Bug 746978 - sync CSP directive parsing and directive names with w3c spec - Part 2 : tests (r=sstamm)

2024-09-13 09:24:08 -07:00 · 2013-01-09 10:57:05 -08:00 · 2013-01-09 10:57:05 -08:00 · eb8709b9d8
commit eb8709b9d8
parent f79b6c84f3
9 changed files with 293 additions and 8 deletions
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@ -364,11 +364,17 @@ MOCHITEST_FILES_B = \
 		file_CSP.sjs \
 		file_CSP_main.html \
 		file_CSP_main.html^headers^ \
+		file_CSP_main_spec_compliant.html \
+		file_CSP_main_spec_compliant.html^headers^ \
 		file_CSP_main.js \
+		file_CSP_main_spec_compliant.js \
 		test_CSP_frameancestors.html \
 		file_CSP_frameancestors.sjs \
 		file_CSP_frameancestors_main.html \
 		file_CSP_frameancestors_main.js \
+		file_CSP_frameancestors_spec_compliant.sjs \
+		file_CSP_frameancestors_main_spec_compliant.html \
+		file_CSP_frameancestors_main_spec_compliant.js \
 		test_CSP_inlinescript.html \
 		file_CSP_inlinescript_main.html \
 		file_CSP_inlinescript_main.html^headers^ \
--- a/content/base/test/file_CSP_frameancestors_main_spec_compliant.html
+++ b/content/base/test/file_CSP_frameancestors_main_spec_compliant.html
@ -0,0 +1,47 @@
+<html>
+  <head>
+    <title>CSP frame ancestors tests</title>
+
+    <!-- this page shouldn't have a CSP, just the sub-pages. -->
+    <script src='file_CSP_frameancestors_main_spec_compliant.js'></script>
+
+  </head>
+  <body>
+
+<!-- These iframes will get populated by the attached javascript. -->
+<tt>  aa_allow:   /* innermost frame allows a */</tt><br/>
+<iframe id='aa_allow_spec_compliant'></iframe><br/>
+
+<tt>  aa_block:     /* innermost frame denies a */</tt><br/>
+<iframe id='aa_block_spec_compliant'></iframe><br/>
+
+<tt>  aa2_block:     /* innermost frame (view-source: URL) denies a */</tt><br/>
+<iframe id='aa2_block_spec_compliant'></iframe><br/>
+
+<tt>  ab_allow:     /* innermost frame allows a */</tt><br/>
+<iframe id='ab_allow_spec_compliant'></iframe><br/>
+
+<tt>  ab_block:     /* innermost frame denies a */</tt><br/>
+<iframe id='ab_block_spec_compliant'></iframe><br/>
+
+<tt>  aba_allow:    /* innermost frame allows b,a */</tt><br/>
+<iframe id='aba_allow_spec_compliant'></iframe><br/>
+
+<tt>  aba_block:    /* innermost frame denies b */</tt><br/>
+<iframe id='aba_block_spec_compliant'></iframe><br/>
+
+<tt>  aba2_block:   /* innermost frame denies a */</tt><br/>
+<iframe id='aba2_block_spec_compliant'></iframe><br/>
+
+<tt>  abb_allow:    /* innermost frame allows b,a */</tt><br/>
+<iframe id='abb_allow_spec_compliant'></iframe><br/>
+
+<tt>  abb_block:    /* innermost frame denies b */</tt><br/>
+<iframe id='abb_block_spec_compliant'></iframe><br/>
+
+<tt>  abb2_block:   /* innermost frame denies a */</tt><br/>
+<iframe id='abb2_block_spec_compliant'></iframe><br/>
+
+
+  </body>
+</html>
--- a/content/base/test/file_CSP_frameancestors_main_spec_compliant.js
+++ b/content/base/test/file_CSP_frameancestors_main_spec_compliant.js
@ -0,0 +1,69 @@
+// Script to populate the test frames in the frame ancestors mochitest.
+//
+function setupFrames() {
+
+  var $ = function(v) { return document.getElementById(v); }
+  var base = {
+        self: '/tests/content/base/test/file_CSP_frameancestors_spec_compliant.sjs',
+        a: 'http://mochi.test:8888/tests/content/base/test/file_CSP_frameancestors_spec_compliant.sjs',
+        b: 'http://example.com/tests/content/base/test/file_CSP_frameancestors_spec_compliant.sjs'
+  };
+
+  var host = { a: 'http://mochi.test:8888', b: 'http://example.com:80' };
+
+  var innerframeuri = null;
+  var elt = null;
+
+  elt = $('aa_allow_spec_compliant');
+  elt.src = base.a + "?testid=aa_allow_spec_compliant&internalframe=aa_a&csp=" +
+            escape("default-src 'none'; frame-ancestors " + host.a + "; script-src 'self'");
+
+  elt = $('aa_block_spec_compliant');
+  elt.src = base.a + "?testid=aa_block_spec_compliant&internalframe=aa_b&csp=" +
+            escape("default-src 'none'; frame-ancestors 'none'; script-src 'self'");
+
+  elt = $('aa2_block_spec_compliant');
+  elt.src = "view-source:" + base.a + "?testid=aa2_block_spec_compliant&internalframe=aa_b&csp=" +
+            escape("default-src 'none'; frame-ancestors 'none'; script-src 'self'");
+
+  elt = $('ab_allow_spec_compliant');
+  elt.src = base.b + "?testid=ab_allow_spec_compliant&internalframe=ab_a&csp=" +
