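--- /dev/null
+++ b/content/base/test/csp/test_nonce_source.html
@@ -0,0 +1,126 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test CSP 1.1 nonce-source for scripts and styles</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="visibility:hidden">
+ <iframe style="width:100%;" id='cspframe'></iframe>
+</div>
+<script class="testbody" type="text/javascript">
+
+var testsRun = 0;
+var totalTests = 20;
+
+// This is used to watch the blocked data bounce off CSP
+function examiner() {
+ SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+ SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+}
+
+examiner.prototype = {
+ observe: function(subject, topic, data) {
+ var testid_re = new RegExp("testid=([a-z0-9_]+)");
+
+ //_good things better be allowed!
+ //_bad things better be blocked!
+
+ if (topic === "specialpowers-http-notify-request") {
+ var uri = data;
+ if (!testid_re.test(uri)) return;
+ var testid = testid_re.exec(uri)[1];
+ ok(/_good/.test(testid), "should allow URI with good testid " + testid);
+ ranTests(1);
+ }
+
+ if (topic === "csp-on-violate-policy") {
+ try {
+ // if it is an blocked external load, subject will be the URI of the resource
+ var blocked_uri = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+ if (!testid_re.test(blocked_uri)) return;
+ var testid = testid_re.exec(blocked_uri)[1];
+ ok(/_bad/.test(testid), "should block URI with bad testid " + testid);
+ ranTests(1);
+ } catch (e) {
+ // if the subject is blocked inline, data will be a violation message
+ // we can't distinguish which resources triggered these, so we ignore them
+ }
+ }
+ },
+ // must eventually call this to remove the listener, or mochitests might get borked.
+ remove: function() {
+ SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ }
+}
+
+function cleanup() {
+ // remove the observer so we don't bork other tests
+ window.examiner.remove();
+ // finish the tests
+ SimpleTest.finish();
+}
+
+function ranTests(num) {
+ testsRun += num;
+ if (testsRun < totalTests) {
+ return;
+ }
+ cleanup();
+}
+
+function checkInlineScriptsAndStyles () {
+ var cspframe = document.getElementById('cspframe');
+ var getElementColorById = function (id) {
+ return window.getComputedStyle(cspframe.contentDocument.getElementById(id), null).color;
+ };
+ // Inline style tries to change an element's color to green. If blocked, the
+ // element's color will be the (unchanged) default black.
+ var green = "rgb(0, 128, 0)";
+ var red = "rgb(255,0,0)";
+ var black = "rgb(0, 0, 0)";
+
+ // inline script tests
+ is(getElementColorById('inline-script-correct-nonce'), green,
+ "Inline script with correct nonce should execute");
+ is(getElementColorById('inline-script-incorrect-nonce'), black,
+ "Inline script with incorrect nonce should not execute");
+ is(getElementColorById('inline-script-correct-style-nonce'), black,
+ "Inline script with correct nonce for styles (but not for scripts) should not execute");
+ is(getElementColorById('inline-script-no-nonce'), black,
+ "Inline script with no nonce should not execute");
+
+ // inline style tests
+ is(getElementColorById('inline-style-correct-nonce'), green,
+ "Inline style with correct nonce should be allowed");
+ is(getElementColorById('inline-style-incorrect-nonce'), black,
+ "Inline style with incorrect nonce should be blocked");
+ is(getElementColorById('inline-style-correct-script-nonce'), black,
+ "Inline style with correct nonce for scripts (but incorrect nonce for styles) should be blocked");
+ is(getElementColorById('inline-style-no-nonce'), black,
+ "Inline style with no nonce should be blocked");
+
+ ranTests(8);
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function() {
+ // save this for last so that our listeners are registered.
+ // ... this loads the testbed of good and bad requests.
+ document.getElementById('cspframe').src = 'file_nonce_source.html';
+ document.getElementById('cspframe').addEventListener('load', checkInlineScriptsAndStyles, false);
+ });
+</script>
+</pre>
+</body>
+</html>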
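Review bot: `var totalTests = 20;` at the top of the script is an undocumented magic number that the test's termination depends on: `checkInlineScriptsAndStyles` contributes exactly 8 via `ranTests(8)`, so the remaining 12 must come from external loads in `file_nonce_source.html`, which is not visible in this hunk, and because `ranTests` only calls `cleanup()` once `testsRun >= totalTests`, any mismatch does not fail an assertion but leaves `SimpleTest.finish()` uncalled until the harness times out. A comment at the declaration such as `// 8 inline checks in checkInlineScriptsAndStyles + 12 external loads (good + bad) observed by the examiner; keep in sync with file_nonce_source.html` would make that coupling explicit. The trailing `</pre>` before `</body>` has no matching opening tag; either drop it or wrap the test script in the usual `<pre id="test">`. The `red` constant is unused, and its `rgb(255,0,0)` spelling would never compare equal to a computed-style string anyway (`green` and `black` use the `rgb(r, g, b)` form), so it should be removed or normalised before someone relies on it.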