diff options
Diffstat (limited to 'dom/security/test/sri')
40 files changed, 891 insertions, 0 deletions
diff --git a/dom/security/test/sri/file_bug_1271796.css b/dom/security/test/sri/file_bug_1271796.css new file mode 100644 index 0000000000..c0928f2cf0 --- /dev/null +++ b/dom/security/test/sri/file_bug_1271796.css @@ -0,0 +1,2 @@ +/*! Simple test for bug 1271796 */ +p::before { content: "\2014"; } diff --git a/dom/security/test/sri/iframe_script_crossdomain.html b/dom/security/test/sri/iframe_script_crossdomain.html new file mode 100644 index 0000000000..fe91834db5 --- /dev/null +++ b/dom/security/test/sri/iframe_script_crossdomain.html @@ -0,0 +1,135 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> +</head> +<body> +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> + +<script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + + window.hasCORSLoaded = false; + window.hasNonCORSLoaded = false; + + function good_nonsriLoaded() { + ok(true, "Non-eligible non-SRI resource was loaded correctly."); + } + function bad_nonsriBlocked() { + ok(false, "Non-eligible non-SRI resources should be loaded!"); + } + + function good_nonCORSInvalidBlocked() { + ok(true, "A non-CORS resource with invalid metadata was correctly blocked."); + } + function bad_nonCORSInvalidLoaded() { + ok(false, "Non-CORS resources with invalid metadata should be blocked!"); + } + + window.onerrorCalled = false; + window.onloadCalled = false; + + function bad_onloadCalled() { + window.onloadCalled = true; + } + + function good_onerrorCalled() { + window.onerrorCalled = true; + } + + function good_incorrect301Blocked() { + ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly."); + } + function bad_incorrect301Loaded() { + ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!"); + } + + function good_correct301Blocked() { + ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly."); + } + function bad_correct301Loaded() { + ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!"); + } + + function good_correctDataLoaded() { + ok(true, "Since data: URLs are same-origin, they should be loaded."); + } + function bad_correctDataBlocked() { + todo(false, "We should not block scripts in data: URIs!"); + } + function good_correctDataCORSLoaded() { + ok(true, "A data: URL with a CORS load was loaded correctly."); + } + function bad_correctDataCORSBlocked() { + ok(false, "We should not BLOCK scripts!"); + } + + window.onload = function() { + SimpleTest.finish() + } +</script> + +<!-- cors-enabled. should be loaded --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js" + crossorigin="" + integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script> + +<!-- not cors-enabled. should be blocked --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js" + crossorigin="anonymous" + integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94=" + onload="bad_onloadCalled()" + onerror="good_onerrorCalled()"></script> + +<!-- non-cors but not actually using SRI. should trigger onload --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js" + integrity=" " + onload="good_nonsriLoaded()" + onerror="bad_nonsriBlocked()"></script> + +<!-- non-cors with invalid metadata --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js" + integrity="sha256-bogus" + onload="bad_nonCORSInvalidLoaded()" + onerror="good_nonCORSInvalidBlocked()"></script> + +<!-- non-cors that's same-origin initially but redirected to another origin --> +<script src="script_301.js" + integrity="sha384-invalid" + onerror="good_incorrect301Blocked()" + onload="bad_incorrect301Loaded()"></script> + +<!-- non-cors that's same-origin initially but redirected to another origin --> +<script src="script_301.js" + integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3" + onerror="good_correct301Blocked()" + onload="bad_correct301Loaded()"></script> + +<!-- data: URLs are same-origin --> +<script src="data:,console.log('data:valid');" + integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg=" + onerror="bad_correctDataBlocked()" + onload="good_correctDataLoaded()"></script> + +<!-- not cors-enabled with data: URLs. should trigger onload --> +<script src="data:,console.log('data:valid');" + crossorigin="anonymous" + integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg=" + onerror="bad_correctDataCORSBlocked()" + onload="good_correctDataCORSLoaded()"></script> + +<script> + ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash"); + ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked"); + ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain"); + ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain"); +</script> +</body> +</html> diff --git a/dom/security/test/sri/iframe_script_sameorigin.html b/dom/security/test/sri/iframe_script_sameorigin.html new file mode 100644 index 0000000000..8c1994fec4 --- /dev/null +++ b/dom/security/test/sri/iframe_script_sameorigin.html @@ -0,0 +1,249 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + window.onload = function() { + SimpleTest.finish(); + } + </script> + <script> + function good_correctHashLoaded() { + ok(true, "A script was correctly loaded when integrity matched") + } + function bad_correctHashBlocked() { + ok(false, "We should load scripts with hashes that match!"); + } + + function good_correctHashArrayLoaded() { + ok(true, "A script was correctly loaded when one of the hashes in the integrity attribute matched") + } + function bad_correctHashArrayBlocked() { + ok(false, "We should load scripts with at least one hash that match!"); + } + + function good_emptyIntegrityLoaded() { + ok(true, "A script was correctly loaded when the integrity attribute was empty") + } + function bad_emptyIntegrityBlocked() { + ok(false, "We should load scripts with empty integrity attributes!"); + } + + function good_whitespaceIntegrityLoaded() { + ok(true, "A script was correctly loaded when the integrity attribute only contained whitespace") + } + function bad_whitespaceIntegrityBlocked() { + ok(false, "We should load scripts with integrity attributes containing only whitespace!"); + } + + function good_incorrectHashBlocked() { + ok(true, "A script was correctly blocked, because the hash digest was wrong"); + } + function bad_incorrectHashLoaded() { + ok(false, "We should not load scripts with hashes that do not match the content!"); + } + + function good_incorrectHashArrayBlocked() { + ok(true, "A script was correctly blocked, because all the hashes were wrong"); + } + function bad_incorrectHashArrayLoaded() { + ok(false, "We should not load scripts when none of the hashes match the content!"); + } + + function good_incorrectHashLengthBlocked() { + ok(true, "A script was correctly blocked, because the hash length was wrong"); + } + function bad_incorrectHashLengthLoaded() { + ok(false, "We should not load scripts with hashes that don't have the right length!"); + } + + function bad_incorrectHashFunctionBlocked() { + ok(false, "We should load scripts with invalid/unsupported hash functions!"); + } + function good_incorrectHashFunctionLoaded() { + ok(true, "A script was correctly loaded, despite the hash function being invalid/unsupported."); + } + + function bad_missingHashFunctionBlocked() { + ok(false, "We should load scripts with missing hash functions!"); + } + function good_missingHashFunctionLoaded() { + ok(true, "A script was correctly loaded, despite a missing hash function."); + } + + function bad_missingHashValueBlocked() { + ok(false, "We should load scripts with missing hash digests!"); + } + function good_missingHashValueLoaded() { + ok(true, "A script was correctly loaded, despite the missing hash digest."); + } + + function good_401Blocked() { + ok(true, "A script was not loaded because of 401 response."); + } + function bad_401Loaded() { + ok(false, "We should nt load scripts with a 401 response!"); + } + + function good_valid302Loaded() { + ok(true, "A script was loaded successfully despite a 302 response."); + } + function bad_valid302Blocked() { + ok(false, "We should load scripts with a 302 response and the right hash!"); + } + + function good_invalid302Blocked() { + ok(true, "A script was blocked successfully after a 302 response."); + } + function bad_invalid302Loaded() { + ok(false, "We should not load scripts with a 302 response and the wrong hash!"); + } + + function good_validBlobLoaded() { + ok(true, "A script was loaded successfully from a blob: URL."); + } + function bad_validBlobBlocked() { + ok(false, "We should load scripts using blob: URLs with the right hash!"); + } + + function good_invalidBlobBlocked() { + ok(true, "A script was blocked successfully from a blob: URL."); + } + function bad_invalidBlobLoaded() { + ok(false, "We should not load scripts using blob: URLs with the wrong hash!"); + } +</script> +</head> +<body> + <!-- valid hash. should trigger onload --> + <!-- the hash value comes from running this command: + cat script.js | openssl dgst -sha256 -binary | openssl enc -base64 -A + --> + <script src="script.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"></script> + + <!-- valid sha512 hash. should trigger onload --> + <script src="script.js" + integrity="sha512-mzSqH+vC6qrXX46JX2WEZ0FtY/lGj/5+5yYCBlk0jfYHLm0vP6XgsURbq83mwMApsnwbDLXdgjp5J8E93GT6Mw==?ignore=this" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"></script> + + <!-- one valid sha256 hash. should trigger onload --> + <script src="script.js" + integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_correctHashArrayBlocked()" + onload="good_correctHashArrayLoaded()"></script> + + <!-- empty integrity. should trigger onload --> + <script src="script.js" + integrity="" + onerror="bad_emptyIntegrityBlocked()" + onload="good_emptyIntegrityLoaded()"></script> + + <!