The Tor Browser / file revision

content/base/test/csp/test_CSP.html@b8a032363ba2

content/base/test/csp/test_CSP.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>

     2 <html>

     3 <head>

     4   <title>Test for Content Security Policy Connections</title>

     5   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>

     6   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

     7 </head>

     8 <body>

     9 <p id="display"></p>

    10 <div id="content" style="display: none">

    11 </div>

    12 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>

    13 <iframe style="width:200px;height:200px;" id='cspframe2'></iframe>

    14 <script class="testbody" type="text/javascript">

    15 

    16 var path = "/tests/content/base/test/csp/";

    17 

    18 // These are test results: -1 means it hasn't run,

    19 // true/false is the pass/fail result.

    20 window.tests = {

    21   img_good: -1,

    22   img_bad: -1,

    23   style_good: -1,

    24   style_bad: -1,

    25   frame_good: -1,

    26   frame_bad: -1,

    27   script_good: -1,

    28   script_bad: -1,

    29   xhr_good: -1,

    30   xhr_bad: -1,

    31   media_good: -1,

    32   media_bad: -1,

    33   font_good: -1,

    34   font_bad: -1,

    35   object_good: -1,

    36   object_bad: -1,

    37   img_spec_compliant_good: -1,

    38   img_spec_compliant_bad: -1,

    39   style_spec_compliant_good: -1,

    40   style_spec_compliant_bad: -1,

    41   frame_spec_compliant_good: -1,

    42   frame_spec_compliant_bad: -1,

    43   script_spec_compliant_good: -1,

    44   script_spec_compliant_bad: -1,

    45   xhr_spec_compliant_good: -1,

    46   xhr_spec_compliant_bad: -1,

    47   media_spec_compliant_good: -1,

    48   media_spec_compliant_bad: -1,

    49   font_spec_compliant_good: -1,

    50   font_spec_compliant_bad: -1,

    51   object_spec_compliant_good: -1,

    52   object_spec_compliant_bad: -1,

    53 };

    54 

    55 // This is used to watch the blocked data bounce off CSP and allowed data

    56 // get sent out to the wire.

    57 function examiner() {

    58   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);

    59   SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);

    60 }

    61 examiner.prototype  = {

    62   observe: function(subject, topic, data) {

    63     var testpat = new RegExp("testid=([a-z0-9_]+)");

    64 

    65     //_good things better be allowed!

    66     //_bad things better be stopped!

    67 

    68     // This is a special observer topic that is proxied from

    69     // http-on-modify-request in the parent process to inform us when a URI is

    70     // loaded

    71     if (topic === "specialpowers-http-notify-request") {

    72       var uri = data;

    73       if (!testpat.test(uri)) return;

    74       var testid = testpat.exec(uri)[1];

    75 

    76       window.testResult(testid,

    77                         /_good/.test(testid),

    78                         uri + " allowed by csp");

    79     }

    80 

    81     if (topic === "csp-on-violate-policy") {

    82       // these were blocked... record that they were blocked

    83       var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");

    84       if (!testpat.test(asciiSpec)) return;

    85       var testid = testpat.exec(asciiSpec)[1];

    86       window.testResult(testid,

    87                         /_bad/.test(testid),

    88                         asciiSpec + " blocked by \"" + data + "\"");

    89     }

    90   },

    91 

    92   // must eventually call this to remove the listener,

    93   // or mochitests might get borked.

    94   remove: function() {

    95     SpecialPowers.removeObserver(this, "csp-on-violate-policy");

    96     SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");

    97   }

    98 }

    99 

   100 window.examiner = new examiner();

   101 

   102 window.testResult = function(testname, result, msg) {

   103   //test already complete.... forget it... remember the first result.

   104   if (window.tests[testname] != -1)

   105     return;

   106 

   107   window.tests[testname] = result;

   108   is(result, true, testname + ' test: ' + msg);

   109 

   110   // if any test is incomplete, keep waiting

   111   for (var v in window.tests)

   112     if(tests[v] == -1)

   113       return;

   114 

   115   // ... otherwise, finish

   116   window.examiner.remove();

   117   SimpleTest.finish();

   118 }

   119 

   120 SimpleTest.waitForExplicitFinish();

   121 

   122 SpecialPowers.pushPrefEnv(

   123   {'set':[["security.csp.speccompliant", true],

   124           // This defaults to 0 ("preload none") on mobile (B2G/Android), which

   125           // blocks loading the resource until the user interacts with a

   126           // corresponding widget, which breaks the media_* tests. We set it

   127           // back to the default used by desktop Firefox to get consistent

   128           // behavior.

   129           ["media.preload.default", 2]]},

   130     function() {

   131       // save this for last so that our listeners are registered.

   132       // ... this loads the testbed of good and bad requests.

   133       document.getElementById('cspframe').src = 'file_CSP_main.html';

   134       document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';

   135     });

   136 </script>

   137 </pre>

   138 </body>

   139 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial