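/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// xpcshell test: CSP violation reports must reach the policy's report-uri,
// both for an enforced policy (action blocked AND reported) and for a
// report-only policy (action allowed BUT still reported).

const Cc = Components.classes;
const Ci = Components.interfaces;
const Cu = Components.utils;
const Cr = Components.results;

Cu.import('resource://gre/modules/CSPUtils.jsm');
Cu.import('resource://gre/modules/NetUtil.jsm');

// Local collector for violation reports. start(-1) binds any free port, so
// every report-uri below is derived from the port actually chosen.
var httpServer = new HttpServer();
httpServer.start(-1);

// Number of tests still waiting for their report; the server is shut down
// when the last one arrives.
var testsToFinish = 0;

const REPORT_SERVER_PORT = httpServer.identity.primaryPort;
const REPORT_SERVER_URI = "http://localhost";
const REPORT_SERVER_PATH = "/report";
// scheme://host:port of the report server, shared by every URI built here.
const REPORT_SERVER_ORIGIN = REPORT_SERVER_URI + ":" + REPORT_SERVER_PORT;

/**
 * Build the "self" URI every policy in this file is bound to.
 *
 * @returns nsIURI for the document origin the CSP instance represents
 */
function makeSelfURI() {
  return NetUtil.newURI(REPORT_SERVER_ORIGIN + "/foo/self");
}

/**
 * Construct a report-server path handler that validates one expected
 * violation report, then finishes the pending test.
 *
 * @param testpath     server path the report is expected on; the handler
 *                     unregisters itself from it once the report arrives
 * @param message      human-readable test label, echoed to the log
 * @param expectedJSON object whose every key/value must appear in the
 *                     report's "csp-report" member (extra members ignored)
 * @returns function(request, response) suitable for registerPathHandler
 */
function makeReportHandler(testpath, message, expectedJSON) {
  return function(request, response) {
    // Reports are only ever delivered as POST; anything else means the
    // sender is broken, not that a report should be inspected.
    if (request.method !== "POST") {
      do_throw("violation report should be a POST request");
      return;
    }

    // Obtain the violation report from the request body.
    let reportObj = JSON.parse(
        NetUtil.readInputStreamToString(
            request.bodyInputStream,
            request.bodyInputStream.available()));

    dump("TEST: " + message + "\n");
    dump("GOT REPORT:\n" + JSON.stringify(reportObj) + "\n");
    dump("TESTPATH: " + testpath + "\n");
    dump("EXPECTED: \n" + JSON.stringify(expectedJSON) + "\n\n");

    // Fail with a clear assertion if the "csp-report" wrapper is missing,
    // rather than with a TypeError on the member lookups below.
    let report = reportObj['csp-report'];
    do_check_true(typeof report === "object" && report !== null);

    Object.keys(expectedJSON).forEach(function(key) {
      do_check_eq(expectedJSON[key], report[key]);
    });

    testsToFinish--;
    httpServer.registerPathHandler(testpath, null);
    if (testsToFinish < 1)
      httpServer.stop(do_test_finished);
    else
      do_test_finished();
  };
}

/**
 * Set up one CSP instance whose policy's report-uri points at a per-test
 * path on the local report server, register the matching handler, then run
 * `callback` to trigger the violation.
 *
 * Everything created by this assumes it will cause exactly one report. A
 * test that will *not* cause a report to go out must clean up the
 * pending-test bookkeeping (testsToFinish / do_test_finished) itself.
 *
 * @param id                  test number; builds the unique report path
 * @param expectedJSON        members the report's "csp-report" must contain
 * @param useReportOnlyPolicy true to load the policy as report-only
 * @param callback            function(csp) performing the violating action
 */
function makeTest(id, expectedJSON, useReportOnlyPolicy, callback) {
  testsToFinish++;
  do_test_pending();

  let reportPath = "/test" + id;

  // A fresh CSP instance per test so policy and report state cannot leak
  // between cases.
  let csp = Cc["@mozilla.org/contentsecuritypolicy;1"]
              .createInstance(Ci.nsIContentSecurityPolicy);
  // Deny everything; only the report destination varies per test.
  let policy = "allow 'none'; " +
               "report-uri " + REPORT_SERVER_ORIGIN + reportPath;
  let selfuri = makeSelfURI();
  let selfchan = NetUtil.newChannel(selfuri);

  dump("Created test " + id + " : " + policy + "\n\n");

  // Make the reports seem authentic by "binding" them to a channel.
  csp.setRequestContext(selfuri, null, null, selfchan);

  // Load the policy, as report-only when requested.
  csp.appendPolicy(policy, selfuri, useReportOnlyPolicy, false);

  // Prime the report server before triggering anything so the report can
  // never arrive at an unregistered path.
  let handler = makeReportHandler(reportPath, "Test " + id, expectedJSON);
  httpServer.registerPathHandler(reportPath, handler);

  // Trigger the violation.
  callback(csp);
}

function run_test() {
  let selfuri = makeSelfURI();

  // Enforced policy: inline script must be blocked and reported.
  makeTest(0, {"blocked-uri": "self"}, false,
    function(csp) {
      let oReportViolation = {'value': false};
      let inlineOK = csp.getAllowsInlineScript(oReportViolation);

      // Not a report-only policy, so it must block inline scripts ...
      do_check_false(inlineOK);
      // ... and cause reports to go out.
      do_check_true(oReportViolation.value);

      if (oReportViolation.value) {
        // Force the logging, since the getter only flags the violation.
        csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
                                selfuri.asciiSpec,
                                "script sample",
                                0);
      }
    });

  // Enforced policy: eval must be blocked and reported.
  makeTest(1, {"blocked-uri": "self"}, false,
    function(csp) {
      let oReportViolation = {'value': false};
      let evalOK = csp.getAllowsEval(oReportViolation);

      // Not a report-only policy, so it must block eval ...
      do_check_false(evalOK);
      // ... and cause reports to go out.
      do_check_true(oReportViolation.value);

      if (oReportViolation.value) {
        // Force the logging, since the getter only flags the violation.
        csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_EVAL,
                                selfuri.asciiSpec,
                                "script sample",
                                1);
      }
    });

  // Enforced policy: an external script load must be reported with the
  // blocked URI, not "self".
  makeTest(2, {"blocked-uri": "http://blocked.test/foo.js"}, false,
    function(csp) {
      // shouldLoad creates and sends out the report here.
      csp.shouldLoad(Ci.nsIContentPolicy.TYPE_SCRIPT,
                     NetUtil.newURI("http://blocked.test/foo.js"),
                     null, null, null, null);
    });

  // Report-only policy: inline script must be allowed yet still reported.
  makeTest(3, {"blocked-uri": "self"}, true,
    function(csp) {
      let oReportViolation = {'value': false};
      let inlineOK = csp.getAllowsInlineScript(oReportViolation);

      // A report-only policy must allow inline scripts ...
      do_check_true(inlineOK);
      // ... but still cause reports to go out.
      do_check_true(oReportViolation.value);

      if (oReportViolation.value) {
        // Force the logging, since the getter only flags the violation.
        csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
                                selfuri.asciiSpec,
                                "script sample",
                                3);
      }
    });

  // Report-only policy: eval must be allowed yet still reported.
  makeTest(4, {"blocked-uri": "self"}, true,
    function(csp) {
      let oReportViolation = {'value': false};
      let evalOK = csp.getAllowsEval(oReportViolation);

      // A report-only policy must allow eval ...
      do_check_true(evalOK);
      // ... but still cause reports to go out.
      do_check_true(oReportViolation.value);

      if (oReportViolation.value) {
        // Force the logging, since the getter only flags the violation.
        // This is the eval case, so log VIOLATION_TYPE_EVAL (test 1 does
        // the same); the enforced/report-only pair should log identically.
        csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_EVAL,
                                selfuri.asciiSpec,
                                "script sample",
                                4);
      }
    });
}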