+            escape("default-src 'none'; frame-ancestors " + host.a + "; script-src 'self'");
+
+  elt = $('ab_block_spec_compliant');
+  elt.src = base.b + "?testid=ab_block_spec_compliant&internalframe=ab_b&csp=" +
+            escape("default-src 'none'; frame-ancestors 'none'; script-src 'self'");
+
+   /* .... two-level framing */
+  elt = $('aba_allow_spec_compliant');
+  innerframeuri = base.a + "?testid=aba_allow_spec_compliant&double=1&internalframe=aba_a&csp=" +
+                  escape("default-src 'none'; frame-ancestors " + host.a + " " + host.b + "; script-src 'self'");
+  elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
+
+  elt = $('aba_block_spec_compliant');
+  innerframeuri = base.a + "?testid=aba_allow_spec_compliant&double=1&internalframe=aba_b&csp=" +
+                  escape("default-src 'none'; frame-ancestors " + host.a + "; script-src 'self'");
+  elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
+
+  elt = $('aba2_block_spec_compliant');
+  innerframeuri = base.a + "?testid=aba_allow_spec_compliant&double=1&internalframe=aba2_b&csp=" +
+                  escape("default-src 'none'; frame-ancestors " + host.b + "; script-src 'self'");
+  elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
+
+  elt = $('abb_allow_spec_compliant');
+  innerframeuri = base.b + "?testid=abb_allow_spec_compliant&double=1&internalframe=abb_a&csp=" +
+                  escape("default-src 'none'; frame-ancestors " + host.a + " " + host.b + "; script-src 'self'");
+  elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
+
+  elt = $('abb_block_spec_compliant');
+  innerframeuri = base.b + "?testid=abb_allow_spec_compliant&double=1&internalframe=abb_b&csp=" +
+                  escape("default-src 'none'; frame-ancestors " + host.a + "; script-src 'self'");
+  elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
+
+  elt = $('abb2_block_spec_compliant');
+  innerframeuri = base.b + "?testid=abb_allow_spec_compliant&double=1&internalframe=abb2_b&csp=" +
+                  escape("default-src 'none'; frame-ancestors " + host.b + "; script-src 'self'");
+  elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
+}
+
+window.addEventListener('load', setupFrames, false);
--- a/content/base/test/file_CSP_frameancestors_spec_compliant.sjs
+++ b/content/base/test/file_CSP_frameancestors_spec_compliant.sjs
@ -0,0 +1,57 @@
+// SJS file for CSP frame ancestor mochitests
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  var isPreflight = request.method == "OPTIONS";
+
+
+  //avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // grab the desired policy from the query, and then serve a page
+  if (query['csp'])
+    response.setHeader("Content-Security-Policy",
+                        unescape(query['csp']),
+                        false);
+  if (query['scriptedreport']) {
+    // spit back a script that records that the page loaded
+    response.setHeader("Content-Type", "text/javascript", false);
+    response.write('netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");');
+    if (query['double'])
+      response.write('window.parent.parent.parent.frameLoaded("' + query['scriptedreport'] + '", ' +
+                                                       'window.location.toString());');
+    else
+      response.write('window.parent.parent.frameLoaded("' + query['scriptedreport'] + '", ' +
+                                                'window.location.toString());');
+  } else if (query['internalframe']) {
+    // spit back an internal iframe (one that might be blocked)
+    response.setHeader("Content-Type", "text/html", false);
+    response.write('<html><head>');
+    if (query['double'])
+      response.write('<script src="file_CSP_frameancestors_spec_compliant.sjs?double=1&scriptedreport=' + query['testid'] + '"></script>');
+    else
+      response.write('<script src="file_CSP_frameancestors_spec_compliant.sjs?scriptedreport=' + query['testid'] + '"></script>');
+    response.write('</head><body>');
+    response.write(unescape(query['internalframe']));
+    response.write('</body></html>');
+  } else if (query['externalframe']) {
+    // spit back an internal iframe (one that won't be blocked, and probably
+    // has no CSP)
+    response.setHeader("Content-Type", "text/html", false);
+    response.write('<html><head>');
