wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 925186 - Update test_bothCSPHeaders.html to catch the case where an invalid prefixed header fails closed. r=sstamm

Browse Source
This commit is contained in:
Garrett Robinson 2013-10-11 17:01:37 -07:00
parent 38d688077c
commit 9c90069d5d
3 changed files with 30 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
content/base/test/csp/file_bothCSPheaders.html
View File

@ -1,5 +1,6 @@
<html>
<body>
<img src="http://example.org/nonexistent.jpg"></img>
<img src="http://example.org/prefixed.jpg"></img>
<img src="/unprefixed.jpg"></img>
</body>
</html>

2
content/base/test/csp/file_bothCSPheaders.html^headers^
View File

@ -1,2 +1,2 @@
X-Content-Security-Policy: default-src 'self' ; img-src 'self' http://example.org
X-Content-Security-Policy: default-src 'none' ; img-src http://example.org
Content-Security-Policy: default-src 'self'

49
content/base/test/csp/test_bothCSPheaders.html
View File

@ -2,6 +2,8 @@
<html>
<head>
<title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title>
<!-- When both headers are present, we should ignore the pre-1.0 header and
only recognize the 1.0 spec-compliant header. -->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
@ -13,9 +15,12 @@
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
var loadedImgURL = "http://example.org/nonexistent.jpg";
var prefixedHeaderImgURL = "http://example.org/prefixed.jpg";
var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg";
var testsRun = 0;
var totalTests = 2;
// This is used to watch the blocked data bounce off CSP and allowed data
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
@ -28,25 +33,21 @@ examiner.prototype = {
return;
if (topic === "http-on-modify-request") {
// the load was allowed, this is a fail, the Content-Security Policy
// should not allow the load
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
if (asciiSpec != loadedImgURL) return;
ok(false, "the Content-Security Policy header does not allow the load, the X-Content-Security header should be ignored");
window.examiner.remove();
SimpleTest.finish();
if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
is(asciiSpec, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)");
testRan();
}
}
if (topic === "csp-on-violate-policy") {
// the load was blocked, this is a pass, the Content-Security-Policy
// header doesn't allow the load, but the X-Content-Security-Header does
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
if (asciiSpec != loadedImgURL) return;
ok(true, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
window.examiner.remove();
SimpleTest.finish();
if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
testRan();
}
}
},
@ -59,17 +60,21 @@ examiner.prototype = {
}
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
function testRan() {
testsRun++;
if (testsRun == totalTests) {
window.examiner.remove();
SimpleTest.finish();
}
}
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_bothCSPheaders.html';
{'set':[["security.csp.speccompliant", true]]},
function loadTestRequests() {
var cspframe = document.getElementById('cspframe');
cspframe.src = 'file_bothCSPheaders.html';
}
);
</script>