summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_bug836922_npolicies.html
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /dom/security/test/csp/test_bug836922_npolicies.html
parentInitial commit. (diff)
downloadfirefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz
firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'dom/security/test/csp/test_bug836922_npolicies.html')
-rw-r--r--dom/security/test/csp/test_bug836922_npolicies.html235
1 files changed, 235 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_bug836922_npolicies.html b/dom/security/test/csp/test_bug836922_npolicies.html
new file mode 100644
index 0000000000..e418969e3d
--- /dev/null
+++ b/dom/security/test/csp/test_bug836922_npolicies.html
@@ -0,0 +1,235 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for Content Security Policy multiple policy support (regular and Report-Only mode)</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/dom/security/test/csp/";
+
+// These are test results: verified indicates whether or not the test has run.
+// true/false is the pass/fail result.
+window.loads = {
+ css_self: {expected: true, verified: false},
+ img_self: {expected: false, verified: false},
+ script_self: {expected: true, verified: false},
+};
+
+window.violation_reports = {
+ css_self:
+ {expected: 0, expected_ro: 0}, /* totally fine */
+ img_self:
+ {expected: 1, expected_ro: 0}, /* violates enforced CSP */
+ script_self:
+ {expected: 0, expected_ro: 1}, /* violates report-only */
+};
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire. This also watches for violation reports to go out.
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy");
+ SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
+}
+examiner.prototype = {
+ observe(subject, topic, data) {
+ var testpat = new RegExp("testid=([a-z0-9_]+)");
+
+ if (topic === "specialpowers-http-notify-request") {
+ var uri = data;
+ if (!testpat.test(uri)) return;
+ var testid = testpat.exec(uri)[1];
+
+ // violation reports don't come through here, but the requested resources do
+ // if the test has already finished, move on. Some things throw multiple
+ // requests (preloads and such)
+ try {
+ if (window.loads[testid].verified) return;
+ } catch(e) { return; }
+
+ // these are requests that were allowed by CSP
+ var testid = testpat.exec(uri)[1];
+ window.testResult(testid, 'allowed', uri + " allowed by csp");
+ }
+
+ if(topic === "csp-on-violate-policy") {
+ // if the violated policy was report-only, the resource will still be
+ // loaded even if this topic is notified.
+ var asciiSpec = SpecialPowers.getPrivilegedProps(
+ SpecialPowers.do_QueryInterface(subject, "nsIURI"),
+ "asciiSpec");
+ if (!testpat.test(asciiSpec)) return;
+ var testid = testpat.exec(asciiSpec)[1];
+
+ // if the test has already finished, move on.
+ try {
+ if (window.loads[testid].verified) return;
+ } catch(e) { return; }
+
+ // record the ones that were supposed to be blocked, but don't use this
+ // as an indicator for tests that are not blocked but do generate reports.
+ // We skip recording the result if the load is expected since a
+ // report-only policy will generate a request *and* a violation note.
+ if (!window.loads[testid].expected) {
+ window.testResult(testid,
+ 'blocked',
+ asciiSpec + " blocked by \"" + data + "\"");
+ }
+ }
+
+ // if any test is unverified, keep waiting
+ for (var v in window.loads) {
+ if(!window.loads[v].verified) {
+ return;
+ }
+ }
+
+ window.bug836922examiner.remove();
+ window.resultPoller.pollForFinish();
+ },
+
+ // must eventually call this to remove the listener,
+ // or mochitests might get borked.
+ remove() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+ }
+}
+window.bug836922examiner = new examiner();
+
+
+// Poll for results and see if enough reports came in. Keep trying
+// for a few seconds before failing with lack of reports.
+// Have to do this because there's a race between the async reporting
+// and this test finishing, and we don't want to win the race.
+window.resultPoller = {
+
+ POLL_ATTEMPTS_LEFT: 14,
+
+ pollForFinish() {
+ var vr = resultPoller.tallyReceivedReports();
+ if (resultPoller.verifyReports(vr, resultPoller.POLL_ATTEMPTS_LEFT < 1)) {
+ // report success condition.
+ resultPoller.resetReportServer();
+ SimpleTest.finish();
+ } else {
+ resultPoller.POLL_ATTEMPTS_LEFT--;
+ // try again unless we reached the threshold.
