content/base/test/csp/file_CSP_evalscript_main_allowed.js

changeset 0
6474c204b198
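--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/content/base/test/csp/file_CSP_evalscript_main_allowed.js	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,121 @@
+// some javascript for the CSP eval() tests
+// all of these evals should succeed, as the document loading this script
+// has script-src 'self' 'unsafe-eval'
+
+function logResult(str, passed) {
+  var elt = document.createElement('div');
+  var color = passed ? "#cfc;" : "#fcc";
+  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
+  elt.innerHTML = str;
+  document.body.appendChild(elt);
+}
+
+// callback for when stuff is allowed by CSP
+var onevalexecuted = (function(window) {
+    return function(shouldrun, what, data) {
+      window.parent.scriptRan(shouldrun, what, data);
+      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
+    };})(window);
+
+// callback for when stuff is blocked
+var onevalblocked = (function(window) {
+    return function(shouldrun, what, data) {
+      window.parent.scriptBlocked(shouldrun, what, data);
+      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
+    };})(window);
+
+
+// Defer until document is loaded so that we can write the pretty result boxes
+// out.
+addEventListener('load', function() {
+  // setTimeout(String) test  -- should pass
+  try {
+    setTimeout('onevalexecuted(true, "setTimeout(String)", "setTimeout with a string was enabled.");', 10);
+  } catch (e) {
+    onevalblocked(true, "setTimeout(String)",
+                  "setTimeout with a string was blocked");
+  }
+
+  // setTimeout(function) test  -- should pass
+  try {
+    setTimeout(function() {
+          onevalexecuted(true, "setTimeout(function)",
+                        "setTimeout with a function was enabled.")
+        }, 10);
+  } catch (e) {
+    onevalblocked(true, "setTimeout(function)",
+                  "setTimeout with a function was blocked");
+  }
+
+  // eval() test
+  try {
+    eval('onevalexecuted(true, "eval(String)", "eval() was enabled.");');
+  } catch (e) {
+    onevalblocked(true, "eval(String)",
+                  "eval() was blocked");
+  }
+
+  // eval(foo,bar) test
+  try {
+    eval('onevalexecuted(true, "eval(String,scope)", "eval() was enabled.");',1);
+  } catch (e) {
+    onevalblocked(true, "eval(String,object)",
+                  "eval() with scope was blocked");
+  }
+
+  // [foo,bar].sort(eval) test
+  try {
+    ['onevalexecuted(true, "[String, obj].sort(eval)", "eval() was enabled.");',1].sort(eval);
+  } catch (e) {
+    onevalblocked(true, "[String, obj].sort(eval)",
+                  "eval() with scope via sort was blocked");
+  }
+
+  // [].sort.call([foo,bar], eval) test
+  try {
+    [].sort.call(['onevalexecuted(true, "[String, obj].sort(eval)", "eval() was enabled.");',1], eval);
+  } catch (e) {
+    onevalblocked(true, "[].sort.call([String, obj], eval)",
+                  "eval() with scope via sort/call was blocked");
+  }
+
+  // new Function() test
+  try {
+    var fcn = new Function('onevalexecuted(true, "new Function(String)", "new Function(String) was enabled.");');
+    fcn();
+  } catch (e) {
+    onevalblocked(true, "new Function(String)",
+                  "new Function(String) was blocked.");
+  }
+
+  function checkResult() {
+    //alert(bar);
+    if (bar) {
+      onevalexecuted(true, "setTimeout(eval, 0, str)",
+                      "setTimeout(eval, 0, string) was enabled.");
+    } else {
+      onevalblocked(true, "setTimeout(eval, 0, str)",
+                          "setTimeout(eval, 0, str) was blocked.");
+    }
+  }
+
+  var bar = false;
+
+  function foo() {
+    bar = true;
+  }
+
+  window.foo = foo;
+
+  // setTimeout(eval, 0, str)
+
+  // error is not catchable here
+
+  setTimeout(eval, 0, 'window.foo();');
+
+  setTimeout(checkResult.bind(this), 0);
+
+}, false);
+
+
+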
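Review bot: Two checks report a different `what` name on success than in their own catch branch, so the parent's `scriptRan`/`scriptBlocked` bookkeeping cannot reliably tell the cases apart. The `[].sort.call(...)` check at 1.79 passes `"[String, obj].sort(eval)"` to `onevalexecuted`, the same name the plain sort check at 1.71 uses, while its catch at 1.81 reports `"[].sort.call([String, obj], eval)"`; likewise 1.63 reports `"eval(String,scope)"` but 1.65 reports `"eval(String,object)"`. Use one name per check in both branches, i.e. `"[].sort.call([String, obj], eval)"` inside the string at 1.79 and `"eval(String,scope)"` at 1.65. Separately, `logResult` assigns `elt.innerHTML = str` at 1.12; the strings passed here are fixed literals, but `elt.textContent = str` would keep the helper inert if a later test passes derived data.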