+    response.write('</head><body>');
+    response.write(unescape(query['externalframe']));
+    response.write('</body></html>');
+  } else {
+    // default case: error.
+    response.setHeader("Content-Type", "text/html", false);
+    response.write('<html><body>');
+    response.write("ERROR: not sure what to serve.");
+    response.write('</body></html>');
+  }
+}
--- a/content/base/test/file_CSP_main_spec_compliant.html
+++ b/content/base/test/file_CSP_main_spec_compliant.html
@ -0,0 +1,55 @@
+<html>
+  <head>
+    <link rel='stylesheet' type='text/css'
+          href='http://example.org/tests/content/base/test/file_CSP.sjs?testid=style_spec_compliant_bad&type=text/css' />
+    <link rel='stylesheet' type='text/css'
+          href='file_CSP.sjs?testid=style_spec_compliant_good&type=text/css' />
+
+
+    <style>
+      /* CSS font embedding tests */
+      @font-face {
+        font-family: "arbitrary_good";
+        src: url('file_CSP.sjs?testid=font_spec_compliant_good&type=application/octet-stream');
+      }
+      @font-face {
+        font-family: "arbitrary_bad";
+        src: url('http://example.org/tests/content/base/test/file_CSP.sjs?testid=font_spec_compliant_bad&type=application/octet-stream');
+      }
+
+      .div_arbitrary_good { font-family: "arbitrary_good"; }
+      .div_arbitrary_bad { font-family: "arbitrary_bad"; }
+    </style>
+  </head>
+  <body>
+    <!-- these should be stopped by CSP.  :) -->
+    <img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_spec_compliant_bad&type=img/png"> </img>
+    <audio src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=media_spec_compliant_bad&type=audio/vorbis"></audio>
+    <script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script_spec_compliant_bad&type=text/javascript'></script>
+    <iframe src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=frame_spec_compliant_bad&content=FAIL'></iframe>
+    <object width="10" height="10">
+      <param name="movie" value="http://example.org/tests/content/base/test/file_CSP.sjs?testid=object_spec_compliant_bad&type=application/x-shockwave-flash">
+      <embed src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=object_spec_compliant_bad&type=application/x-shockwave-flash"></embed>
+    </object>
+
+    <!-- these should load ok.  :) -->
+    <img src="file_CSP.sjs?testid=img_spec_compliant_good&type=img/png" />
+    <audio src="file_CSP.sjs?testid=media_spec_compliant_good&type=audio/vorbis"></audio>
+    <script src='file_CSP.sjs?testid=script_spec_compliant_good&type=text/javascript'></script>
+    <iframe src='file_CSP.sjs?testid=frame_spec_compliant_good&content=PASS'></iframe>
+
+    <object width="10" height="10">
+      <param name="movie" value="file_CSP.sjs?testid=object_spec_compliant_good&type=application/x-shockwave-flash">
+      <embed src="file_CSP.sjs?testid=object_spec_compliant_good&type=application/x-shockwave-flash"></embed>
+    </object>
+
+    <!-- XHR tests... they're taken care of in this script,
+         and since the URI doesn't have any 'testid' values,
+         it will just be ignored by the test framework.  -->
+    <script src='file_CSP_main_spec_compliant.js'></script>
+
+    <!-- Support elements for the @font-face test -->
+    <div class="div_arbitrary_good">arbitrary good</div>
+    <div class="div_arbitrary_bad">arbitrary_bad</div>
+  </body>
+</html>
--- a/content/base/test/file_CSP_main_spec_compliant.html^headers^
+++ b/content/base/test/file_CSP_main_spec_compliant.html^headers^
@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' ; style-src 'unsafe-inline' 'self'
--- a/content/base/test/file_CSP_main_spec_compliant.js
+++ b/content/base/test/file_CSP_main_spec_compliant.js
@ -0,0 +1,16 @@
+// some javascript for the CSP XHR tests
+//
+
+try {
+  var xhr_good = new XMLHttpRequest();
+  var xhr_good_uri ="http://mochi.test:8888/tests/content/base/test/file_CSP.sjs?testid=xhr_spec_compliant_good";
+  xhr_good.open("GET", xhr_good_uri, true);
+  xhr_good.send(null);
+} catch(e) {}
+
+try {
+  var xhr_bad = new XMLHttpRequest();
+  var xhr_bad_uri ="http://example.com/tests/content/base/test/file_CSP.sjs?testid=xhr_spec_compliant_bad";
+  xhr_bad.open("GET", xhr_bad_uri, true);
+  xhr_bad.send(null);
+} catch(e) {}
--- a/content/base/test/test_CSP.html
+++ b/content/base/test/test_CSP.html
@ -13,6 +13,7 @@
 </div>

