Backed out changeset bf40eebc6543 (bug 988616) on a CLOSED TREE

Garrett Robinson 2014-06-04 17:52:35 -07:00
parent addb865664
commit da3bbdf56c
29 changed files with 513 additions and 102 deletions


@ -11,7 +11,16 @@ var thisSite = "http://mochi.test:8888";
var otherSite = "http://example.com";
var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
var tests = { "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
"frame-src": thisSite+page+"?testid=frame-src&csp=1",
"img-src": thisSite+page+"?testid=img-src&csp=1",
"media-src": thisSite+page+"?testid=media-src&csp=1",
"object-src": thisSite+page+"?testid=object-src&csp=1",
"script-src": thisSite+page+"?testid=script-src&csp=1",
"style-src": thisSite+page+"?testid=style-src&csp=1",
"worker": thisSite+page+"?testid=worker&csp=1",
"xhr-src": thisSite+page+"?testid=xhr-src&csp=1",
"font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
"frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
"img-src-spec-compliant": thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
"media-src-spec-compliant": thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",


@ -14,8 +14,8 @@ function handleRequest(request, response)
response.setHeader("Cache-Control", "no-cache", false);
// set CSP header
response.setHeader("Content-Security-Policy",
"default-src 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
response.setHeader("X-Content-Security-Policy",
"allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
false);
// content which will trigger a violation report
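Review bot: The comment `// set CSP header` above the setHeader call does not say which header, while the restored call sends the legacy `X-Content-Security-Policy` name with the pre-1.0 `allow 'self'` form where the other side of the hunk has `default-src 'self'`; I'd state that so the next reader does not "correct" it: `// set the legacy X-Content-Security-Policy header ('allow' is the pre-1.0 spelling of default-src)`. handleRequest starts and ends outside this hunk.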


@ -1 +1 @@
Content-Security-Policy: default-src 'self', default-src *
X-Content-Security-Policy: default-src 'self', allow *


@ -1 +1 @@
X-Content-Security-Policy: default-src 'self' , default-src *
X-Content-Security-Policy: default-src 'self' , allow *


@ -25,7 +25,7 @@ function handleRequest(request, response) {
var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
response.setHeader("Content-Security-Policy", csp, false);
response.setHeader("X-Content-Security-Policy", csp, false);
// the actual file content.
// this image load will (intentionally) fail due to the CSP policy of default-src: 'self'


@ -1 +1 @@
Content-Security-Policy: default-src *; script-src 'unsafe-inline'
X-Content-Security-Policy: default-src *; options inline-script


@ -17,9 +17,15 @@ support-files =
file_CSP_bug885433_blocks.html^headers^
file_CSP_bug888172.html
file_CSP_bug888172.sjs
file_CSP_bug916446.html
file_CSP_bug916446.html^headers^
file_CSP_evalscript_main.html
file_CSP_evalscript_main.html^headers^
file_CSP_evalscript_main.js
file_CSP_evalscript_main_allowed.js
file_CSP_evalscript_main_allowed_getCRMFRequest.js
file_CSP_evalscript_main_getCRMFRequest.html
file_CSP_evalscript_main_getCRMFRequest.html^headers^
file_CSP_evalscript_main_getCRMFRequest.js
file_CSP_evalscript_main_spec_compliant.html
file_CSP_evalscript_main_spec_compliant.html^headers^
@ -32,20 +38,32 @@ support-files =
file_CSP_evalscript_no_CSP_at_all.html
file_CSP_evalscript_no_CSP_at_all.html^headers^
file_CSP_evalscript_no_CSP_at_all.js
file_CSP_frameancestors.sjs
file_CSP_frameancestors_main.html
file_CSP_frameancestors_main.js
file_CSP_frameancestors_main_spec_compliant.html
file_CSP_frameancestors_main_spec_compliant.js
file_CSP_frameancestors_spec_compliant.sjs
file_CSP_inlinescript_main.html
file_CSP_inlinescript_main.html^headers^
file_CSP_inlinescript_main_spec_compliant.html
file_CSP_inlinescript_main_spec_compliant.html^headers^
file_CSP_inlinescript_main_spec_compliant_allowed.html
file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
file_CSP_inlinestyle_main.html
file_CSP_inlinestyle_main.html^headers^
file_CSP_inlinestyle_main_spec_compliant.html
file_CSP_inlinestyle_main_spec_compliant.html^headers^
file_CSP_inlinestyle_main_spec_compliant_allowed.html
file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
file_CSP_main.html
file_CSP_main.html^headers^
file_CSP_main.js
file_CSP_main_spec_compliant.html
file_CSP_main_spec_compliant.html^headers^
file_CSP_main_spec_compliant.js
file_bothCSPheaders.html
file_bothCSPheaders.html^headers^
file_bug836922_npolicies.html
file_bug836922_npolicies.html^headers^
file_bug836922_npolicies_ro_violation.sjs
@ -86,6 +104,8 @@ support-files =
file_CSP_bug941404_xhr.html^headers^
file_hash_source.html
file_hash_source.html^headers^
file_dual_headers_warning.html
file_dual_headers_warning.html^headers^
file_self_none_as_hostname_confusion.html
file_self_none_as_hostname_confusion.html^headers^
file_csp_testserver.sjs
@ -94,6 +114,8 @@ support-files =
file_report_uri_missing_in_report_only_header.html
file_report_uri_missing_in_report_only_header.html^headers^
file_csp_report.sjs
file_policyuri_async_fetch.html
file_policyuri_async_fetch.html^headers^
file_redirect_content.sjs
file_redirect_report.sjs
file_subframe_run_js_if_allowed.html
@ -108,6 +130,7 @@ support-files =
[test_CSP_bug802872.html]
[test_CSP_bug885433.html]
[test_CSP_bug888172.html]
[test_CSP_bug916446.html]
[test_CSP_evalscript.html]
[test_CSP_evalscript_getCRMFRequest.html]
skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
@ -115,6 +138,7 @@ skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) wi
skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
[test_CSP_inlinescript.html]
[test_CSP_inlinestyle.html]
[test_bothCSPheaders.html]
[test_bug836922_npolicies.html]
[test_bug886164.html]
[test_csp_redirects.html]
@ -125,12 +149,14 @@ skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'and
[test_CSP_bug941404.html]
[test_hash_source.html]
skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
[test_dual_headers_warning.html]
[test_self_none_as_hostname_confusion.html]
[test_bug949549.html]
[test_csp_regexp_parsing.html]
[test_report_uri_missing_in_report_only_header.html]
[test_csp_report.html]
skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
[test_policyuri_async_fetch.html]
[test_301_redirect.html]
[test_302_redirect.html]
[test_303_redirect.html]


@ -10,11 +10,30 @@
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
window.tests = {
img_good: -1,
img_bad: -1,
style_good: -1,
style_bad: -1,
frame_good: -1,
frame_bad: -1,
script_good: -1,
script_bad: -1,
xhr_good: -1,
xhr_bad: -1,
media_good: -1,
media_bad: -1,
font_good: -1,
font_bad: -1,
object_good: -1,
object_bad: -1,
img_spec_compliant_good: -1,
img_spec_compliant_bad: -1,
style_spec_compliant_good: -1,
@ -111,7 +130,8 @@ SpecialPowers.pushPrefEnv(
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_main_spec_compliant.html';
document.getElementById('cspframe').src = 'file_CSP_main.html';
document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
});
</script>
</pre>


@ -11,11 +11,14 @@
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
var evalScriptsThatRan = 0;
var evalScriptsBlocked = 0;
var evalScriptsTotal = 16;
var evalScriptsTotal = 24;
// called by scripts that run
var scriptRan = function(shouldrun, testname, data) {
@ -51,8 +54,10 @@ SpecialPowers.pushPrefEnv(
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
// document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
});
</script>
</pre>
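Review bot: The commented-out line `// document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';` at the end of the pushPrefEnv callback refers to a frame this page does not declare (only cspframe, cspframe2 and cspframe3 appear in the markup above), so it is dead code that reads like a pending fourth case. I'd drop it or replace it with a one-line comment saying why the no-CSP page is not loaded from this test. The `evalScriptsTotal = 24` constant likewise deserves a comment on how the count splits across the three frames, since the check that consumes it is not in this hunk.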


@ -12,13 +12,14 @@
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
var evalScriptsThatRan = 0;
var evalScriptsBlocked = 0;
var evalScriptsTotal = 3;
var evalScriptsTotal = 4;
// called by scripts that run
var scriptRan = function(shouldrun, testname, data) {
@ -53,9 +54,10 @@ SpecialPowers.pushPrefEnv(
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
document.getElementById('cspframe3').src = 'file_CSP_evalscript_no_CSP_at_all.html';
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
});
</script>
</pre>


@ -10,11 +10,24 @@
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
var framesThatShouldLoad = {
aa_allow: -1, /* innermost frame allows a */
//aa_block: -1, /* innermost frame denies a */
ab_allow: -1, /* innermost frame allows a */
//ab_block: -1, /* innermost frame denies a */
aba_allow: -1, /* innermost frame allows b,a */
//aba_block: -1, /* innermost frame denies b */
//aba2_block: -1, /* innermost frame denies a */
abb_allow: -1, /* innermost frame allows b,a */
//abb_block: -1, /* innermost frame denies b */
//abb2_block: -1, /* innermost frame denies a */
aa_allow_spec_compliant: -1, /* innermost frame allows a *
//aa_block_spec_compliant: -1, /* innermost frame denies a */
ab_allow_spec_compliant: -1, /* innermost frame allows a */
@ -27,7 +40,7 @@ var framesThatShouldLoad = {
//abb2_block_spec_compliant: -1, /* innermost frame denies a */
};
var expectedViolationsLeft = 6;
var expectedViolationsLeft = 12;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
@ -113,7 +126,8 @@ SpecialPowers.pushPrefEnv(
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main_spec_compliant.html';
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
});
</script>
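Review bot: The entry `aa_allow_spec_compliant: -1, /* innermost frame allows a *` in framesThatShouldLoad never closes its comment: the `*/` that ends it is the one at the end of the following line, so the `//aa_block_spec_compliant` line is swallowed into the block comment. That is harmless today only because that line is already commented out; the fix is the missing slash, `aa_allow_spec_compliant: -1, /* innermost frame allows a */`. This line is probably context carried over rather than introduced by the backout, but it sits in the hunk under review.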


@ -11,13 +11,16 @@
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
var inlineScriptsThatRan = 0;
var inlineScriptsBlocked = 0;
var inlineScriptsTotal = 8;
var inlineScriptsTotal = 12;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
@ -76,8 +79,8 @@ var checkTestResults = function() {
// The four scripts in the page with 'unsafe-inline' should run.
is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
// The four scripts in the other page should be blocked.
is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
// The other eight scripts in the other two pages should be blocked.
is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
// ... otherwise, finish
window.examiner.remove();
@ -89,10 +92,10 @@ var checkTestResults = function() {
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
function clickit1() {
var cspframe1 = document.getElementById('cspframe1');
var a = cspframe1.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe1.contentWindow);
function clickit() {
var cspframe = document.getElementById('cspframe');
var a = cspframe.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
}
function clickit2() {
@ -101,15 +104,23 @@ function clickit2() {
sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
}
function clickit3() {
var cspframe3 = document.getElementById('cspframe3');
var a = cspframe3.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
}
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe1').src = 'file_CSP_inlinescript_main_spec_compliant.html';
document.getElementById('cspframe1').addEventListener('load', clickit1, false);
document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
document.getElementById('cspframe').addEventListener('load', clickit, false);
document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
document.getElementById('cspframe2').addEventListener('load', clickit2, false);
document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
document.getElementById('cspframe3').addEventListener('load', clickit3, false);
});
</script>
</pre>
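Review bot: `clickit`, `clickit2` and `clickit3` are three copies of the same four lines differing only in the frame id, and the hunk restores a third copy rather than a helper that takes the id. A single `clickFrame(frameId)` with the three load listeners wrapped in small closures removes the duplication, as sketched below. clickit2's body begins before the last hunk, so its first lines are not visible here.
```javascript
function clickFrame(frameId) {
  var frame = document.getElementById(frameId);
  var a = frame.contentDocument.getElementById('anchortoclick');
  sendMouseEvent({type:'click'}, a, frame.contentWindow);
}
// … unchanged: SpecialPowers.pushPrefEnv call and the three .src assignments …
document.getElementById('cspframe').addEventListener('load', function() { clickFrame('cspframe'); }, false);
document.getElementById('cspframe2').addEventListener('load', function() { clickFrame('cspframe2'); }, false);
document.getElementById('cspframe3').addEventListener('load', function() { clickFrame('cspframe3'); }, false);
```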


@ -10,68 +10,33 @@
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
//////////////////////////////////////////////////////////////////////
// set up and go
SimpleTest.waitForExplicitFinish();
var done = 0;
// When a CSP 1.0 compliant policy is specified we should block inline
// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
// (when it's not explicitly allowed.)
function checkStylesSpecCompliant(evt) {
var cspframe = document.getElementById('cspframe1');
// Our original CSP implementation does not block inline styles.
function checkStyles(evt) {
var cspframe = document.getElementById('cspframe');
var color;
// black means the style wasn't applied. green colors are used for styles
//expected to be applied. A color is red if a style is erroneously applied
color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
// SMIL tests
color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
checkIfDone();
}
// When a CSP 1.0 compliant policy is specified we should allow inline
// styles when it is explicitly allowed.
function checkStylesSpecCompliantAllowed(evt) {
var cspframe = document.getElementById('cspframe2');
var color;
// black means the style wasn't applied. green colors are used for styles
// expected to be applied. A color is red if a style is erroneously applied
color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
// Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
// since it relies on executing script to set .cssText
color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
// SMIL tests
color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
@ -81,8 +46,72 @@ function checkStylesSpecCompliantAllowed(evt) {
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
checkIfDone();
}
color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
// When a CSP 1.0 compliant policy is specified we should block inline
// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
// (when it's not explicitly allowed.)
function checkStylesSpecCompliant(evt) {
var cspframe = document.getElementById('cspframe2');
var color;
// black means the style wasn't applied. green colors are used for styles
//expected to be applied. A color is red if a style is erroneously applied
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
// SMIL tests
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
checkIfDone();
}
// When a CSP 1.0 compliant policy is specified we should allow inline
// styles when it is explicitly allowed.
function checkStylesSpecCompliantAllowed(evt) {
var cspframe = document.getElementById('cspframe3');
var color;
// black means the style wasn't applied. green colors are used for styles
// expected to be applied. A color is red if a style is erroneously applied
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
// Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
// since it relies on executing script to set .cssText
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
// SMIL tests
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
checkIfDone();
@ -90,7 +119,7 @@ function checkStylesSpecCompliantAllowed(evt) {
function checkIfDone() {
done++;
if (done == 2)
if (done == 3)
SimpleTest.finish();
}
@ -99,10 +128,12 @@ SpecialPowers.pushPrefEnv(
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe1').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
document.getElementById('cspframe1').addEventListener('load', checkStylesSpecCompliant, false);
document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliantAllowed, false);
document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
document.getElementById('cspframe').addEventListener('load', checkStyles, false);
document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
}
);
</script>
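Review bot: In the restored `checkStylesSpecCompliant` and `checkStylesSpecCompliantAllowed` the local `cspframe` is assigned from `getElementById('cspframe2')` / `getElementById('cspframe3')` and then never used; every lookup below goes through the bare names `cspframe2` and `cspframe3`, which resolve only via the browser's implicit id-to-window-property mapping. The two functions should use the variable they declare, i.e. `cspframe.contentDocument` on each of those lines, so the code does not depend on named-element globals and the local is not dead. Separately, the SMIL lookups pass `null` to getElementById (`getElementById('xmlTest',null)`) where that argument was evidently meant for getComputedStyle, as on the non-SMIL lines; it is harmless but misleading and appears in all three check functions.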


@ -213,8 +213,7 @@ SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
["security.mixed_content.block_active_content", false],
["security.mixed_content.block_display_content", false],
["security.csp.speccompliant", true]]},
["security.mixed_content.block_display_content", false]]},
function() { gTestRunner.next(); });


@ -1,7 +1,7 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=773891
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
-->
<head>
<meta charset="utf-8">
@ -218,8 +218,7 @@ SpecialPowers.addPermission("browser", true, "https://example.com");
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
["security.csp.speccompliant", true]]},
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
function() { gTestRunner.next(); });


@ -68,7 +68,25 @@ examiner.prototype = {
window.examiner = new examiner();
// contains { test_frame_id : expected_result }
var testExpectedResults = { "font-src-spec-compliant": true,
var testExpectedResults = { "font-src": true,
"font-src-redir": false,
"frame-src": true,
"frame-src-redir": false,
"img-src": true,
"img-src-redir": false,
"media-src": true,
"media-src-redir": false,
"object-src": true,
"object-src-redir": false,
"script-src": true,
"script-src-redir": false,
"style-src": true,
"style-src-redir": false,
"worker": true,
"worker-redir": false,
"xhr-src": true,
"xhr-src-redir": false,
"font-src-spec-compliant": true,
"font-src-redir-spec-compliant": false,
"frame-src-spec-compliant": true,
"frame-src-redir-spec-compliant": false,


@ -6,7 +6,6 @@
TEST_TOOL_DIRS += [
'csp',
'xcsp',
'websocket_hybi',
]


@ -12,7 +12,7 @@
}
@font-face {
font-family: "arbitrary_bad";
src: url('http://example.org/tests/content/base/test/xcsp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
}
.div_arbitrary_good { font-family: "arbitrary_good"; }


@ -4,9 +4,9 @@ function setupFrames() {
var $ = function(v) { return document.getElementById(v); }
var base = {
self: '/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
a: 'http://mochi.test:8888/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
b: 'http://example.com/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs'
self: '/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
a: 'http://mochi.test:8888/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
b: 'http://example.com/tests/content/base/test/csp/file_CSP_frameancestors.sjs'
};
var host = { a: 'http://mochi.test:8888', b: 'http://example.com:80' };


@ -9,7 +9,7 @@
<script>
var thisSite = "http://mochi.test:8888";
var otherSite = "http://example.com";
var page = "/tests/content/base/test/xcsp/file_csp_redirects_page.sjs";
var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
"frame-src": thisSite+page+"?testid=frame-src&csp=1",
@ -20,6 +20,15 @@ var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
"style-src": thisSite+page+"?testid=style-src&csp=1",
"worker": thisSite+page+"?testid=worker&csp=1",
"xhr-src": thisSite+page+"?testid=xhr-src&csp=1",
"font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
"frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
"img-src-spec-compliant": thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
"media-src-spec-compliant": thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
"object-src-spec-compliant": thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
"script-src-spec-compliant": thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
"style-src-spec-compliant": thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
"worker-spec-compliant": thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
"xhr-src-spec-compliant": thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
};
var container = document.getElementById("container");


@ -2,29 +2,84 @@
support-files =
file_CSP.css
file_CSP.sjs
file_CSP_bug663567.xsl
file_CSP_bug663567_allows.xml
file_CSP_bug663567_allows.xml^headers^
file_CSP_bug663567_blocks.xml
file_CSP_bug663567_blocks.xml^headers^
file_CSP_bug802872.html
file_CSP_bug802872.html^headers^
file_CSP_bug802872.js
file_CSP_bug802872.sjs
file_CSP_bug885433_allows.html
file_CSP_bug885433_allows.html^headers^
file_CSP_bug885433_blocks.html
file_CSP_bug885433_blocks.html^headers^
file_CSP_bug888172.html
file_CSP_bug888172.sjs
file_CSP_bug916446.html
file_CSP_bug916446.html^headers^
file_CSP_evalscript_main.html
file_CSP_evalscript_main.html^headers^
file_CSP_evalscript_main.js
file_CSP_evalscript_main_allowed.js
file_CSP_evalscript_main_allowed_getCRMFRequest.js
file_CSP_evalscript_main_getCRMFRequest.html
file_CSP_evalscript_main_getCRMFRequest.html^headers^
file_CSP_evalscript_main_getCRMFRequest.js
file_CSP_evalscript_main_spec_compliant.html
file_CSP_evalscript_main_spec_compliant.html^headers^
file_CSP_evalscript_main_spec_compliant_allowed.html
file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
file_CSP_evalscript_no_CSP_at_all.html
file_CSP_evalscript_no_CSP_at_all.html^headers^
file_CSP_evalscript_no_CSP_at_all.js
file_CSP_frameancestors.sjs
file_CSP_frameancestors_main.html
file_CSP_frameancestors_main.js
file_CSP_frameancestors_main_spec_compliant.html
file_CSP_frameancestors_main_spec_compliant.js
file_CSP_frameancestors_spec_compliant.sjs
file_CSP_inlinescript_main.html
file_CSP_inlinescript_main.html^headers^
file_CSP_inlinescript_main_spec_compliant.html
file_CSP_inlinescript_main_spec_compliant.html^headers^
file_CSP_inlinescript_main_spec_compliant_allowed.html
file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
file_CSP_inlinestyle_main.html
file_CSP_inlinestyle_main.html^headers^
file_CSP_inlinestyle_main_spec_compliant.html
file_CSP_inlinestyle_main_spec_compliant.html^headers^
file_CSP_inlinestyle_main_spec_compliant_allowed.html
file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
file_CSP_main.html
file_CSP_main.html^headers^
file_CSP_main.js
file_CSP_main_spec_compliant.html
file_CSP_main_spec_compliant.html^headers^
file_CSP_main_spec_compliant.js
file_bothCSPheaders.html
file_bothCSPheaders.html^headers^
file_bug836922_npolicies.html
file_bug836922_npolicies.html^headers^
file_bug836922_npolicies_ro_violation.sjs
file_bug836922_npolicies_violation.sjs
file_bug886164.html
file_bug886164.html^headers^
file_bug886164_2.html
file_bug886164_2.html^headers^
file_bug886164_3.html
file_bug886164_3.html^headers^
file_bug886164_4.html
file_bug886164_4.html^headers^
file_bug886164_5.html
file_bug886164_5.html^headers^
file_bug886164_6.html
file_bug886164_6.html^headers^
file_csp_bug768029.html
file_csp_bug768029.sjs
file_csp_bug773891.html
@ -32,8 +87,32 @@ support-files =
file_csp_redirects_main.html
file_csp_redirects_page.sjs
file_csp_redirects_resource.sjs
file_CSP_bug910139.sjs
file_CSP_bug910139.xml
file_CSP_bug910139.xsl
file_CSP_bug909029_star.html
file_CSP_bug909029_star.html^headers^
file_CSP_bug909029_none.html
file_CSP_bug909029_none.html^headers^
file_policyuri_regression_from_multipolicy.html
file_policyuri_regression_from_multipolicy.html^headers^
file_policyuri_regression_from_multipolicy_policy
file_nonce_source.html
file_nonce_source.html^headers^
file_CSP_bug941404.html
file_CSP_bug941404_xhr.html
file_CSP_bug941404_xhr.html^headers^
file_hash_source.html
file_hash_source.html^headers^
file_dual_headers_warning.html
file_dual_headers_warning.html^headers^
file_self_none_as_hostname_confusion.html
file_self_none_as_hostname_confusion.html^headers^
file_csp_testserver.sjs
file_csp_regexp_parsing.html
file_csp_regexp_parsing.js
file_report_uri_missing_in_report_only_header.html
file_report_uri_missing_in_report_only_header.html^headers^
file_csp_report.sjs
file_policyuri_async_fetch.html
file_policyuri_async_fetch.html^headers^
@ -47,6 +126,10 @@ support-files =
file_multi_policy_injection_bypass_2.html^headers^
[test_CSP.html]
[test_CSP_bug663567.html]
[test_CSP_bug802872.html]
[test_CSP_bug885433.html]
[test_CSP_bug888172.html]
[test_CSP_bug916446.html]
[test_CSP_evalscript.html]
[test_CSP_evalscript_getCRMFRequest.html]
@ -56,8 +139,21 @@ skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'and
[test_CSP_inlinescript.html]
[test_CSP_inlinestyle.html]
[test_bothCSPheaders.html]
[test_bug836922_npolicies.html]
[test_bug886164.html]
[test_csp_redirects.html]
[test_CSP_bug910139.html]
[test_CSP_bug909029.html]
[test_policyuri_regression_from_multipolicy.html]
[test_nonce_source.html]
[test_CSP_bug941404.html]
[test_hash_source.html]
skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
[test_dual_headers_warning.html]
[test_self_none_as_hostname_confusion.html]
[test_bug949549.html]
[test_csp_regexp_parsing.html]
[test_report_uri_missing_in_report_only_header.html]
[test_csp_report.html]
skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
[test_policyuri_async_fetch.html]


@ -10,8 +10,11 @@
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
window.tests = {
@ -31,6 +34,22 @@ window.tests = {
font_bad: -1,
object_good: -1,
object_bad: -1,
img_spec_compliant_good: -1,
img_spec_compliant_bad: -1,
style_spec_compliant_good: -1,
style_spec_compliant_bad: -1,
frame_spec_compliant_good: -1,
frame_spec_compliant_bad: -1,
script_spec_compliant_good: -1,
script_spec_compliant_bad: -1,
xhr_spec_compliant_good: -1,
xhr_spec_compliant_bad: -1,
media_spec_compliant_good: -1,
media_spec_compliant_bad: -1,
font_spec_compliant_good: -1,
font_spec_compliant_bad: -1,
object_spec_compliant_good: -1,
object_spec_compliant_bad: -1,
};
// This is used to watch the blocked data bounce off CSP and allowed data
@ -112,6 +131,7 @@ SpecialPowers.pushPrefEnv(
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_main.html';
document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
});
</script>
</pre>


@ -10,11 +10,15 @@
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
var evalScriptsThatRan = 0;
var evalScriptsBlocked = 0;
var evalScriptsTotal = 8;
var evalScriptsTotal = 24;
// called by scripts that run
var scriptRan = function(shouldrun, testname, data) {
@ -51,6 +55,9 @@ SpecialPowers.pushPrefEnv(
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
// document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
});
</script>
</pre>
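Review bot: The commented-out `cspframe4` load on the last added line of the hunk refers to an iframe this page never declares (only `cspframe`, `cspframe2` and `cspframe3` are added above), and `evalScriptsTotal = 24` is sized for the three frames that are actually loaded, so the dead line is a trap for whoever uncomments it. Either delete `// document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';` or, if the no-CSP page is meant to be exercised here as it is in the getCRMFRequest variant, add the iframe and adjust the total to match. The `pushPrefEnv` callback that contains these lines starts outside the hunk.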


@ -11,13 +11,15 @@
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
var evalScriptsThatRan = 0;
var evalScriptsBlocked = 0;
var evalScriptsTotal = 2;
var evalScriptsTotal = 4;
// called by scripts that run
var scriptRan = function(shouldrun, testname, data) {
@ -53,7 +55,9 @@ SpecialPowers.pushPrefEnv(
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_no_CSP_at_all.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
});
</script>
</pre>


@ -10,8 +10,11 @@
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
var framesThatShouldLoad = {
@ -25,9 +28,19 @@ var framesThatShouldLoad = {
abb_allow: -1, /* innermost frame allows b,a */
//abb_block: -1, /* innermost frame denies b */
//abb2_block: -1, /* innermost frame denies a */
aa_allow_spec_compliant: -1, /* innermost frame allows a *
//aa_block_spec_compliant: -1, /* innermost frame denies a */
ab_allow_spec_compliant: -1, /* innermost frame allows a */
//ab_block_spec_compliant: -1, /* innermost frame denies a */
aba_allow_spec_compliant: -1, /* innermost frame allows b,a */
//aba_block_spec_compliant: -1, /* innermost frame denies b */
//aba2_block_spec_compliant: -1, /* innermost frame denies a */
abb_allow_spec_compliant: -1, /* innermost frame allows b,a */
//abb_block_spec_compliant: -1, /* innermost frame denies b */
//abb2_block_spec_compliant: -1, /* innermost frame denies a */
};
var expectedViolationsLeft = 6;
var expectedViolationsLeft = 12;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
@ -114,6 +127,7 @@ SpecialPowers.pushPrefEnv(
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
});
</script>
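Review bot: The block comment on the restored `aa_allow_spec_compliant` entry is never closed: the line ends in `*` instead of `*/`, so the comment runs on to the `*/` at the end of the following line and swallows the `//aa_block_spec_compliant` entry with it. It is harmless today only because that entry is already disabled with `//`; anyone re-enabling it by removing the `//` would find it still silently ignored by the parser. Change the line to `aa_allow_spec_compliant: -1, /* innermost frame allows a */`. The `framesThatShouldLoad` object literal that holds these entries opens outside the hunk, as the hunk header shows.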


@ -12,10 +12,15 @@
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
var inlineScriptsThatRan = 0;
var inlineScriptsBlocked = 0;
var inlineScriptsTotal = 4;
var inlineScriptsTotal = 12;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
@ -48,6 +53,14 @@ examiner.prototype = {
}
}
// called by scripts that run
// the first argument is whether the script expects to be allowed or not.
var scriptRan = function(result, testname, data) {
inlineScriptsThatRan++;
ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
checkTestResults();
}
// called when a script is blocked
// -- we can't determine *which* frame was blocked, but at least we can count them
var scriptBlocked = function(testname, data) {
@ -56,14 +69,18 @@ var scriptBlocked = function(testname, data) {
checkTestResults();
}
// Check to see if all the tests have run
var checkTestResults = function() {
// if any test is incomplete, keep waiting
if (inlineScriptsBlocked < inlineScriptsTotal)
if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
return;
// The other four scripts in the other two pages should be blocked.
is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
// The four scripts in the page with 'unsafe-inline' should run.
is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
// The other eight scripts in the other two pages should be blocked.
is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
// ... otherwise, finish
window.examiner.remove();
@ -81,6 +98,18 @@ function clickit() {
sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
}
function clickit2() {
var cspframe2 = document.getElementById('cspframe2');
var a = cspframe2.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
}
function clickit3() {
var cspframe3 = document.getElementById('cspframe3');
var a = cspframe3.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
}
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
@ -88,6 +117,10 @@ SpecialPowers.pushPrefEnv(
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
document.getElementById('cspframe').addEventListener('load', clickit, false);
document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
document.getElementById('cspframe2').addEventListener('load', clickit2, false);
document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
document.getElementById('cspframe3').addEventListener('load', clickit3, false);
});
</script>
</pre>
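Review bot: `clickit2` and `clickit3` added in this hunk are copies of `clickit` with only the frame id changed, so any fix to the click simulation has to be made three times. A single helper parameterised on the id, `function clickFrame(id) { var f = document.getElementById(id); sendMouseEvent({type:'click'}, f.contentDocument.getElementById('anchortoclick'), f.contentWindow); }`, registered as `addEventListener('load', function () { clickFrame('cspframe2'); }, false)` for each frame, keeps the three loads in one place. `clickit` itself and the `pushPrefEnv` callback start outside the hunk.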


@ -11,8 +11,13 @@
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
//////////////////////////////////////////////////////////////////////
// set up and go
SimpleTest.waitForExplicitFinish();
@ -44,9 +49,77 @@ function checkStyles(evt) {
checkIfDone();
}
// When a CSP 1.0 compliant policy is specified we should block inline
// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
// (when it's not explicitly allowed.)
function checkStylesSpecCompliant(evt) {
var cspframe = document.getElementById('cspframe2');
var color;
// black means the style wasn't applied. green colors are used for styles
//expected to be applied. A color is red if a style is erroneously applied
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
// SMIL tests
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
checkIfDone();
}
// When a CSP 1.0 compliant policy is specified we should allow inline
// styles when it is explicitly allowed.
function checkStylesSpecCompliantAllowed(evt) {
var cspframe = document.getElementById('cspframe3');
var color;
// black means the style wasn't applied. green colors are used for styles
// expected to be applied. A color is red if a style is erroneously applied
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
// Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
// since it relies on executing script to set .cssText
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
// SMIL tests
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
checkIfDone();
}
function checkIfDone() {
done++;
if (done == 1)
if (done == 3)
SimpleTest.finish();
}
@ -57,6 +130,10 @@ SpecialPowers.pushPrefEnv(
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
document.getElementById('cspframe').addEventListener('load', checkStyles, false);
document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
}
);
</script>
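Review bot: In `checkStylesSpecCompliant` the frame is bound as `var cspframe = document.getElementById('cspframe2');` but every lookup then dereferences `cspframe2`, and `checkStylesSpecCompliantAllowed` does the same with `cspframe` versus `cspframe3`; the code only works because the browser exposes elements with an `id` as named properties on `window`, and both locals are dead. Rename them to what is actually used, `var cspframe2 = document.getElementById('cspframe2');` and `var cspframe3 = document.getElementById('cspframe3');`. In the SMIL checks the `null` is passed to `getElementById('xmlTest', null)` rather than to `getComputedStyle`, which only works because the extra argument is ignored; it belongs on the outer call, `getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest'), null)['fill']`. The comment above the cssText check should also read `script-src 'unsafe-inline'`, since CSP directives take no colon.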


@ -86,6 +86,24 @@ var testExpectedResults = { "font-src": true,
"worker-redir": false,
"xhr-src": true,
"xhr-src-redir": false,
"font-src-spec-compliant": true,
"font-src-redir-spec-compliant": false,
"frame-src-spec-compliant": true,
"frame-src-redir-spec-compliant": false,
"img-src-spec-compliant": true,
"img-src-redir-spec-compliant": false,
"media-src-spec-compliant": true,
"media-src-redir-spec-compliant": false,
"object-src-spec-compliant": true,
"object-src-redir-spec-compliant": false,
"script-src-spec-compliant": true,
"script-src-redir-spec-compliant": false,
"style-src-spec-compliant": true,
"style-src-redir-spec-compliant": false,
"worker-spec-compliant": true,
"worker-redir-spec-compliant": false,
"xhr-src-spec-compliant": true,
"xhr-src-redir-spec-compliant": false,
};
// takes the name of the test, the URL that was tested, and whether the


@ -82,7 +82,7 @@ window.checkResults = function(reportObj) {
var cspReport = reportObj["csp-report"];
// correct violating request
is(cspReport["document-uri"],
"http://mochi.test:8888/tests/content/base/test/xcsp/" + testFile,
"http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
"Incorrect violating request");
// correct blocked-uri
is(cspReport["blocked-uri"],