summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_navigate_to.html
diff options
context:
space:
mode:
Diffstat (limited to 'dom/security/test/csp/test_navigate_to.html')
-rw-r--r--dom/security/test/csp/test_navigate_to.html158
1 files changed, 158 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_navigate_to.html b/dom/security/test/csp/test_navigate_to.html
new file mode 100644
index 0000000000..357b35bb05
--- /dev/null
+++ b/dom/security/test/csp/test_navigate_to.html
@@ -0,0 +1,158 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 1529068 Implement CSP 'navigate-to' directive</title>
+ <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+ <p id="display"></p>
+ <div id="content">
+ <iframe style="width:100%;" id="testframe"></iframe>
+ </div>
+
+<script class="testbody" type="text/javascript">
+
+/*
+ * Description of the test:
+ * We load a page with a given CSP and verify that navigations are correctly
+ * evaluated through the "navigate-to" directive.
+ */
+SpecialPowers.pushPrefEnv({"set": [["security.csp.enableNavigateTo", true]]});
+SimpleTest.waitForExplicitFinish();
+
+// Note: The final website for the navigation chain must always be: www.example.com
+var tests = [
+ {
+ result : "blocked",
+ policy : "navigate-to www.mozilla.com",
+ target : "http://www.example.com/"
+ },
+ {
+ result : "allowed",
+ policy : "navigate-to www.example.com",
+ target : "http://www.example.com/"
+ },
+ {
+ // Test path-sensitivity
+ result : "blocked",
+ policy : "navigate-to http://www.example.com/full/path/to/file",
+ target : "http://www.example.com/"
+ },
+ {
+ // Test scheme
+ result : "blocked",
+ policy : "navigate-to https://www.example.com/",
+ target : "http://www.example.com/"
+ },
+ {
+ // Redirect from tracking.example.com to www.example.com
+ result : "blocked",
+ policy : "navigate-to www.example.com",
+ target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/"
+ },
+ {
+ // Redirect from tracking.example.com to www.example.com (Explicitly allowed)
+ result : "allowed",
+ policy : "navigate-to tracking.example.com www.example.com",
+ target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/"
+ },
+ {
+ // Redirect from tracking.example.com to www.example.com ('unsafe-allow-redirects')
+ result : "allowed",
+ policy : "navigate-to 'unsafe-allow-redirects' www.example.com",
+ target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/"
+ },
+ // No path-sensitivity after redirect
+ {
+ result : "allowed",
+ policy : "navigate-to tracking.example.com http://www.example.com/full/path/to/file",
+ target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/"
+ },
+ // Multiple CSP directives, first block (origin) second allow
+ {
+ result : "allowed",
+ policy : "img-src 'none'; navigate-to www.example.com",
+ target : "http://www.example.com/"
+ },
+ // Multiple CSP directives, first allow (origin) second block
+ {
+ result : "blocked",
+ policy : "img-src www.example.com mochi.test:8888; navigate-to www.mozilla.com",
+ target : "http://www.example.com/"
+ },
+ // Multiple CSPs, first allow second block
+ {
+ result : "blocked",
+ policy : "navigate-to www.example.com",
+ policy2 : "navigate-to www.mozilla.com",
+ target : "http://www.example.com/"
+ },
+ // Multiple CSPs, first block second allow
+ {
+ result : "blocked",
+ policy : "navigate-to www.mozilla.com",
+ policy2 : "navigate-to www.example.com",
+ target : "http://www.example.com/"
+ },
+];
+
+// initializing to -1 so we start at index 0 when we start the test
+var counter = -1;
+
+function checkResult(aResult) {
+ is(aResult, tests[counter].result, "should be " + tests[counter].result + " in test " + counter +
+ "(" + tests[counter].policy + ", " + tests[counter].target + ")!");
+ loadNextTest();
+}
+
+// We use the examiner to identify requests that hit the wire and requests
+// that are blocked by CSP and bubble up the result to the including iframe
+// document (parent).
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy");
+}
+examiner.prototype = {
+ observe(subject, topic, data) {
+ if (topic === "csp-on-violate-policy" && data === "navigate-to") {
+ checkResult("blocked");
+ }
+
+ },
+ remove() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ }
+}
+window.NavigationActionExaminer = new examiner();
+// We use iframe onload to check if requests are not blocked by CSP
+var iframe = document.getElementById("testframe");
+iframe.onload = function() {
+ checkResult("allowed");
+}
+
+function loadNextTest() {
+ counter++;
+ if (counter == tests.length) {
+ window.NavigationActionExaminer.remove();
+ SimpleTest.finish();
+ return;
+ }
+
+ var src = "file_navigate_to.sjs";
+ // append the CSP that should be used to serve the file
+ src += "?csp=" + escape(tests[counter].policy);
+ if( tests[counter].policy2 ) {
+ src += "&csp2=" + escape(tests[counter].policy2);
+ }
+ src += "&target=" + escape(tests[counter].target);
+
+ iframe.src = src;
+}
+
+// start running the tests
+loadNextTest();
+
+</script>
+</body>
+</html>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 10:52:01 +0000