 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">

 var path = "/tests/content/base/test/";
@ -36,6 +37,22 @@ window.tests = {
  font_bad: -1,
  object_good: -1,
  object_bad: -1,
+  img_spec_compliant_good: -1,
+  img_spec_compliant_bad: -1,
+  style_spec_compliant_good: -1,
+  style_spec_compliant_bad: -1,
+  frame_spec_compliant_good: -1,
+  frame_spec_compliant_bad: -1,
+  script_spec_compliant_good: -1,
+  script_spec_compliant_bad: -1,
+  xhr_spec_compliant_good: -1,
+  xhr_spec_compliant_bad: -1,
+  media_spec_compliant_good: -1,
+  media_spec_compliant_bad: -1,
+  font_spec_compliant_good: -1,
+  font_spec_compliant_bad: -1,
+  object_spec_compliant_good: -1,
+  object_spec_compliant_bad: -1,
 };


@ -65,10 +82,10 @@ examiner.prototype  = {
      var uri = subject.QueryInterface(Components.interfaces.nsIHttpChannel).URI;
      if (!testpat.test(uri.asciiSpec)) return;
      var testid = testpat.exec(uri.asciiSpec)[1];
+
      window.testResult(testid,
                        /_good/.test(testid),
                        uri.asciiSpec + " allowed by csp");
-
    }

    if(topic === "csp-on-violate-policy") {
@ -96,7 +113,6 @@ examiner.prototype  = {
 window.examiner = new examiner();

 window.testResult = function(testname, result, msg) {
-
  //test already complete.... forget it... remember the first result.
  if (window.tests[testname] != -1)
    return;
--- a/content/base/test/test_CSP_frameancestors.html
+++ b/content/base/test/test_CSP_frameancestors.html
@ -13,6 +13,7 @@
 </div>

 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">

 var path = "/tests/content/base/test/";
@ -31,9 +32,20 @@ var framesThatShouldLoad = {
  abb_allow: -1,   /* innermost frame allows b,a */
  //abb_block: -1,   /* innermost frame denies b */
  //abb2_block: -1,  /* innermost frame denies a */
+  aa_allow_spec_compliant: -1,    /* innermost frame allows a *
+  //aa_block_spec_compliant: -1,    /* innermost frame denies a */
+  //aa2_block_spec_compliant: -1,    /* innermost frame denies a */
+  ab_allow_spec_compliant: -1,    /* innermost frame allows a */
+  //ab_block_spec_compliant: -1,    /* innermost frame denies a */
+  aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
+  //aba_block_spec_compliant: -1,   /* innermost frame denies b */
+  //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
+  abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
+  //abb_block_spec_compliant: -1,   /* innermost frame denies b */
+  //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
 };

-var expectedViolationsLeft = 7;
+var expectedViolationsLeft = 14;

 // This is used to watch the blocked data bounce off CSP and allowed data 
 // get sent out to the wire.
@ -94,10 +106,10 @@ var frameBlocked = function(uri, policy) {
 var checkTestResults = function() {
  // if any test is incomplete, keep waiting
  for (var v in framesThatShouldLoad)
-    if(framesThatShouldLoad[v] == -1)
+    if(window.framesThatShouldLoad[v] == -1)
      return;

-  if (expectedViolationsLeft > 0)
+  if (window.expectedViolationsLeft > 0)
    return;

  // ... otherwise, finish
@ -110,9 +122,15 @@ var checkTestResults = function() {
 window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();

-// save this for last so that our listeners are registered.
-// ... this loads the testbed of good and bad requests.
-document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
+// added this so the tests run even if we don't flip the pref on by default.
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function() {
+    // save this for last so that our listeners are registered.
+    // ... this loads the testbed of good and bad requests.
+    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
+    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
+  });

 </script>
 </pre>
				`@ -0,0 +1 @@`
				`Content-Security-Policy: default-src 'self' ; style-src 'unsafe-inline' 'self'`