Bug 802872 - Mochitest verifying that CSP restricts EventSource using the connect-src directive. r=grobinson
This commit is contained in:
parent
3321581523
commit
91308095bd
@ -657,6 +657,11 @@ MOCHITEST_FILES_C= \
|
||||
file_CSP_bug663567_allows.xsl \
|
||||
file_CSP_bug663567_blocks.xml \
|
||||
file_CSP_bug663567_blocks.xml^headers^ \
|
||||
test_CSP_bug802872.html \
|
||||
file_CSP_bug802872.html \
|
||||
file_CSP_bug802872.html^headers^ \
|
||||
file_CSP_bug802872.js \
|
||||
file_CSP_bug802872.sjs \
|
||||
$(NULL)
|
||||
|
||||
# OOP tests don't work on Windows (bug 763081) or native-fennec
|
||||
|
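--- /dev/null
+++ b/content/base/test/file_CSP_bug802872.html
@@ -0,0 +1,12 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 802872</title>
+<!-- Including SimpleTest.js so we can use AddLoadEvent !-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script src='file_CSP_bug802872.js'></script>
+</body>
+</html>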
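--- /dev/null
+++ b/content/base/test/file_CSP_bug802872.html^headers^
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'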
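--- /dev/null
+++ b/content/base/test/file_CSP_bug802872.js
@@ -0,0 +1,43 @@
+/*
+* The policy for this test is:
+* Content-Security-Policy: default-src 'self'
+*/
+
+function createAllowedEvent() {
+/*
+* Creates a new EventSource using 'http://mochi.test:8888'. Since all mochitests run on
+* 'http://mochi.test', a default-src of 'self' allows this request.
+*/
+var src_event = new EventSource("http://mochi.test:8888/tests/content/base/test/file_CSP_bug802872.sjs");
+
+src_event.onmessage = function(e) {
+src_event.close();
+parent.dispatchEvent(new Event('allowedEventSrcCallbackOK'));
+}
+
+src_event.onerror = function(e) {
+src_event.close();
+parent.dispatchEvent(new Event('allowedEventSrcCallbackFailed'));
+}
+}
+
+function createBlockedEvent() {
+/*
+* creates a new EventSource using 'http://example.com'. This domain is not whitelisted by the
+* CSP of this page, therefore the CSP blocks this request.
+*/
+var src_event = new EventSource("http://example.com/tests/content/base/test/file_CSP_bug802872.sjs");
+
+src_event.onmessage = function(e) {
+src_event.close();
+parent.dispatchEvent(new Event('blockedEventSrcCallbackOK'));
+}
+
+src_event.onerror = function(e) {
+src_event.close();
+parent.dispatchEvent(new Event('blockedEventSrcCallbackFailed'));
+}
+}
+
+addLoadEvent(createAllowedEvent);
+addLoadEvent(createBlockedEvent);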
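Review bot: The `onerror` handler in createBlockedEvent treats any error as proof that CSP blocked the request, but per the EventSource spec an `error` event is also fired for an ordinary failed connection and before each reconnect attempt, so the blocked case can report success without CSP doing anything. Checking `if (src_event.readyState === EventSource.CLOSED)` inside the handler before dispatching `blockedEventSrcCallbackFailed` would at least separate a permanently failed connection, which is what a CSP block produces, from a transient retry; confirm this against the EventSource implementation the test targets. The unused `e` parameter could be dropped from all four handlers. A comment on the blocked path such as `// a CSP block fails the connection for good (readyState CLOSED); a network hiccup only schedules a reconnect` would document why the distinction matters.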
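--- /dev/null
+++ b/content/base/test/file_CSP_bug802872.sjs
@@ -0,0 +1,7 @@
+function handleRequest(request, response)
+{
+response.setHeader("Cache-Control", "no-cache", false);
+response.setHeader("Content-Type", "text/event-stream", false);
+response.write("data: eventsource response from server!");
+response.write("\n\n");
+}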
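Review bot: handleRequest sends no `Access-Control-Allow-Origin` header, so the cross-origin EventSource to example.com created in file_CSP_bug802872.js would fail for CORS reasons even if CSP did not block it, assuming EventSource applies CORS to cross-origin URLs in this build; that makes the "blocked" half of the test unable to detect a connect-src regression. Adding `response.setHeader("Access-Control-Allow-Origin", "*", false);` next to the other headers lets the request succeed in the absence of CSP, so only a real block produces the error path. The same-origin "allowed" request is unaffected by the extra header.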
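--- /dev/null
+++ b/content/base/test/test_CSP_bug802872.html
@@ -0,0 +1,58 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 802872</title>
+<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none"></div>
+<iframe style="width:100%;" id='eventframe'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+var finishedTests = 0;
+var numberOfTests = 2;
+
+var checkExplicitFinish = function () {
+finishedTests++;
+if (finishedTests == numberOfTests) {
+SimpleTest.finish();
+}
+}
+
+SpecialPowers.pushPrefEnv(
+{'set':[["security.csp.speccompliant", true]]},
+function () {
+// add event listeners for CSP-permitted EventSrc callbacks
+addEventListener('allowedEventSrcCallbackOK', function (e) {
+ok(true, "OK: CSP allows EventSource for whitelisted domain!");
+checkExplicitFinish();
+}, false);
+addEventListener('allowedEventSrcCallbackFailed', function (e) {
+ok(false, "Error: CSP blocks EventSource for whitelisted domain!");
+checkExplicitFinish();
+}, false);
+
+// add event listeners for CSP-blocked EventSrc callbacks
+addEventListener('blockedEventSrcCallbackOK', function (e) {
+ok(false, "Error: CSP allows EventSource to not whitelisted domain!");
+checkExplicitFinish();
+}, false);
+addEventListener('blockedEventSrcCallbackFailed', function (e) {
+ok(true, "OK: CSP blocks EventSource for not whitelisted domain!");
+checkExplicitFinish();
+}, false);
+
+// load it
+document.getElementById('eventframe').src = 'file_CSP_bug802872.html';
+}
+);
+
+</script>
+</body>
+</html>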
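Review bot: `if (finishedTests == numberOfTests)` in checkExplicitFinish uses loose equality where both operands are plain numbers; `===` is the idiom and removes any doubt about coercion. Because each EventSource in the fixture calls close() before dispatching its event, the counter cannot overshoot, but a comment above `var numberOfTests = 2;` such as `// one callback expected per EventSource created in file_CSP_bug802872.js` would tie the count to the fixture for the next maintainer. The policy under test is `default-src 'self'` with no explicit connect-src, so a sentence in the header comment noting that the test relies on default-src fallback would help readers looking for the directive named in the commit title.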