/* Any copyright is dedicated to the Public Domain. * http://creativecommons.org/publicdomain/zero/1.0/ */ // Tests that the Web Console CSP messages for two META policies // are correctly displayed. See Bug 1247459. "use strict"; add_task(async function () { const bundle = Services.strings.createBundle( "chrome://global/locale/security/csp.properties" ); const TEST_URI = "data:text/html;charset=utf8,Web Console CSP violation test"; const hud = await openNewTabAndConsole(TEST_URI); await clearOutput(hud); { const TEST_VIOLATION = "https://example.com/browser/devtools/client/webconsole/" + "test/browser/test-csp-violation.html"; const CSP_VIOLATION_MSG = bundle.formatStringFromName( "CSPGenericViolation", [ "img-src https://example.com", "http://some.example.com/test.png", "img-src", ] ); const onRepeatedMessage = waitForRepeatedMessageByType( hud, CSP_VIOLATION_MSG, ".error", 2 ); await navigateTo(TEST_VIOLATION); await onRepeatedMessage; ok(true, "Received expected messages"); } await clearOutput(hud); // Testing CSP Inline Violations { const TEST_VIOLATION = "https://example.com/browser/devtools/client/webconsole/" + "test/browser/test-csp-violation-inline.html"; const CSP_VIOLATION = bundle.formatStringFromName( "CSPInlineStyleViolation", ["style-src 'self'", "style-src-elem"] ); const VIOLATION_LOCATION_HTML = "test-csp-violation-inline.html:18:1"; const VIOLATION_LOCATION_JS = "test-csp-violation-inline.html:14:25"; await navigateTo(TEST_VIOLATION); // Triggering the Violation via HTML let msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION)); let locationNode = msg.querySelector(".message-location"); info(`EXPECT ${VIOLATION_LOCATION_HTML} GOT: ${locationNode.textContent}`); Assert.equal( locationNode.textContent, VIOLATION_LOCATION_HTML, "Printed the CSP Violation with HTML Context" ); // Triggering the Violation via JS await clearOutput(hud); msg = await executeAndWaitForErrorMessage( hud, "window.violate()", CSP_VIOLATION ); locationNode = msg.node.querySelector(".message-location"); info(`EXPECT ${VIOLATION_LOCATION_JS} GOT: ${locationNode.textContent}`); Assert.equal( locationNode.textContent, VIOLATION_LOCATION_JS, "Printed the CSP Violation with JS Context" ); } await clearOutput(hud); // Testing Base URI { const TEST_VIOLATION = "https://example.com/browser/devtools/client/webconsole/" + "test/browser/test-csp-violation-base-uri.html"; const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [ "base-uri 'self'", "https://evil.com/", "base-uri", ]); const VIOLATION_LOCATION = "test-csp-violation-base-uri.html:15:25"; await navigateTo(TEST_VIOLATION); let msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION)); ok(msg, "Base-URI validation was Printed"); // Triggering the Violation via JS await clearOutput(hud); msg = await executeAndWaitForErrorMessage( hud, "window.violate()", CSP_VIOLATION ); const locationNode = msg.node.querySelector(".message-location"); console.log(locationNode.textContent); Assert.equal( locationNode.textContent, VIOLATION_LOCATION, "Base-URI validation was Printed with the Responsible JS Line" ); } await clearOutput(hud); // Testing CSP Form Action { const TEST_VIOLATION = "https://example.com/browser/devtools/client/webconsole/" + "test/browser/test-csp-violation-form-action.html"; const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [ "form-action 'self'", "https://evil.com/evil.com", "form-action", ]); const VIOLATION_LOCATION = "test-csp-violation-form-action.html:14:40"; await navigateTo(TEST_VIOLATION); const msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION)); const locationNode = msg.querySelector(".message-location"); info(`EXPECT ${VIOLATION_LOCATION} GOT: ${locationNode.textContent}`); Assert.equal( locationNode.textContent, VIOLATION_LOCATION, "JS Line which Triggered the CSP-Form Action Violation was Printed" ); } await clearOutput(hud); // Testing CSP Frame Ancestors Directive { const TEST_VIOLATION = "https://example.com/browser/devtools/client/webconsole/" + "test/browser/test-csp-violation-frame-ancestor-parent.html"; const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [ "frame-ancestors 'none'", TEST_VIOLATION, "frame-ancestors", ]); await navigateTo(TEST_VIOLATION); const msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION)); ok(msg, "Frame-Ancestors violation by html was printed"); } await clearOutput(hud); // Testing CSP inline event handler violations { const TEST_VIOLATION = "https://example.com/browser/devtools/client/webconsole/" + "test/browser/test-csp-violation-event-handler.html"; const CSP_VIOLATION = bundle.formatStringFromName("CSPEventHandlerScriptViolation", [ "script-src 'self'", "script-src-attr", ]) + `\nSource: document.body.textContent = 'JavaScript …`; // Future-Todo: Include line and column number. const VIOLATION_LOCATION = "test-csp-violation-event-handler.html"; await navigateTo(TEST_VIOLATION); const msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION)); const locationNode = msg.querySelector(".message-location"); is( locationNode.textContent, VIOLATION_LOCATION, "Inline event handler location doesn't yet include the line/column" ); } });