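--- /dev/null
+++ b/content/base/test/csp/test_CSP_bug916446.html
@@ -0,0 +1,114 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for Bug 916446</title>
+ <!--
+ test that an invalid report-only policy (a stripped down version of what
+ web.tweetdeck.com was serving) defaults to "default-src 'none'" but only
+ sends reports and is not accidentally enforced
+ -->
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:200px;height:200px;" id='testframe'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+ SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+examiner.prototype = {
+ completedTests: 0,
+ totalTests: 4,
+
+ observe: function(subject, topic, data) {
+ var testpat = new RegExp("testid=([a-z0-9_]+)");
+
+ if (topic === "specialpowers-http-notify-request") {
+ // these things were allowed by CSP
+ var uri = data;
+ if (!testpat.test(uri)) return;
+ var testid = testpat.exec(uri)[1];
+ if (testid === "img_bad") {
+ // img_bad should be *allowed* because the policy is report-only
+ ok(true, "Inline scripts should execute (because the policy is report-only)");
+ this.completedTests++;
+ }
+ }
+
+ if(topic === "csp-on-violate-policy") {
+ // these were blocked
+ try {
+ var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+ if (!testpat.test(asciiSpec)) return;
+ var testid = testpat.exec(asciiSpec)[1];
+ if (testid === "img_bad") {
+ ok(true, "External loads should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
+ this.completedTests++;
+ }
+ } catch (e) {
+ // if that fails, the subject is probably a string
+ violation_msg = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
+ if (/Inline Scripts will not execute/.test(violation_msg)) {
+ ok(true, "Inline scripts should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
+ this.completedTests++;
+ }
+ }
+ }
+ },
+
+ // must eventually call this to remove the listener,
+ // or mochitests might get borked.
+ remove: function() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+ }
+}
+
+window.examiner = new examiner();
+
+function checkInlineScriptExecuted() {
+ var green = 'rgb(0, 128, 0)';
+ var black = 'rgb(0, 0, 0)';
+ var that = this;
+ function getElementColorById(id) {
+ return window.getComputedStyle(that.contentDocument.getElementById(id)).color;
+ }
+ if (getElementColorById('inline-script') === green) {
+ ok(true, "Inline scripts should execute (because the policy is report-only)");
+ window.examiner.completedTests++;
+ }
+
+ waitToFinish();
+}
+
+function waitToFinish() {
+ setTimeout(function wait() {
+ if (window.examiner.completedTests < window.examiner.totalTests) {
+ waitToFinish();
+ } else {
+ // Cleanup
+ window.examiner.remove();
+ SimpleTest.finish();
+ }
+ }, 10);
+}
+
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", false]]},
+ function() {
+ var testframe = document.getElementById('testframe');
+ testframe.src = 'file_CSP_bug916446.html';
+ testframe.addEventListener('load', checkInlineScriptExecuted);
+ }
+);
+</script>
+</pre>
+</body>
+</html>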
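Review bot: The `ok()` message in the `specialpowers-http-notify-request` branch of `observe` describes the wrong check: at the `img_bad` case it reports "Inline scripts should execute" while that branch is actually confirming the external image request was let out to the wire because the policy is report-only, so a failure elsewhere would be misread from the log. Suggested: `ok(true, "External loads should be allowed (because the policy is report-only)");`. In the `catch` branch of the `csp-on-violate-policy` handler, `violation_msg` is assigned without `var`, creating an implicit global; `var violation_msg = SpecialPowers.getPrivilegedProps(...)` keeps it local to the observer. The `</pre>` just before `</body>` has no opening `<pre>` and looks carried over from another test page; dropping it avoids relying on the parser's error recovery.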