Bug 746978 - sync CSP directive parsing and directive names with w3c CSP 1.0 spec - Part 3 (r=jst)

2024-09-13 09:24:08 -07:00 · 2013-01-09 10:57:05 -08:00 · 2013-01-09 10:57:05 -08:00 · 6357743b3f
commit 6357743b3f
parent eb8709b9d8
1 changed files with 138 additions and 1 deletions
--- a/content/base/test/unit/test_csputils.js
+++ b/content/base/test/unit/test_csputils.js
@ -16,7 +16,7 @@ Cu.import("resource://testing-common/httpd.js");

 var httpServer = new HttpServer();

-const POLICY_FROM_URI = "allow 'self'; img-src *";
+const POLICY_FROM_URI = "default-src 'self'; img-src *";
 const POLICY_PORT = 9000;
 const POLICY_URI = "http://localhost:" + POLICY_PORT + "/policy";
 const POLICY_URI_RELATIVE = "/policy";
@ -483,6 +483,118 @@ test(function test_CSPRep_fromString_withself() {
      do_check_true(cspr.permits("https://evil.com:100", SD.SCRIPT_SRC));
     });

+
+//////////////// TEST CSP REP SPEC COMPLIANT PARSER ////////////
+test(
+    function test_CSPRep_fromStringSpecCompliant() {
+
+      var cspr;
+      var cspr_allowval;
+      var SD = CSPRep.SRC_DIRECTIVES_NEW;
+      var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.IMG_SRC, SD.SCRIPT_SRC, SD.FONT_SRC,
+                      SD.OBJECT_SRC, SD.FRAME_SRC, SD.CONNECT_SRC];
+
+      // check default policy "default-src *"
+      cspr = CSPRep.fromStringSpecCompliant("default-src *", URI("http://self.com:80"));
+      // "DEFAULT_SRC directive is missing when specified in
+      // fromStringSpecCompliant"
+      do_check_has_key(cspr._directives, SD.DEFAULT_SRC);
+
+      for(var x in DEFAULTS) {
+        // each of these should be equivalent to DEFAULT_SRC
+        //DEFAULTS[x] + " does not use default rule."
+        do_check_true(cspr.permits("http://bar.com", DEFAULTS[x]));
+      }
+    });
+
+
+test(
+    function test_CSPRep_fromStringSpecCompliant_oneDir() {
+
+      var cspr;
+      var SD = CSPRep.SRC_DIRECTIVES_NEW;
+      var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.IMG_SRC,
+                      SD.FRAME_SRC, SD.CONNECT_SRC];
+
+      // check one-directive policies
+      cspr = CSPRep.fromStringSpecCompliant("default-src bar.com; script-src https://foo.com",
+                                            URI("http://self.com"));
+
+      for(var x in DEFAULTS) {
+        //DEFAULTS[x] + " does not use default rule."
+        do_check_false(cspr.permits("http://bar.com:22", DEFAULTS[x]));
+        //DEFAULTS[x] + " does not use default rule."
+        do_check_true(cspr.permits("http://bar.com:80", DEFAULTS[x]));
+        //DEFAULTS[x] + " does not use default rule."
+        do_check_false(cspr.permits("https://foo.com:400", DEFAULTS[x]));
+        //DEFAULTS[x] + " does not use default rule."
+        do_check_false(cspr.permits("https://foo.com", DEFAULTS[x]));
+      }
+      //"script-src false positive in policy.
+      do_check_false(cspr.permits("http://bar.com:22", SD.SCRIPT_SRC));
+      //"script-src false negative in policy.
+      do_check_true(cspr.permits("https://foo.com:443", SD.SCRIPT_SRC));
+    });
+
+test(
+    function test_CSPRep_fromStringSpecCompliant_twodir() {
+      var cspr;
+
+      var SD = CSPRep.SRC_DIRECTIVES_NEW;
+
+      var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.FRAME_SRC,
+                      SD.CONNECT_SRC];
+
+      // check two-directive policies
+      var polstr = "default-src allow.com; " +
+                   "script-src https://foo.com; " +
+                   "img-src bar.com:*";
+      cspr = CSPRep.fromStringSpecCompliant(polstr, URI("http://self.com"));
+
+      for(var x in DEFAULTS) {
