1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
/*
* Description of the tests:
* Tests check that default-src can be overridden by manifest-src.
*/
/*globals Cu, is, ok*/
"use strict";
const { ManifestObtainer } = ChromeUtils.importESModule(
"resource://gre/modules/ManifestObtainer.sys.mjs"
);
const path = "/tests/dom/security/test/csp/";
const testFile = `${path}file_web_manifest.html`;
const mixedContentFile = `${path}file_web_manifest_mixed_content.html`;
const server = `${path}file_testserver.sjs`;
const defaultURL = new URL(`https://example.org${server}`);
const mixedURL = new URL(`http://mochi.test:8888${server}`);
// Enable web manifest processing.
Services.prefs.setBoolPref("dom.manifest.enabled", true);
const tests = [
// Check interaction with default-src and another origin,
// CSP allows fetching from example.org, so manifest should load.
{
expected: `CSP manifest-src overrides default-src of elsewhere.com`,
get tabURL() {
const url = new URL(defaultURL);
url.searchParams.append("file", testFile);
url.searchParams.append("cors", "*");
url.searchParams.append(
"csp",
"default-src http://elsewhere.com; manifest-src http://example.org"
);
return url.href;
},
run(manifest) {
is(manifest.name, "loaded", this.expected);
},
},
// Check interaction with default-src none,
// CSP allows fetching manifest from example.org, so manifest should load.
{
expected: `CSP manifest-src overrides default-src`,
get tabURL() {
const url = new URL(mixedURL);
url.searchParams.append("file", mixedContentFile);
url.searchParams.append("cors", "http://test:80");
url.searchParams.append(
"csp",
"default-src 'self'; manifest-src http://test:80"
);
return url.href;
},
run(manifest) {
is(manifest.name, "loaded", this.expected);
},
},
];
//jscs:disable
add_task(async function () {
//jscs:enable
const testPromises = tests.map(test => {
const tabOptions = {
gBrowser,
url: test.tabURL,
skipAnimation: true,
};
return BrowserTestUtils.withNewTab(tabOptions, browser =>
testObtainingManifest(browser, test)
);
});
await Promise.all(testPromises);
});
async function testObtainingManifest(aBrowser, aTest) {
const expectsBlocked = aTest.expected.includes("block");
const observer = expectsBlocked ? createNetObserver(aTest) : null;
// Expect an exception (from promise rejection) if there a content policy
// that is violated.
try {
const manifest = await ManifestObtainer.browserObtainManifest(aBrowser);
aTest.run(manifest);
} catch (e) {
const wasBlocked = e.message.includes(
"NetworkError when attempting to fetch resource"
);
ok(
wasBlocked,
`Expected promise rejection obtaining ${aTest.tabURL}: ${e.message}`
);
if (observer) {
await observer.untilFinished;
}
}
}
// Helper object used to observe policy violations. It waits 1 seconds
// for a response, and then times out causing its associated test to fail.
function createNetObserver(test) {
let finishedTest;
let success = false;
const finished = new Promise(resolver => {
finishedTest = resolver;
});
const timeoutId = setTimeout(() => {
if (!success) {
test.run("This test timed out.");
finishedTest();
}
}, 1000);
var observer = {
get untilFinished() {
return finished;
},
observe(subject, topic) {
SpecialPowers.removeObserver(observer, "csp-on-violate-policy");
test.run(topic);
finishedTest();
clearTimeout(timeoutId);
success = true;
},
};
SpecialPowers.addObserver(observer, "csp-on-violate-policy");
return observer;
}
|