+ setTimeout(resultPoller.pollForFinish, 100);
+ }
+ },
+
+ resetReportServer() {
+ var xhr = new XMLHttpRequest();
+ var xhr_ro = new XMLHttpRequest();
+ xhr.open("GET", "file_bug836922_npolicies_violation.sjs?reset", false);
+ xhr_ro.open("GET", "file_bug836922_npolicies_ro_violation.sjs?reset", false);
+ xhr.send(null);
+ xhr_ro.send(null);
+ },
+
+ tallyReceivedReports() {
+ var xhr = new XMLHttpRequest();
+ var xhr_ro = new XMLHttpRequest();
+ xhr.open("GET", "file_bug836922_npolicies_violation.sjs?results", false);
+ xhr_ro.open("GET", "file_bug836922_npolicies_ro_violation.sjs?results", false);
+ xhr.send(null);
+ xhr_ro.send(null);
+
+ var received = JSON.parse(xhr.responseText);
+ var received_ro = JSON.parse(xhr_ro.responseText);
+
+ var results = {enforced: {}, reportonly: {}};
+ for (var r in window.violation_reports) {
+ results.enforced[r] = 0;
+ results.reportonly[r] = 0;
+ }
+
+ for (var r in received) {
+ results.enforced[r] += received[r];
+ }
+ for (var r in received_ro) {
+ results.reportonly[r] += received_ro[r];
+ }
+
+ return results;
+ },
+
+ verifyReports(receivedCounts, lastAttempt) {
+ for (var r in window.violation_reports) {
+ var exp = window.violation_reports[r].expected;
+ var exp_ro = window.violation_reports[r].expected_ro;
+ var rec = receivedCounts.enforced[r];
+ var rec_ro = receivedCounts.reportonly[r];
+
+ // if this test breaks, these are helpful dumps:
+ //dump(">>> Verifying " + r + "\n");
+ //dump(" > Expected: " + exp + " / " + exp_ro + " (ro)\n");
+ //dump(" > Received: " + rec + " / " + rec_ro + " (ro) \n");
+
+ // in all cases, we're looking for *at least* the expected number of
+ // reports of each type (there could be more in some edge cases).
+ // If there are not enough, we keep waiting and poll the server again
+ // later. If there are enough, we can successfully finish.
+
+ if (exp == 0)
+ is(rec, 0,
+ "Expected zero enforced-policy violation " +
+ "reports for " + r + ", got " + rec);
+ else if (lastAttempt)
+ ok(rec >= exp,
+ "Received (" + rec + "/" + exp + ") " +
+ "enforced-policy reports for " + r);
+ else if (rec < exp)
+ return false; // continue waiting for more
+
+ if(exp_ro == 0)
+ is(rec_ro, 0,
+ "Expected zero report-only-policy violation " +
+ "reports for " + r + ", got " + rec_ro);
+ else if (lastAttempt)
+ ok(rec_ro >= exp_ro,
+ "Received (" + rec_ro + "/" + exp_ro + ") " +
+ "report-only-policy reports for " + r);
+ else if (rec_ro < exp_ro)
+ return false; // continue waiting for more
+ }
+
+ // if we complete the loop, we've found all of the violation
+ // reports we expect.
+ if (lastAttempt) return true;
+
+ // Repeat successful tests once more to record successes via ok()
+ return resultPoller.verifyReports(receivedCounts, true);
+ }
+};
+
+window.testResult = function(testname, result, msg) {
+ // otherwise, make sure the allowed ones are expected and blocked ones are not.
+ if (window.loads[testname].expected) {
+ is(result, 'allowed', ">> " + msg);
+ } else {
+ is(result, 'blocked', ">> " + msg);
+ }
+ window.loads[testname].verified = true;
+}
+
+
+SimpleTest.waitForExplicitFinish();
+SimpleTest.requestFlakyTimeout("untriaged");
+
+// save this for last so that our listeners are registered.
+// ... this loads the testbed of good and bad requests.
+document.getElementById('cspframe').src = 'http://mochi.test:8888' + path + 'file_bug836922_npolicies.html';
+
+</script>
+</pre>
+</body>
+</html>