content/base/test/csp/test_CSP_bug916446.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>
     2 <html>
     3 <head>
     4   <title>Test for Bug 916446</title>
     5    <!--
     6    test that an invalid report-only policy (a stripped down version of what
     7    web.tweetdeck.com was serving) defaults to "default-src 'none'" but only
     8    sends reports and is not accidentally enforced
     9    -->
    10   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
    11   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
    12 </head>
    13 <body>
    14 <iframe style="width:200px;height:200px;" id='testframe'></iframe>
    16 <script class="testbody" type="text/javascript">
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire. The instance is registered as an nsIObserver
// for both topics; observe() below dispatches on the topic.
function examiner() {
  var self = this;
  var topics = ["csp-on-violate-policy", "specialpowers-http-notify-request"];
  topics.forEach(function (topic) {
    SpecialPowers.addObserver(self, topic, false);
  });
}
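// Shared examiner state and observer logic. Each expected event bumps
// completedTests; waitToFinish() ends the test once totalTests is reached,
// so a missing event shows up as a mochitest timeout, not a failed ok().
examiner.prototype  = {
  completedTests: 0,
  // Four events are expected: the img_bad request going out, the img_bad
  // violation report, the inline-script violation report, and the inline
  // script actually executing (counted in checkInlineScriptExecuted).
  totalTests: 4,

  // nsIObserver callback for both topics registered in the constructor.
  // For "specialpowers-http-notify-request", data is the URI of a request
  // that went out on the wire. For "csp-on-violate-policy", subject is the
  // blocked nsIURI, or an nsISupportsCString carrying the violation message
  // when the subject is not a URI (the inline-script case).
  observe: function(subject, topic, data) {
    // Every test resource carries a testid= query parameter to identify it.
    var testpat = new RegExp("testid=([a-z0-9_]+)");

    if (topic === "specialpowers-http-notify-request") {
      // these things were allowed by CSP
      var uri = data;
      var allowed = testpat.exec(uri);
      if (!allowed) return;
      if (allowed[1] === "img_bad") {
        // img_bad should be *allowed* because the policy is report-only
        ok(true, "External loads should be allowed (because the policy is report-only)");
        this.completedTests++;
      }
    }

    if (topic === "csp-on-violate-policy") {
      // these were reported as violations (not enforced: the policy is report-only)
      try {
        var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
        var blocked = testpat.exec(asciiSpec);
        if (!blocked) return;
        if (blocked[1] === "img_bad") {
          ok(true, "External loads should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
          this.completedTests++;
        }
      } catch (e) {
        // if that fails, the subject is probably a string
        // (declared with var: the original leaked this as an implicit global)
        var violation_msg = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
        if (/Inline Scripts will not execute/.test(violation_msg)) {
          ok(true, "Inline scripts should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
          this.completedTests++;
        }
      }
    }
  },

  // must eventually call this to remove the listener,
  // or mochitests might get borked.
  remove: function() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
}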
    72 window.examiner = new examiner();
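// 'load' handler for #testframe. The framed document (not shown here) is
// presumed to colour #inline-script green from its inline script; because
// the policy is report-only that script must still run, so green counts as
// one of the expected events. `this` is the iframe the listener is bound to.
function checkInlineScriptExecuted() {
  var green = 'rgb(0, 128, 0)';
  var frame = this;
  function getElementColorById(id) {
    return window.getComputedStyle(frame.contentDocument.getElementById(id)).color;
  }
  if (getElementColorById('inline-script') === green) {
    ok(true, "Inline scripts should execute (because the policy is report-only)");
    window.examiner.completedTests++;
  }

  // Observer notifications may still be pending; poll until all are counted.
  waitToFinish();
}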
// Polls every 10 ms until the examiner has counted all of its expected
// observations, then tears the observers down and ends the test.
function waitToFinish() {
  setTimeout(function poll() {
    var ex = window.examiner;
    if (ex.completedTests >= ex.totalTests) {
      // Cleanup: drop the observers first, then finish.
      ex.remove();
      SimpleTest.finish();
      return;
    }
    waitToFinish();
  }, 10);
}
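SimpleTest.waitForExplicitFinish();

// NOTE(review): security.csp.speccompliant=false presumably keeps the older
// CSP implementation in use for this test — confirm against the bug.
SpecialPowers.pushPrefEnv(
  {'set':[["security.csp.speccompliant", false]]},
  function() {
    var testframe = document.getElementById('testframe');
    // Attach the load listener before navigating the frame so the handler
    // is in place whenever the load completes.
    testframe.addEventListener('load', checkInlineScriptExecuted);
    testframe.src = 'file_CSP_bug916446.html';
  }
);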
</script>
<!-- NOTE(review): no matching <pre> start tag is visible in this file; confirm this end tag is intended -->
</pre>
</body>
</html>
