Bug 663570 - Test 2: meta and header dual test (r=sicking)

dom/security/test/csp/file_meta_header_dual.sjs

@@ -0,0 +1,98 @@
+// Custom *.sjs file specifically for the needs of Bug:
+// Bug 663570 - Implement Content Security Policy via meta tag
+
+const HTML_HEAD =
+  "<!DOCTYPE HTML>" +
+  "<html>" +
+  "<head>" +
+  "<meta charset='utf-8'>" +
+  "<title>Bug 663570 - Implement Content Security Policy via <meta> tag</title>";
+
+const HTML_BODY =
+  "</head>" +
+  "<body>" +
+  "<img id='testimage' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png'></img>" +
+  "<script type='application/javascript'>" +
+  "  var myImg = document.getElementById('testimage');" +
+  "  myImg.onload = function(e) {" +
+  "    window.parent.postMessage({result: 'img-loaded'}, '*');" +
+  "  };" +
+  "  myImg.onerror = function(e) { " +
+  "    window.parent.postMessage({result: 'img-blocked'}, '*');" +
+  "  };" +
+  "</script>" +
+  "</body>" +
+  "</html>";
+
+const META_CSP_BLOCK_IMG =
+  "<meta http-equiv=\"Content-Security-Policy\" content=\"img-src 'none'\">";
+
+const META_CSP_ALLOW_IMG =
+  "<meta http-equiv=\"Content-Security-Policy\" content=\"img-src http://mochi.test:8888;\">";
+
+const HEADER_CSP_BLOCK_IMG = "img-src 'none';";
+
+const HEADER_CSP_ALLOW_IMG = "img-src http://mochi.test:8888";
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+  var queryString = request.queryString;
+
+  if (queryString === "test1") {
+    /* load image without any CSP */
+    response.write(HTML_HEAD + HTML_BODY);
+    return;
+  }
+
+  if (queryString === "test2") {
+    /* load image where meta denies load */
+    response.write(HTML_HEAD + META_CSP_BLOCK_IMG + HTML_BODY);
+    return;
+  }
+
+  if (queryString === "test3") {
+    /* load image where meta allows load */
+    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + HTML_BODY);
+    return;
+  }
+
+  if (queryString === "test4") {
+    /* load image where meta allows but header blocks */
+    response.setHeader("Content-Security-Policy", HEADER_CSP_BLOCK_IMG, false);
+    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + HTML_BODY);
+    return;
+  }
+
+  if (queryString === "test5") {
+    /* load image where meta blocks but header allows */
+    response.setHeader("Content-Security-Policy", HEADER_CSP_ALLOW_IMG, false);
+    response.write(HTML_HEAD + META_CSP_BLOCK_IMG + HTML_BODY);
+    return;
+  }
+
+  if (queryString === "test6") {
+    /* load image where meta allows and header allows */
+    response.setHeader("Content-Security-Policy", HEADER_CSP_ALLOW_IMG, false);
+    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + HTML_BODY);
+    return;
+  }
+
+  if (queryString === "test7") {
+    /* load image where meta1 allows but meta2 blocks */
+    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + META_CSP_BLOCK_IMG + HTML_BODY);
+    return;
+  }
+
+  if (queryString === "test8") {
+    /* load image where meta1 allows and meta2 allows */
+    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + META_CSP_ALLOW_IMG + HTML_BODY);
+    return;
+  }
+
+  // we should never get here, but just in case, return
+  // something unexpected
+  response.write("do'h");
+}

dom/security/test/csp/mochitest.ini

@@ -146,6 +146,7 @@ support-files =
   file_child-src_shared_worker.js
   file_redirect_worker.sjs
   file_meta_element.html
+  file_meta_header_dual.sjs
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -218,3 +219,4 @@ skip-if = buildapp == 'b2g' #investigate in bug 1222904
 [test_child-src_worker-redirect.html]
 [test_child-src_iframe.html]
 [test_meta_element.html]
+[test_meta_header_dual.html]

