Bug 802872 - Mochitest verifying that CSP restricts EventSource using the connect-src directive. r=grobinson

2024-10-10 11:55:49 +00:00 · 2013-08-12 17:22:44 -07:00 · 2013-08-12 17:22:44 -07:00 · 91308095bd
commit 91308095bd
parent 3321581523
6 changed files with 126 additions and 0 deletions
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@ -657,6 +657,11 @@ MOCHITEST_FILES_C= \
 		file_CSP_bug663567_allows.xsl \
 		file_CSP_bug663567_blocks.xml \
 		file_CSP_bug663567_blocks.xml^headers^ \
+		test_CSP_bug802872.html \
+		file_CSP_bug802872.html \
+		file_CSP_bug802872.html^headers^ \
+		file_CSP_bug802872.js \
+		file_CSP_bug802872.sjs \
 		$(NULL)

 # OOP tests don't work on Windows (bug 763081) or native-fennec
--- a/content/base/test/file_CSP_bug802872.html
+++ b/content/base/test/file_CSP_bug802872.html
@ -0,0 +1,12 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 802872</title>
+  <!-- Including SimpleTest.js so we can use AddLoadEvent !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <script src='file_CSP_bug802872.js'></script>
+</body>
+</html>
--- a/content/base/test/file_CSP_bug802872.html^headers^
+++ b/content/base/test/file_CSP_bug802872.html^headers^
@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'
--- a/content/base/test/file_CSP_bug802872.js
+++ b/content/base/test/file_CSP_bug802872.js
@ -0,0 +1,43 @@
+/*
+ *   The policy for this test is:
+ *   Content-Security-Policy: default-src 'self'
+ */
+
+function createAllowedEvent() {
+  /*
+   * Creates a new EventSource using 'http://mochi.test:8888'. Since all mochitests run on
+   * 'http://mochi.test', a default-src of 'self' allows this request.
+   */
+  var src_event = new EventSource("http://mochi.test:8888/tests/content/base/test/file_CSP_bug802872.sjs");
+
+  src_event.onmessage = function(e) {
+    src_event.close();
+    parent.dispatchEvent(new Event('allowedEventSrcCallbackOK'));
+  }
+
+  src_event.onerror = function(e) {
+    src_event.close();
+    parent.dispatchEvent(new Event('allowedEventSrcCallbackFailed'));
+  }
+}
+
+function createBlockedEvent() {
+  /*
+   * creates a new EventSource using 'http://example.com'. This domain is not whitelisted by the 
+   * CSP of this page, therefore the CSP blocks this request.
+   */
+  var src_event = new EventSource("http://example.com/tests/content/base/test/file_CSP_bug802872.sjs");
+
+  src_event.onmessage = function(e) {
+    src_event.close();
+    parent.dispatchEvent(new Event('blockedEventSrcCallbackOK'));
+  }
+
+  src_event.onerror = function(e) {
+    src_event.close();
+    parent.dispatchEvent(new Event('blockedEventSrcCallbackFailed'));
+  }
+}
+
+addLoadEvent(createAllowedEvent);
+addLoadEvent(createBlockedEvent);
--- a/content/base/test/file_CSP_bug802872.sjs
+++ b/content/base/test/file_CSP_bug802872.sjs
@ -0,0 +1,7 @@
+function handleRequest(request, response)
+{
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/event-stream", false);
+  response.write("data: eventsource response from server!");
+  response.write("\n\n");
+}
--- a/content/base/test/test_CSP_bug802872.html
+++ b/content/base/test/test_CSP_bug802872.html
@ -0,0 +1,58 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 802872</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <p id="display"></p>
+  <div id="content" style="display: none"></div>
+  <iframe style="width:100%;" id='eventframe'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+var finishedTests = 0;
+var numberOfTests = 2;
+
+var checkExplicitFinish = function () {
+  finishedTests++;
+  if (finishedTests == numberOfTests) {
+     SimpleTest.finish();
+  }
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function () {
+    // add event listeners for CSP-permitted EventSrc callbacks
+    addEventListener('allowedEventSrcCallbackOK', function (e) {
+      ok(true, "OK: CSP allows EventSource for whitelisted domain!");
+      checkExplicitFinish();
+    }, false);
+    addEventListener('allowedEventSrcCallbackFailed', function (e) {
+      ok(false, "Error: CSP blocks EventSource for whitelisted domain!");
+      checkExplicitFinish();
+    }, false);
+
+    // add event listeners for CSP-blocked EventSrc callbacks
+    addEventListener('blockedEventSrcCallbackOK', function (e) {
+      ok(false, "Error: CSP allows EventSource to not whitelisted domain!");
+      checkExplicitFinish();
+    }, false);
+    addEventListener('blockedEventSrcCallbackFailed', function (e) {
+      ok(true, "OK: CSP blocks EventSource for not whitelisted domain!");
+      checkExplicitFinish();
+    }, false);
+
+    // load it
+    document.getElementById('eventframe').src = 'file_CSP_bug802872.html';
+  }
+);
+
+</script>
+</body>
+</html>