The Tor Browser / file comparison
comparison: content/base/test/csp/test_hash_source.html
content/base/test/csp/test_hash_source.html
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:d69ee8c4d2e7 |
|---|---|
| 1 <!DOCTYPE HTML> | |
| 2 <html> | |
| 3 <head> | |
| 4 <title>Test CSP 1.1 hash-source for inline scripts and styles</title> | |
| 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> | |
| 6 <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script> | |
| 7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> | |
| 8 </head> | |
| 9 <body> | |
| 10 <p id="display"></p> | |
| 11 <div id="content" style="visibility:hidden"> | |
| 12 <iframe style="width:100%;" id='cspframe'></iframe> | |
| 13 </div> | |
| 14 <script class="testbody" type="text/javascript"> | |
| 15 | |
| 16 function cleanup() { | |
| 17 // finish the tests | |
| 18 SimpleTest.finish(); | |
| 19 } | |
| 20 | |
| 21 function checkInline () { | |
| 22 var cspframe = document.getElementById('cspframe').contentDocument; | |
| 23 | |
| 24 var inlineScriptTests = { | |
| 25 'inline-script-valid-hash': { | |
| 26 shouldBe: 'allowed', | |
| 27 message: 'Inline script with valid hash should be allowed' | |
| 28 }, | |
| 29 'inline-script-invalid-hash': { | |
| 30 shouldBe: 'blocked', | |
| 31 message: 'Inline script with invalid hash should be blocked' | |
| 32 }, | |
| 33 'inline-script-invalid-hash-valid-nonce': { | |
| 34 shouldBe: 'allowed', | |
| 35 message: 'Inline script with invalid hash and valid nonce should be allowed' | |
| 36 }, | |
| 37 'inline-script-valid-hash-invalid-nonce': { | |
| 38 shouldBe: 'allowed', | |
| 39 message: 'Inline script with valid hash and invalid nonce should be allowed' | |
| 40 }, | |
| 41 'inline-script-invalid-hash-invalid-nonce': { | |
| 42 shouldBe: 'blocked', | |
| 43 message: 'Inline script with invalid hash and invalid nonce should be blocked' | |
| 44 }, | |
| 45 'inline-script-valid-sha512-hash': { | |
| 46 shouldBe: 'allowed', | |
| 47 message: 'Inline script with a valid sha512 hash should be allowed' | |
| 48 }, | |
| 49 'inline-script-valid-sha384-hash': { | |
| 50 shouldBe: 'allowed', | |
| 51 message: 'Inline script with a valid sha384 hash should be allowed' | |
| 52 }, | |
| 53 'inline-script-valid-sha1-hash': { | |
| 54 shouldBe: 'blocked', | |
| 55 message: 'Inline script with a valid sha1 hash should be blocked, because sha1 is not a valid hash function' | |
| 56 }, | |
| 57 'inline-script-valid-md5-hash': { | |
| 58 shouldBe: 'blocked', | |
| 59 message: 'Inline script with a valid md5 hash should be blocked, because md5 is not a valid hash function' | |
| 60 } | |
| 61 } | |
| 62 | |
| 63 for (testId in inlineScriptTests) { | |
| 64 var test = inlineScriptTests[testId]; | |
| 65 is(cspframe.getElementById(testId).innerHTML, test.shouldBe, test.message); | |
| 66 } | |
| 67 | |
| 68 // Inline style tries to change an element's color to green. If blocked, the | |
| 69 // element's color will be the default black. | |
| 70 var green = "rgb(0, 128, 0)"; | |
| 71 var black = "rgb(0, 0, 0)"; | |
| 72 | |
| 73 var getElementColorById = function (id) { | |
| 74 return window.getComputedStyle(cspframe.getElementById(id), null).color; | |
| 75 }; | |
| 76 | |
| 77 var inlineStyleTests = { | |
| 78 'inline-style-valid-hash': { | |
| 79 shouldBe: green, | |
| 80 message: 'Inline style with valid hash should be allowed' | |
| 81 }, | |
| 82 'inline-style-invalid-hash': { | |
| 83 shouldBe: black, | |
| 84 message: 'Inline style with invalid hash should be blocked' | |
| 85 }, | |
| 86 'inline-style-invalid-hash-valid-nonce': { | |
| 87 shouldBe: green, | |
| 88 message: 'Inline style with invalid hash and valid nonce should be allowed' | |
| 89 }, | |
| 90 'inline-style-valid-hash-invalid-nonce': { | |
| 91 shouldBe: green, | |
| 92 message: 'Inline style with valid hash and invalid nonce should be allowed' | |
| 93 }, | |
| 94 'inline-style-invalid-hash-invalid-nonce' : { | |
| 95 shouldBe: black, | |
| 96 message: 'Inline style with invalid hash and invalid nonce should be blocked' | |
| 97 }, | |
| 98 'inline-style-valid-sha512-hash': { | |
| 99 shouldBe: green, | |
| 100 message: 'Inline style with a valid sha512 hash should be allowed' | |
| 101 }, | |
| 102 'inline-style-valid-sha384-hash': { | |
| 103 shouldBe: green, | |
| 104 message: 'Inline style with a valid sha384 hash should be allowed' | |
| 105 }, | |
| 106 'inline-style-valid-sha1-hash': { | |
| 107 shouldBe: black, | |
| 108 message: 'Inline style with a valid sha1 hash should be blocked, because sha1 is not a valid hash function' | |
| 109 }, | |
| 110 'inline-style-valid-md5-hash': { | |
| 111 shouldBe: black, | |
| 112 message: 'Inline style with a valid md5 hash should be blocked, because md5 is not a valid hash function' | |
| 113 } | |
| 114 } | |
| 115 | |
| 116 for (testId in inlineStyleTests) { | |
| 117 var test = inlineStyleTests[testId]; | |
| 118 is(getElementColorById(testId), test.shouldBe, test.message); | |
| 119 } | |
| 120 | |
| 121 cleanup(); | |
| 122 } | |
| 123 | |
| 124 ////////////////////////////////////////////////////////////////////// | |
| 125 // set up and go | |
| 126 SimpleTest.waitForExplicitFinish(); | |
| 127 | |
| 128 SpecialPowers.pushPrefEnv( | |
| 129 {'set':[["security.csp.speccompliant", true]]}, | |
| 130 function() { | |
| 131 // save this for last so that our listeners are registered. | |
| 132 // ... this loads the testbed of good and bad requests. | |
| 133 document.getElementById('cspframe').src = 'file_hash_source.html'; | |
| 134 document.getElementById('cspframe').addEventListener('load', checkInline, false); | |
| 135 }); | |
| 136 </script> | |
| 137 </pre> | |
| 138 </body> | |
| 139 </html> |
