dom/security/test/csp/test_hash_source.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

<!DOCTYPE HTML>
<html>
<head>
  <title>Test CSP 1.1 hash-source for inline scripts and styles</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <script src="/tests/SimpleTest/EventUtils.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="visibility:hidden">
  <iframe style="width:100%;" id='cspframe'></iframe>
</div>
<script class="testbody" type="text/javascript">

function cleanup() {
  // finish the tests
  SimpleTest.finish();
}

function checkInline () {
  var cspframe = document.getElementById('cspframe').contentDocument;

  var inlineScriptTests = {
    'inline-script-valid-hash': {
      shouldBe: 'allowed',
      message:  'Inline script with valid hash should be allowed'
    },
    'inline-script-invalid-hash': {
      shouldBe: 'blocked',
      message: 'Inline script with invalid hash should be blocked'
    },
    'inline-script-invalid-hash-valid-nonce': {
      shouldBe: 'allowed',
      message: 'Inline script with invalid hash and valid nonce should be allowed'
    },
    'inline-script-valid-hash-invalid-nonce': {
      shouldBe: 'allowed',
      message: 'Inline script with valid hash and invalid nonce should be allowed'
    },
    'inline-script-invalid-hash-invalid-nonce': {
      shouldBe: 'blocked',
      message: 'Inline script with invalid hash and invalid nonce should be blocked'
    },
    'inline-script-valid-sha512-hash': {
      shouldBe: 'allowed',
      message: 'Inline script with a valid sha512 hash should be allowed'
    },
    'inline-script-valid-sha384-hash': {
      shouldBe: 'allowed',
      message: 'Inline script with a valid sha384 hash should be allowed'
    },
    'inline-script-valid-sha1-hash': {
      shouldBe: 'blocked',
      message: 'Inline script with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
    },
    'inline-script-valid-md5-hash': {
      shouldBe: 'blocked',
      message: 'Inline script with a valid md5 hash should be blocked, because md5 is not a valid hash function'
    }
  }

  for (testId in inlineScriptTests) {
    var test = inlineScriptTests[testId];
    is(cspframe.getElementById(testId).innerHTML, test.shouldBe, test.message);
  }

  // Inline style tries to change an element's color to green. If blocked, the
  // element's color will be the default black.
  var green = "rgb(0, 128, 0)";
  var black = "rgb(0, 0, 0)";

  var getElementColorById = function (id) {
    return window.getComputedStyle(cspframe.getElementById(id)).color;
  };

  var inlineStyleTests = {
    'inline-style-valid-hash': {
      shouldBe: green,
      message: 'Inline style with valid hash should be allowed'
    },
    'inline-style-invalid-hash': {
      shouldBe: black,
      message: 'Inline style with invalid hash should be blocked'
    },
    'inline-style-invalid-hash-valid-nonce': {
      shouldBe: green,
      message: 'Inline style with invalid hash and valid nonce should be allowed'
    },
    'inline-style-valid-hash-invalid-nonce': {
      shouldBe: green,
      message: 'Inline style with valid hash and invalid nonce should be allowed'
    },
    'inline-style-invalid-hash-invalid-nonce' : {
      shouldBe: black,
      message: 'Inline style with invalid hash and invalid nonce should be blocked'
    },
    'inline-style-valid-sha512-hash': {
      shouldBe: green,
      message: 'Inline style with a valid sha512 hash should be allowed'
    },
    'inline-style-valid-sha384-hash': {
      shouldBe: green,
      message: 'Inline style with a valid sha384 hash should be allowed'
    },
    'inline-style-valid-sha1-hash': {
      shouldBe: black,
      message: 'Inline style with a valid sha1 hash should be blocked, because sha1 is not a valid hash function'
    },
    'inline-style-valid-md5-hash': {
      shouldBe: black,
      message: 'Inline style with a valid md5 hash should be blocked, because md5 is not a valid hash function'
    }
  }

  for (testId in inlineStyleTests) {
    var test = inlineStyleTests[testId];
    is(getElementColorById(testId), test.shouldBe, test.message);
  }

  cleanup();
}

//////////////////////////////////////////////////////////////////////
// set up and go
SimpleTest.waitForExplicitFinish();

// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_hash_source.html';
document.getElementById('cspframe').addEventListener('load', checkInline);
</script>
</pre>
</body>
</html>