+        do_check_true(cspr.permits("http://allow.com", DEFAULTS[x]));
+        //DEFAULTS[x] + " does not use default rule.
+        do_check_false(cspr.permits("https://foo.com:400", DEFAULTS[x]));
+        //DEFAULTS[x] + " does not use default rule.
+        do_check_false(cspr.permits("http://bar.com:400", DEFAULTS[x]));
+        //DEFAULTS[x] + " does not use default rule.
+      }
+      //"img-src does not use default rule.
+      do_check_false(cspr.permits("http://allow.com:22", SD.IMG_SRC));
+      //"img-src does not use default rule.
+      do_check_false(cspr.permits("https://foo.com:400", SD.IMG_SRC));
+      //"img-src does not use default rule.
+      do_check_true(cspr.permits("http://bar.com:88", SD.IMG_SRC));
+
+      //"script-src does not use default rule.
+      do_check_false(cspr.permits("http://allow.com:22", SD.SCRIPT_SRC));
+      //"script-src does not use default rule.
+      do_check_true(cspr.permits("https://foo.com:443", SD.SCRIPT_SRC));
+      //"script-src does not use default rule.
+      do_check_false(cspr.permits("http://bar.com:400", SD.SCRIPT_SRC));
+    });
+
+test(function test_CSPRep_fromStringSpecCompliant_withself() {
+      var cspr;
+      var self = "https://self.com:34";
+      var SD = CSPRep.SRC_DIRECTIVES_NEW;
+
+      // check one-directive policies
+      cspr = CSPRep.fromStringSpecCompliant("default-src 'self'; script-src 'self' https://*:*",
+                                            URI(self));
+      //"img-src does not enforce default rule, 'self'.
+      do_check_false(cspr.permits("https://foo.com:400", SD.IMG_SRC));
+      //"img-src does not allow self
+      do_check_true(cspr.permits(self, SD.IMG_SRC));
+      //"script-src is too relaxed
+      do_check_false(cspr.permits("http://evil.com", SD.SCRIPT_SRC));
+      //"script-src should allow self
+      do_check_true(cspr.permits(self, SD.SCRIPT_SRC));
+      //"script-src is too strict on host/port
+      do_check_true(cspr.permits("https://evil.com:100", SD.SCRIPT_SRC));
+     });
+
+
 //////////////// TEST FRAME ANCESTOR DEFAULTS /////////////////
 // (see bug 555068)
 test(function test_FrameAncestor_defaults() {
@ -509,6 +621,31 @@ test(function test_FrameAncestor_defaults() {
      do_check_false(cspr.permits("http://subd.self.com:34", SD.FRAME_ANCESTORS));
     });

+test(function test_FrameAncestor_defaults_specCompliant() {
+      var cspr;
+      var self = "http://self.com:34";
+      var SD = CSPRep.SRC_DIRECTIVES_NEW;
+
+      cspr = CSPRep.fromStringSpecCompliant("default-src 'none'", URI(self));
+
+      //"frame-ancestors should default to * not 'default-src' value"
+      do_check_true(cspr.permits("https://foo.com:400", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("http://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("https://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("http://self.com", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("http://subd.self.com:34", SD.FRAME_ANCESTORS));
+
+      cspr = CSPRep.fromStringSpecCompliant("default-src 'none'; frame-ancestors 'self'", URI(self));
+
+      //"frame-ancestors should only allow self"
+      do_check_true(cspr.permits("http://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("https://foo.com:400", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("https://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("http://self.com", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("http://subd.self.com:34", SD.FRAME_ANCESTORS));
+     });
+
+
 test(function test_FrameAncestor_TLD_defaultPorts() {
      var cspr;
      var SD = CSPRep.SRC_DIRECTIVES_OLD;