Bug 921493 - CSP: test whitelisting of scheme-relative sources (r=dveditz)
--HG-- extra : rebase_source : 3f350bd1dc01b02a30356410eeaaaa6b8cc06137
This commit is contained in:
parent
9eafc85845
commit
3575125d2a
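--- a/dom/base/test/csp/file_scheme_relative_sources.js
+++ b/dom/base/test/csp/file_scheme_relative_sources.js
@@ -0,0 +1 @@
+document.getElementById("testdiv").innerHTML = "allowed";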
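--- a/dom/base/test/csp/file_scheme_relative_sources.sjs
+++ b/dom/base/test/csp/file_scheme_relative_sources.sjs
@@ -0,0 +1,42 @@
+/**
+* Custom *.sjs specifically for the needs of
+* Bug 921493 - CSP: test whitelisting of scheme-relative sources
+*/
+
+function handleRequest(request, response)
+{
+Components.utils.importGlobalProperties(["URLSearchParams"]);
+let query = new URLSearchParams(request.queryString);
+
+let scheme = query.get("scheme");
+let policy = query.get("policy");
+
+let linkUrl = scheme +
+"://example.com/tests/dom/base/test/csp/file_scheme_relative_sources.js";
+
+let html = "<!DOCTYPE HTML>" +
+"<html>" +
+"<head>" +
+"<title>test schemeless sources within CSP</title>" +
+"</head>" +
+"<body> " +
+"<div id='testdiv'>blocked</div>" +
+// try to load a scheme relative script
+"<script src='" + linkUrl + "'></script>" +
+// have an inline script that reports back to the parent whether
+// the script got loaded or not from within the sandboxed iframe.
+"<script type='application/javascript'>" +
+"window.onload = function() {" +
+"var inner = document.getElementById('testdiv').innerHTML;" +
+"window.parent.postMessage({ result: inner }, '*');" +
+"}" +
+"</script>" +
+"</body>" +
+"</html>";
+
+response.setHeader("Cache-Control", "no-cache", false);
+response.setHeader("Content-Type", "text/html", false);
+response.setHeader("Content-Security-Policy", policy, false);
+
+response.write(html);
+}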
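Review bot: `scheme` and `policy` are taken from the query string at the `let scheme = query.get("scheme")` / `let policy = query.get("policy")` lines and used without validation — `scheme` is interpolated into the `<script src='…'>` attribute and `policy` is written verbatim into the `Content-Security-Policy` header, and a missing parameter yields `null`, so `linkUrl` becomes `null://example.com/…` and the header presumably carries the string "null", which would make the test pass or fail for the wrong reason. Since the test only exercises two schemes, restrict the parameter and fail loudly otherwise, e.g. `if (scheme !== "http" && scheme !== "https") { response.setStatusLine(request.httpVersion, 400, "Bad Request"); return; }`, and reject a null `policy` the same way before setting the header. The comment above the inline script speaks of "the sandboxed iframe", but the frame in dom/base/test/csp/test_scheme_relative_sources.html has no `sandbox` attribute; postMessage is needed because the example.com frame is cross-origin to the test page, so the comment should read `// the script got loaded or not from within the cross-origin iframe.` — the same wording recurs in that file's `// using a postMessage handler …` comment.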
@ -84,6 +84,8 @@ support-files =
|
||||
file_hash_source.html
|
||||
file_dual_header_testserver.sjs
|
||||
file_hash_source.html^headers^
|
||||
file_scheme_relative_sources.js
|
||||
file_scheme_relative_sources.sjs
|
||||
file_ignore_unsafe_inline.html
|
||||
file_self_none_as_hostname_confusion.html
|
||||
file_self_none_as_hostname_confusion.html^headers^
|
||||
@ -140,6 +142,8 @@ skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'and
|
||||
skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observers are not available in child processes
|
||||
[test_hash_source.html]
|
||||
skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
|
||||
[test_scheme_relative_sources.html]
|
||||
skip-if = buildapp == 'b2g' #no ssl support
|
||||
[test_ignore_unsafe_inline.html]
|
||||
[test_self_none_as_hostname_confusion.html]
|
||||
[test_bug949549.html]
|
||||
|
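--- a/dom/base/test/csp/test_scheme_relative_sources.html
+++ b/dom/base/test/csp/test_scheme_relative_sources.html
@@ -0,0 +1,91 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 921493 - CSP: test whitelisting of scheme-relative sources</title>
+<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+/* Description of the test:
+* We load http and https pages and verify that scheme relative sources
+* are allowed unless its a downgrade from https -> http.
+*
+* Please note that the policy contains 'unsafe-inline' so we can use
+* an inline script to query the result from within the sandboxed iframe
+* and report it back to the parent document.
+*/
+
+var POLICY = "default-src 'none'; script-src 'unsafe-inline' example.com;";
+
+var tests = [
+{
+description: "http -> http",
+from: "http",
+to: "http",
+result: "allowed",
+},
+{
+description: "http -> https",
+from: "http",
+to: "https",
+result: "allowed",
+},
+{
+description: "https -> https",
+from: "https",
+to: "https",
+result: "allowed",
+},
+{
+description: "https -> http",
+from: "https",
+to: "http",
+result: "blocked",
+}
+];
+
+var counter = 0;
+var curTest;
+
+function loadNextTest() {
+if (counter == tests.length) {
+window.removeEventListener("message", receiveMessage, false);
+SimpleTest.finish();
+return;
+}
+
+curTest = tests[counter++];
+
+var src = curTest.from +
+"://example.com/tests/dom/base/test/csp/file_scheme_relative_sources.sjs" +
+"?scheme=" + curTest.to +
+"&policy=" + escape(POLICY);
+
+document.getElementById("testframe").src = src;
+}
+
+// using a postMessage handler to report the result back from
+// within the sandboxed iframe without 'allow-same-origin'.
+window.addEventListener("message", receiveMessage, false);
+
+function receiveMessage(event) {
+
+is(event.data.result, curTest.result,
+"should be " + curTest.result + " in test (" + curTest.description + ")!");
+
+loadNextTest();
+}
+
+// get the test started
+loadNextTest();
+
+</script>
+</body>
+</html>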
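Review bot: `escape(POLICY)` in `loadNextTest` relies on the deprecated `escape`, which is not a URL encoder (it leaves `+` and `/` untouched and emits `%uXXXX` for non-Latin-1 characters); it happens to work for this policy string but `encodeURIComponent(POLICY)` is the correct call and survives any future change to `POLICY`. `counter == tests.length` should be the strict `counter === tests.length`. `receiveMessage` accepts `event.data.result` from any sender; since the only expected source is the example.com frame, a guard such as `if (event.source !== document.getElementById("testframe").contentWindow) return;` keeps a stray message from another frame or the harness from being counted as a test result.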