The Tor Browser: comparison content/base/test/csp/test_CSP

--1:000000000000
+:747f13cff7d6
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Test for Bug 916446</title>
+<!--
+test that an invalid report-only policy (a stripped down version of what
+web.tweetdeck.com was serving) defaults to "default-src 'none'" but only
+sends reports and is not accidentally enforced
+-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:200px;height:200px;" id='testframe'></iframe>
+<script class="testbody" type="text/javascript">
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+examiner.prototype  = {
+completedTests: 0,
+totalTests: 4,
+observe: function(subject, topic, data) {
+var testpat = new RegExp("testid=([a-z0-9_]+)");
+if (topic === "specialpowers-http-notify-request") {
+// these things were allowed by CSP
+var uri = data;
+if (!testpat.test(uri)) return;
+var testid = testpat.exec(uri)[1];
+if (testid === "img_bad") {
+// img_bad should be *allowed* because the policy is report-only
+ok(true, "Inline scripts should execute (because the policy is report-only)");
+this.completedTests++;
+}
+}
+if(topic === "csp-on-violate-policy") {
+// these were blocked
+try {
+var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+if (!testpat.test(asciiSpec)) return;
+var testid = testpat.exec(asciiSpec)[1];
+if (testid === "img_bad") {
+ok(true, "External loads should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
+this.completedTests++;
+}
+} catch (e) {
+// if that fails, the subject is probably a string
+violation_msg = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
+if (/Inline Scripts will not execute/.test(violation_msg)) {
+ok(true, "Inline scripts should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
+this.completedTests++;
+}
+}
+}
+},
+// must eventually call this to remove the listener,
+// or mochitests might get borked.
+remove: function() {
+SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+}
+}
+window.examiner = new examiner();
+function checkInlineScriptExecuted() {
+var green = 'rgb(0, 128, 0)';
+var black = 'rgb(0, 0, 0)';
+var that = this;
+function getElementColorById(id) {
+return window.getComputedStyle(that.contentDocument.getElementById(id)).color;
+}
+if (getElementColorById('inline-script') === green) {
+ok(true, "Inline scripts should execute (because the policy is report-only)");
+window.examiner.completedTests++;
+}
+waitToFinish();
+}
+function waitToFinish() {
+setTimeout(function wait() {
+if (window.examiner.completedTests < window.examiner.totalTests) {
+waitToFinish();
+} else {
+// Cleanup
+window.examiner.remove();
+SimpleTest.finish();
+}
+}, 10);
+}
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv(
+{'set':[["security.csp.speccompliant", false]]},
+function() {
+var testframe = document.getElementById('testframe');
+testframe.src = 'file_CSP_bug916446.html';
+testframe.addEventListener('load', checkInlineScriptExecuted);
+}
+);
+</script>
+</pre>
+</body>
+</html>

The Tor Browser / file comparison

comparison: content/base/test/csp/test_CSP_bug916446.html

content/base/test/csp/test_CSP_bug916446.html