Bug 910139 - Tests for new nsIContentPolicy TYPE_XSLT via CSP. r=grobinson

2024-10-15 06:15:43 +00:00 · 2013-09-11 12:43:14 -07:00 · 2013-09-11 12:43:14 -07:00 · 2c8afac51c
commit 2c8afac51c
parent 9c4e72b4ed
5 changed files with 182 additions and 0 deletions
--- a/content/base/test/csp/file_CSP_bug910139.sjs
+++ b/content/base/test/csp/file_CSP_bug910139.sjs
@ -0,0 +1,52 @@
+// Server side js file for bug 910139, see file test_CSP_bug910139.html for details.
+
+Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+function loadResponseFromFile(path) {
+  var testHTMLFile =
+    Components.classes["@mozilla.org/file/directory_service;1"].
+    getService(Components.interfaces.nsIProperties).
+    get("CurWorkD", Components.interfaces.nsILocalFile);
+  var dirs = path.split("/");
+  for (var i = 0; i < dirs.length; i++) {
+    testHTMLFile.append(dirs[i]);
+  }
+  var testHTMLFileStream =
+    Components.classes["@mozilla.org/network/file-input-stream;1"].
+    createInstance(Components.interfaces.nsIFileInputStream);
+  testHTMLFileStream.init(testHTMLFile, -1, 0, 0);
+  var testHTML = NetUtil.readInputStreamToString(testHTMLFileStream, testHTMLFileStream.available());
+  return testHTML;
+}
+
+var policies = [
+  "default-src 'self'; script-src 'self'",       // CSP for checkAllowed
+  "default-src 'self'; script-src *.example.com" // CSP for checkBlocked
+]
+
+function getPolicy() {
+  var index;
+  // setState only accepts strings as arguments
+  if (!getState("counter")) {
+    index = 0;
+    setState("counter", index.toString());
+  }
+  else {
+    index = parseInt(getState("counter"));
+    ++index;
+    setState("counter", index.toString());
+  }
+  return policies[index];
+}
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // set the required CSP
+  response.setHeader("Content-Security-Policy", getPolicy(), false);
+
+  // return the requested XML file.
+  response.write(loadResponseFromFile("tests/content/base/test/csp/file_CSP_bug910139.xml"));
+}
--- a/content/base/test/csp/file_CSP_bug910139.xml
+++ b/content/base/test/csp/file_CSP_bug910139.xml
@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+<catalog>
+	<cd>
+		<title>Empire Burlesque</title>
+		<artist>Bob Dylan</artist>
+		<country>USA</country>
+		<company>Columbia</company>
+		<price>10.90</price>
+		<year>1985</year>
+	</cd>
+	<cd>
+		<title>Hide your heart</title>
+		<artist>Bonnie Tyler</artist>
+		<country>UK</country>
+		<company>CBS Records</company>
+		<price>9.90</price>
+		<year>1988</year>
+	</cd>
+	<cd>
+		<title>Greatest Hits</title>
+		<artist>Dolly Parton</artist>
+		<country>USA</country>
+		<company>RCA</company>
+		<price>9.90</price>
+		<year>1982</year>
+	</cd>
+</catalog>
--- a/content/base/test/csp/file_CSP_bug910139.xsl
+++ b/content/base/test/csp/file_CSP_bug910139.xsl
@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!-- Edited by XMLSpy® -->
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:template match="/">
+  <html>
+  <body>
+  <h2 id="xsltheader">this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!</h2>
+    <table border="1">
+      <tr bgcolor="#990099">
+        <th>Title</th>
+        <th>Artist</th>
+        <th>Price</th>
+      </tr>
+      <xsl:for-each select="catalog/cd">
+      <tr>
+        <td><xsl:value-of select="title"/></td>
+        <td><xsl:value-of select="artist"/></td>
+        <td><xsl:value-of select="price"/></td>
+      </tr>
+      </xsl:for-each>
+    </table>
+  </body>
+  </html>
+</xsl:template>
+</xsl:stylesheet>
+
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@ -75,6 +75,9 @@ support-files =
  file_csp_redirects_main.html
  file_csp_redirects_page.sjs
  file_csp_redirects_resource.sjs
+  file_CSP_bug910139.sjs
+  file_CSP_bug910139.xml
+  file_CSP_bug910139.xsl

 [test_CSP.html]
 [test_CSP_bug663567.html]
@ -90,3 +93,4 @@ support-files =
 [test_bothCSPheaders.html]
 [test_bug836922_npolicies.html]
 [test_csp_redirects.html]
+[test_CSP_bug910139.html]
--- a/content/base/test/csp/test_CSP_bug910139.html
+++ b/content/base/test/csp/test_CSP_bug910139.html
@ -0,0 +1,71 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>CSP should block XSLT as script, not as style</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <p id="display"></p>
+  <div id="content" style="display: none"></div>
+  <iframe style="width:100%;" id='xsltframe'></iframe>
+  <iframe style="width:100%;" id='xsltframe2'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+// define the expected output of this test
+var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
+
+function checkAllowed () {
+  /*   The policy for this test is:
+   *   Content-Security-Policy: default-src 'self'; script-src 'self'
+   *
+   *   we load the xsl file using:
+   *   <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+   */
+  try {
+    var cspframe = document.getElementById('xsltframe');
+    var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
+    is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
+  }
+  catch (e) {
+    ok(false, "Error: could not access content in xsltframe!")
+  }
+
+  // continue with the next test
+  document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
+  document.getElementById('xsltframe2').src = 'file_CSP_bug910139.sjs';
+}
+
+function checkBlocked () {
+  /*   The policy for this test is:
+   *   Content-Security-Policy: default-src 'self'; script-src *.example.com
+   *
+   *   we load the xsl file using:
+   *   <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+   */
+  try {
+    var cspframe = document.getElementById('xsltframe2');
+    var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
+    is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
+  }
+  catch (e) {
+    ok(false, "Error: could not access content in xsltframe2!")
+  }
+  SimpleTest.finish();
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function () {
+    document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
+    document.getElementById('xsltframe').src = 'file_CSP_bug910139.sjs';
+  }
+);
+
+</script>
+</body>
+</html>