bug 515443 missing test files

2024-10-15 22:35:43 +00:00 · 2010-03-08 01:57:10 -08:00 · 2010-03-08 01:57:10 -08:00 · e84d96e645
commit e84d96e645
parent a22f056955
4 changed files with 216 additions and 0 deletions
--- a/content/base/test/file_CSP_evalscript.sjs
+++ b/content/base/test/file_CSP_evalscript.sjs
@ -0,0 +1,30 @@
+// SJS file for CSP eval script mochitests
+
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  //avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  if ("main" in query) {
+    var xhr = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"]  
+                   .createInstance(Components.interfaces.nsIXMLHttpRequest);
+    //serve the main page with a CSP header!
+    // -- anything served from 'self' (localhost:8888) will be allowed,
+    // -- anything served from other hosts (example.com:80) will be blocked.
+    // -- XHR tests are set up in the file_CSP_main.js file which is sourced.
+    response.setHeader("X-Content-Security-Policy", 
+                       "allow 'self'",
+                       false);
+    xhr.open("GET", "http://localhost:8888/tests/content/base/test/file_CSP_evalscript_main.html", false);
+    xhr.send(null);
+    if(xhr.status == 200) {
+      response.write(xhr.responseText);
+    }
+  }
+}
--- a/content/base/test/file_CSP_evalscript_main.html
+++ b/content/base/test/file_CSP_evalscript_main.html
@ -0,0 +1,12 @@
+<html>
+  <head>
+    <title>CSP eval script tests</title>
+    <script type="application/javascript"
+             src="file_CSP_evalscript_main.js"></script>
+  </head>
+  <body>
+
+    Foo.
+
+  </body>
+</html>
--- a/content/base/test/file_CSP_evalscript_main.js
+++ b/content/base/test/file_CSP_evalscript_main.js
@ -0,0 +1,112 @@
+// some javascript for the CSP eval() tests
+
+function logResult(str, passed) {
+  var elt = document.createElement('div');
+  var color = passed ? "#cfc;" : "#fcc";
+  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
+  elt.innerHTML = str;
+  document.body.appendChild(elt);
+}
+
+
+// callback for when stuff is allowed by CSP
+var onevalexecuted = (function(window) {
+    return function(shouldrun, what, data) {
+      window.parent.scriptRan(shouldrun, what, data);
+      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
+    };})(window);
+
+// callback for when stuff is blocked
+var onevalblocked = (function(window) {
+    return function(shouldrun, what, data) {
+      window.parent.scriptBlocked(shouldrun, what, data);
+      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
+    };})(window);
+
+
+// Defer until document is loaded so that we can write the pretty result boxes
+// out.
+addEventListener('load', function() {
+
+  // setTimeout(String) test  -- should pass
+  try {
+    setTimeout('onevalexecuted(false, "setTimeout(String)", "setTimeout with a string was enabled.");', 10);
+  } catch (e) {
+    onevalblocked(false, "setTimeout(String)",
+                  "setTimeout with a string was blocked");
+  }
+
+  // setTimeout(function) test  -- should pass
+  try {
+    setTimeout(function() {
+          onevalexecuted(true, "setTimeout(function)",
+                        "setTimeout with a function was enabled.")
+        }, 10);
+  } catch (e) {
+    onevalblocked(true, "setTimeout(function)",
+                  "setTimeout with a function was blocked");
+  }
+
+  // eval() test
+  try {
+    eval('onevalexecuted(false, "eval(String)", "eval() was enabled.");');
+  } catch (e) {
+    onevalblocked(false, "eval(String)",
+                  "eval() was blocked");
+  }
+
+  // eval(foo,bar) test
+  try {
+    eval('onevalexecuted(false, "eval(String,scope)", "eval() was enabled.");',1);
+  } catch (e) {
+    onevalblocked(false, "eval(String,object)",
+                  "eval() with scope was blocked");
+  }
+
+  // [foo,bar].sort(eval) test
+  try {
+    ['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1].sort(eval);
+  } catch (e) {
+    onevalblocked(false, "[String, obj].sort(eval)",
+                  "eval() with scope via sort was blocked");
+  }
+
+  // [].sort.call([foo,bar], eval) test
+  try {
+    [].sort.call(['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1], eval);
+  } catch (e) {
+    onevalblocked(false, "[].sort.call([String, obj], eval)",
+                  "eval() with scope via sort/call was blocked");
+  }
+
+  // new Function() test
+  try {
+    var fcn = new Function('onevalexecuted(false, "new Function(String)", "new Function(String) was enabled.");');
+    fcn();
+  } catch (e) {
+    onevalblocked(false, "new Function(String)",
+                  "new Function(String) was blocked.");
+  }
+
+  // setTimeout(eval, 0, str)
+  {
+    // error is not catchable here, instead, we're going to side-effect
+    // 'worked'.
+    var worked = false;
+
+    setTimeout(eval, 0, 'worked = true');
+    setTimeout(function(worked) {
+                  if (worked) {
+                    onevalexecuted(false, "setTimeout(eval, 0, str)",
+                                    "setTimeout(eval, 0, string) was enabled.");
+                  } else {
+                    onevalblocked(false, "setTimeout(eval, 0, str)",
+                                        "setTimeout(eval, 0, str) was blocked.");
+                  }
+                }, 0, worked);
+  }
+
+}, false);
+
+
+
--- a/content/base/test/test_CSP_evalscript.html
+++ b/content/base/test/test_CSP_evalscript.html
@ -0,0 +1,62 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Content Security Policy "no eval" base restriction</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+  
+</div>
+
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/";
+
+var evalScriptsThatRan = 0;
+var evalScriptsBlocked = 0;
+var evalScriptsTotal = 8;
+
+
+// called by scripts that run
+var scriptRan = function(shouldrun, testname, data) {
+  evalScriptsThatRan++;
+  ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+// called when a script is blocked
+var scriptBlocked = function(shouldrun, testname, data) {
+  evalScriptsBlocked++;
+  ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+  // if any test is incomplete, keep waiting
+  if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
+    return;
+
+  // ... otherwise, finish
+  SimpleTest.finish();
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+SimpleTest.waitForExplicitFinish();
+
+// save this for last so that our listeners are registered.
+// ... this loads the testbed of good and bad requests.
+document.getElementById('cspframe').src = 'file_CSP_evalscript.sjs?main';
+
+</script>
+</pre>
+</body>
+</html>