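--- /dev/null
+++ b/content/base/test/csp/test_bug886164.html
@@ -0,0 +1,176 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Bug 886164 - Enforce CSP in sandboxed iframe</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe style="width:200px;height:200px;" id='cspframe' sandbox="allow-same-origin"></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe2' sandbox></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe3' sandbox="allow-same-origin"></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe4' sandbox></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe5' sandbox="allow-scripts"></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe6' sandbox="allow-same-origin allow-scripts"></iframe>
+<script class="testbody" type="text/javascript">
+
+
+var path = "/tests/content/base/test/csp/";
+
+// These are test results: -1 means it hasn't run,
+// true/false is the pass/fail result.
+window.tests = {
+ // sandbox allow-same-origin; 'self'
+ img_good: -1, // same origin
+ img_bad: -1, //example.com
+
+ // sandbox; 'self'
+ img2_bad: -1, //example.com
+ img2a_good: -1, // same origin & is image
+
+ // sandbox allow-same-origin; 'none'
+ img3_bad: -1,
+ img3a_bad: -1,
+
+ // sandbox; 'none'
+ img4_bad: -1,
+ img4a_bad: -1,
+
+ // sandbox allow-scripts; 'none' 'unsafe-inline'
+ img5_bad: -1,
+ img5a_bad: -1,
+ script5_bad: -1,
+ script5a_bad: -1,
+
+ // sandbox allow-same-origin allow-scripts; 'self' 'unsafe-inline'
+ img6_bad: -1,
+ script6_bad: -1,
+};
+
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin' to communicate pass/fail back to this main page.
+// it expects to be called with an object like {ok: true/false, desc:
+// <description of the test> which it then forwards to ok()
+window.addEventListener("message", receiveMessage, false);
+
+function receiveMessage(event)
+{
+ ok_wrapper(event.data.ok, event.data.desc);
+}
+
+var cspTestsDone = false;
+var iframeSandboxTestsDone = false;
+
+// iframe related
+var completedTests = 0;
+var passedTests = 0;
+
+function ok_wrapper(result, desc) {
+ ok(result, desc);
+
+ completedTests++;
+
+ if (result) {
+ passedTests++;
+ }
+
+ if (completedTests === 5) {
+ iframeSandboxTestsDone = true;
+ if (cspTestsDone) {
+ SimpleTest.finish();
+ }
+ }
+}
+
+
+//csp related
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+ SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+examiner.prototype = {
+ observe: function(subject, topic, data) {
+ var testpat = new RegExp("testid=([a-z0-9_]+)");
+
+ //_good things better be allowed!
+ //_bad things better be stopped!
+
+ if (topic === "specialpowers-http-notify-request") {
+ //these things were allowed by CSP
+ var uri = data;
+ if (!testpat.test(uri)) return;
+ var testid = testpat.exec(uri)[1];
+
+ window.testResult(testid,
+ /_good/.test(testid),
+ uri + " allowed by csp");
+ }
+
+ if(topic === "csp-on-violate-policy") {
+ //these were blocked... record that they were blocked
+ var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+ if (!testpat.test(asciiSpec)) return;
+ var testid = testpat.exec(asciiSpec)[1];
+ window.testResult(testid,
+ /_bad/.test(testid),
+ asciiSpec + " blocked by \"" + data + "\"");
+ }
+ },
+
+ // must eventually call this to remove the listener,
+ // or mochitests might get borked.
+ remove: function() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+ }
+}
+
+window.examiner = new examiner();
+
+window.testResult = function(testname, result, msg) {
+ //test already complete.... forget it... remember the first result.
+ if (window.tests[testname] != -1)
+ return;
+
+ window.tests[testname] = result;
+ ok(result, testname + ' test: ' + msg);
+
+ // if any test is incomplete, keep waiting
+ for (var v in window.tests)
+ if(tests[v] == -1)
+ return;
+
+ // ... otherwise, finish
+ window.examiner.remove();
+ cspTestsDone = true;
+ if (iframeSandboxTestsDone) {
+ SimpleTest.finish();
+ }
+}
+
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function() {
+ // save this for last so that our listeners are registered.
+ // ... this loads the testbed of good and bad requests.
+ document.getElementById('cspframe').src = 'file_bug886164.html';
+ document.getElementById('cspframe2').src = 'file_bug886164_2.html';
+ document.getElementById('cspframe3').src = 'file_bug886164_3.html';
+ document.getElementById('cspframe4').src = 'file_bug886164_4.html';
+ document.getElementById('cspframe5').src = 'file_bug886164_5.html';
+ document.getElementById('cspframe6').src = 'file_bug886164_6.html';
+ });
+
+</script>
+</pre>
+</body>
+</html>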
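Review bot: `receiveMessage` forwards `event.data.ok`/`event.data.desc` straight into `ok_wrapper` without checking `event.source`, so any window that can reach this page (another test frame, a stray child of one of the sandboxed iframes) can post `{ok: true}` and count as one of the five "passed" sandbox results, or post a non-object and make `event.data.ok` read as `undefined`. Since the frames without `allow-same-origin` report an opaque `"null"` origin, the usable check is the source window: `var frames = Array.prototype.slice.call(document.getElementsByTagName('iframe'));` followed by `if (frames.map(function (f) { return f.contentWindow; }).indexOf(event.source) === -1) return;` before the `ok_wrapper` call. The magic `completedTests === 5` in `ok_wrapper` is also undocumented; which of the six frames post messages is presumably decided in the `file_bug886164_*.html` helpers not shown here, so a comment such as `// 5 = number of results posted by the frames lacking allow-same-origin` (and ideally a named constant) would let a reader verify it. The closing `</pre>` at the end of `<body>` has no matching opening tag and looks like a copy-paste leftover.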