wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 925186 - Update test_bothCSPHeaders.html to catch the case where an invalid prefixed header fails closed. r=sstamm

Browse Source
This commit is contained in:
Garrett Robinson 2013-10-11 17:01:37 -07:00
parent 38d688077c
commit 9c90069d5d
3 changed files with 30 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
content/base/test/csp/file_bothCSPheaders.html
View File

@ -1,5 +1,6 @@
<html> <html>
<body> <body>
<img src="http://example.org/nonexistent.jpg"></img> <img src="http://example.org/prefixed.jpg"></img>
<img src="/unprefixed.jpg"></img>
</body> </body>
</html> </html>

2
content/base/test/csp/file_bothCSPheaders.html^headers^
View File

@ -1,2 +1,2 @@
X-Content-Security-Policy: default-src 'self' ; img-src 'self' http://example.org X-Content-Security-Policy: default-src 'none' ; img-src http://example.org
Content-Security-Policy: default-src 'self' Content-Security-Policy: default-src 'self'

45
content/base/test/csp/test_bothCSPheaders.html
View File

@ -2,6 +2,8 @@
<html> <html>
<head> <head>
<title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title> <title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title>
<!-- When both headers are present, we should ignore the pre-1.0 header and
only recognize the 1.0 spec-compliant header. -->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head> </head>
@ -13,7 +15,10 @@
<iframe style="width:200px;height:200px;" id='cspframe'></iframe> <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript"> <script class="testbody" type="text/javascript">
var loadedImgURL = "http://example.org/nonexistent.jpg"; var prefixedHeaderImgURL = "http://example.org/prefixed.jpg";
var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg";
var testsRun = 0;
var totalTests = 2;
// This is used to watch the blocked data bounce off CSP and allowed data // This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire. // get sent out to the wire.
@ -28,25 +33,21 @@ examiner.prototype = {
return; return;
if (topic === "http-on-modify-request") { if (topic === "http-on-modify-request") {
// the load was allowed, this is a fail, the Content-Security Policy
// should not allow the load
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec"); var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
if (asciiSpec != loadedImgURL) return; if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
is(asciiSpec, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)");
ok(false, "the Content-Security Policy header does not allow the load, the X-Content-Security header should be ignored"); testRan();
window.examiner.remove(); }
SimpleTest.finish();
} }
if (topic === "csp-on-violate-policy") { if (topic === "csp-on-violate-policy") {
// the load was blocked, this is a pass, the Content-Security-Policy // the load was blocked, this is a pass, the Content-Security-Policy
// header doesn't allow the load, but the X-Content-Security-Header does // header doesn't allow the load, but the X-Content-Security-Header does
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
if (asciiSpec != loadedImgURL) return; if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
ok(true, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored"); testRan();
window.examiner.remove(); }
SimpleTest.finish();
} }
}, },
@ -59,17 +60,21 @@ examiner.prototype = {
} }
window.examiner = new examiner(); window.examiner = new examiner();
SimpleTest.waitForExplicitFinish(); SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered. function testRan() {
// ... this loads the testbed of good and bad requests. testsRun++;
if (testsRun == totalTests) {
window.examiner.remove();
SimpleTest.finish();
}
}
SpecialPowers.pushPrefEnv( SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]}, {'set':[["security.csp.speccompliant", true]]},
function() { function loadTestRequests() {
// save this for last so that our listeners are registered. var cspframe = document.getElementById('cspframe');
// ... this loads the testbed of good and bad requests. cspframe.src = 'file_bothCSPheaders.html';
document.getElementById('cspframe').src = 'file_bothCSPheaders.html';
} }
); );
</script> </script>