1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Bug 663570 - Implement Content Security Policy via meta tag</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<iframe style="width:100%;" id="testframe"></iframe>
<script class="testbody" type="text/javascript">
/* Description of the test:
* We test all sorts of CSPs on documents, including documents with no
* CSP, with meta CSP and with meta CSP in combination with a CSP header.
*/
const TESTS = [
{
/* load image without any CSP */
query: "test1",
result: "img-loaded",
policyLen: 0,
desc: "no CSP should allow load",
},
{
/* load image where meta denies load */
query: "test2",
result: "img-blocked",
policyLen: 1,
desc: "meta (img-src 'none') should block load"
},
{
/* load image where meta allows load */
query: "test3",
result: "img-loaded",
policyLen: 1,
desc: "meta (img-src http://mochi.test) should allow load"
},
{
/* load image where meta allows but header blocks */
query: "test4", // triggers speculative load
result: "img-blocked",
policyLen: 2,
desc: "meta (img-src http://mochi.test), header (img-src 'none') should block load"
},
{
/* load image where meta blocks but header allows */
query: "test5", // triggers speculative load
result: "img-blocked",
policyLen: 2,
desc: "meta (img-src 'none'), header (img-src http://mochi.test) should block load"
},
{
/* load image where meta allows and header allows */
query: "test6", // triggers speculative load
result: "img-loaded",
policyLen: 2,
desc: "meta (img-src http://mochi.test), header (img-src http://mochi.test) should allow load"
},
{
/* load image where meta1 allows but meta2 blocks */
query: "test7",
result: "img-blocked",
policyLen: 2,
desc: "meta1 (img-src http://mochi.test), meta2 (img-src 'none') should allow blocked"
},
{
/* load image where meta1 allows and meta2 allows */
query: "test8",
result: "img-loaded",
policyLen: 2,
desc: "meta1 (img-src http://mochi.test), meta2 (img-src http://mochi.test) should allow allowed"
},
];
var curTest;
var counter = -1;
function finishTest() {
window.removeEventListener("message", receiveMessage);
SimpleTest.finish();
}
function checkResults(result) {
// make sure the image got loaded or blocked
is(result, curTest.result, curTest.query + ": " + curTest.desc);
if (curTest.policyLen != 0) {
// make sure that meta policy got not parsed and appended twice
try {
// get the csp in JSON notation from the principal
var frame = document.getElementById("testframe");
var contentDoc = SpecialPowers.wrap(frame.contentDocument);
var cspOBJ = JSON.parse(contentDoc.cspJSON);
// make sure that the speculative policy and the actual policy
// are not appended twice.
var policies = cspOBJ["csp-policies"];
is(policies.length, curTest.policyLen, curTest.query + " should have: " + curTest.policyLen + " policies");
}
catch (e) {
ok(false, "uuh, something went wrong within cspToJSON in " + curTest.query);
}
}
// move on to the next test
runNextTest();
}
// a postMessage handler used to bubble up the
// onsuccess/onerror state from within the iframe.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
checkResults(event.data.result);
}
function runNextTest() {
if (++counter == TESTS.length) {
finishTest();
return;
}
curTest = TESTS[counter];
// load next test
document.getElementById("testframe").src = "file_meta_header_dual.sjs?" + curTest.query;
}
// start the test
SimpleTest.waitForExplicitFinish();
runNextTest();
</script>
</body>
</html>
|