-- whitespace integrity. should trigger onload --> + <script src="script.js" + integrity=" + +" + onerror="bad_whitespaceIntegrityBlocked()" + onload="good_whitespaceIntegrityLoaded()"></script> + + <!-- invalid sha256 hash but valid sha384 hash. should trigger onload --> + <script src="script.js" + integrity="sha256-bogus sha384-zDCkvKOHXk8mM6Nk07oOGXGME17PA4+ydFw+hq0r9kgF6ZDYFWK3fLGPEy7FoOAo?" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"></script> + + <!-- valid sha256 and invalid sha384. should trigger onerror --> + <script src="script.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha384-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_incorrectHashLengthBlocked()" + onload="bad_incorrectHashLengthLoaded()"></script> + + <!-- invalid hash. should trigger onerror --> + <script src="script.js" + integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"></script> + + <!-- invalid hashes. should trigger onerror --> + <script src="script.js" + integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-ZkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-zkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"></script> + + <!-- invalid hash function. should trigger onload --> + <script src="script.js" + integrity="rot13-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_incorrectHashFunctionBlocked()" + onload="good_incorrectHashFunctionLoaded()"></script> + + <!-- missing hash function. should trigger onload --> + <script src="script.js" + integrity="RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_missingHashFunctionBlocked()" + onload="good_missingHashFunctionLoaded()"></script> + + <!-- missing hash value. should trigger onload --> + <script src="script.js" + integrity="sha512-" + onerror="bad_missingHashValueBlocked()" + onload="good_missingHashValueLoaded()"></script> + + <!-- 401 response. should trigger onerror --> + <script src="script_401.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_401Blocked()" + onload="bad_401Loaded()"></script> + + <!-- valid sha256 after a redirection. should trigger onload --> + <script src="script_302.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_valid302Blocked()" + onload="good_valid302Loaded()"></script> + + <!-- invalid sha256 after a redirection. should trigger onerror --> + <script src="script_302.js" + integrity="sha256-JSi74NSN8WQNr9syBGmNg2APJp9PnHUO5ioZo5hmIiQ=" + onerror="good_invalid302Blocked()" + onload="bad_invalid302Loaded()"></script> + + <!-- valid sha256 for a blob: URL --> + <script> + var blob = new Blob(["console.log('blob:valid');"], + {type:"application/javascript"}); + var script = document.createElement('script'); + script.setAttribute('src', URL.createObjectURL(blob)); + script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ='); + script.onerror = bad_validBlobBlocked; + script.onload = good_validBlobLoaded; + var head = document.getElementsByTagName('head').item(0); + head.appendChild(script); + </script> + + <!-- invalid sha256 for a blob: URL --> + <script> + var blob = new Blob(["console.log('blob:invalid');"], + {type:"application/javascript"}); + var script = document.createElement('script'); + script.setAttribute('src', URL.createObjectURL(blob)); + script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ='); + script.onerror = good_invalidBlobBlocked; + script.onload = bad_invalidBlobLoaded; + var head = document.getElementsByTagName('head').item(0); + head.appendChild(script); + </script> + +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> +</body> +</html> diff --git a/dom/security/test/sri/iframe_style_crossdomain.html b/dom/security/test/sri/iframe_style_crossdomain.html new file mode 100644 index 0000000000..f5eb57cbe7 --- /dev/null +++ b/dom/security/test/sri/iframe_style_crossdomain.html @@ -0,0 +1,117 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + function check_styles() { + var redText = document.getElementById('red-text'); + var greenText = document.getElementById('green-text'); + var blueText = document.getElementById('blue-text'); + var redTextColor = window.getComputedStyle(redText).getPropertyValue('color'); + var greenTextColor = window.getComputedStyle(greenText).getPropertyValue('color'); + var blueTextColor = window.getComputedStyle(blueText).getPropertyValue('color'); + ok(redTextColor == 'rgb(255, 0, 0)', "The first part should be red."); + ok(greenTextColor == 'rgb(0, 255, 0)', "The second part should be green."); + ok(blueTextColor == 'rgb(0, 0, 255)', "The third part should be blue."); + } + + SimpleTest.waitForExplicitFinish(); + window.onload = function() { + check_styles(); + SimpleTest.finish(); + } + </script> + <script> + function good_correctHashCORSLoaded() { + ok(true, "A CORS cross-domain stylesheet with correct hash was correctly loaded."); + } + function bad_correctHashCORSBlocked() { + ok(false, "We should load CORS cross-domain