The Tor Browser: content/base/test/csp/test_nonce

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>

     2 <html>

     3 <head>

     4   <title>Test CSP 1.1 nonce-source for scripts and styles</title>

     5   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>

     6   <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>

     7   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

     8 </head>

     9 <body>

    10 <p id="display"></p>

    11 <div id="content" style="visibility:hidden">

    12   <iframe style="width:100%;" id='cspframe'></iframe>

    13 </div>

    14 <script class="testbody" type="text/javascript">

    16 var testsRun = 0;

    17 var totalTests = 20;

    19 // This is used to watch the blocked data bounce off CSP

    20 function examiner() {

    21   SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);

    22   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);

    23 }

    25 examiner.prototype = {

    26   observe: function(subject, topic, data) {

    27     var testid_re = new RegExp("testid=([a-z0-9_]+)");

    29     //_good things better be allowed!

    30     //_bad things better be blocked!

    32     if (topic === "specialpowers-http-notify-request") {

    33       var uri = data;

    34       if (!testid_re.test(uri)) return;

    35       var testid = testid_re.exec(uri)[1];

    36       ok(/_good/.test(testid), "should allow URI with good testid " + testid);

    37       ranTests(1);

    38     }

    40     if (topic === "csp-on-violate-policy") {

    41       try {

    42         // if it is an blocked external load, subject will be the URI of the resource

    43         var blocked_uri = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");

    44         if (!testid_re.test(blocked_uri)) return;

    45         var testid = testid_re.exec(blocked_uri)[1];

    46         ok(/_bad/.test(testid), "should block URI with bad testid " + testid);

    47         ranTests(1);

    48       } catch (e) {

    49         // if the subject is blocked inline, data will be a violation message

    50         // we can't distinguish which resources triggered these, so we ignore them

    51       }

    52     }

    53   },

    54   // must eventually call this to remove the listener, or mochitests might get borked.

    55   remove: function() {

    56     SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");

    57     SpecialPowers.removeObserver(this, "csp-on-violate-policy");

    58   }

    59 }

    61 function cleanup() {

    62   // remove the observer so we don't bork other tests

    63   window.examiner.remove();

    64   // finish the tests

    65   SimpleTest.finish();

    66 }

    68 function ranTests(num) {

    69   testsRun += num;

    70   if (testsRun < totalTests) {

    71     return;

    72   }

    73   cleanup();

    74 }

    76 function checkInlineScriptsAndStyles () {

    77   var cspframe = document.getElementById('cspframe');

    78   var getElementColorById = function (id) {

    79     return window.getComputedStyle(cspframe.contentDocument.getElementById(id), null).color;

    80   };

    81   // Inline style tries to change an element's color to green. If blocked, the

    82   // element's color will be the (unchanged) default black.

    83   var green = "rgb(0, 128, 0)";

    84   var red = "rgb(255,0,0)";

    85   var black = "rgb(0, 0, 0)";

    87   // inline script tests

    88   is(getElementColorById('inline-script-correct-nonce'), green,

    89      "Inline script with correct nonce should execute");

    90   is(getElementColorById('inline-script-incorrect-nonce'), black,

    91      "Inline script with incorrect nonce should not execute");

    92   is(getElementColorById('inline-script-correct-style-nonce'), black,

    93      "Inline script with correct nonce for styles (but not for scripts) should not execute");

    94   is(getElementColorById('inline-script-no-nonce'), black,

    95      "Inline script with no nonce should not execute");

    97   // inline style tests

    98   is(getElementColorById('inline-style-correct-nonce'), green,

    99      "Inline style with correct nonce should be allowed");

   100   is(getElementColorById('inline-style-incorrect-nonce'), black,

   101      "Inline style with incorrect nonce should be blocked");

   102   is(getElementColorById('inline-style-correct-script-nonce'), black,

   103      "Inline style with correct nonce for scripts (but incorrect nonce for styles) should be blocked");

   104   is(getElementColorById('inline-style-no-nonce'), black,

   105      "Inline style with no nonce should be blocked");

   107   ranTests(8);

   108 }

   110 //////////////////////////////////////////////////////////////////////

   111 // set up and go

   112 window.examiner = new examiner();

   113 SimpleTest.waitForExplicitFinish();

   115 SpecialPowers.pushPrefEnv(

   116   {'set':[["security.csp.speccompliant", true]]},

   117   function() {

   118     // save this for last so that our listeners are registered.

   119     // ... this loads the testbed of good and bad requests.

   120     document.getElementById('cspframe').src = 'file_nonce_source.html';

   121     document.getElementById('cspframe').addEventListener('load', checkInlineScriptsAndStyles, false);

   122   });

   123 </script>

   124 </pre>

   125 </body>

   126 </html>

The Tor Browser / file revision