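--- /dev/null
+++ b/content/base/test/csp/test_hash_source.html
@@ -0,0 +1,139 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test CSP 1.1 hash-source for inline scripts and styles</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="visibility:hidden">
+ <iframe style="width:100%;" id='cspframe'></iframe>
+</div>
+<script class="testbody" type="text/javascript">
+
+function cleanup() {
+ // finish the tests
+ SimpleTest.finish();
+}
+
+function checkInline () {
+ var cspframe = document.getElementById('cspframe').contentDocument;
+
+ var inlineScriptTests = {
+ 'inline-script-valid-hash': {
+ shouldBe: 'allowed',
+ message: 'Inline script with valid hash should be allowed'
+ },
+ 'inline-script-invalid-hash': {
+ shouldBe: 'blocked',
+ message: 'Inline script with invalid hash should be blocked'
+ },
+ 'inline-script-invalid-hash-valid-nonce': {
+ shouldBe: 'allowed',
+ message: 'Inline script with invalid hash and valid nonce should be allowed'
+ },
+ 'inline-script-valid-hash-invalid-nonce': {
+ shouldBe: 'allowed',
+ message: 'Inline script with valid hash and invalid nonce should be allowed'
+ },
+ 'inline-script-invalid-hash-invalid-nonce': {
+ shouldBe: 'blocked',
+ message: 'Inline script with invalid hash and invalid nonce should be blocked'
+ },
+ 'inline-script-valid-sha512-hash': {
+ shouldBe: 'allowed',
+ message: 'Inline script with a valid sha512 hash should be allowed'
+ },
+ 'inline-script-valid-sha384-hash': {
+ shouldBe: 'allowed',
+ message: 'Inline script with a valid sha384 hash should be allowed'
+ },
+ 'inline-script-valid-sha1-hash': {
+ shouldBe: 'blocked',
+ message: 'Inline script with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
+ },
+ 'inline-script-valid-md5-hash': {
+ shouldBe: 'blocked',
+ message: 'Inline script with a valid md5 hash should be blocked, because md5 is not a valid hash function'
+ }
+ }
+
+ for (testId in inlineScriptTests) {
+ var test = inlineScriptTests[testId];
+ is(cspframe.getElementById(testId).innerHTML, test.shouldBe, test.message);
+ }
+
+ // Inline style tries to change an element's color to green. If blocked, the
+ // element's color will be the default black.
+ var green = "rgb(0, 128, 0)";
+ var black = "rgb(0, 0, 0)";
+
+ var getElementColorById = function (id) {
+ return window.getComputedStyle(cspframe.getElementById(id), null).color;
+ };
+
+ var inlineStyleTests = {
+ 'inline-style-valid-hash': {
+ shouldBe: green,
+ message: 'Inline style with valid hash should be allowed'
+ },
+ 'inline-style-invalid-hash': {
+ shouldBe: black,
+ message: 'Inline style with invalid hash should be blocked'
+ },
+ 'inline-style-invalid-hash-valid-nonce': {
+ shouldBe: green,
+ message: 'Inline style with invalid hash and valid nonce should be allowed'
+ },
+ 'inline-style-valid-hash-invalid-nonce': {
+ shouldBe: green,
+ message: 'Inline style with valid hash and invalid nonce should be allowed'
+ },
+ 'inline-style-invalid-hash-invalid-nonce' : {
+ shouldBe: black,
+ message: 'Inline style with invalid hash and invalid nonce should be blocked'
+ },
+ 'inline-style-valid-sha512-hash': {
+ shouldBe: green,
+ message: 'Inline style with a valid sha512 hash should be allowed'
+ },
+ 'inline-style-valid-sha384-hash': {
+ shouldBe: green,
+ message: 'Inline style with a valid sha384 hash should be allowed'
+ },
+ 'inline-style-valid-sha1-hash': {
+ shouldBe: black,
+ message: 'Inline style with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
+ },
+ 'inline-style-valid-md5-hash': {
+ shouldBe: black,
+ message: 'Inline style with a valid md5 hash should be blocked, because md5 is not a valid hash function'
+ }
+ }
+
+ for (testId in inlineStyleTests) {
+ var test = inlineStyleTests[testId];
+ is(getElementColorById(testId), test.shouldBe, test.message);
+ }
+
+ cleanup();
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function() {
+ // save this for last so that our listeners are registered.
+ // ... this loads the testbed of good and bad requests.
+ document.getElementById('cspframe').src = 'file_hash_source.html';
+ document.getElementById('cspframe').addEventListener('load', checkInline, false);
+ });
+</script>
+</pre>
+</body>
+</html>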
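Review bot: `testId` in the two `for (testId in inlineScriptTests)` / `for (testId in inlineStyleTests)` loops inside checkInline is never declared, so it becomes an implicit global on the test window; `for (var testId in inlineScriptTests) {` (and likewise for the style loop) keeps it local. The `load` listener for the iframe is registered on the line after `src` is assigned, which contradicts the comment directly above ("save this for last so that our listeners are registered"); swapping the two statements so `addEventListener('load', checkInline, false)` comes before the `src` assignment makes the code match its comment, though since the load fires asynchronously this is a readability point rather than an observed failure. The closing `</pre>` near the end of the file has no matching opening tag and can be dropped. It would also help a reader to note in a comment at the top of the test body that the expected 'allowed'/'blocked' strings and the green/black colors are produced by the companion `file_hash_source.html`, since this file never shows how they are set.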