Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <title>Test CSP 1.1 hash-source for inline scripts and styles</title>
5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
6 <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
8 </head>
9 <body>
10 <p id="display"></p>
11 <div id="content" style="visibility:hidden">
12 <iframe style="width:100%;" id='cspframe'></iframe>
13 </div>
14 <script class="testbody" type="text/javascript">
16 function cleanup() {
17 // finish the tests
18 SimpleTest.finish();
19 }
21 function checkInline () {
22 var cspframe = document.getElementById('cspframe').contentDocument;
24 var inlineScriptTests = {
25 'inline-script-valid-hash': {
26 shouldBe: 'allowed',
27 message: 'Inline script with valid hash should be allowed'
28 },
29 'inline-script-invalid-hash': {
30 shouldBe: 'blocked',
31 message: 'Inline script with invalid hash should be blocked'
32 },
33 'inline-script-invalid-hash-valid-nonce': {
34 shouldBe: 'allowed',
35 message: 'Inline script with invalid hash and valid nonce should be allowed'
36 },
37 'inline-script-valid-hash-invalid-nonce': {
38 shouldBe: 'allowed',
39 message: 'Inline script with valid hash and invalid nonce should be allowed'
40 },
41 'inline-script-invalid-hash-invalid-nonce': {
42 shouldBe: 'blocked',
43 message: 'Inline script with invalid hash and invalid nonce should be blocked'
44 },
45 'inline-script-valid-sha512-hash': {
46 shouldBe: 'allowed',
47 message: 'Inline script with a valid sha512 hash should be allowed'
48 },
49 'inline-script-valid-sha384-hash': {
50 shouldBe: 'allowed',
51 message: 'Inline script with a valid sha384 hash should be allowed'
52 },
53 'inline-script-valid-sha1-hash': {
54 shouldBe: 'blocked',
55 message: 'Inline script with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
56 },
57 'inline-script-valid-md5-hash': {
58 shouldBe: 'blocked',
59 message: 'Inline script with a valid md5 hash should be blocked, because md5 is not a valid hash function'
60 }
61 }
63 for (testId in inlineScriptTests) {
64 var test = inlineScriptTests[testId];
65 is(cspframe.getElementById(testId).innerHTML, test.shouldBe, test.message);
66 }
68 // Inline style tries to change an element's color to green. If blocked, the
69 // element's color will be the default black.
70 var green = "rgb(0, 128, 0)";
71 var black = "rgb(0, 0, 0)";
73 var getElementColorById = function (id) {
74 return window.getComputedStyle(cspframe.getElementById(id), null).color;
75 };
77 var inlineStyleTests = {
78 'inline-style-valid-hash': {
79 shouldBe: green,
80 message: 'Inline style with valid hash should be allowed'
81 },
82 'inline-style-invalid-hash': {
83 shouldBe: black,
84 message: 'Inline style with invalid hash should be blocked'
85 },
86 'inline-style-invalid-hash-valid-nonce': {
87 shouldBe: green,
88 message: 'Inline style with invalid hash and valid nonce should be allowed'
89 },
90 'inline-style-valid-hash-invalid-nonce': {
91 shouldBe: green,
92 message: 'Inline style with valid hash and invalid nonce should be allowed'
93 },
94 'inline-style-invalid-hash-invalid-nonce' : {
95 shouldBe: black,
96 message: 'Inline style with invalid hash and invalid nonce should be blocked'
97 },
98 'inline-style-valid-sha512-hash': {
99 shouldBe: green,
100 message: 'Inline style with a valid sha512 hash should be allowed'
101 },
102 'inline-style-valid-sha384-hash': {
103 shouldBe: green,
104 message: 'Inline style with a valid sha384 hash should be allowed'
105 },
106 'inline-style-valid-sha1-hash': {
107 shouldBe: black,
108 message: 'Inline style with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
109 },
110 'inline-style-valid-md5-hash': {
111 shouldBe: black,
112 message: 'Inline style with a valid md5 hash should be blocked, because md5 is not a valid hash function'
113 }
114 }
116 for (testId in inlineStyleTests) {
117 var test = inlineStyleTests[testId];
118 is(getElementColorById(testId), test.shouldBe, test.message);
119 }
121 cleanup();
122 }
124 //////////////////////////////////////////////////////////////////////
125 // set up and go
126 SimpleTest.waitForExplicitFinish();
128 SpecialPowers.pushPrefEnv(
129 {'set':[["security.csp.speccompliant", true]]},
130 function() {
131 // save this for last so that our listeners are registered.
132 // ... this loads the testbed of good and bad requests.
133 document.getElementById('cspframe').src = 'file_hash_source.html';
134 document.getElementById('cspframe').addEventListener('load', checkInline, false);
135 });
136 </script>
137 </pre>
138 </body>
139 </html>
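Review bot: The 'load' listener on cspframe is attached one line after its src is assigned, so the comment "save this for last so that our listeners are registered" does not match the actual order; swap the two statements so the handler is in place before navigation starts: `document.getElementById('cspframe').addEventListener('load', checkInline, false);` followed by `document.getElementById('cspframe').src = 'file_hash_source.html';`. In practice the load event is dispatched asynchronously, so this is unlikely to drop the event, but the code should match the stated intent. Also, `testId` in both `for (testId in …)` loops is never declared and becomes an implicit global — `for (var testId in inlineScriptTests)` (and likewise for inlineStyleTests) — and the closing `</pre>` before `</body>` has no matching opening tag, so the usual mochitest `<pre id="test">` wrapper appears to be missing. If `cspframe.getElementById(testId)` returns null, the `.innerHTML` access throws and checkInline exits before `cleanup()`, so the test would time out instead of reporting a failure; an `ok(el, 'element ' + testId + ' present')` guard before the `is()` would surface that as a normal failure.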