Bug 663570 - Test 5: doc.write(meta csp) (r=sicking)
This commit is contained in:
parent
749afb19d4
commit
c941fd4008
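--- a/dom/security/test/csp/file_doccomment_meta.html
+++ b/dom/security/test/csp/file_doccomment_meta.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 663570 - Test doc.write(meta csp)</title>
+<meta charset="utf-8">
+
+<!-- Use doc.write() to *un*apply meta csp -->
+<script type="application/javascript">
+document.write("<!--");
+</script>
+
+<meta http-equiv="Content-Security-Policy" content= "style-src 'none'; script-src 'none'; img-src 'none'">
+-->
+
+<!-- try to load a css on a page where meta CSP is commented out -->
+<link rel="stylesheet" type="text/css" href="file_docwrite_meta.css">
+
+<!-- try to load a script on a page where meta CSP is commented out -->
+<script id="testscript" src="file_docwrite_meta.js"></script>
+
+</head>
+<body>
+
+<!-- try to load an image on a page where meta CSP is commented out -->
+<img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png"></img>
+
+</body>
+</html>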
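Review bot: The `</img>` end tag on the testimage element is invalid markup, since img is a void element, and the HTML parser simply discards it; write `<img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png">`. The same `</img>` appears in file_docwrite_meta.html. The meta element also carries a stray space in `content= "style-src ...`; `content="style-src 'none'; script-src 'none'; img-src 'none'"` reads cleaner, although the browser tolerates both forms.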
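--- a/dom/security/test/csp/file_docwrite_meta.css
+++ b/dom/security/test/csp/file_docwrite_meta.css
@@ -0,0 +1,3 @@
+body {
+background-color: rgb(255, 0, 0);
+}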
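--- a/dom/security/test/csp/file_docwrite_meta.html
+++ b/dom/security/test/csp/file_docwrite_meta.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 663570 - Test doc.write(meta csp)</title>
+<meta charset="utf-8">
+
+<!-- Use doc.write() to apply meta csp -->
+<script type="application/javascript">
+var metaCSP = "style-src 'none'; script-src 'none'; img-src 'none'";
+document.write("<meta http-equiv=\"Content-Security-Policy\" content=\" " + metaCSP + "\">");
+</script>
+
+<!-- try to load a css which is forbidden by meta CSP -->
+<link rel="stylesheet" type="text/css" href="file_docwrite_meta.css">
+
+<!-- try to load a script which is forbidden by meta CSP -->
+<script id="testscript" src="file_docwrite_meta.js"></script>
+
+</head>
+<body>
+
+<!-- try to load an image which is forbidden by meta CSP -->
+<img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png"></img>
+
+</body>
+</html>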
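Review bot: Nothing explains why the inline script can insert a `script-src 'none'` policy without blocking itself; as I read the meta-CSP semantics, the policy governs loads that start after the meta element is parsed, so the already-running writer is unaffected while the external script, stylesheet and image that follow it are blocked. A comment above the script would spare the next reader that puzzle: `<!-- the policy applies to loads started after the meta is inserted; this inline script is already executing and is not affected -->`. The written value also begins with a stray space, `content=\" " + metaCSP`, which is tolerated but worth dropping for consistency with file_meta_element.html-style fixtures.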
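--- a/dom/security/test/csp/file_docwrite_meta.js
+++ b/dom/security/test/csp/file_docwrite_meta.js
@@ -0,0 +1,3 @@
+// set a variable on the document which we can check to verify
+// whether the external script was loaded or blocked
+document.myMetaCSPScript = "external-JS-loaded";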
@ -148,6 +148,10 @@ support-files =
|
||||
file_redirect_worker.sjs
|
||||
file_meta_element.html
|
||||
file_meta_header_dual.sjs
|
||||
file_docwrite_meta.html
|
||||
file_doccomment_meta.html
|
||||
file_docwrite_meta.css
|
||||
file_docwrite_meta.js
|
||||
|
||||
[test_base-uri.html]
|
||||
[test_blob_data_schemes.html]
|
||||
@ -221,3 +225,4 @@ skip-if = buildapp == 'b2g' #investigate in bug 1222904
|
||||
[test_child-src_iframe.html]
|
||||
[test_meta_element.html]
|
||||
[test_meta_header_dual.html]
|
||||
[test_docwrite_meta.html]
|
||||
|
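--- a/dom/security/test/csp/test_docwrite_meta.html
+++ b/dom/security/test/csp/test_docwrite_meta.html
@@ -0,0 +1,86 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Bug 663570 - Implement Content Security Policy via meta tag</title>
+<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<iframe style="width:100%;" id="writemetacspframe"></iframe>
+<iframe style="width:100%;" id="commentmetacspframe"></iframe>
+
+
+<script class="testbody" type="text/javascript">
+/* Description of the test:
+* We load two frames, where the first frame does doc.write(meta csp) and
+* the second does doc.write(comment out meta csp).
+* We make sure to reuse/invalidate preloads depending on the policy.
+*/
+
+SimpleTest.waitForExplicitFinish();
+
+var writemetacspframe = document.getElementById("writemetacspframe");
+var commentmetacspframe = document.getElementById("commentmetacspframe");
+var seenResults = 0;
+
+function checkTestsDone() {
+seenResults++;
+if (seenResults < 2) {
+return;
+}
+SimpleTest.finish();
+}
+
+// document.write(<meta csp ...>) should block resources from being included in the doc
+function checkResultsBlocked() {
+writemetacspframe.removeEventListener('load', checkResultsBlocked, false);
+
+// stylesheet: default background color within FF is transparent
+var bgcolor = window.getComputedStyle(writemetacspframe.contentDocument.body)
+.getPropertyValue("background-color");
+is(bgcolor, "transparent", "inital background value in FF should be 'transparent'");
+
+// image: make sure image is blocked
+var img = writemetacspframe.contentDocument.getElementById("testimage");
+is(img.width, 0, "image widht should be 0");
+is(img.height, 0, "image widht should be 0");
+
+// script: make sure defined variable in external script is undefined
+is(writemetacspframe.contentDocument.myMetaCSPScript, undefined, "myMetaCSPScript should be 'undefined'");
+
+checkTestsDone();
+}
+
+// document.write(<--) to comment out meta csp should allow resources to be loaded
+// after the preload failed
+function checkResultsAllowed() {
+commentmetacspframe.removeEventListener('load', checkResultsAllowed, false);
+
+// stylesheet: should be applied; bgcolor should be red
+var bgcolor = window.getComputedStyle(commentmetacspframe.contentDocument.body).getPropertyValue("background-color");
+is(bgcolor, "rgb(255, 0, 0)", "background should be red/rgb(255, 0, 0)");
+
+// image: should be completed
+var img = commentmetacspframe.contentDocument.getElementById("testimage");
+ok(img.complete, "image should not be loaded");
+
+// script: defined variable in external script should be accessible
+is(commentmetacspframe.contentDocument.myMetaCSPScript, "external-JS-loaded", "myMetaCSPScript should be 'external-JS-loaded'");
+
+checkTestsDone();
+}
+
+// doc.write(meta csp) should should allow preloads but should block actual loads
+writemetacspframe.src = 'file_docwrite_meta.html';
+writemetacspframe.addEventListener('load', checkResultsBlocked, false);
+
+// commenting out a meta CSP should result in loaded image, script, style
+commentmetacspframe.src = 'file_doccomment_meta.html';
+commentmetacspframe.addEventListener('load', checkResultsAllowed, false);
+
+</script>
+</body>
+</html>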
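Review bot: `ok(img.complete, "image should not be loaded")` in checkResultsAllowed does not show that the image loaded: under the HTML definition, HTMLImageElement.complete is also true once a failed or blocked request has finished, so this assertion would pass even if the meta CSP had still blocked the image, and its message states the opposite of what the comment above it intends. Mirror the blocked-frame check with dimensions instead, `ok(img.width > 0 && img.height > 0, "image should be loaded");`. In checkResultsBlocked both image messages read "image widht should be 0" although the second one checks the height, and "inital" in the stylesheet message and "should should" in the comment before the writemetacspframe assignment are typos worth fixing in the same pass.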