dom/security/test/csp/test_meta_header_dual.html

@@ -0,0 +1,137 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 663570 - Implement Content Security Policy via meta tag</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We test all sorts of CSPs on documents, including documents with no
+ * CSP, with meta CSP and with meta CSP in combination with a CSP header.
+ */
+
+const TESTS = [
+  {
+    /* load image without any CSP */
+    query: "test1",
+    result: "img-loaded",
+    policyLen: 0,
+    desc: "no CSP should allow load",
+  },
+  {
+    /* load image where meta denies load */
+    query: "test2",
+    result: "img-blocked",
+    policyLen: 1,
+    desc: "meta (img-src 'none') should block load"
+  },
+  {
+    /* load image where meta allows load */
+    query: "test3",
+    result: "img-loaded",
+    policyLen: 1,
+    desc: "meta (img-src http://mochi.test) should allow load"
+  },
+  {
+    /* load image where meta allows but header blocks */
+    query: "test4", // triggers speculative load
+    result: "img-blocked",
+    policyLen: 2,
+    desc: "meta (img-src http://mochi.test), header (img-src 'none') should block load"
+  },
+  {
+    /* load image where meta blocks but header allows */
+    query: "test5", // triggers speculative load
+    result: "img-blocked",
+    policyLen: 2,
+    desc: "meta (img-src 'none'), header (img-src http://mochi.test) should block load"
+  },
+  {
+    /* load image where meta allows and header allows */
+    query: "test6", // triggers speculative load
+    result: "img-loaded",
+    policyLen: 2,
+    desc: "meta (img-src http://mochi.test), header (img-src http://mochi.test) should allow load"
+  },
+  {
+    /* load image where meta1 allows but meta2 blocks */
+    query: "test7",
+    result: "img-blocked",
+    policyLen: 2,
+    desc: "meta1 (img-src http://mochi.test), meta2 (img-src 'none') should allow blocked"
+  },
+  {
+    /* load image where meta1 allows and meta2 allows */
+    query: "test8",
+    result: "img-loaded",
+    policyLen: 2,
+    desc: "meta1 (img-src http://mochi.test), meta2 (img-src http://mochi.test) should allow allowed"
+  },
+];
+
+var curTest;
+var counter = -1;
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage, false);
+  SimpleTest.finish();
+}
+
+function checkResults(result) {
+  // make sure the image got loaded or blocked
+  is(result, curTest.result, curTest.query + ": " + curTest.desc);
+
+  if (curTest.policyLen != 0) {
+    // make sure that meta policy got not parsed and appended twice
+    try {
+      // get the csp in JSON notation from the principal
+      var frame = document.getElementById("testframe");
+      var principal = SpecialPowers.wrap(frame.contentDocument).nodePrincipal;
+      var cspJSON = principal.cspJSON;
+      var cspOBJ = JSON.parse(cspJSON);
+
+      // make sure that the speculative policy and the actual policy
+      // are not appended twice.
+      var policies = cspOBJ["csp-policies"];
+      is(policies.length, curTest.policyLen, curTest.query + " should have: " + curTest.policyLen + " policies");
+    }
+    catch (e) {
+      ok(false, "uuh, something went wrong within cspToJSON in " + curTest.query);
+    }
+  }
+  // move on to the next test
+  runNextTest();
+}
+
+// a postMessage handler used to bubble up the
+// onsuccess/onerror state from within the iframe.
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+function runNextTest() {
+  if (++counter == TESTS.length) {
+    finishTest();
+    return;
+  }
+  curTest = TESTS[counter];
+  // load next test
+  document.getElementById("testframe").src = "file_meta_header_dual.sjs?" + curTest.query;
+}
+
+// start the test
+SimpleTest.waitForExplicitFinish();
+runNextTest();
+
+</script>
+</body>
+</html>