Bug 1173708 - Fix intermittent test_inlinescript error. r=dveditz

Christoph Kerschbaumer 2015-07-20 11:25:24 -07:00
parent 3bd48f32ec
commit edad68503a
7 changed files with 98 additions and 111 deletions


@ -0,0 +1,15 @@
<html>
<head>
<title>CSP inline script tests</title>
</head>
<body onload="window.parent.postMessage('body-onload-fired', '*')">
<script type="text/javascript">
window.parent.postMessage("text-node-fired", "*");
</script>
<iframe src='javascript:window.parent.parent.postMessage("javascript-uri-fired", "*")'></iframe>
<a id='anchortoclick' href='javascript:window.parent.postMessage("javascript-uri-anchor-fired", "*")'>testlink</a>
</body>
</html>
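Review bot: All four inline vectors in this new file (the body `onload` attribute, the script text node, the nested iframe's javascript: URI and the anchor's javascript: URI) post their marker with a `'*'` target origin, and nothing in the file says why the wildcard is acceptable. The payloads are fixed, non-sensitive strings, so nothing leaks here, but an HTML comment at the top stating "wildcard target is fine: payloads are constant test markers and the harness page is the only intended receiver" would stop the pattern being copied into a page that posts real data. The same comment could note that the nested iframe posts to `window.parent.parent` because its javascript: URI runs one frame deeper than the other three vectors.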


@ -1,15 +0,0 @@
<html>
<head>
<title>CSP inline script tests</title>
</head>
<body onload="window.parent.scriptRan(false, 'eventattr', 'event attribute in body tag fired')">
<script type="text/javascript">
window.parent.scriptRan(false, "textnode", "text node in a script tag executed.");
</script>
<iframe src='javascript:window.parent.parent.scriptRan(false, "jsuri", "javascript: uri in image tag")' ></iframe>
<a id='anchortoclick' href='javascript:window.parent.scriptRan(false, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
</body>
</html>


@ -1,2 +0,0 @@
Content-Security-Policy: default-src 'self'
Cache-Control: no-cache


@ -1,16 +0,0 @@
<html>
<head>
<title>CSP inline script tests</title>
</head>
<body onload="window.parent.scriptRan(true, 'eventattr', 'event attribute in body tag fired')">
<script type="text/javascript">
//alert(window.parent.scriptRan);
window.parent.scriptRan(true, "textnode", "text node in a script tag executed.");
</script>
<iframe src='javascript:window.parent.parent.scriptRan(true, "jsuri", "javascript: uri in image tag")'></iframe>
<a id='anchortoclick' href='javascript:window.parent.scriptRan(true, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
</body>
</html>


@ -1,2 +0,0 @@
Content-Security-Policy: default-src 'self' ; script-src 'self' 'unsafe-inline'
Cache-Control: no-cache


@ -31,10 +31,7 @@ support-files =
file_frameancestors_main.html
file_frameancestors_main.js
file_frameancestors.sjs
file_inlinescript_main.html
file_inlinescript_main.html^headers^
file_inlinescript_main_allowed.html
file_inlinescript_main_allowed.html^headers^
file_inlinescript.html
file_inlinestyle_main.html
file_inlinestyle_main.html^headers^
file_inlinestyle_main_allowed.html


@ -1,6 +1,7 @@
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Test for Content Security Policy Frame Ancestors directive</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
@ -10,14 +11,30 @@
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='testframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">
var inlineScriptsThatRan = 0;
var inlineScriptsBlocked = 0;
var inlineScriptsTotal = 8;
var tests = [
{
/* test allowed */
csp: "default-src 'self'; script-src 'self' 'unsafe-inline'",
results: ["body-onload-fired", "text-node-fired",
"javascript-uri-fired", "javascript-uri-anchor-fired"],
desc: "allow inline scripts",
received: 0, // counter to make sure we received all 4 reports
},
{
/* test blocked */
csp: "default-src 'self'",
results: ["inline-script-blocked"],
desc: "block inline scripts",
received: 0, // counter to make sure we received all 4 reports
}
];
var counter = 0;
var curTest;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
@ -26,88 +43,81 @@ function examiner() {
}
examiner.prototype = {
observe: function(subject, topic, data) {
// subject should be an nsURI, and should be either allowed or blocked.
if (!SpecialPowers.can_QI(subject))
if (topic !== "csp-on-violate-policy") {
return;
if (topic === "csp-on-violate-policy") {
var what = null;
try {
//these were blocked... record that they were blocked
what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
} catch(e) {
//if that fails, the subject is probably a string
what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
}
window.scriptBlocked(what, data);
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
var what = SpecialPowers.getPrivilegedProps(SpecialPowers.
do_QueryInterface(subject, "nsISupportsCString"), "data");
if (!what.includes("Inline Script had invalid hash") &&
!what.includes("Inline Scripts will not execute")) {
return;
}
window.checkResults("inline-script-blocked");
},
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
}
}
// called by scripts that run
// the first argument is whether the script expects to be allowed or not.
var scriptRan = function(result, testname, data) {
inlineScriptsThatRan++;
ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
checkTestResults();
}
// called when a script is blocked
// -- we can't determine *which* frame was blocked, but at least we can count them
var scriptBlocked = function(testname, data) {
inlineScriptsBlocked++;
ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
checkTestResults();
}
// Check to see if all the tests have run
var checkTestResults = function() {
// if any test is incomplete, keep waiting
if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
return;
// The four scripts in the page with 'unsafe-inline' should run.
is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
// The four scripts in the other page should be blocked.
is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
// ... otherwise, finish
function finishTest() {
window.examiner.remove();
window.removeEventListener("message", receiveMessage, false);
SimpleTest.finish();
}
//////////////////////////////////////////////////////////////////////
// set up and go
// Check to see if all the tests have run
var checkResults = function(result) {
var index = curTest.results.indexOf(result);
isnot(index, -1, "should find result (" + result +") within test: " + curTest.desc);
if (index > -1) {
curTest.received += 1;
}
// make sure we receive all the 4 reports for the 4 inline scripts
if (curTest.received < 4) {
return;
}
if (counter < tests.length) {
loadNextTest();
return;
}
finishTest();
}
// a postMessage handler that is used to bubble up results from the testframe
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event) {
checkResults(event.data);
}
function clickit() {
document.getElementById("testframe").removeEventListener('load', clickit, false);
var testframe = document.getElementById('testframe');
var a = testframe.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, testframe.contentWindow);
}
function loadNextTest() {
curTest = tests[counter++];
var src = "file_testserver.sjs?file=";
// append the file that should be served
src += escape("tests/dom/security/test/csp/file_inlinescript.html");
// append the CSP that should be used to serve the file
src += "&csp=" + escape(curTest.csp);
document.getElementById("testframe").src = src;
document.getElementById("testframe").addEventListener("load", clickit, false);
}
// set up the test and go
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
loadNextTest();
function clickit1() {
var cspframe1 = document.getElementById('cspframe1');
var a = cspframe1.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe1.contentWindow);
}
function clickit2() {
var cspframe2 = document.getElementById('cspframe2');
var a = cspframe2.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
}
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe1').src = 'file_inlinescript_main.html';
document.getElementById('cspframe1').addEventListener('load', clickit1, false);
document.getElementById('cspframe2').src = 'file_inlinescript_main_allowed.html';
document.getElementById('cspframe2').addEventListener('load', clickit2, false);
</script>
</pre>
</body>
</html>
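Review bot: `checkResults` only counts up to a hard-coded 4 (`if (curTest.received < 4)`), so for the "allow inline scripts" case it never confirms that each of the four distinct markers in `results` arrived; the same marker delivered four times would satisfy it. Recording which entries were seen and giving each test an explicit expected count would make the allowed case prove that every inline vector ran. It would also replace the copied "all 4 reports" comment on the blocked test, whose `results` list has a single entry. Separately, `receiveMessage` forwards `event.data` without checking `event.origin`, so a stray message from another document would be attributed to `curTest`; a guard such as `if (event.origin !== window.location.origin) return;` would narrow that, assuming the test frame is served same-origin. The new `observe` body also queries `nsISupportsCString` without the try/catch the old code had, so a violation whose subject is a URI would presumably throw inside the observer rather than be ignored.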