forked from mozilla/gecko-dev
-
Notifications
You must be signed in to change notification settings - Fork 2
/
test_csp_bug768029.html
223 lines (191 loc) · 8.09 KB
/
test_csp_bug768029.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
-->
<head>
<meta charset="utf-8">
<title>Test for CSP on trusted/certified apps -- bug 768029</title>
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=768029">Mozilla Bug 768029</a>
<p id="display"></p>
<div id="content">
</div>
<pre id="test">
<script type="application/javascript;version=1.7">
Components.utils.import("resource://gre/modules/Services.jsm");
/** Test for Bug 768029 **/
// Note: we don't have to inspect all the different operations of CSP,
// we're just looking for specific differences in behavior that indicate
// a default CSP got applied.
const DEFAULT_CSP_PRIV = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";
const DEFAULT_CSP_CERT = "default-src *; script-src 'self'; style-src 'self'; object-src 'none'";
SimpleTest.waitForExplicitFinish();
var gData = [
{
app: "https://example.com/manifest.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/file_csp_bug768029.html",
statusString: "installed app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: true, style: true },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_priv.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/file_csp_bug768029.html",
statusString: "privileged app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_cert.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/file_csp_bug768029.html",
statusString: "certified app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
];
// Observer for watching allowed loads and blocked attempts
function ThingyListener(app, iframe) {
Services.obs.addObserver(this, "csp-on-violate-policy", false);
Services.obs.addObserver(this, "http-on-modify-request", false);
dump("added observers\n");
// keep track of which app ID this test is monitoring.
this._testData = app;
this._expectedResults = app.expectedTestResults;
this._resultsRecorded = { cross_origin: {}, same_origin: {}};
this._iframe = iframe;
this._countedTests = 0;
}
ThingyListener.prototype = {
observe: function(subject, topic, data) {
// make sure to only observe app-generated calls to the helper for this test.
var testpat = new RegExp("file_csp_bug768029\\.sjs");
// used to extract which kind of load this is (img, script, etc).
var typepat = new RegExp("type=([\\_a-z0-9]+)");
// used to identify whether it's cross-origin or same-origin loads
// (the applied CSP allows same-origin loads).
var originpat = new RegExp("origin=([\\_a-z0-9]+)");
if (topic === "http-on-modify-request") {
// Matching requests on this topic were allowed by the csp
var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var uri = chan.URI;
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == true, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else if (topic === "csp-on-violate-policy") {
// Matching hits on this topic were blocked by the csp
var uri = subject.QueryInterface(Components.interfaces.nsIURI);
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == false, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else {
// wrong topic! Nothing to do.
return;
}
this._checkForFinish();
},
_checkForFinish: function() {
// check to see if there are load tests still pending.
// (All requests triggered by the app should hit one of the
// two observer topics.)
if (this._countedTests == this._expectedResults.max_tests) {
Services.obs.removeObserver(this, "csp-on-violate-policy");
Services.obs.removeObserver(this, "http-on-modify-request");
dump("removed observers\n");
checkedCount++;
if (checkedCount == checksTodo) {
SpecialPowers.removePermission("browser", "https://example.com");
SimpleTest.finish();
} else {
gTestRunner.next();
}
}
},
// verify the status of the app
checkAppStatus: function() {
var principal = this._iframe.contentDocument.nodePrincipal;
if (this._testData.app) {
is(principal.appStatus, this._testData.appStatus,
"iframe principal's app status doesn't match the expected app status.");
this._countedTests++;
this._checkForFinish();
}
}
}
var content = document.getElementById('content');
var checkedCount = 0; // number of apps checked
var checksTodo = gData.length;
// quick check to make sure we can test apps:
is('appStatus' in document.nodePrincipal, true,
'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
function runTest() {
for (var i = 0; i < gData.length; i++) {
let data = gData[i];
var iframe = document.createElement('iframe');
// watch for successes and failures
var examiner = new ThingyListener(data, iframe);
iframe.setAttribute('mozapp', data.app);
iframe.setAttribute('mozbrowser', 'true');
iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
iframe.src = data.uri;
content.appendChild(iframe);
yield;
}
}
var gTestRunner = runTest();
// load the default CSP and pref it on
SpecialPowers.addPermission("browser", true, "https://example.com");
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
["security.mixed_content.block_active_content", false],
["security.mixed_content.block_display_content", false]]},
function() { gTestRunner.next(); });
</script>
</pre>
</body>
</html>