| 76 function checkInlineScriptsAndStyles () { | |
| 77 var cspframe = document.getElementById('cspframe'); | |
| 78 var getElementColorById = function (id) { | |
| 79 return window.getComputedStyle(cspframe.contentDocument.getElementById(id), null).color; | |
| 80 }; | |
| 81 // Inline style tries to change an element's color to green. If blocked, the | |
| 82 // element's color will be the (unchanged) default black. | |
| 83 var green = "rgb(0, 128, 0)"; | |
| 84 var red = "rgb(255,0,0)"; | |
| 85 var black = "rgb(0, 0, 0)"; | |
| 86 | |
| 87 // inline script tests | |
| 88 is(getElementColorById('inline-script-correct-nonce'), green, | |
| 89 "Inline script with correct nonce should execute"); | |
| 90 is(getElementColorById('inline-script-incorrect-nonce'), black, | |
| 91 "Inline script with incorrect nonce should not execute"); | |
| 92 is(getElementColorById('inline-script-correct-style-nonce'), black, | |
| 93 "Inline script with correct nonce for styles (but not for scripts) should not execute"); | |
| 94 is(getElementColorById('inline-script-no-nonce'), black, | |
| 95 "Inline script with no nonce should not execute"); | |
| 96 | |
| 97 // inline style tests | |
| 98 is(getElementColorById('inline-style-correct-nonce'), green, | |
| 99 "Inline style with correct nonce should be allowed"); | |
| 100 is(getElementColorById('inline-style-incorrect-nonce'), black, | |
| 101 "Inline style with incorrect nonce should be blocked"); | |
| 102 is(getElementColorById('inline-style-correct-script-nonce'), black, | |
| 103 "Inline style with correct nonce for scripts (but incorrect nonce for styles) should be blocked"); | |
| 104 is(getElementColorById('inline-style-no-nonce'), black, | |
| 105 "Inline style with no nonce should be blocked"); | |
| 106 | |
| 107 ranTests(8); | |
| 108 } | |
| 109 | |
| 110 ////////////////////////////////////////////////////////////////////// | |
| 111 // set up and go | |
| 112 window.examiner = new examiner(); | |
| 113 SimpleTest.waitForExplicitFinish(); | |
| 114 | |
| 115 SpecialPowers.pushPrefEnv( | |
| 116 {'set':[["security.csp.speccompliant", true]]}, | |
| 117 function() { | |
| 118 // save this for last so that our listeners are registered. | |
| 119 // ... this loads the testbed of good and bad requests. | |
| 120 document.getElementById('cspframe').src = 'file_nonce_source.html'; | |
| 121 document.getElementById('cspframe').addEventListener('load', checkInlineScriptsAndStyles, false); | |
| 122 }); | |
| 123 </script> | |
| 124 </pre> | |
| 125 </body> | |
| 126 </html> |
