1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/content/base/test/csp/test_CSP_bug909029.html Wed Dec 31 06:09:35 2014 +0100
1.3 
@@ -0,0 +1,134 @@
1.4 +<!doctype html>
1.5 +<html>
1.6 + <head>
1.7 + <title>Bug 909029 - CSP source-lists ignore some source expressions like 'unsafe-inline' when * or 'none' are used (e.g., style-src, script-src)</title>
1.8 + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
1.9 + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
1.10 + </head>
1.11 + <body>
1.12 + <div id=content style="visibility:hidden">
1.13 + <iframe id=testframe1></iframe>
1.14 + <iframe id=testframe2></iframe>
1.15 + </div>
1.16 + <script class="testbody" type="text/javascript">
1.17 +SimpleTest.waitForExplicitFinish();
1.18 +
1.19 +window.tests = {
1.20 + starExternalStylesLoaded: -1,
1.21 + starExternalImgLoaded: -1,
1.22 + noneExternalStylesBlocked: -1,
1.23 + noneExternalImgLoaded: -1,
1.24 + starInlineStyleAllowed: -1,
1.25 + starInlineScriptBlocked: -1,
1.26 + noneInlineStyleAllowed: -1,
1.27 + noneInlineScriptBlocked: -1
1.28 +}
1.29 +
1.30 +function examiner() {
1.31 + SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
1.32 + SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
1.33 +}
1.34 +examiner.prototype = {
1.35 + observe: function(subject, topic, data) {
1.36 + var testpat = new RegExp("testid=([a-zA-Z]+)");
1.37 +
1.38 + if (topic === "specialpowers-http-notify-request") {
1.39 + var uri = data;
1.40 + if (!testpat.test(uri)) return;
1.41 + var testid = testpat.exec(uri)[1];
1.42 + window.testResult(testid,
1.43 + /Loaded/.test(testid),
1.44 + "resource loaded");
1.45 + }
1.46 +
1.47 + if(topic === "csp-on-violate-policy") {
1.48 + // these were blocked...
record that they were blocked
1.49 + // try because the subject could be an nsIURI or an nsISupportsCString
1.50 + try {
1.51 + var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
1.52 + if (!testpat.test(asciiSpec)) return;
1.53 + var testid = testpat.exec(asciiSpec)[1];
1.54 + window.testResult(testid,
1.55 + /Blocked/.test(testid),
1.56 + "resource blocked by CSP");
1.57 + } catch(e) {
1.58 + // if that fails, the subject is probably a string. Strings are only
1.59 + // reported for inline and eval violations. Since we are testing those
1.60 + // via the observed effects of script on CSSOM, we can simply ignore
1.61 + // these subjects.
1.62 + }
1.63 + }
1.64 + },
1.65 +
1.66 + // must eventually call this to remove the listener,
1.67 + // or mochitests might get borked.
1.68 + remove: function() {
1.69 + SpecialPowers.removeObserver(this, "csp-on-violate-policy");
1.70 + SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
1.71 + }
1.72 +}
1.73 +
1.74 +window.examiner = new examiner();
1.75 +
1.76 +window.testResult = function(testname, result, msg) {
1.77 + //dump("in testResult: testname = " + testname + "\n");
1.78 +
1.79 + //test already complete.... forget it... remember the first result.
1.80 + if (window.tests[testname] != -1)
1.81 + return;
1.82 +
1.83 + window.tests[testname] = result;
1.84 + is(result, true, testname + ' test: ' + msg);
1.85 +
1.86 + // if any test is incomplete, keep waiting
1.87 + for (var v in window.tests)
1.88 + if(tests[v] == -1)
1.89 + return;
1.90 +
1.91 + // ...
otherwise, finish
1.92 + window.examiner.remove();
1.93 + SimpleTest.finish();
1.94 +}
1.95 +
1.96 +// Helpers for inline script/style checks
1.97 +var black = 'rgb(0, 0, 0)';
1.98 +var green = 'rgb(0, 128, 0)';
1.99 +function getElementColorById(doc, id) {
1.100 + return window.getComputedStyle(doc.contentDocument.getElementById(id)).color;
1.101 +}
1.102 +
1.103 +function checkInlineWithStar() {
1.104 + var testframe = document.getElementById('testframe1');
1.105 + window.testResult("starInlineStyleAllowed",
1.106 + getElementColorById(testframe, 'inline-style') === green,
1.107 + "Inline styles should be allowed (style-src 'unsafe-inline' with star)");
1.108 + window.testResult("starInlineScriptBlocked",
1.109 + getElementColorById(testframe, 'inline-script') === black,
1.110 + "Inline scripts should be blocked (style-src 'unsafe-inline' with star)");
1.111 +}
1.112 +
1.113 +function checkInlineWithNone() {
1.114 + // If a directive has 'none' in addition to other sources, 'none' is ignored
1.115 + // and the other sources are used. 'none' is only a valid source if it is
1.116 + // used by itself.
1.117 + var testframe = document.getElementById('testframe2');
1.118 + window.testResult("noneInlineStyleAllowed",
1.119 + getElementColorById(testframe, 'inline-style') === green,
1.120 + "Inline styles should be allowed (style-src 'unsafe-inline' with none)");
1.121 + window.testResult("noneInlineScriptBlocked",
1.122 + getElementColorById(testframe, 'inline-script') === black,
1.123 + "Inline scripts should be blocked (style-src 'unsafe-inline' with none)");
1.124 +}
1.125 +
1.126 +SpecialPowers.pushPrefEnv(
1.127 + {'set':[["security.csp.speccompliant", true]]},
1.128 + function () {
1.129 + document.getElementById('testframe1').src = 'file_CSP_bug909029_star.html';
1.130 + document.getElementById('testframe1').addEventListener('load', checkInlineWithStar, false);
1.131 + document.getElementById('testframe2').src = 'file_CSP_bug909029_none.html';
1.132 + document.getElementById('testframe2').addEventListener('load', checkInlineWithNone, false);
1.133 + }
1.134 +);
1.135 + </script>
1.136 + </body>
1.137 +</html>
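Review bot: The `try`/`catch` in the csp-on-violate-policy branch of `observe` (lines 1.50–1.62) swallows far more than the nsISupportsCString case its comment describes: an exception from `getPrivilegedProps`, from the regex, or from `testResult` itself is discarded too, so a blocked-resource result would silently never be recorded and the mochitest would hang to timeout instead of failing with a reason. Narrow the guarded region to the `do_QueryInterface` call and let the rest run unguarded, as below. Separately, the message on the `starInlineScriptBlocked` and `noneInlineScriptBlocked` assertions (1.110, 1.123) says `style-src 'unsafe-inline'`, which appears copied from the style assertion; since the expectation there is that script-src does not grant inline script, `"Inline scripts should be blocked (script-src without 'unsafe-inline', with star)"` would describe what is checked. Note also that the inline-script checks only observe that the element stayed black, so a script error inside the frame would pass as "blocked"; the frame files are not in this diff, so I cannot confirm they guard against that.
```javascript
    if(topic === "csp-on-violate-policy") {
      // Only the QI may legitimately fail: inline/eval violations report an
      // nsISupportsCString subject, which this test checks via CSSOM instead.
      var violatedUri;
      try {
        violatedUri = SpecialPowers.do_QueryInterface(subject, "nsIURI");
      } catch (e) {
        return;
      }
      var asciiSpec = SpecialPowers.getPrivilegedProps(violatedUri, "asciiSpec");
      if (!testpat.test(asciiSpec)) return;
      var testid = testpat.exec(asciiSpec)[1];
      window.testResult(testid,
                        /Blocked/.test(testid),
                        "resource blocked by CSP");
    }
```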