content/base/test/csp/test_CSP_bug909029.html@6474c204b198
content/base/test/csp/test_CSP_bug909029.html
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 <!doctype html>
2 <html>
3 <head>
4 <title>Bug 909029 - CSP source-lists ignore some source expressions like 'unsafe-inline' when * or 'none' are used (e.g., style-src, script-src)</title>
5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
7 </head>
8 <body>
9 <div id=content style="visibility:hidden">
10 <iframe id=testframe1></iframe>
11 <iframe id=testframe2></iframe>
12 </div>
13 <script class="testbody" type="text/javascript">
14 SimpleTest.waitForExplicitFinish();
16 window.tests = {
17 starExternalStylesLoaded: -1,
18 starExternalImgLoaded: -1,
19 noneExternalStylesBlocked: -1,
20 noneExternalImgLoaded: -1,
21 starInlineStyleAllowed: -1,
22 starInlineScriptBlocked: -1,
23 noneInlineStyleAllowed: -1,
24 noneInlineScriptBlocked: -1
25 }
27 function examiner() {
28 SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
29 SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
30 }
31 examiner.prototype = {
32 observe: function(subject, topic, data) {
33 var testpat = new RegExp("testid=([a-zA-Z]+)");
35 if (topic === "specialpowers-http-notify-request") {
36 var uri = data;
37 if (!testpat.test(uri)) return;
38 var testid = testpat.exec(uri)[1];
39 window.testResult(testid,
40 /Loaded/.test(testid),
41 "resource loaded");
42 }
44 if(topic === "csp-on-violate-policy") {
45 // these were blocked... record that they were blocked
46 // try because the subject could be an nsIURI or an nsISupportsCString
47 try {
48 var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
49 if (!testpat.test(asciiSpec)) return;
50 var testid = testpat.exec(asciiSpec)[1];
51 window.testResult(testid,
52 /Blocked/.test(testid),
53 "resource blocked by CSP");
54 } catch(e) {
55 // if that fails, the subject is probably a string. Strings are only
56 // reported for inline and eval violations. Since we are testing those
57 // via the observed effects of script on CSSOM, we can simply ignore
58 // these subjects.
59 }
60 }
61 },
63 // must eventually call this to remove the listener,
64 // or mochitests might get borked.
65 remove: function() {
66 SpecialPowers.removeObserver(this, "csp-on-violate-policy");
67 SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
68 }
69 }
71 window.examiner = new examiner();
73 window.testResult = function(testname, result, msg) {
74 //dump("in testResult: testname = " + testname + "\n");
76 //test already complete.... forget it... remember the first result.
77 if (window.tests[testname] != -1)
78 return;
80 window.tests[testname] = result;
81 is(result, true, testname + ' test: ' + msg);
83 // if any test is incomplete, keep waiting
84 for (var v in window.tests)
85 if(tests[v] == -1)
86 return;
88 // ... otherwise, finish
89 window.examiner.remove();
90 SimpleTest.finish();
91 }
93 // Helpers for inline script/style checks
94 var black = 'rgb(0, 0, 0)';
95 var green = 'rgb(0, 128, 0)';
96 function getElementColorById(doc, id) {
97 return window.getComputedStyle(doc.contentDocument.getElementById(id)).color;
98 }
100 function checkInlineWithStar() {
101 var testframe = document.getElementById('testframe1');
102 window.testResult("starInlineStyleAllowed",
103 getElementColorById(testframe, 'inline-style') === green,
104 "Inline styles should be allowed (style-src 'unsafe-inline' with star)");
105 window.testResult("starInlineScriptBlocked",
106 getElementColorById(testframe, 'inline-script') === black,
107 "Inline scripts should be blocked (style-src 'unsafe-inline' with star)");
108 }
110 function checkInlineWithNone() {
111 // If a directive has 'none' in addition to other sources, 'none' is ignored
112 // and the other sources are used. 'none' is only a valid source if it is
113 // used by itself.
114 var testframe = document.getElementById('testframe2');
115 window.testResult("noneInlineStyleAllowed",
116 getElementColorById(testframe, 'inline-style') === green,
117 "Inline styles should be allowed (style-src 'unsafe-inline' with none)");
118 window.testResult("noneInlineScriptBlocked",
119 getElementColorById(testframe, 'inline-script') === black,
120 "Inline scripts should be blocked (style-src 'unsafe-inline' with none)");
121 }
123 SpecialPowers.pushPrefEnv(
124 {'set':[["security.csp.speccompliant", true]]},
125 function () {
126 document.getElementById('testframe1').src = 'file_CSP_bug909029_star.html';
127 document.getElementById('testframe1').addEventListener('load', checkInlineWithStar, false);
128 document.getElementById('testframe2').src = 'file_CSP_bug909029_none.html';
129 document.getElementById('testframe2').addEventListener('load', checkInlineWithNone, false);
130 }
131 );
132 </script>
133 </body>
134 </html>
