The Tor Browser / file revision

content/base/test/csp/test_CSP_inlinestyle.html@b8a032363ba2

content/base/test/csp/test_CSP_inlinestyle.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>

     2 <html>

     3 <head>

     4   <title>Test for Content Security Policy inline stylesheets stuff</title>

     5   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>

     6   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

     7 </head>

     8 <body>

     9 <p id="display"></p>

    10 <div id="content" style="display: none">

    11 </div>

    12 

    13 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>

    14 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>

    15 <iframe style="width:100%;height:300px;" id='cspframe3'></iframe>

    16 <script class="testbody" type="text/javascript">

    17 

    18 var path = "/tests/content/base/test/csp/";

    19 

    20 

    21 //////////////////////////////////////////////////////////////////////

    22 // set up and go

    23 SimpleTest.waitForExplicitFinish();

    24 

    25 var done = 0;

    26 

    27 // Our original CSP implementation does not block inline styles.

    28 function checkStyles(evt) {

    29   var cspframe = document.getElementById('cspframe');

    30   var color;

    31 

    32   // black means the style wasn't applied.  green colors are used for styles

    33   //expected to be applied.  A color is red if a style is erroneously applied

    34   color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];

    35   ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');

    36   color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];

    37   ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');

    38   color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];

    39   ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');

    40   // SMIL tests

    41   color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];

    42   ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');

    43   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];

    44   ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');

    45   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];

    46   ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');

    47   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];

    48   ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');

    49   checkIfDone();

    50 }

    51 

    52 // When a CSP 1.0 compliant policy is specified we should block inline

    53 // styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags

    54 // (when it's not explicitly allowed.)

    55 function checkStylesSpecCompliant(evt) {

    56   var cspframe = document.getElementById('cspframe2');

    57   var color;

    58 

    59   // black means the style wasn't applied.  green colors are used for styles

    60   //expected to be applied.  A color is red if a style is erroneously applied

    61   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];

    62   ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');

    63   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];

    64   ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');

    65   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];

    66   ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');

    67   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];

    68   ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');

    69   // SMIL tests

    70   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];

    71   ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');

    72   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];

    73   ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');

    74   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];

    75   ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');

    76   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];

    77   ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');

    78 

    79   color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];

    80   ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');

    81 

    82   checkIfDone();

    83 }

    84 

    85 // When a CSP 1.0 compliant policy is specified we should allow inline

    86 // styles when it is explicitly allowed.

    87 function checkStylesSpecCompliantAllowed(evt) {

    88   var cspframe = document.getElementById('cspframe3');

    89   var color;

    90 

    91   // black means the style wasn't applied.  green colors are used for styles

    92   // expected to be applied.  A color is red if a style is erroneously applied

    93   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];

    94   ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');

    95   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];

    96   ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');

    97   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];

    98   ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');

    99 

   100   // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,

   101   // since it relies on executing script to set .cssText

   102   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];

   103   ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');

   104   // SMIL tests

   105   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];

   106   ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');

   107   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];

   108   ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');

   109   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];

   110   ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');

   111   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];

   112   ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');

   113 

   114   color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];

   115   ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');

   116 

   117   checkIfDone();

   118 }

   119 

   120 function checkIfDone() {

   121   done++;

   122   if (done == 3)

   123     SimpleTest.finish();

   124 }

   125 

   126 SpecialPowers.pushPrefEnv(

   127   {'set':[["security.csp.speccompliant", true]]},

   128   function() {

   129     // save this for last so that our listeners are registered.

   130     // ... this loads the testbed of good and bad requests.

   131     document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';

   132     document.getElementById('cspframe').addEventListener('load', checkStyles, false);

   133     document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';

   134     document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);

   135     document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';

   136     document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);

   137   }

   138 );

   139 </script>

   140 </pre>

   141 </body>

   142 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial