mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
Bug 988616 - "hg cp" files that will be used in the split r=sstamm r=ckerschb
--HG-- rename : content/base/test/csp/chrome.ini => content/base/test/xcsp/chrome.ini rename : content/base/test/csp/file_CSP.css => content/base/test/xcsp/file_CSP.css rename : content/base/test/csp/file_CSP.sjs => content/base/test/xcsp/file_CSP.sjs rename : content/base/test/csp/file_CSP_evalscript_main.js => content/base/test/xcsp/file_CSP_evalscript_main.js rename : content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html => content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html rename : content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html^headers^ => content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html^headers^ rename : content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.js => content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.js rename : content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.html => content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html rename : content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.html^headers^ => content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html^headers^ rename : content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.js => content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js rename : content/base/test/csp/file_csp_bug768029.html => content/base/test/xcsp/file_csp_bug768029.html rename : content/base/test/csp/file_csp_bug768029.sjs => content/base/test/xcsp/file_csp_bug768029.sjs rename : content/base/test/csp/file_csp_bug773891.html => content/base/test/xcsp/file_csp_bug773891.html rename : content/base/test/csp/file_csp_bug773891.sjs => content/base/test/xcsp/file_csp_bug773891.sjs rename : content/base/test/csp/file_csp_redirects_main.html => content/base/test/xcsp/file_csp_redirects_main.html rename : content/base/test/csp/file_csp_redirects_page.sjs => content/base/test/xcsp/file_csp_redirects_page.sjs rename : content/base/test/csp/file_csp_redirects_resource.sjs => content/base/test/xcsp/file_csp_redirects_resource.sjs rename : content/base/test/csp/file_csp_report.sjs => content/base/test/xcsp/file_csp_report.sjs rename : content/base/test/csp/file_multi_policy_injection_bypass.html => content/base/test/xcsp/file_multi_policy_injection_bypass.html rename : content/base/test/csp/file_multi_policy_injection_bypass.html^headers^ => content/base/test/xcsp/file_multi_policy_injection_bypass.html^headers^ rename : content/base/test/csp/file_multi_policy_injection_bypass_2.html => content/base/test/xcsp/file_multi_policy_injection_bypass_2.html rename : content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^ => content/base/test/xcsp/file_multi_policy_injection_bypass_2.html^headers^ rename : content/base/test/csp/file_redirect_content.sjs => content/base/test/xcsp/file_redirect_content.sjs rename : content/base/test/csp/file_redirect_report.sjs => content/base/test/xcsp/file_redirect_report.sjs rename : content/base/test/csp/file_subframe_run_js_if_allowed.html => content/base/test/xcsp/file_subframe_run_js_if_allowed.html rename : content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^ => content/base/test/xcsp/file_subframe_run_js_if_allowed.html^headers^ rename : content/base/test/csp/mochitest.ini => content/base/test/xcsp/mochitest.ini rename : content/base/test/csp/moz.build => content/base/test/xcsp/moz.build rename : content/base/test/csp/test_301_redirect.html => content/base/test/xcsp/test_301_redirect.html rename : content/base/test/csp/test_302_redirect.html => content/base/test/xcsp/test_302_redirect.html rename : content/base/test/csp/test_303_redirect.html => content/base/test/xcsp/test_303_redirect.html rename : content/base/test/csp/test_307_redirect.html => content/base/test/xcsp/test_307_redirect.html rename : content/base/test/csp/test_CSP.html => content/base/test/xcsp/test_CSP.html rename : content/base/test/csp/test_CSP_evalscript.html => content/base/test/xcsp/test_CSP_evalscript.html rename : content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html => content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html rename : content/base/test/csp/test_CSP_frameancestors.html => content/base/test/xcsp/test_CSP_frameancestors.html rename : content/base/test/csp/test_CSP_inlinescript.html => content/base/test/xcsp/test_CSP_inlinescript.html rename : content/base/test/csp/test_CSP_inlinestyle.html => content/base/test/xcsp/test_CSP_inlinestyle.html rename : content/base/test/csp/test_csp_bug768029.html => content/base/test/xcsp/test_csp_bug768029.html rename : content/base/test/csp/test_csp_bug773891.html => content/base/test/xcsp/test_csp_bug773891.html rename : content/base/test/csp/test_csp_redirects.html => content/base/test/xcsp/test_csp_redirects.html rename : content/base/test/csp/test_csp_report.html => content/base/test/xcsp/test_csp_report.html rename : content/base/test/csp/test_multi_policy_injection_bypass.html => content/base/test/xcsp/test_multi_policy_injection_bypass.html rename : content/base/test/csp/test_subframe_run_js_if_allowed.html => content/base/test/xcsp/test_subframe_run_js_if_allowed.html
This commit is contained in:
parent
a81f32a1a0
commit
a6a986a320
4
content/base/test/xcsp/chrome.ini
Normal file
4
content/base/test/xcsp/chrome.ini
Normal file
@ -0,0 +1,4 @@
|
||||
[DEFAULT]
|
||||
|
||||
[test_csp_bug768029.html]
|
||||
[test_csp_bug773891.html]
|
20
content/base/test/xcsp/file_CSP.css
Normal file
20
content/base/test/xcsp/file_CSP.css
Normal file
@ -0,0 +1,20 @@
|
||||
/*
|
||||
* Moved this CSS from an inline stylesheet to an external file when we added
|
||||
* inline-style blocking in bug 763879.
|
||||
* This test may hang if the load for this .css file is blocked due to a
|
||||
* malfunction of CSP, but should pass if the style_good test passes.
|
||||
*/
|
||||
|
||||
/* CSS font embedding tests */
|
||||
@font-face {
|
||||
font-family: "arbitrary_good";
|
||||
src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
|
||||
}
|
||||
@font-face {
|
||||
font-family: "arbitrary_bad";
|
||||
src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
|
||||
}
|
||||
|
||||
.div_arbitrary_good { font-family: "arbitrary_good"; }
|
||||
.div_arbitrary_bad { font-family: "arbitrary_bad"; }
|
||||
|
26
content/base/test/xcsp/file_CSP.sjs
Normal file
26
content/base/test/xcsp/file_CSP.sjs
Normal file
@ -0,0 +1,26 @@
|
||||
// SJS file for CSP mochitests
|
||||
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
var query = {};
|
||||
request.queryString.split('&').forEach(function (val) {
|
||||
var [name, value] = val.split('=');
|
||||
query[name] = unescape(value);
|
||||
});
|
||||
|
||||
var isPreflight = request.method == "OPTIONS";
|
||||
|
||||
|
||||
//avoid confusing cache behaviors
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
if ("type" in query) {
|
||||
response.setHeader("Content-Type", unescape(query['type']), false);
|
||||
} else {
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
}
|
||||
|
||||
if ("content" in query) {
|
||||
response.write(unescape(query['content']));
|
||||
}
|
||||
}
|
126
content/base/test/xcsp/file_CSP_evalscript_main.js
Normal file
126
content/base/test/xcsp/file_CSP_evalscript_main.js
Normal file
@ -0,0 +1,126 @@
|
||||
// some javascript for the CSP eval() tests
|
||||
|
||||
function logResult(str, passed) {
|
||||
var elt = document.createElement('div');
|
||||
var color = passed ? "#cfc;" : "#fcc";
|
||||
elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
|
||||
elt.innerHTML = str;
|
||||
document.body.appendChild(elt);
|
||||
}
|
||||
|
||||
window._testResults = {};
|
||||
|
||||
// callback for when stuff is allowed by CSP
|
||||
var onevalexecuted = (function(window) {
|
||||
return function(shouldrun, what, data) {
|
||||
window._testResults[what] = "ran";
|
||||
window.parent.scriptRan(shouldrun, what, data);
|
||||
logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
|
||||
};})(window);
|
||||
|
||||
// callback for when stuff is blocked
|
||||
var onevalblocked = (function(window) {
|
||||
return function(shouldrun, what, data) {
|
||||
window._testResults[what] = "blocked";
|
||||
window.parent.scriptBlocked(shouldrun, what, data);
|
||||
logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
|
||||
};})(window);
|
||||
|
||||
|
||||
// Defer until document is loaded so that we can write the pretty result boxes
|
||||
// out.
|
||||
addEventListener('load', function() {
|
||||
// setTimeout(String) test -- mutate something in the window._testResults
|
||||
// obj, then check it.
|
||||
{
|
||||
var str_setTimeoutWithStringRan = 'onevalexecuted(false, "setTimeout(String)", "setTimeout with a string was enabled.");';
|
||||
function fcn_setTimeoutWithStringCheck() {
|
||||
if (this._testResults["setTimeout(String)"] !== "ran") {
|
||||
onevalblocked(false, "setTimeout(String)",
|
||||
"setTimeout with a string was blocked");
|
||||
}
|
||||
}
|
||||
setTimeout(fcn_setTimeoutWithStringCheck.bind(window), 10);
|
||||
setTimeout(str_setTimeoutWithStringRan, 10);
|
||||
}
|
||||
|
||||
// setTimeout(function) test -- mutate something in the window._testResults
|
||||
// obj, then check it.
|
||||
{
|
||||
function fcn_setTimeoutWithFunctionRan() {
|
||||
onevalexecuted(true, "setTimeout(function)",
|
||||
"setTimeout with a function was enabled.")
|
||||
}
|
||||
function fcn_setTimeoutWithFunctionCheck() {
|
||||
if (this._testResults["setTimeout(function)"] !== "ran") {
|
||||
onevalblocked(true, "setTimeout(function)",
|
||||
"setTimeout with a function was blocked");
|
||||
}
|
||||
}
|
||||
setTimeout(fcn_setTimeoutWithFunctionRan.bind(window), 10);
|
||||
setTimeout(fcn_setTimeoutWithFunctionCheck.bind(window), 10);
|
||||
}
|
||||
|
||||
// eval() test -- should throw exception as per spec
|
||||
try {
|
||||
eval('onevalexecuted(false, "eval(String)", "eval() was enabled.");');
|
||||
} catch (e) {
|
||||
onevalblocked(false, "eval(String)",
|
||||
"eval() was blocked");
|
||||
}
|
||||
|
||||
// eval(foo,bar) test -- should throw exception as per spec
|
||||
try {
|
||||
eval('onevalexecuted(false, "eval(String,scope)", "eval() was enabled.");',1);
|
||||
} catch (e) {
|
||||
onevalblocked(false, "eval(String,object)",
|
||||
"eval() with scope was blocked");
|
||||
}
|
||||
|
||||
// [foo,bar].sort(eval) test -- should throw exception as per spec
|
||||
try {
|
||||
['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1].sort(eval);
|
||||
} catch (e) {
|
||||
onevalblocked(false, "[String, obj].sort(eval)",
|
||||
"eval() with scope via sort was blocked");
|
||||
}
|
||||
|
||||
// [].sort.call([foo,bar], eval) test -- should throw exception as per spec
|
||||
try {
|
||||
[].sort.call(['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1], eval);
|
||||
} catch (e) {
|
||||
onevalblocked(false, "[].sort.call([String, obj], eval)",
|
||||
"eval() with scope via sort/call was blocked");
|
||||
}
|
||||
|
||||
// new Function() test -- should throw exception as per spec
|
||||
try {
|
||||
var fcn = new Function('onevalexecuted(false, "new Function(String)", "new Function(String) was enabled.");');
|
||||
fcn();
|
||||
} catch (e) {
|
||||
onevalblocked(false, "new Function(String)",
|
||||
"new Function(String) was blocked.");
|
||||
}
|
||||
|
||||
// setTimeout(eval, 0, str)
|
||||
{
|
||||
// error is not catchable here, instead, we're going to side-effect
|
||||
// 'worked'.
|
||||
var worked = false;
|
||||
|
||||
setTimeout(eval, 0, 'worked = true');
|
||||
setTimeout(function(worked) {
|
||||
if (worked) {
|
||||
onevalexecuted(false, "setTimeout(eval, 0, str)",
|
||||
"setTimeout(eval, 0, string) was enabled.");
|
||||
} else {
|
||||
onevalblocked(false, "setTimeout(eval, 0, str)",
|
||||
"setTimeout(eval, 0, str) was blocked.");
|
||||
}
|
||||
}, 0, worked);
|
||||
}
|
||||
|
||||
}, false);
|
||||
|
||||
|
||||
|
@ -0,0 +1,12 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>CSP eval script tests</title>
|
||||
<script type="application/javascript"
|
||||
src="file_CSP_evalscript_main_getCRMFRequest.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
Foo.
|
||||
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1,2 @@
|
||||
Cache-Control: no-cache
|
||||
X-Content-Security-Policy: default-src 'self'
|
@ -0,0 +1,48 @@
|
||||
// some javascript for the CSP eval() tests
|
||||
|
||||
function logResult(str, passed) {
|
||||
var elt = document.createElement('div');
|
||||
var color = passed ? "#cfc;" : "#fcc";
|
||||
elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
|
||||
elt.innerHTML = str;
|
||||
document.body.appendChild(elt);
|
||||
}
|
||||
|
||||
window._testResults = {};
|
||||
|
||||
// callback for when stuff is allowed by CSP
|
||||
var onevalexecuted = (function(window) {
|
||||
return function(shouldrun, what, data) {
|
||||
window._testResults[what] = "ran";
|
||||
window.parent.scriptRan(shouldrun, what, data);
|
||||
logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
|
||||
};})(window);
|
||||
|
||||
// callback for when stuff is blocked
|
||||
var onevalblocked = (function(window) {
|
||||
return function(shouldrun, what, data) {
|
||||
window._testResults[what] = "blocked";
|
||||
window.parent.scriptBlocked(shouldrun, what, data);
|
||||
logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
|
||||
};})(window);
|
||||
|
||||
|
||||
// Defer until document is loaded so that we can write the pretty result boxes
|
||||
// out.
|
||||
addEventListener('load', function() {
|
||||
// generateCRMFRequest test -- make sure we cannot eval the callback if CSP is in effect
|
||||
try {
|
||||
var script = 'console.log("dynamic script eval\'d in crypto.generateCRMFRequest should be disallowed")';
|
||||
crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
|
||||
onevalexecuted(false, "crypto.generateCRMFRequest()",
|
||||
"crypto.generateCRMFRequest() should not run!");
|
||||
} catch (e) {
|
||||
onevalblocked(false, "eval(script) inside crypto.generateCRMFRequest",
|
||||
"eval was blocked during crypto.generateCRMFRequest");
|
||||
}
|
||||
|
||||
|
||||
}, false);
|
||||
|
||||
|
||||
|
@ -0,0 +1,12 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>CSP eval script tests: no CSP specified</title>
|
||||
<script type="application/javascript"
|
||||
src="file_CSP_evalscript_no_CSP_at_all.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
Foo. See bug 824652
|
||||
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1 @@
|
||||
Cache-Control: no-cache
|
42
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js
Normal file
42
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js
Normal file
@ -0,0 +1,42 @@
|
||||
// some javascript for the CSP eval() tests
|
||||
// all of these evals should succeed, as the document loading this script
|
||||
// has script-src 'self' 'unsafe-eval'
|
||||
|
||||
function logResult(str, passed) {
|
||||
var elt = document.createElement('div');
|
||||
var color = passed ? "#cfc;" : "#fcc";
|
||||
elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
|
||||
elt.innerHTML = str;
|
||||
document.body.appendChild(elt);
|
||||
}
|
||||
|
||||
// callback for when stuff is allowed by CSP
|
||||
var onevalexecuted = (function(window) {
|
||||
return function(shouldrun, what, data) {
|
||||
window.parent.scriptRan(shouldrun, what, data);
|
||||
logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
|
||||
};})(window);
|
||||
|
||||
// callback for when stuff is blocked
|
||||
var onevalblocked = (function(window) {
|
||||
return function(shouldrun, what, data) {
|
||||
window.parent.scriptBlocked(shouldrun, what, data);
|
||||
logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
|
||||
};})(window);
|
||||
|
||||
|
||||
// Defer until document is loaded so that we can write the pretty result boxes
|
||||
// out.
|
||||
addEventListener('load', function() {
|
||||
// test that allows crypto.generateCRMFRequest eval to run when there is no CSP at all in place
|
||||
try {
|
||||
var script =
|
||||
'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
|
||||
crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
|
||||
onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest: no CSP at all",
|
||||
"eval executed during crypto.generateCRMFRequest where no CSP is set at all");
|
||||
} catch (e) {
|
||||
onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
|
||||
"eval was blocked during crypto.generateCRMFRequest");
|
||||
}
|
||||
}, false);
|
25
content/base/test/xcsp/file_csp_bug768029.html
Normal file
25
content/base/test/xcsp/file_csp_bug768029.html
Normal file
@ -0,0 +1,25 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
|
||||
-->
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>This is an app for testing</title>
|
||||
|
||||
<link rel="stylesheet" type="text/css"
|
||||
href="file_csp_bug768029.sjs?type=style&origin=same_origin" />
|
||||
<link rel="stylesheet" type="text/css"
|
||||
href="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=style&origin=cross_origin" />
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<script src="file_csp_bug768029.sjs?type=script&origin=same_origin"></script>
|
||||
<script src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=script&origin=cross_origin"></script>
|
||||
<img src="file_csp_bug768029.sjs?type=img&origin=same_origin" />
|
||||
<img src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=img&origin=cross_origin" />
|
||||
|
||||
Test for CSP applied to (simulated) app.
|
||||
|
||||
</body>
|
||||
</html>
|
29
content/base/test/xcsp/file_csp_bug768029.sjs
Normal file
29
content/base/test/xcsp/file_csp_bug768029.sjs
Normal file
@ -0,0 +1,29 @@
|
||||
function handleRequest(request, response) {
|
||||
|
||||
var query = {};
|
||||
|
||||
request.queryString.split('&').forEach(function(val) {
|
||||
var [name, value] = val.split('=');
|
||||
query[name] = unescape(value);
|
||||
});
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
if ("type" in query) {
|
||||
switch (query.type) {
|
||||
case "script":
|
||||
response.setHeader("Content-Type", "application/javascript");
|
||||
response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
|
||||
return;
|
||||
case "style":
|
||||
response.setHeader("Content-Type", "text/css");
|
||||
response.write("\n\n.cspfoo { color:red; }\n\n");
|
||||
return;
|
||||
case "img":
|
||||
response.setHeader("Content-Type", "image/png");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
response.setHeader("Content-Type", "text/plain");
|
||||
response.write("ohnoes!");
|
||||
}
|
25
content/base/test/xcsp/file_csp_bug773891.html
Normal file
25
content/base/test/xcsp/file_csp_bug773891.html
Normal file
@ -0,0 +1,25 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=773891
|
||||
-->
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>This is an app for csp testing</title>
|
||||
|
||||
<link rel="stylesheet" type="text/css"
|
||||
href="file_csp_bug773891.sjs?type=style&origin=same_origin" />
|
||||
<link rel="stylesheet" type="text/css"
|
||||
href="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=style&origin=cross_origin" />
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<script src="file_csp_bug773891.sjs?type=script&origin=same_origin"></script>
|
||||
<script src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=script&origin=cross_origin"></script>
|
||||
<img src="file_csp_bug773891.sjs?type=img&origin=same_origin" />
|
||||
<img src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=img&origin=cross_origin" />
|
||||
|
||||
Test for CSP applied to (simulated) app.
|
||||
|
||||
</body>
|
||||
</html>
|
29
content/base/test/xcsp/file_csp_bug773891.sjs
Normal file
29
content/base/test/xcsp/file_csp_bug773891.sjs
Normal file
@ -0,0 +1,29 @@
|
||||
function handleRequest(request, response) {
|
||||
|
||||
var query = {};
|
||||
|
||||
request.queryString.split('&').forEach(function(val) {
|
||||
var [name, value] = val.split('=');
|
||||
query[name] = unescape(value);
|
||||
});
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
if ("type" in query) {
|
||||
switch (query.type) {
|
||||
case "script":
|
||||
response.setHeader("Content-Type", "application/javascript");
|
||||
response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
|
||||
return;
|
||||
case "style":
|
||||
response.setHeader("Content-Type", "text/css");
|
||||
response.write("\n\n.cspfoo { color:red; }\n\n");
|
||||
return;
|
||||
case "img":
|
||||
response.setHeader("Content-Type", "image/png");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
response.setHeader("Content-Type", "text/plain");
|
||||
response.write("ohnoes!");
|
||||
}
|
44
content/base/test/xcsp/file_csp_redirects_main.html
Normal file
44
content/base/test/xcsp/file_csp_redirects_main.html
Normal file
@ -0,0 +1,44 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>CSP redirect tests</title>
|
||||
</head>
|
||||
<body>
|
||||
<div id="container"></div>
|
||||
</body>
|
||||
|
||||
<script>
|
||||
var thisSite = "http://mochi.test:8888";
|
||||
var otherSite = "http://example.com";
|
||||
var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
|
||||
|
||||
var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
|
||||
"frame-src": thisSite+page+"?testid=frame-src&csp=1",
|
||||
"img-src": thisSite+page+"?testid=img-src&csp=1",
|
||||
"media-src": thisSite+page+"?testid=media-src&csp=1",
|
||||
"object-src": thisSite+page+"?testid=object-src&csp=1",
|
||||
"script-src": thisSite+page+"?testid=script-src&csp=1",
|
||||
"style-src": thisSite+page+"?testid=style-src&csp=1",
|
||||
"worker": thisSite+page+"?testid=worker&csp=1",
|
||||
"xhr-src": thisSite+page+"?testid=xhr-src&csp=1",
|
||||
"font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
|
||||
"frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
|
||||
"img-src-spec-compliant": thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
|
||||
"media-src-spec-compliant": thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
|
||||
"object-src-spec-compliant": thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
|
||||
"script-src-spec-compliant": thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
|
||||
"style-src-spec-compliant": thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
|
||||
"worker-spec-compliant": thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
|
||||
"xhr-src-spec-compliant": thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
|
||||
};
|
||||
|
||||
var container = document.getElementById("container");
|
||||
|
||||
// load each test in its own iframe
|
||||
for (tid in tests) {
|
||||
var i = document.createElement("iframe");
|
||||
i.id = tid;
|
||||
i.src = tests[tid];
|
||||
container.appendChild(i);
|
||||
}
|
||||
</script>
|
||||
</html>
|
133
content/base/test/xcsp/file_csp_redirects_page.sjs
Normal file
133
content/base/test/xcsp/file_csp_redirects_page.sjs
Normal file
@ -0,0 +1,133 @@
|
||||
// SJS file for CSP redirect mochitests
|
||||
// This file serves pages which can optionally specify a Content Security Policy
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
var query = {};
|
||||
request.queryString.split('&').forEach(function (val) {
|
||||
var [name, value] = val.split('=');
|
||||
query[name] = unescape(value);
|
||||
});
|
||||
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
|
||||
var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
|
||||
|
||||
// CSP header value
|
||||
if (query["csp"] == 1) {
|
||||
if (query["spec"] == 1) {
|
||||
response.setHeader("Content-Security-Policy", "default-src 'self' ; style-src 'self' 'unsafe-inline'", false);
|
||||
} else {
|
||||
response.setHeader("X-Content-Security-Policy", "allow 'self'", false);
|
||||
}
|
||||
}
|
||||
|
||||
// downloadable font that redirects to another site
|
||||
if (query["testid"] == "font-src") {
|
||||
var resp = '<style type="text/css"> @font-face { font-family:' +
|
||||
'"Redirecting Font"; src: url("' + resource +
|
||||
'?res=font&redir=other&id=font-src-redir")} #test{font-family:' +
|
||||
'"Redirecting Font"}</style></head><body>' +
|
||||
'<div id="test">test</div></body>';
|
||||
response.write(resp);
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "font-src-spec-compliant") {
|
||||
var resp = '<style type="text/css"> @font-face { font-family:' +
|
||||
'"Redirecting Font Spec Compliant"; src: url("' + resource +
|
||||
'?res=font-spec-compliant&redir=other&id=font-src-redir-spec-compliant")} #test{font-family:' +
|
||||
'"Redirecting Font Spec Compliant"}</style></head><body>' +
|
||||
'<div id="test">test</div></body>';
|
||||
response.write(resp);
|
||||
return;
|
||||
}
|
||||
|
||||
// iframe that redirects to another site
|
||||
if (query["testid"] == "frame-src") {
|
||||
response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir"></iframe>');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "frame-src-spec-compliant") {
|
||||
response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir-spec-compliant"></iframe>');
|
||||
return;
|
||||
}
|
||||
|
||||
// image that redirects to another site
|
||||
if (query["testid"] == "img-src") {
|
||||
response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir" />');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "img-src-spec-compliant") {
|
||||
response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir-spec-compliant" />');
|
||||
return;
|
||||
}
|
||||
|
||||
// video content that redirects to another site
|
||||
if (query["testid"] == "media-src") {
|
||||
response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir"></video>');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "media-src-spec-compliant") {
|
||||
response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir-spec-compliant"></video>');
|
||||
return;
|
||||
}
|
||||
|
||||
// object content that redirects to another site
|
||||
if (query["testid"] == "object-src") {
|
||||
response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir"></object>');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "object-src-spec-compliant") {
|
||||
response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir-spec-compliant"></object>');
|
||||
return;
|
||||
}
|
||||
|
||||
// external script that redirects to another site
|
||||
if (query["testid"] == "script-src") {
|
||||
response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir"></script>');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "script-src-spec-compliant") {
|
||||
response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir-spec-compliant"></script>');
|
||||
return;
|
||||
}
|
||||
|
||||
// external stylesheet that redirects to another site
|
||||
if (query["testid"] == "style-src") {
|
||||
response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir"></script>');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "style-src-spec-compliant") {
|
||||
response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir-spec-compliant"></script>');
|
||||
return;
|
||||
}
|
||||
|
||||
// worker script resource that redirects to another site
|
||||
if (query["testid"] == "worker") {
|
||||
response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir"></script>');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "worker-spec-compliant") {
|
||||
response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir-spec-compliant"></script>');
|
||||
return;
|
||||
}
|
||||
|
||||
// script that XHR's to a resource that redirects to another site
|
||||
if (query["testid"] == "xhr-src") {
|
||||
response.write('<script src="'+resource+'?res=xhr"></script>');
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["testid"] == "xhr-src-spec-compliant") {
|
||||
response.write('<script src="'+resource+'?res=xhr-spec-compliant"></script>');
|
||||
return;
|
||||
}
|
||||
}
|
128
content/base/test/xcsp/file_csp_redirects_resource.sjs
Normal file
128
content/base/test/xcsp/file_csp_redirects_resource.sjs
Normal file
@ -0,0 +1,128 @@
|
||||
// SJS file to serve resources for CSP redirect tests
|
||||
// This file mimics serving resources, e.g. fonts, images, etc., which a CSP
|
||||
// can include. The resource may redirect to a different resource, if specified.
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
var query = {};
|
||||
request.queryString.split('&').forEach(function (val) {
|
||||
var [name, value] = val.split('=');
|
||||
query[name] = unescape(value);
|
||||
});
|
||||
|
||||
var thisSite = "http://mochi.test:8888";
|
||||
var otherSite = "http://example.com";
|
||||
var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
|
||||
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
// redirect to a resource on this site
|
||||
if (query["redir"] == "same") {
|
||||
var loc = thisSite+resource+"?res="+query["res"]+"&testid="+query["id"];
|
||||
response.setStatusLine("1.1", 302, "Found");
|
||||
response.setHeader("Location", loc, false);
|
||||
return;
|
||||
}
|
||||
|
||||
// redirect to a resource on a different site
|
||||
else if (query["redir"] == "other") {
|
||||
var loc = otherSite+resource+"?res="+query["res"]+"&testid="+query["id"];
|
||||
response.setStatusLine("1.1", 302, "Found");
|
||||
response.setHeader("Location", loc, false);
|
||||
return;
|
||||
}
|
||||
|
||||
// not a redirect. serve some content.
|
||||
// the content doesn't have to be valid, since we're only checking whether
|
||||
// the request for the content was sent or not.
|
||||
|
||||
// downloadable font
|
||||
if (query["res"] == "font") {
|
||||
response.setHeader("Access-Control-Allow-Origin", "*", false);
|
||||
response.setHeader("Content-Type", "text/plain", false);
|
||||
response.write("font data...");
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["res"] == "font-spec-compliant") {
|
||||
response.setHeader("Access-Control-Allow-Origin", "*", false);
|
||||
response.setHeader("Content-Type", "text/plain", false);
|
||||
response.write("font data...");
|
||||
return;
|
||||
}
|
||||
|
||||
// iframe with arbitrary content
|
||||
if (query["res"] == "iframe") {
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
response.write("iframe content...");
|
||||
return;
|
||||
}
|
||||
|
||||
// image
|
||||
if (query["res"] == "image") {
|
||||
response.setHeader("Content-Type", "image/gif", false);
|
||||
response.write("image data...");
|
||||
return;
|
||||
}
|
||||
|
||||
// media content, e.g. Ogg video
|
||||
if (query["res"] == "media") {
|
||||
response.setHeader("Content-Type", "video/ogg", false);
|
||||
response.write("video data...");
|
||||
return;
|
||||
}
|
||||
|
||||
// plugin content, e.g. <object>
|
||||
if (query["res"] == "object") {
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
response.write("object data...");
|
||||
return;
|
||||
}
|
||||
|
||||
// script
|
||||
if (query["res"] == "script") {
|
||||
response.setHeader("Content-Type", "application/javascript", false);
|
||||
response.write("some script...");
|
||||
return;
|
||||
}
|
||||
|
||||
// external stylesheet
|
||||
if (query["res"] == "style") {
|
||||
response.setHeader("Content-Type", "text/css", false);
|
||||
response.write("css data...");
|
||||
return;
|
||||
}
|
||||
|
||||
// web worker resource
|
||||
if (query["res"] == "worker") {
|
||||
response.setHeader("Content-Type", "application/javascript", false);
|
||||
response.write("worker script data...");
|
||||
return;
|
||||
}
|
||||
|
||||
// script that invokes XHR
|
||||
if (query["res"] == "xhr") {
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
|
||||
resource+'?res=xhr-resp&testid=xhr-src-redir", false); ' +
|
||||
'x.send(null);';
|
||||
response.write(resp);
|
||||
return;
|
||||
}
|
||||
|
||||
if (query["res"] == "xhr-spec-compliant") {
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
|
||||
resource+'?res=xhr-resp-spec-compliant&testid=xhr-src-redir-spec-compliant", false); ' +
|
||||
'x.send(null);';
|
||||
response.write(resp);
|
||||
return;
|
||||
}
|
||||
|
||||
// response to XHR
|
||||
if (query["res"] == "xhr-resp-spec-compliant") {
|
||||
response.setHeader("Access-Control-Allow-Origin", "*", false);
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
response.write('XHR response...');
|
||||
return;
|
||||
}
|
||||
}
|
25
content/base/test/xcsp/file_csp_report.sjs
Normal file
25
content/base/test/xcsp/file_csp_report.sjs
Normal file
@ -0,0 +1,25 @@
|
||||
// SJS file for CSP violation report test
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=548193
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
var query = {};
|
||||
request.queryString.split('&').forEach(function (val) {
|
||||
var [name, value] = val.split('=');
|
||||
query[name] = unescape(value);
|
||||
});
|
||||
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
|
||||
// avoid confusing cache behaviors
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
// set CSP header
|
||||
response.setHeader("X-Content-Security-Policy",
|
||||
"allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
|
||||
false);
|
||||
|
||||
// content which will trigger a violation report
|
||||
response.write('<html><body>');
|
||||
response.write('<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>');
|
||||
response.write('</body></html>');
|
||||
}
|
@ -0,0 +1,15 @@
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=717511
|
||||
-->
|
||||
<body>
|
||||
<!-- these should be stopped by CSP after fixing bug 717511. :) -->
|
||||
<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
|
||||
<script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
|
||||
|
||||
<!-- these should load ok after fixing bug 717511. :) -->
|
||||
<img src="file_CSP.sjs?testid=img_good&type=img/png" />
|
||||
<script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1 @@
|
||||
X-Content-Security-Policy: default-src 'self', allow *
|
@ -0,0 +1,15 @@
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=717511
|
||||
-->
|
||||
<body>
|
||||
<!-- these should be stopped by CSP after fixing bug 717511. :) -->
|
||||
<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img2_bad&type=img/png"> </img>
|
||||
<script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script2_bad&type=text/javascript'></script>
|
||||
|
||||
<!-- these should load ok after fixing bug 717511. :) -->
|
||||
<img src="file_CSP.sjs?testid=img2_good&type=img/png" />
|
||||
<script src='file_CSP.sjs?testid=script2_good&type=text/javascript'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1 @@
|
||||
X-Content-Security-Policy: default-src 'self' , allow *
|
38
content/base/test/xcsp/file_redirect_content.sjs
Normal file
38
content/base/test/xcsp/file_redirect_content.sjs
Normal file
@ -0,0 +1,38 @@
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
|
||||
// This SJS file serves file_redirect_content.html
|
||||
// with a CSP that will trigger a violation and that will report it
|
||||
// to file_redirect_report.sjs
|
||||
//
|
||||
// This handles 301, 302, 303 and 307 redirects. The HTTP status code
|
||||
// returned/type of redirect to do comes from the query string
|
||||
// parameter passed in from the test_bug650386_* files and then also
|
||||
// uses that value in the report-uri parameter of the CSP
|
||||
function handleRequest(request, response) {
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
// this gets used in the CSP as part of the report URI.
|
||||
var redirect = request.queryString;
|
||||
|
||||
if (redirect < 301 || (redirect > 303 && redirect <= 306) || redirect > 307) {
|
||||
// if we somehow got some bogus redirect code here,
|
||||
// do a 302 redirect to the same URL as the report URI
|
||||
// redirects to - this will fail the test.
|
||||
var loc = "http://example.com/some/fake/path";
|
||||
response.setStatusLine("1.1", 302, "Found");
|
||||
response.setHeader("Location", loc, false);
|
||||
return;
|
||||
}
|
||||
|
||||
var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
|
||||
|
||||
response.setHeader("X-Content-Security-Policy", csp, false);
|
||||
|
||||
// the actual file content.
|
||||
// this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
|
||||
// specified by the CSP string above.
|
||||
var content = "<!DOCTYPE HTML><html><body><img src = \"http://some.other.domain.example.com\"></body></html>";
|
||||
|
||||
response.write(content);
|
||||
|
||||
return;
|
||||
}
|
17
content/base/test/xcsp/file_redirect_report.sjs
Normal file
17
content/base/test/xcsp/file_redirect_report.sjs
Normal file
@ -0,0 +1,17 @@
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
|
||||
// This SJS file serves as CSP violation report target
|
||||
// and issues a redirect, to make sure the browser does not post to the target
|
||||
// of the redirect, per CSP spec.
|
||||
// This handles 301, 302, 303 and 307 redirects. The HTTP status code
|
||||
// returned/type of redirect to do comes from the query string
|
||||
// parameter
|
||||
function handleRequest(request, response) {
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
var redirect = request.queryString;
|
||||
|
||||
var loc = "http://example.com/some/fake/path";
|
||||
response.setStatusLine("1.1", redirect, "Found");
|
||||
response.setHeader("Location", loc, false);
|
||||
return;
|
||||
}
|
13
content/base/test/xcsp/file_subframe_run_js_if_allowed.html
Normal file
13
content/base/test/xcsp/file_subframe_run_js_if_allowed.html
Normal file
@ -0,0 +1,13 @@
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=702439
|
||||
|
||||
This document is a child frame of a CSP document and the
|
||||
test verifies that it is permitted to run javascript: URLs
|
||||
if the parent has a policy that allows them.
|
||||
-->
|
||||
<body onload="document.getElementById('a').click()">
|
||||
<a id="a" href="javascript:parent.javascript_link_ran = true;
|
||||
parent.checkResult();">click</a>
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1 @@
|
||||
X-Content-Security-Policy: default-src *; options inline-script
|
165
content/base/test/xcsp/mochitest.ini
Normal file
165
content/base/test/xcsp/mochitest.ini
Normal file
@ -0,0 +1,165 @@
|
||||
[DEFAULT]
|
||||
support-files =
|
||||
file_CSP.css
|
||||
file_CSP.sjs
|
||||
file_CSP_bug663567.xsl
|
||||
file_CSP_bug663567_allows.xml
|
||||
file_CSP_bug663567_allows.xml^headers^
|
||||
file_CSP_bug663567_blocks.xml
|
||||
file_CSP_bug663567_blocks.xml^headers^
|
||||
file_CSP_bug802872.html
|
||||
file_CSP_bug802872.html^headers^
|
||||
file_CSP_bug802872.js
|
||||
file_CSP_bug802872.sjs
|
||||
file_CSP_bug885433_allows.html
|
||||
file_CSP_bug885433_allows.html^headers^
|
||||
file_CSP_bug885433_blocks.html
|
||||
file_CSP_bug885433_blocks.html^headers^
|
||||
file_CSP_bug888172.html
|
||||
file_CSP_bug888172.sjs
|
||||
file_CSP_bug916446.html
|
||||
file_CSP_bug916446.html^headers^
|
||||
file_CSP_evalscript_main.html
|
||||
file_CSP_evalscript_main.html^headers^
|
||||
file_CSP_evalscript_main.js
|
||||
file_CSP_evalscript_main_allowed.js
|
||||
file_CSP_evalscript_main_allowed_getCRMFRequest.js
|
||||
file_CSP_evalscript_main_getCRMFRequest.html
|
||||
file_CSP_evalscript_main_getCRMFRequest.html^headers^
|
||||
file_CSP_evalscript_main_getCRMFRequest.js
|
||||
file_CSP_evalscript_main_spec_compliant.html
|
||||
file_CSP_evalscript_main_spec_compliant.html^headers^
|
||||
file_CSP_evalscript_main_spec_compliant_allowed.html
|
||||
file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
|
||||
file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
|
||||
file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
|
||||
file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
|
||||
file_CSP_evalscript_no_CSP_at_all.html
|
||||
file_CSP_evalscript_no_CSP_at_all.html^headers^
|
||||
file_CSP_evalscript_no_CSP_at_all.js
|
||||
file_CSP_frameancestors.sjs
|
||||
file_CSP_frameancestors_main.html
|
||||
file_CSP_frameancestors_main.js
|
||||
file_CSP_frameancestors_main_spec_compliant.html
|
||||
file_CSP_frameancestors_main_spec_compliant.js
|
||||
file_CSP_frameancestors_spec_compliant.sjs
|
||||
file_CSP_inlinescript_main.html
|
||||
file_CSP_inlinescript_main.html^headers^
|
||||
file_CSP_inlinescript_main_spec_compliant.html
|
||||
file_CSP_inlinescript_main_spec_compliant.html^headers^
|
||||
file_CSP_inlinescript_main_spec_compliant_allowed.html
|
||||
file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_inlinestyle_main.html
|
||||
file_CSP_inlinestyle_main.html^headers^
|
||||
file_CSP_inlinestyle_main_spec_compliant.html
|
||||
file_CSP_inlinestyle_main_spec_compliant.html^headers^
|
||||
file_CSP_inlinestyle_main_spec_compliant_allowed.html
|
||||
file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_main.html
|
||||
file_CSP_main.html^headers^
|
||||
file_CSP_main.js
|
||||
file_CSP_main_spec_compliant.html
|
||||
file_CSP_main_spec_compliant.html^headers^
|
||||
file_CSP_main_spec_compliant.js
|
||||
file_bothCSPheaders.html
|
||||
file_bothCSPheaders.html^headers^
|
||||
file_bug836922_npolicies.html
|
||||
file_bug836922_npolicies.html^headers^
|
||||
file_bug836922_npolicies_ro_violation.sjs
|
||||
file_bug836922_npolicies_violation.sjs
|
||||
file_bug886164.html
|
||||
file_bug886164.html^headers^
|
||||
file_bug886164_2.html
|
||||
file_bug886164_2.html^headers^
|
||||
file_bug886164_3.html
|
||||
file_bug886164_3.html^headers^
|
||||
file_bug886164_4.html
|
||||
file_bug886164_4.html^headers^
|
||||
file_bug886164_5.html
|
||||
file_bug886164_5.html^headers^
|
||||
file_bug886164_6.html
|
||||
file_bug886164_6.html^headers^
|
||||
file_csp_bug768029.html
|
||||
file_csp_bug768029.sjs
|
||||
file_csp_bug773891.html
|
||||
file_csp_bug773891.sjs
|
||||
file_csp_redirects_main.html
|
||||
file_csp_redirects_page.sjs
|
||||
file_csp_redirects_resource.sjs
|
||||
file_CSP_bug910139.sjs
|
||||
file_CSP_bug910139.xml
|
||||
file_CSP_bug910139.xsl
|
||||
file_CSP_bug909029_star.html
|
||||
file_CSP_bug909029_star.html^headers^
|
||||
file_CSP_bug909029_none.html
|
||||
file_CSP_bug909029_none.html^headers^
|
||||
file_policyuri_regression_from_multipolicy.html
|
||||
file_policyuri_regression_from_multipolicy.html^headers^
|
||||
file_policyuri_regression_from_multipolicy_policy
|
||||
file_nonce_source.html
|
||||
file_nonce_source.html^headers^
|
||||
file_CSP_bug941404.html
|
||||
file_CSP_bug941404_xhr.html
|
||||
file_CSP_bug941404_xhr.html^headers^
|
||||
file_hash_source.html
|
||||
file_hash_source.html^headers^
|
||||
file_dual_headers_warning.html
|
||||
file_dual_headers_warning.html^headers^
|
||||
file_self_none_as_hostname_confusion.html
|
||||
file_self_none_as_hostname_confusion.html^headers^
|
||||
file_csp_testserver.sjs
|
||||
file_csp_regexp_parsing.html
|
||||
file_csp_regexp_parsing.js
|
||||
file_report_uri_missing_in_report_only_header.html
|
||||
file_report_uri_missing_in_report_only_header.html^headers^
|
||||
file_csp_report.sjs
|
||||
file_policyuri_async_fetch.html
|
||||
file_policyuri_async_fetch.html^headers^
|
||||
file_redirect_content.sjs
|
||||
file_redirect_report.sjs
|
||||
file_subframe_run_js_if_allowed.html
|
||||
file_subframe_run_js_if_allowed.html^headers^
|
||||
file_multi_policy_injection_bypass.html
|
||||
file_multi_policy_injection_bypass.html^headers^
|
||||
file_multi_policy_injection_bypass_2.html
|
||||
file_multi_policy_injection_bypass_2.html^headers^
|
||||
|
||||
[test_CSP.html]
|
||||
[test_CSP_bug663567.html]
|
||||
[test_CSP_bug802872.html]
|
||||
[test_CSP_bug885433.html]
|
||||
[test_CSP_bug888172.html]
|
||||
[test_CSP_bug916446.html]
|
||||
[test_CSP_evalscript.html]
|
||||
[test_CSP_evalscript_getCRMFRequest.html]
|
||||
skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
|
||||
[test_CSP_frameancestors.html]
|
||||
skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
|
||||
[test_CSP_inlinescript.html]
|
||||
[test_CSP_inlinestyle.html]
|
||||
[test_bothCSPheaders.html]
|
||||
[test_bug836922_npolicies.html]
|
||||
[test_bug886164.html]
|
||||
[test_csp_redirects.html]
|
||||
[test_CSP_bug910139.html]
|
||||
[test_CSP_bug909029.html]
|
||||
[test_policyuri_regression_from_multipolicy.html]
|
||||
[test_nonce_source.html]
|
||||
[test_CSP_bug941404.html]
|
||||
[test_hash_source.html]
|
||||
skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
|
||||
[test_dual_headers_warning.html]
|
||||
[test_self_none_as_hostname_confusion.html]
|
||||
[test_bug949549.html]
|
||||
[test_csp_regexp_parsing.html]
|
||||
[test_report_uri_missing_in_report_only_header.html]
|
||||
[test_csp_report.html]
|
||||
skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
|
||||
[test_policyuri_async_fetch.html]
|
||||
[test_301_redirect.html]
|
||||
[test_302_redirect.html]
|
||||
[test_303_redirect.html]
|
||||
[test_307_redirect.html]
|
||||
[test_subframe_run_js_if_allowed.html]
|
||||
[test_multi_policy_injection_bypass.html]
|
10
content/base/test/xcsp/moz.build
Normal file
10
content/base/test/xcsp/moz.build
Normal file
@ -0,0 +1,10 @@
|
||||
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python:
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
MOCHITEST_MANIFESTS += ['mochitest.ini']
|
||||
|
||||
MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']
|
||||
|
77
content/base/test/xcsp/test_301_redirect.html
Normal file
77
content/base/test/xcsp/test_301_redirect.html
Normal file
@ -0,0 +1,77 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
|
||||
Test that CSP violation reports are not sent when a 301 redirect is encountered
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 650386</title>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
<iframe id = "content_iframe"></iframe>
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript">
|
||||
|
||||
/** Test for Bug 650386 **/
|
||||
|
||||
// This is used to watch the redirect of the report POST get blocked
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI
|
||||
if(!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
// this is used to fail the test - if we see the POST to the target of the redirect
|
||||
// we know this is a fail
|
||||
var uri = data;
|
||||
if (uri == "http://example.com/some/fake/path")
|
||||
window.done(false);
|
||||
}
|
||||
|
||||
if(topic === "csp-on-violate-policy") {
|
||||
// something was blocked, but we are looking specifically for the redirect being blocked
|
||||
if (data == "denied redirect while sending violation report")
|
||||
window.done(true);
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
// result == true if we saw the redirect blocked notify, false if we saw the post
|
||||
// to the redirect target go out
|
||||
window.done = function(result) {
|
||||
ok(result, "a 301 redirect when posting violation report should be blocked");
|
||||
|
||||
// clean up observers and finish the test
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
// save this for last so that our listeners are registered.
|
||||
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?301';
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
77
content/base/test/xcsp/test_302_redirect.html
Normal file
77
content/base/test/xcsp/test_302_redirect.html
Normal file
@ -0,0 +1,77 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
|
||||
Test that CSP violation reports are not sent when a 302 redirect is encountered
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 650386</title>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
<iframe id = "content_iframe"></iframe>
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript">
|
||||
|
||||
/** Test for Bug 650386 **/
|
||||
|
||||
// This is used to watch the redirect of the report POST get blocked
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI
|
||||
if(!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
// this is used to fail the test - if we see the POST to the target of the redirect
|
||||
// we know this is a fail
|
||||
var uri = data;
|
||||
if (uri == "http://example.com/some/fake/path")
|
||||
window.done(false);
|
||||
}
|
||||
|
||||
if(topic === "csp-on-violate-policy") {
|
||||
// something was blocked, but we are looking specifically for the redirect being blocked
|
||||
if (data == "denied redirect while sending violation report")
|
||||
window.done(true);
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
// result == true if we saw the redirect blocked notify, false if we saw the post
|
||||
// to the redirect target go out
|
||||
window.done = function(result) {
|
||||
ok(result, "a 302 redirect when posting violation report should be blocked");
|
||||
|
||||
// clean up observers and finish the test
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
// save this for last so that our listeners are registered.
|
||||
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?302';
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
77
content/base/test/xcsp/test_303_redirect.html
Normal file
77
content/base/test/xcsp/test_303_redirect.html
Normal file
@ -0,0 +1,77 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
|
||||
Test that CSP violation reports are not sent when a 303 redirect is encountered
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 650386</title>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
<iframe id = "content_iframe"></iframe>
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript">
|
||||
|
||||
/** Test for Bug 650386 **/
|
||||
|
||||
// This is used to watch the redirect of the report POST get blocked
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI
|
||||
if(!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
// this is used to fail the test - if we see the POST to the target of the redirect
|
||||
// we know this is a fail
|
||||
var uri = data;
|
||||
if (uri == "http://example.com/some/fake/path")
|
||||
window.done(false);
|
||||
}
|
||||
|
||||
if(topic === "csp-on-violate-policy") {
|
||||
// something was blocked, but we are looking specifically for the redirect being blocked
|
||||
if (data == "denied redirect while sending violation report")
|
||||
window.done(true);
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
// result == true if we saw the redirect blocked notify, false if we saw the post
|
||||
// to the redirect target go out
|
||||
window.done = function(result) {
|
||||
ok(result, "a 303 redirect when posting violation report should be blocked");
|
||||
|
||||
// clean up observers and finish the test
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
// save this for last so that our listeners are registered.
|
||||
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?303';
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
77
content/base/test/xcsp/test_307_redirect.html
Normal file
77
content/base/test/xcsp/test_307_redirect.html
Normal file
@ -0,0 +1,77 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
|
||||
Test that CSP violation reports are not sent when a 307 redirect is encountered
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 650386</title>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
<iframe id = "content_iframe"></iframe>
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript">
|
||||
|
||||
/** Test for Bug 650386 **/
|
||||
|
||||
// This is used to watch the redirect of the report POST get blocked
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI
|
||||
if(!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
// this is used to fail the test - if we see the POST to the target of the redirect
|
||||
// we know this is a fail
|
||||
var uri = data;
|
||||
if (uri == "http://example.com/some/fake/path")
|
||||
window.done(false);
|
||||
}
|
||||
|
||||
if(topic === "csp-on-violate-policy") {
|
||||
// something was blocked, but we are looking specifically for the redirect being blocked
|
||||
if (data == "denied redirect while sending violation report")
|
||||
window.done(true);
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
// result == true if we saw the redirect blocked notify, false if we saw the post
|
||||
// to the redirect target go out
|
||||
window.done = function(result) {
|
||||
ok(result, "a 307 redirect when posting violation report should be blocked");
|
||||
|
||||
// clean up observers and finish the test
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
// save this for last so that our listeners are registered.
|
||||
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?307';
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
139
content/base/test/xcsp/test_CSP.html
Normal file
139
content/base/test/xcsp/test_CSP.html
Normal file
@ -0,0 +1,139 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test for Content Security Policy Connections</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
|
||||
<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
// These are test results: -1 means it hasn't run,
|
||||
// true/false is the pass/fail result.
|
||||
window.tests = {
|
||||
img_good: -1,
|
||||
img_bad: -1,
|
||||
style_good: -1,
|
||||
style_bad: -1,
|
||||
frame_good: -1,
|
||||
frame_bad: -1,
|
||||
script_good: -1,
|
||||
script_bad: -1,
|
||||
xhr_good: -1,
|
||||
xhr_bad: -1,
|
||||
media_good: -1,
|
||||
media_bad: -1,
|
||||
font_good: -1,
|
||||
font_bad: -1,
|
||||
object_good: -1,
|
||||
object_bad: -1,
|
||||
img_spec_compliant_good: -1,
|
||||
img_spec_compliant_bad: -1,
|
||||
style_spec_compliant_good: -1,
|
||||
style_spec_compliant_bad: -1,
|
||||
frame_spec_compliant_good: -1,
|
||||
frame_spec_compliant_bad: -1,
|
||||
script_spec_compliant_good: -1,
|
||||
script_spec_compliant_bad: -1,
|
||||
xhr_spec_compliant_good: -1,
|
||||
xhr_spec_compliant_bad: -1,
|
||||
media_spec_compliant_good: -1,
|
||||
media_spec_compliant_bad: -1,
|
||||
font_spec_compliant_good: -1,
|
||||
font_spec_compliant_bad: -1,
|
||||
object_spec_compliant_good: -1,
|
||||
object_spec_compliant_bad: -1,
|
||||
};
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
var testpat = new RegExp("testid=([a-z0-9_]+)");
|
||||
|
||||
//_good things better be allowed!
|
||||
//_bad things better be stopped!
|
||||
|
||||
// This is a special observer topic that is proxied from
|
||||
// http-on-modify-request in the parent process to inform us when a URI is
|
||||
// loaded
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
var uri = data;
|
||||
if (!testpat.test(uri)) return;
|
||||
var testid = testpat.exec(uri)[1];
|
||||
|
||||
window.testResult(testid,
|
||||
/_good/.test(testid),
|
||||
uri + " allowed by csp");
|
||||
}
|
||||
|
||||
if (topic === "csp-on-violate-policy") {
|
||||
// these were blocked... record that they were blocked
|
||||
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
|
||||
if (!testpat.test(asciiSpec)) return;
|
||||
var testid = testpat.exec(asciiSpec)[1];
|
||||
window.testResult(testid,
|
||||
/_bad/.test(testid),
|
||||
asciiSpec + " blocked by \"" + data + "\"");
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
window.testResult = function(testname, result, msg) {
|
||||
//test already complete.... forget it... remember the first result.
|
||||
if (window.tests[testname] != -1)
|
||||
return;
|
||||
|
||||
window.tests[testname] = result;
|
||||
is(result, true, testname + ' test: ' + msg);
|
||||
|
||||
// if any test is incomplete, keep waiting
|
||||
for (var v in window.tests)
|
||||
if(tests[v] == -1)
|
||||
return;
|
||||
|
||||
// ... otherwise, finish
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true],
|
||||
// This defaults to 0 ("preload none") on mobile (B2G/Android), which
|
||||
// blocks loading the resource until the user interacts with a
|
||||
// corresponding widget, which breaks the media_* tests. We set it
|
||||
// back to the default used by desktop Firefox to get consistent
|
||||
// behavior.
|
||||
["media.preload.default", 2]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
65
content/base/test/xcsp/test_CSP_evalscript.html
Normal file
65
content/base/test/xcsp/test_CSP_evalscript.html
Normal file
@ -0,0 +1,65 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test for Content Security Policy "no eval" base restriction</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var evalScriptsThatRan = 0;
|
||||
var evalScriptsBlocked = 0;
|
||||
var evalScriptsTotal = 24;
|
||||
|
||||
// called by scripts that run
|
||||
var scriptRan = function(shouldrun, testname, data) {
|
||||
evalScriptsThatRan++;
|
||||
ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
// called when a script is blocked
|
||||
var scriptBlocked = function(shouldrun, testname, data) {
|
||||
evalScriptsBlocked++;
|
||||
ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
|
||||
// Check to see if all the tests have run
|
||||
var checkTestResults = function() {
|
||||
// if any test is incomplete, keep waiting
|
||||
if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
|
||||
return;
|
||||
|
||||
// ... otherwise, finish
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// set up and go
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
|
||||
// document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1,65 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test for Content Security Policy "no eval" in crypto.getCRMFRequest()</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var evalScriptsThatRan = 0;
|
||||
var evalScriptsBlocked = 0;
|
||||
var evalScriptsTotal = 4;
|
||||
|
||||
// called by scripts that run
|
||||
var scriptRan = function(shouldrun, testname, data) {
|
||||
evalScriptsThatRan++;
|
||||
ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
// called when a script is blocked
|
||||
var scriptBlocked = function(shouldrun, testname, data) {
|
||||
evalScriptsBlocked++;
|
||||
ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
// Check to see if all the tests have run
|
||||
var checkTestResults = function() {
|
||||
// if any test is incomplete, keep waiting
|
||||
if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
|
||||
return;
|
||||
|
||||
// ... otherwise, finish
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// set up and go
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
|
||||
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
|
||||
document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
136
content/base/test/xcsp/test_CSP_frameancestors.html
Normal file
136
content/base/test/xcsp/test_CSP_frameancestors.html
Normal file
@ -0,0 +1,136 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test for Content Security Policy Frame Ancestors directive</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
// These are test results: -1 means it hasn't run,
|
||||
// true/false is the pass/fail result.
|
||||
var framesThatShouldLoad = {
|
||||
aa_allow: -1, /* innermost frame allows a */
|
||||
//aa_block: -1, /* innermost frame denies a */
|
||||
ab_allow: -1, /* innermost frame allows a */
|
||||
//ab_block: -1, /* innermost frame denies a */
|
||||
aba_allow: -1, /* innermost frame allows b,a */
|
||||
//aba_block: -1, /* innermost frame denies b */
|
||||
//aba2_block: -1, /* innermost frame denies a */
|
||||
abb_allow: -1, /* innermost frame allows b,a */
|
||||
//abb_block: -1, /* innermost frame denies b */
|
||||
//abb2_block: -1, /* innermost frame denies a */
|
||||
aa_allow_spec_compliant: -1, /* innermost frame allows a *
|
||||
//aa_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
ab_allow_spec_compliant: -1, /* innermost frame allows a */
|
||||
//ab_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
aba_allow_spec_compliant: -1, /* innermost frame allows b,a */
|
||||
//aba_block_spec_compliant: -1, /* innermost frame denies b */
|
||||
//aba2_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
abb_allow_spec_compliant: -1, /* innermost frame allows b,a */
|
||||
//abb_block_spec_compliant: -1, /* innermost frame denies b */
|
||||
//abb2_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
};
|
||||
|
||||
var expectedViolationsLeft = 12;
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI, and should be either allowed or blocked.
|
||||
if (!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
if (topic === "csp-on-violate-policy") {
|
||||
//these were blocked... record that they were blocked
|
||||
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
|
||||
window.frameBlocked(asciiSpec, data);
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
}
|
||||
}
|
||||
|
||||
// called when a frame is loaded
|
||||
// -- if it's not enumerated above, it should not load!
|
||||
var frameLoaded = function(testname, uri) {
|
||||
//test already complete.... forget it... remember the first result.
|
||||
if (window.framesThatShouldLoad[testname] != -1)
|
||||
return;
|
||||
|
||||
if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
|
||||
// uh-oh, we're not expecting this frame to load!
|
||||
ok(false, testname + ' framed site should not have loaded: ' + uri);
|
||||
} else {
|
||||
framesThatShouldLoad[testname] = true;
|
||||
ok(true, testname + ' framed site when allowed by csp (' + uri + ')');
|
||||
}
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
// called when a frame is blocked
|
||||
// -- we can't determine *which* frame was blocked, but at least we can count them
|
||||
var frameBlocked = function(uri, policy) {
|
||||
ok(true, 'a CSP policy blocked frame from being loaded: ' + policy);
|
||||
expectedViolationsLeft--;
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
|
||||
// Check to see if all the tests have run
|
||||
var checkTestResults = function() {
|
||||
// if any test is incomplete, keep waiting
|
||||
for (var v in framesThatShouldLoad)
|
||||
if(window.framesThatShouldLoad[v] == -1)
|
||||
return;
|
||||
|
||||
if (window.expectedViolationsLeft > 0)
|
||||
return;
|
||||
|
||||
// ... otherwise, finish
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
window.addEventListener("message", receiveMessage, false);
|
||||
|
||||
function receiveMessage(event) {
|
||||
if (event.data.call && event.data.call == 'frameLoaded')
|
||||
frameLoaded(event.data.testname, event.data.uri);
|
||||
}
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// set up and go
|
||||
window.examiner = new examiner();
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
// added this so the tests run even if we don't flip the pref on by default.
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
|
||||
});
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
128
content/base/test/xcsp/test_CSP_inlinescript.html
Normal file
128
content/base/test/xcsp/test_CSP_inlinescript.html
Normal file
@ -0,0 +1,128 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test for Content Security Policy Frame Ancestors directive</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var inlineScriptsThatRan = 0;
|
||||
var inlineScriptsBlocked = 0;
|
||||
var inlineScriptsTotal = 12;
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI, and should be either allowed or blocked.
|
||||
if (!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
if (topic === "csp-on-violate-policy") {
|
||||
var what = null;
|
||||
try {
|
||||
//these were blocked... record that they were blocked
|
||||
what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
|
||||
} catch(e) {
|
||||
//if that fails, the subject is probably a string
|
||||
what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
|
||||
}
|
||||
window.scriptBlocked(what, data);
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
}
|
||||
}
|
||||
|
||||
// called by scripts that run
|
||||
// the first argument is whether the script expects to be allowed or not.
|
||||
var scriptRan = function(result, testname, data) {
|
||||
inlineScriptsThatRan++;
|
||||
ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
// called when a script is blocked
|
||||
// -- we can't determine *which* frame was blocked, but at least we can count them
|
||||
var scriptBlocked = function(testname, data) {
|
||||
inlineScriptsBlocked++;
|
||||
ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
|
||||
// Check to see if all the tests have run
|
||||
var checkTestResults = function() {
|
||||
// if any test is incomplete, keep waiting
|
||||
if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
|
||||
return;
|
||||
|
||||
// The four scripts in the page with 'unsafe-inline' should run.
|
||||
is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
|
||||
|
||||
// The other eight scripts in the other two pages should be blocked.
|
||||
is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
|
||||
|
||||
// ... otherwise, finish
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// set up and go
|
||||
window.examiner = new examiner();
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
function clickit() {
|
||||
var cspframe = document.getElementById('cspframe');
|
||||
var a = cspframe.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
|
||||
}
|
||||
|
||||
function clickit2() {
|
||||
var cspframe2 = document.getElementById('cspframe2');
|
||||
var a = cspframe2.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
|
||||
}
|
||||
|
||||
function clickit3() {
|
||||
var cspframe3 = document.getElementById('cspframe3');
|
||||
var a = cspframe3.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
|
||||
}
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
|
||||
document.getElementById('cspframe').addEventListener('load', clickit, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe2').addEventListener('load', clickit2, false);
|
||||
document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe3').addEventListener('load', clickit3, false);
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
142
content/base/test/xcsp/test_CSP_inlinestyle.html
Normal file
142
content/base/test/xcsp/test_CSP_inlinestyle.html
Normal file
@ -0,0 +1,142 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test for Content Security Policy inline stylesheets stuff</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// set up and go
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
var done = 0;
|
||||
|
||||
// Our original CSP implementation does not block inline styles.
|
||||
function checkStyles(evt) {
|
||||
var cspframe = document.getElementById('cspframe');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
//expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
// When a CSP 1.0 compliant policy is specified we should block inline
|
||||
// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
|
||||
// (when it's not explicitly allowed.)
|
||||
function checkStylesSpecCompliant(evt) {
|
||||
var cspframe = document.getElementById('cspframe2');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
//expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
|
||||
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
// When a CSP 1.0 compliant policy is specified we should allow inline
|
||||
// styles when it is explicitly allowed.
|
||||
function checkStylesSpecCompliantAllowed(evt) {
|
||||
var cspframe = document.getElementById('cspframe3');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
// expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
|
||||
// Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
|
||||
// since it relies on executing script to set .cssText
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
|
||||
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
function checkIfDone() {
|
||||
done++;
|
||||
if (done == 3)
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
|
||||
document.getElementById('cspframe').addEventListener('load', checkStyles, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
|
||||
document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
|
||||
document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
|
||||
}
|
||||
);
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
223
content/base/test/xcsp/test_csp_bug768029.html
Normal file
223
content/base/test/xcsp/test_csp_bug768029.html
Normal file
@ -0,0 +1,223 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
|
||||
-->
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>Test for CSP on trusted/certified apps -- bug 768029</title>
|
||||
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=768029">Mozilla Bug 768029</a>
|
||||
<p id="display"></p>
|
||||
<div id="content">
|
||||
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript;version=1.7">
|
||||
|
||||
Components.utils.import("resource://gre/modules/Services.jsm");
|
||||
|
||||
/** Test for Bug 768029 **/
|
||||
|
||||
// Note: we don't have to inspect all the different operations of CSP,
|
||||
// we're just looking for specific differences in behavior that indicate
|
||||
// a default CSP got applied.
|
||||
const DEFAULT_CSP_PRIV = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";
|
||||
const DEFAULT_CSP_CERT = "default-src *; script-src 'self'; style-src 'self'; object-src 'none'";
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
var gData = [
|
||||
{
|
||||
app: "https://example.com/manifest.webapp",
|
||||
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
|
||||
origin: "https://example.com",
|
||||
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
|
||||
statusString: "installed app",
|
||||
expectedTestResults: {
|
||||
max_tests: 7, /* number of bools below plus one for the status check */
|
||||
cross_origin: { img: true, script: true, style: true },
|
||||
same_origin: { img: true, script: true, style: true },
|
||||
},
|
||||
},
|
||||
|
||||
{
|
||||
app: "https://example.com/manifest_priv.webapp",
|
||||
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
|
||||
origin: "https://example.com",
|
||||
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
|
||||
statusString: "privileged app",
|
||||
expectedTestResults: {
|
||||
max_tests: 7, /* number of bools below plus one for the status check */
|
||||
cross_origin: { img: true, script: false, style: false },
|
||||
same_origin: { img: true, script: true, style: true },
|
||||
},
|
||||
},
|
||||
|
||||
{
|
||||
app: "https://example.com/manifest_cert.webapp",
|
||||
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
|
||||
origin: "https://example.com",
|
||||
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
|
||||
statusString: "certified app",
|
||||
expectedTestResults: {
|
||||
max_tests: 7, /* number of bools below plus one for the status check */
|
||||
cross_origin: { img: true, script: false, style: false },
|
||||
same_origin: { img: true, script: true, style: true },
|
||||
},
|
||||
},
|
||||
];
|
||||
|
||||
// Observer for watching allowed loads and blocked attempts
|
||||
function ThingyListener(app, iframe) {
|
||||
Services.obs.addObserver(this, "csp-on-violate-policy", false);
|
||||
Services.obs.addObserver(this, "http-on-modify-request", false);
|
||||
dump("added observers\n");
|
||||
// keep track of which app ID this test is monitoring.
|
||||
this._testData = app;
|
||||
this._expectedResults = app.expectedTestResults;
|
||||
this._resultsRecorded = { cross_origin: {}, same_origin: {}};
|
||||
this._iframe = iframe;
|
||||
this._countedTests = 0;
|
||||
}
|
||||
ThingyListener.prototype = {
|
||||
|
||||
observe: function(subject, topic, data) {
|
||||
// make sure to only observe app-generated calls to the helper for this test.
|
||||
var testpat = new RegExp("file_csp_bug768029\\.sjs");
|
||||
|
||||
// used to extract which kind of load this is (img, script, etc).
|
||||
var typepat = new RegExp("type=([\\_a-z0-9]+)");
|
||||
|
||||
// used to identify whether it's cross-origin or same-origin loads
|
||||
// (the applied CSP allows same-origin loads).
|
||||
var originpat = new RegExp("origin=([\\_a-z0-9]+)");
|
||||
|
||||
if (topic === "http-on-modify-request") {
|
||||
// Matching requests on this topic were allowed by the csp
|
||||
var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
|
||||
var uri = chan.URI;
|
||||
// ignore irrelevent URIs
|
||||
if (!testpat.test(uri.asciiSpec)) return;
|
||||
|
||||
var loadType = typepat.exec(uri.asciiSpec)[1];
|
||||
var originType = originpat.exec(uri.asciiSpec)[1];
|
||||
|
||||
// skip duplicate hits to this topic (potentially document loads
|
||||
// may generate duplicate loads.
|
||||
if (this._resultsRecorded[originType] &&
|
||||
this._resultsRecorded[originType][loadType]) {
|
||||
return;
|
||||
}
|
||||
var message = originType + " : " + loadType + " should be " +
|
||||
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
|
||||
ok(this._expectedResults[originType][loadType] == true, message);
|
||||
this._resultsRecorded[originType][loadType] = true;
|
||||
this._countedTests++;
|
||||
}
|
||||
else if (topic === "csp-on-violate-policy") {
|
||||
// Matching hits on this topic were blocked by the csp
|
||||
var uri = subject.QueryInterface(Components.interfaces.nsIURI);
|
||||
// ignore irrelevent URIs
|
||||
if (!testpat.test(uri.asciiSpec)) return;
|
||||
|
||||
var loadType = typepat.exec(uri.asciiSpec)[1];
|
||||
var originType = originpat.exec(uri.asciiSpec)[1];
|
||||
|
||||
// skip duplicate hits to this topic (potentially document loads
|
||||
// may generate duplicate loads.
|
||||
if (this._resultsRecorded[originType] &&
|
||||
this._resultsRecorded[originType][loadType]) {
|
||||
return;
|
||||
}
|
||||
|
||||
var message = originType + " : " + loadType + " should be " +
|
||||
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
|
||||
ok(this._expectedResults[originType][loadType] == false, message);
|
||||
this._resultsRecorded[originType][loadType] = true;
|
||||
this._countedTests++;
|
||||
}
|
||||
else {
|
||||
// wrong topic! Nothing to do.
|
||||
return;
|
||||
}
|
||||
|
||||
this._checkForFinish();
|
||||
},
|
||||
|
||||
_checkForFinish: function() {
|
||||
// check to see if there are load tests still pending.
|
||||
// (All requests triggered by the app should hit one of the
|
||||
// two observer topics.)
|
||||
if (this._countedTests == this._expectedResults.max_tests) {
|
||||
Services.obs.removeObserver(this, "csp-on-violate-policy");
|
||||
Services.obs.removeObserver(this, "http-on-modify-request");
|
||||
dump("removed observers\n");
|
||||
checkedCount++;
|
||||
if (checkedCount == checksTodo) {
|
||||
SpecialPowers.removePermission("browser", "https://example.com");
|
||||
SimpleTest.finish();
|
||||
} else {
|
||||
gTestRunner.next();
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
// verify the status of the app
|
||||
checkAppStatus: function() {
|
||||
var principal = this._iframe.contentDocument.nodePrincipal;
|
||||
if (this._testData.app) {
|
||||
is(principal.appStatus, this._testData.appStatus,
|
||||
"iframe principal's app status doesn't match the expected app status.");
|
||||
this._countedTests++;
|
||||
this._checkForFinish();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var content = document.getElementById('content');
|
||||
var checkedCount = 0; // number of apps checked
|
||||
var checksTodo = gData.length;
|
||||
|
||||
// quick check to make sure we can test apps:
|
||||
is('appStatus' in document.nodePrincipal, true,
|
||||
'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
|
||||
|
||||
function runTest() {
|
||||
for (var i = 0; i < gData.length; i++) {
|
||||
let data = gData[i];
|
||||
var iframe = document.createElement('iframe');
|
||||
|
||||
// watch for successes and failures
|
||||
var examiner = new ThingyListener(data, iframe);
|
||||
|
||||
iframe.setAttribute('mozapp', data.app);
|
||||
iframe.setAttribute('mozbrowser', 'true');
|
||||
iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
|
||||
iframe.src = data.uri;
|
||||
|
||||
content.appendChild(iframe);
|
||||
|
||||
yield undefined;
|
||||
}
|
||||
}
|
||||
|
||||
var gTestRunner = runTest();
|
||||
|
||||
// load the default CSP and pref it on
|
||||
SpecialPowers.addPermission("browser", true, "https://example.com");
|
||||
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
|
||||
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
|
||||
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
|
||||
["security.mixed_content.block_active_content", false],
|
||||
["security.mixed_content.block_display_content", false]]},
|
||||
function() { gTestRunner.next(); });
|
||||
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
228
content/base/test/xcsp/test_csp_bug773891.html
Normal file
228
content/base/test/xcsp/test_csp_bug773891.html
Normal file
@ -0,0 +1,228 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
|
||||
-->
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>Test for CSP on trusted/certified and installed apps -- bug 773891</title>
|
||||
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=773891">Mozilla Bug 773891</a>
|
||||
<p id="display"></p>
|
||||
<div id="content">
|
||||
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript;version=1.7">
|
||||
|
||||
Components.utils.import("resource://gre/modules/Services.jsm");
|
||||
|
||||
/** Test for Bug 773891 **/
|
||||
|
||||
// Note: we don't have to inspect all the different operations of CSP,
|
||||
// we're just looking for specific differences in behavior that indicate
|
||||
// a default CSP got applied.
|
||||
const DEFAULT_CSP_PRIV = "default-src *; script-src *; style-src 'self' 'unsafe-inline'; object-src 'none'";
|
||||
const DEFAULT_CSP_CERT = "default-src *; script-src *; style-src 'self'; object-src 'none'";
|
||||
|
||||
const MANIFEST_CSP_PRIV = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
|
||||
const MANIFEST_CSP_INST = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
|
||||
const MANIFEST_CSP_CERT = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
var gData = [
|
||||
|
||||
{
|
||||
app: "https://example.com/manifest_csp_inst.webapp",
|
||||
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
|
||||
csp: MANIFEST_CSP_INST,
|
||||
origin: "https://example.com",
|
||||
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
|
||||
statusString: "installed app",
|
||||
expectedTestResults: {
|
||||
max_tests: 7, /* number of bools below plus one for the status check */
|
||||
cross_origin: { img: true, script: false, style: false },
|
||||
same_origin: { img: true, script: true, style: true },
|
||||
},
|
||||
},
|
||||
{
|
||||
app: "https://example.com/manifest_csp_cert.webapp",
|
||||
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
|
||||
csp: MANIFEST_CSP_CERT,
|
||||
origin: "https://example.com",
|
||||
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
|
||||
statusString: "certified app",
|
||||
expectedTestResults: {
|
||||
max_tests: 7, /* number of bools below plus one for the status check */
|
||||
cross_origin: { img: true, script: false, style: false },
|
||||
same_origin: { img: true, script: true, style: true },
|
||||
},
|
||||
},
|
||||
{
|
||||
app: "https://example.com/manifest_csp_priv.webapp",
|
||||
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
|
||||
csp: MANIFEST_CSP_PRIV,
|
||||
origin: "https://example.com",
|
||||
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
|
||||
statusString: "privileged app",
|
||||
expectedTestResults: {
|
||||
max_tests: 7, /* number of bools below plus one for the status check */
|
||||
cross_origin: { img: true, script: false, style: false },
|
||||
same_origin: { img: true, script: true, style: true },
|
||||
},
|
||||
},
|
||||
];
|
||||
|
||||
// Observer for watching allowed loads and blocked attempts
|
||||
function ThingyListener(app, iframe) {
|
||||
Services.obs.addObserver(this, "csp-on-violate-policy", false);
|
||||
Services.obs.addObserver(this, "http-on-modify-request", false);
|
||||
dump("added observers\n");
|
||||
// keep track of which app ID this test is monitoring.
|
||||
this._testData = app;
|
||||
this._expectedResults = app.expectedTestResults;
|
||||
this._resultsRecorded = { cross_origin: {}, same_origin: {}};
|
||||
this._iframe = iframe;
|
||||
this._countedTests = 0;
|
||||
}
|
||||
ThingyListener.prototype = {
|
||||
|
||||
observe: function(subject, topic, data) {
|
||||
// make sure to only observe app-generated calls to the helper for this test.
|
||||
var testpat = new RegExp("file_csp_bug773891\\.sjs");
|
||||
|
||||
// used to extract which kind of load this is (img, script, etc).
|
||||
var typepat = new RegExp("type=([\\_a-z0-9]+)");
|
||||
|
||||
// used to identify whether it's cross-origin or same-origin loads
|
||||
// (the applied CSP allows same-origin loads).
|
||||
var originpat = new RegExp("origin=([\\_a-z0-9]+)");
|
||||
|
||||
if (topic === "http-on-modify-request") {
|
||||
// Matching requests on this topic were allowed by the csp
|
||||
var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
|
||||
var uri = chan.URI;
|
||||
// ignore irrelevent URIs
|
||||
if (!testpat.test(uri.asciiSpec)) return;
|
||||
|
||||
var loadType = typepat.exec(uri.asciiSpec)[1];
|
||||
var originType = originpat.exec(uri.asciiSpec)[1];
|
||||
|
||||
// skip duplicate hits to this topic (potentially document loads
|
||||
// may generate duplicate loads.
|
||||
if (this._resultsRecorded[originType] &&
|
||||
this._resultsRecorded[originType][loadType]) {
|
||||
return;
|
||||
}
|
||||
var message = originType + " : " + loadType + " should be " +
|
||||
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
|
||||
ok(this._expectedResults[originType][loadType] == true, message);
|
||||
this._resultsRecorded[originType][loadType] = true;
|
||||
this._countedTests++;
|
||||
}
|
||||
else if (topic === "csp-on-violate-policy") {
|
||||
// Matching hits on this topic were blocked by the csp
|
||||
var uri = subject.QueryInterface(Components.interfaces.nsIURI);
|
||||
// ignore irrelevent URIs
|
||||
if (!testpat.test(uri.asciiSpec)) return;
|
||||
|
||||
var loadType = typepat.exec(uri.asciiSpec)[1];
|
||||
var originType = originpat.exec(uri.asciiSpec)[1];
|
||||
|
||||
// skip duplicate hits to this topic (potentially document loads
|
||||
// may generate duplicate loads.
|
||||
if (this._resultsRecorded[originType] &&
|
||||
this._resultsRecorded[originType][loadType]) {
|
||||
return;
|
||||
}
|
||||
|
||||
var message = originType + " : " + loadType + " should be " +
|
||||
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
|
||||
ok(this._expectedResults[originType][loadType] == false, message);
|
||||
this._resultsRecorded[originType][loadType] = true;
|
||||
this._countedTests++;
|
||||
}
|
||||
else {
|
||||
// wrong topic! Nothing to do.
|
||||
return;
|
||||
}
|
||||
|
||||
this._checkForFinish();
|
||||
},
|
||||
|
||||
_checkForFinish: function() {
|
||||
// check to see if there are load tests still pending.
|
||||
// (All requests triggered by the app should hit one of the
|
||||
// two observer topics.)
|
||||
if (this._countedTests == this._expectedResults.max_tests) {
|
||||
Services.obs.removeObserver(this, "csp-on-violate-policy");
|
||||
Services.obs.removeObserver(this, "http-on-modify-request");
|
||||
dump("removed observers\n");
|
||||
checkedCount++;
|
||||
if (checkedCount == checksTodo) {
|
||||
SpecialPowers.removePermission("browser", "https://example.com");
|
||||
SimpleTest.finish();
|
||||
} else {
|
||||
gTestRunner.next();
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
// verify the status of the app
|
||||
checkAppStatus: function() {
|
||||
var principal = this._iframe.contentDocument.nodePrincipal;
|
||||
if (this._testData.app) {
|
||||
is(principal.appStatus, this._testData.appStatus,
|
||||
"iframe principal's app status doesn't match the expected app status.");
|
||||
this._countedTests++;
|
||||
this._checkForFinish();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var content = document.getElementById('content');
|
||||
var checkedCount = 0; // number of apps checked
|
||||
var checksTodo = gData.length;
|
||||
|
||||
// quick check to make sure we can test apps:
|
||||
is('appStatus' in document.nodePrincipal, true,
|
||||
'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
|
||||
|
||||
function runTest() {
|
||||
for (var i = 0; i < gData.length; i++) {
|
||||
let data = gData[i];
|
||||
var iframe = document.createElement('iframe');
|
||||
|
||||
// watch for successes and failures
|
||||
var examiner = new ThingyListener(data, iframe);
|
||||
|
||||
iframe.setAttribute('mozapp', data.app);
|
||||
iframe.setAttribute('mozbrowser', 'true');
|
||||
iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
|
||||
iframe.src = data.uri;
|
||||
|
||||
content.appendChild(iframe);
|
||||
|
||||
yield undefined;
|
||||
}
|
||||
}
|
||||
|
||||
var gTestRunner = runTest();
|
||||
|
||||
// load the default CSP and pref it on
|
||||
SpecialPowers.addPermission("browser", true, "https://example.com");
|
||||
|
||||
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
|
||||
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
|
||||
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
|
||||
function() { gTestRunner.next(); });
|
||||
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
148
content/base/test/xcsp/test_csp_redirects.html
Normal file
148
content/base/test/xcsp/test_csp_redirects.html
Normal file
@ -0,0 +1,148 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Tests for Content Security Policy during redirects</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
|
||||
</div>
|
||||
|
||||
<iframe style="width:100%;height:300px;" id="harness"></iframe>
|
||||
<pre id="log"></pre>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
// debugging
|
||||
function log(s) {
|
||||
return;
|
||||
dump("**" + s + "\n");
|
||||
var log = document.getElementById("log");
|
||||
log.textContent = log.textContent+s+"\n";
|
||||
}
|
||||
|
||||
// used to watch if requests are blocked by CSP or allowed through
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
var testpat = new RegExp("testid=([a-z0-9-]+)");
|
||||
var asciiSpec;
|
||||
var testid;
|
||||
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
// request was sent
|
||||
var allowedUri = data;
|
||||
if (!testpat.test(allowedUri)) return;
|
||||
testid = testpat.exec(allowedUri)[1];
|
||||
if (testExpectedResults[testid] == "completed") return;
|
||||
log("allowed: "+allowedUri);
|
||||
window.testResult(testid, allowedUri, true);
|
||||
}
|
||||
|
||||
else if (topic === "csp-on-violate-policy") {
|
||||
// request was blocked
|
||||
asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
|
||||
if (!testpat.test(asciiSpec)) return;
|
||||
testid = testpat.exec(asciiSpec)[1];
|
||||
// had to add this check because http-on-modify-request can fire after
|
||||
// csp-on-violate-policy, apparently, even though the request does
|
||||
// not hit the wire.
|
||||
if (testExpectedResults[testid] == "completed") return;
|
||||
log("BLOCKED: "+asciiSpec);
|
||||
window.testResult(testid, asciiSpec, false);
|
||||
}
|
||||
},
|
||||
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
window.examiner = new examiner();
|
||||
|
||||
// contains { test_frame_id : expected_result }
|
||||
var testExpectedResults = { "font-src": true,
|
||||
"font-src-redir": false,
|
||||
"frame-src": true,
|
||||
"frame-src-redir": false,
|
||||
"img-src": true,
|
||||
"img-src-redir": false,
|
||||
"media-src": true,
|
||||
"media-src-redir": false,
|
||||
"object-src": true,
|
||||
"object-src-redir": false,
|
||||
"script-src": true,
|
||||
"script-src-redir": false,
|
||||
"style-src": true,
|
||||
"style-src-redir": false,
|
||||
"worker": true,
|
||||
"worker-redir": false,
|
||||
"xhr-src": true,
|
||||
"xhr-src-redir": false,
|
||||
"font-src-spec-compliant": true,
|
||||
"font-src-redir-spec-compliant": false,
|
||||
"frame-src-spec-compliant": true,
|
||||
"frame-src-redir-spec-compliant": false,
|
||||
"img-src-spec-compliant": true,
|
||||
"img-src-redir-spec-compliant": false,
|
||||
"media-src-spec-compliant": true,
|
||||
"media-src-redir-spec-compliant": false,
|
||||
"object-src-spec-compliant": true,
|
||||
"object-src-redir-spec-compliant": false,
|
||||
"script-src-spec-compliant": true,
|
||||
"script-src-redir-spec-compliant": false,
|
||||
"style-src-spec-compliant": true,
|
||||
"style-src-redir-spec-compliant": false,
|
||||
"worker-spec-compliant": true,
|
||||
"worker-redir-spec-compliant": false,
|
||||
"xhr-src-spec-compliant": true,
|
||||
"xhr-src-redir-spec-compliant": false,
|
||||
};
|
||||
|
||||
// takes the name of the test, the URL that was tested, and whether the
|
||||
// load occurred
|
||||
var testResult = function(testName, url, result) {
|
||||
log(" testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");
|
||||
is(result, testExpectedResults[testName], testName+" test: "+url);
|
||||
|
||||
// mark test as completed
|
||||
testExpectedResults[testName] = "completed";
|
||||
|
||||
// don't finish until we've run all the tests
|
||||
for (var t in testExpectedResults) {
|
||||
if (testExpectedResults[t] != "completed") {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true],
|
||||
// This defaults to 0 ("preload none") on mobile (B2G/Android), which
|
||||
// blocks loading the resource until the user interacts with a
|
||||
// corresponding widget, which breaks the media_* tests. We set it
|
||||
// back to the default used by desktop Firefox to get consistent
|
||||
// behavior.
|
||||
["media.preload.default", 2]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById("harness").src = "file_csp_redirects_main.html";
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
||||
</body>
|
||||
</html>
|
108
content/base/test/xcsp/test_csp_report.html
Normal file
108
content/base/test/xcsp/test_csp_report.html
Normal file
@ -0,0 +1,108 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=548193
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 548193</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
|
||||
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
// This is used to watch requests go out so we can see if the report is
|
||||
// sent correctly
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "http-on-opening-request", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI
|
||||
if (!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
const reportURI = "http://mochi.test:8888/csp-report.cgi";
|
||||
|
||||
if (topic === "http-on-opening-request") {
|
||||
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
|
||||
if (asciiSpec !== reportURI) return;
|
||||
|
||||
// Verify that the report was properly formatted.
|
||||
// We'll parse the report text as JSON and verify that the properties
|
||||
// have expected values.
|
||||
var reportText = "{}";
|
||||
try {
|
||||
var uploadStream = SpecialPowers.wrap(SpecialPowers.do_QueryInterface(subject, "nsIUploadChannel")).uploadStream;
|
||||
|
||||
if (uploadStream) {
|
||||
// get the bytes from the request body
|
||||
var binstream = SpecialPowers.Cc["@mozilla.org/binaryinputstream;1"]
|
||||
.createInstance(SpecialPowers.Ci.nsIBinaryInputStream);
|
||||
binstream.setInputStream(uploadStream);
|
||||
|
||||
var segments = [];
|
||||
for (var count = uploadStream.available(); count; count = uploadStream.available()) {
|
||||
var data = binstream.readBytes(count);
|
||||
segments.push(data);
|
||||
}
|
||||
|
||||
var reportText = segments.join("");
|
||||
// rewind stream as we are supposed to - there will be an assertion later if we don't.
|
||||
SpecialPowers.do_QueryInterface(uploadStream, "nsISeekableStream").seek(SpecialPowers.Ci.nsISeekableStream.NS_SEEK_SET, 0);
|
||||
}
|
||||
}
|
||||
catch(e) {}
|
||||
|
||||
var reportObj = JSON.parse(reportText);
|
||||
|
||||
// test for the proper values in the report object
|
||||
window.checkResults(reportObj);
|
||||
|
||||
// finish up
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
},
|
||||
|
||||
// remove the listener
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "http-on-opening-request");
|
||||
}
|
||||
}
|
||||
|
||||
// content file that triggers a violation report
|
||||
var testFile = "file_csp_report.sjs";
|
||||
|
||||
window.checkResults = function(reportObj) {
|
||||
var cspReport = reportObj["csp-report"];
|
||||
// correct violating request
|
||||
is(cspReport["document-uri"],
|
||||
"http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
|
||||
"Incorrect violating request");
|
||||
// correct blocked-uri
|
||||
is(cspReport["blocked-uri"],
|
||||
"http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png",
|
||||
"Incorrect blocked uri");
|
||||
// correct violated-directive
|
||||
is(cspReport["violated-directive"], "default-src http://mochi.test:8888",
|
||||
"Incorrect violated directive");
|
||||
// not practical to test request-headers as header names and values will
|
||||
// change with the trunk
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
// load the resource which will generate a CSP violation report
|
||||
document.getElementById("cspframe").src = testFile;
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
121
content/base/test/xcsp/test_multi_policy_injection_bypass.html
Normal file
121
content/base/test/xcsp/test_multi_policy_injection_bypass.html
Normal file
@ -0,0 +1,121 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=717511
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 717511</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
|
||||
|
||||
</div>
|
||||
|
||||
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
|
||||
<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/";
|
||||
|
||||
// These are test results: -1 means it hasn't run,
|
||||
// true/false is the pass/fail result.
|
||||
// This is not exhaustive, just double-checking the 'self' vs * policy conflict in the two HTTP headers.
|
||||
window.tests = {
|
||||
img_good: -1,
|
||||
img_bad: -1,
|
||||
script_good: -1,
|
||||
script_bad: -1,
|
||||
img2_good: -1,
|
||||
img2_bad: -1,
|
||||
script2_good: -1,
|
||||
script2_bad: -1,
|
||||
};
|
||||
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
var testpat = new RegExp("testid=([a-z0-9_]+)");
|
||||
|
||||
//_good things better be allowed!
|
||||
//_bad things better be stopped!
|
||||
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
//these things were allowed by CSP
|
||||
var asciiSpec = data;
|
||||
if (!testpat.test(asciiSpec)) return;
|
||||
var testid = testpat.exec(asciiSpec)[1];
|
||||
window.testResult(testid,
|
||||
/_good/.test(testid),
|
||||
asciiSpec + " allowed by csp");
|
||||
|
||||
}
|
||||
|
||||
if(topic === "csp-on-violate-policy") {
|
||||
// subject should be an nsIURI for csp-on-violate-policy
|
||||
if (!SpecialPowers.can_QI(subject)) {
|
||||
return;
|
||||
}
|
||||
|
||||
//these were blocked... record that they were blocked
|
||||
var asciiSpec = SpecialPowers.getPrivilegedProps(
|
||||
SpecialPowers.do_QueryInterface(subject, "nsIURI"),
|
||||
"asciiSpec");
|
||||
if (!testpat.test(asciiSpec)) return;
|
||||
var testid = testpat.exec(asciiSpec)[1];
|
||||
window.testResult(testid,
|
||||
/_bad/.test(testid),
|
||||
asciiSpec + " blocked by \"" + data + "\"");
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
window.testResult = function(testname, result, msg) {
|
||||
|
||||
//test already complete.... forget it... remember the first result.
|
||||
if (window.tests[testname] != -1)
|
||||
return;
|
||||
|
||||
window.tests[testname] = result;
|
||||
is(result, true, testname + ' test: ' + msg);
|
||||
|
||||
// if any test is incomplete, keep waiting
|
||||
for (var v in window.tests)
|
||||
if(tests[v] == -1)
|
||||
return;
|
||||
|
||||
// ... otherwise, finish
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
|
||||
document.getElementById('cspframe').src = 'file_multi_policy_injection_bypass.html';
|
||||
document.getElementById('cspframe2').src = 'file_multi_policy_injection_bypass_2.html';
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
32
content/base/test/xcsp/test_subframe_run_js_if_allowed.html
Normal file
32
content/base/test/xcsp/test_subframe_run_js_if_allowed.html
Normal file
@ -0,0 +1,32 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=702439
|
||||
|
||||
This test verifies that child iframes of CSP documents are
|
||||
permitted to execute javascript: URLs assuming the policy
|
||||
allows this.
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 702439</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<script class="testbody" type="text/javascript">
|
||||
var javascript_link_ran = false;
|
||||
|
||||
// check that the script in the child frame's javascript: URL ran
|
||||
function checkResult()
|
||||
{
|
||||
is(javascript_link_ran, true,
|
||||
"javascript URL didn't execute");
|
||||
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
</script>
|
||||
<iframe id="i" src="file_subframe_run_js_if_allowed.html"></iframe>
|
||||
</body>
|
||||
</html>
|
Loading…
Reference in New Issue
Block a user