summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_bug1764343.html
blob: 1af9a710fe80d1fae74ea7e294b463a5baefe004 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Bug 1764343 - CSP inheritance for same-origin iframes</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

  <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'nonce-parent' 'nonce-a' 'nonce-b' 'nonce-c'; img-src 'self' data:">
</head>
<body>
  <iframe id="sameOriginMetaFrame"></iframe>
  <iframe id="aboutBlankMetaFrame"></iframe>
<script nonce='parent'>
SimpleTest.waitForExplicitFinish();

const NEW_HTML =`
  <head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-a' 'nonce-c' 'nonce-d';">
  </head>
  <body>
    <style>
      body { background-color: rgb(255, 0, 0); }
    </style>
    <script nonce="a">
      document.a = true;
    <\/script>
    <script nonce="b">
      document.b = true;
    <\/script>
    <script nonce="c">
      document.c = true;
    <\/script>
    <script nonce="d">
      document.d = true;
    <\/script>
    <img id="testInlineImage"></img>
  </body>
  `;

// test file's CSP meta tags shouldn't overwrite same-origin iframe's CSP meta tags
async function testBlocked() {
  info("testBlocked");

  let sameOriginMetaFrame = document.getElementById("sameOriginMetaFrame");
  let onFrameLoad = new Promise(resolve => {
    sameOriginMetaFrame.addEventListener('load', resolve, {once: true});
  });
  sameOriginMetaFrame.src = 'file_bug1764343.html';
  await onFrameLoad;

  let doc = sameOriginMetaFrame.contentDocument;
  doc.open();
  doc.write(NEW_HTML);

  let bgcolor = window.getComputedStyle(doc.body).getPropertyValue("background-color");
  is(bgcolor, "rgba(0, 0, 0, 0)", "inital background value in FF should be 'transparent'");

  let img = doc.getElementById("testInlineImage");
  let onImgError = new Promise(resolve => {
    img.addEventListener('error', resolve, {once: true});
  });
  img.src = "//mochi.test:8888/tests/image/test/mochitest/blue.png";
  await onImgError;
  is(img.complete, false, "image should not be loaded");

  // Make sure that CSP policy can further restrict (no 'nonce-b'), but not weak (adding 'nonce-c' or 'nonce-d')
  is(doc.a, true, "doc.a should be true (script 'nonce-a' allowed)");
  is(doc.b, undefined, "doc.b should be undefined (script 'nonce-b' blocked)");
  is(doc.c, undefined, "doc.c should be undefined (script 'nonce-c' blocked)");
  is(doc.d, undefined, "doc.d should be undefined (script 'nonce-d' blocked)");
}

  // test file's CSP meta tags should apply to about blank iframe's CSP meta tags
async function testNotBlocked() {
  info("testNotBlocked");

  let aboutBlankMetaFrame = document.getElementById("aboutBlankMetaFrame");
  let onFrameLoad = new Promise(resolve => {
    aboutBlankMetaFrame.addEventListener('load', resolve, {once: true});
  });
  aboutBlankMetaFrame.src = 'about:blank';
  await onFrameLoad;

  let doc = aboutBlankMetaFrame.contentDocument;
  doc.open();
  doc.write(NEW_HTML);

  let bgcolor = window.getComputedStyle(doc.body).getPropertyValue("background-color");
  is(bgcolor, "rgb(255, 0, 0)", "background value should be updated to red");

  let img = doc.getElementById("testInlineImage");
  let onImgLoad = new Promise(resolve => {
    img.addEventListener('load', resolve, {once: true});
  });
  img.src = "//mochi.test:8888/tests/image/test/mochitest/blue.png";
  await onImgLoad;
  is(img.complete, true, "image should be loaded");

  // New HTML contains 'nonce-a/c/d' and no CSP in about:blank.
  // (Can not weaken parent with 'nonce-d')
  is(doc.a, true, "doc.a should be true (script 'nonce-a' allowed)");
  is(doc.b, undefined, "doc.b should be undefined (script 'nonce-b' blocked)");
  is(doc.c, true, "doc.c should be true (script 'nonce-c' allowed)");
  is(doc.d, undefined, "doc.d should be true (script 'nonce-d' blocked)");
}

(async function () {
  await testBlocked();
  await testNotBlocked();
  SimpleTest.finish();
})();
</script>
</body>
</html>