Bug 663570 - Test 5: doc.write(meta csp) (r=sicking)

2025-02-28 05:10:49 +00:00 · 2015-11-14 19:30:24 -08:00 · 2015-11-14 19:30:24 -08:00 · c941fd4008
commit c941fd4008
parent 749afb19d4
6 changed files with 151 additions and 0 deletions
--- a/dom/security/test/csp/file_doccomment_meta.html
+++ b/dom/security/test/csp/file_doccomment_meta.html
@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 663570 - Test doc.write(meta csp)</title>
+  <meta charset="utf-8">
+
+  <!-- Use doc.write() to *un*apply meta csp -->
+  <script type="application/javascript">
+    document.write("<!--");
+  </script>
+
+  <meta http-equiv="Content-Security-Policy" content= "style-src 'none';  script-src 'none'; img-src 'none'">
+  -->
+
+  <!-- try to load a css on a page where meta CSP is commented out -->
+  <link rel="stylesheet" type="text/css" href="file_docwrite_meta.css">
+
+  <!-- try to load a script on a page where meta CSP is commented out -->
+  <script id="testscript" src="file_docwrite_meta.js"></script>
+
+</head>
+<body>
+
+  <!-- try to load an image on a page where meta CSP is commented out -->
+  <img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png"></img>
+
+</body>
+</html>
--- a/dom/security/test/csp/file_docwrite_meta.css
+++ b/dom/security/test/csp/file_docwrite_meta.css
@ -0,0 +1,3 @@
+body {
+  background-color: rgb(255, 0, 0);
+}
--- a/dom/security/test/csp/file_docwrite_meta.html
+++ b/dom/security/test/csp/file_docwrite_meta.html
@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 663570 - Test doc.write(meta csp)</title>
+  <meta charset="utf-8">
+
+  <!-- Use doc.write() to apply meta csp -->
+  <script type="application/javascript">
+    var metaCSP = "style-src 'none';  script-src 'none'; img-src 'none'";
+    document.write("<meta http-equiv=\"Content-Security-Policy\" content=\" " + metaCSP + "\">");
+  </script>
+
+  <!-- try to load a css which is forbidden by meta CSP -->
+  <link rel="stylesheet" type="text/css" href="file_docwrite_meta.css">
+
+  <!-- try to load a script which is forbidden by meta CSP -->
+  <script id="testscript" src="file_docwrite_meta.js"></script>
+
+</head>
+<body>
+
+  <!-- try to load an image which is forbidden by meta CSP -->
+  <img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png"></img>
+
+</body>
+</html>
--- a/dom/security/test/csp/file_docwrite_meta.js
+++ b/dom/security/test/csp/file_docwrite_meta.js
@ -0,0 +1,3 @@
+// set a variable on the document which we can check to verify
+// whether the external script was loaded or blocked
+document.myMetaCSPScript = "external-JS-loaded";
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@ -148,6 +148,10 @@ support-files =
  file_redirect_worker.sjs
  file_meta_element.html
  file_meta_header_dual.sjs
+  file_docwrite_meta.html
+  file_doccomment_meta.html
+  file_docwrite_meta.css
+  file_docwrite_meta.js

 [test_base-uri.html]
 [test_blob_data_schemes.html]
@ -221,3 +225,4 @@ skip-if = buildapp == 'b2g' #investigate in bug 1222904
 [test_child-src_iframe.html]
 [test_meta_element.html]
 [test_meta_header_dual.html]
+[test_docwrite_meta.html]
--- a/dom/security/test/csp/test_docwrite_meta.html
+++ b/dom/security/test/csp/test_docwrite_meta.html
@ -0,0 +1,86 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 663570 - Implement Content Security Policy via meta tag</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<iframe style="width:100%;" id="writemetacspframe"></iframe>
+<iframe style="width:100%;" id="commentmetacspframe"></iframe>
+
+
+<script class="testbody" type="text/javascript">
+/* Description of the test:
+ * We load two frames, where the first frame does doc.write(meta csp) and
+ * the second does doc.write(comment out meta csp).
+ * We make sure to reuse/invalidate preloads depending on the policy.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+var writemetacspframe = document.getElementById("writemetacspframe");
+var commentmetacspframe = document.getElementById("commentmetacspframe");
+var seenResults = 0;
+
+function checkTestsDone() {
+  seenResults++;
+  if (seenResults < 2) {
+    return;
+  }
+  SimpleTest.finish();
+}
+
+// document.write(<meta csp ...>) should block resources from being included in the doc
+function checkResultsBlocked() {
+  writemetacspframe.removeEventListener('load', checkResultsBlocked, false);
+
+  // stylesheet: default background color within FF is transparent
+  var bgcolor = window.getComputedStyle(writemetacspframe.contentDocument.body)
+                      .getPropertyValue("background-color");
+  is(bgcolor, "transparent", "inital background value in FF should be 'transparent'");
+
+  // image: make sure image is blocked
+  var img = writemetacspframe.contentDocument.getElementById("testimage");
+  is(img.width, 0, "image widht should be 0");
+  is(img.height, 0, "image widht should be 0");
+
+  // script: make sure defined variable in external script is undefined
+  is(writemetacspframe.contentDocument.myMetaCSPScript, undefined, "myMetaCSPScript should be 'undefined'");
+
+  checkTestsDone();
+}
+
+// document.write(<--) to comment out meta csp should allow resources to be loaded
+// after the preload failed
+function checkResultsAllowed() {
+  commentmetacspframe.removeEventListener('load', checkResultsAllowed, false);
+
+  // stylesheet: should be applied; bgcolor should be red
+  var bgcolor = window.getComputedStyle(commentmetacspframe.contentDocument.body).getPropertyValue("background-color");
+  is(bgcolor, "rgb(255, 0, 0)", "background should be red/rgb(255, 0, 0)");
+
+  // image: should be completed
+  var img = commentmetacspframe.contentDocument.getElementById("testimage");
+  ok(img.complete, "image should not be loaded");
+
+  // script: defined variable in external script should be accessible
+  is(commentmetacspframe.contentDocument.myMetaCSPScript, "external-JS-loaded", "myMetaCSPScript should be 'external-JS-loaded'");
+
+  checkTestsDone();
+}
+
+// doc.write(meta csp) should should allow preloads but should block actual loads
+writemetacspframe.src = 'file_docwrite_meta.html';
+writemetacspframe.addEventListener('load', checkResultsBlocked, false);
+
+// commenting out a meta CSP should result in loaded image, script, style
+commentmetacspframe.src = 'file_doccomment_meta.html';
+commentmetacspframe.addEventListener('load', checkResultsAllowed, false);
+
+</script>
+</body>
+</html>