stylesheets with hashes that match!"); + } + function good_correctHashBlocked() { + ok(true, "A non-CORS cross-domain stylesheet with correct hash was correctly blocked."); + } + function bad_correctHashLoaded() { + ok(false, "We should block non-CORS cross-domain stylesheets with hashes that match!"); + } + + function good_incorrectHashBlocked() { + ok(true, "A non-CORS cross-domain stylesheet with incorrect hash was correctly blocked."); + } + function bad_incorrectHashLoaded() { + ok(false, "We should load non-CORS cross-domain stylesheets with incorrect hashes!"); + } + + function bad_correctDataBlocked() { + ok(false, "We should not block non-CORS cross-domain stylesheets in data: URI!"); + } + function good_correctDataLoaded() { + ok(true, "A non-CORS cross-domain stylesheet with data: URI was correctly loaded."); + } + function bad_correctDataCORSBlocked() { + ok(false, "We should not block CORS stylesheets in data: URI!"); + } + function good_correctDataCORSLoaded() { + ok(true, "A CORS stylesheet with data: URI was correctly loaded."); + } + + function good_correctHashOpaqueBlocked() { + ok(true, "A non-CORS(Opaque) cross-domain stylesheet with correct hash was correctly blocked."); + } + function bad_correctHashOpaqueLoaded() { + ok(false, "We should not load non-CORS(Opaque) cross-domain stylesheets with correct hashes!"); + } + </script> + + <!-- valid CORS sha256 hash --> + <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css" + crossorigin="anonymous" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="bad_correctHashCORSBlocked()" + onload="good_correctHashCORSLoaded()"> + + <!-- valid non-CORS sha256 hash --> + <link rel="stylesheet" href="style_301.css" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="good_correctHashBlocked()" + onload="bad_correctHashLoaded()"> + + <!-- invalid non-CORS sha256 hash --> + <link rel="stylesheet" href="style_301.css?again" + integrity="sha256-bogus" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"> + + <!-- valid non-CORS sha256 hash in a data: URL --> + <link rel="stylesheet" href="data:text/css,.green-text{color:rgb(0, 255, 0)}" + integrity="sha256-EhVtGGyovvffvYdhyqJxUJ/ekam7zlxxo46iM13cwP0=" + onerror="bad_correctDataBlocked()" + onload="good_correctDataLoaded()"> + + <!-- valid CORS sha256 hash in a data: URL --> + <link rel="stylesheet" href="data:text/css,.blue-text{color:rgb(0, 0, 255)}" + crossorigin="anonymous" + integrity="sha256-m0Fs2hNSyPOn1030Dp+c8pJFHNmwpeTbB+8J/DcqLss=" + onerror="bad_correctDataCORSBlocked()" + onload="good_correctDataCORSLoaded()"> + + <!-- valid non-CORS sha256 hash --> + <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="good_correctHashOpaqueBlocked()" + onload="bad_correctHashOpaqueLoaded()"> +</head> +<body> +<p><span id="red-text">This should be red</span> but + <span id="green-text" class="green-text">this should be green</span> and + <span id="blue-text" class="blue-text">this should be blue</span></p> +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> +</body> +</html> diff --git a/dom/security/test/sri/iframe_style_sameorigin.html b/dom/security/test/sri/iframe_style_sameorigin.html new file mode 100644 index 0000000000..52ebd10d9b --- /dev/null +++ b/dom/security/test/sri/iframe_style_sameorigin.html @@ -0,0 +1,164 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + function check_styles() { + var redText = document.getElementById('red-text'); + var blueText = document.getElementById('blue-text-element'); + var blackText1 = document.getElementById('black-text'); + var blackText2 = document.getElementById('black-text-2'); + var redTextColor = window.getComputedStyle(redText).getPropertyValue('color'); + var blueTextColor = window.getComputedStyle(blueText).getPropertyValue('color'); + var blackTextColor1 = window.getComputedStyle(blackText1).getPropertyValue('color'); + var blackTextColor2 = window.getComputedStyle(blackText2).getPropertyValue('color'); + ok(redTextColor == 'rgb(255, 0, 0)', "The first part should be red."); + ok(blueTextColor == 'rgb(0, 0, 255)', "The second part should be blue."); + ok(blackTextColor1 == 'rgb(0, 0, 0)', "The second last part should still be black."); + ok(blackTextColor2 == 'rgb(0, 0, 0)', "The last part should still be black."); + } + + SimpleTest.waitForExplicitFinish(); + window.onload = function() { + check_styles(); + SimpleTest.finish(); + } + </script> + <script> + function good_correctHashLoaded() { + ok(true, "A stylesheet was correctly loaded when integrity matched"); + } + function bad_correctHashBlocked() { + ok(false, "We should load stylesheets with hashes that match!"); + } + + function good_emptyIntegrityLoaded() { + ok(true, "A stylesheet was correctly loaded when the integrity attribute was empty"); + } + function bad_emptyIntegrityBlocked() { + ok(false, "We should load stylesheets with empty integrity attributes!"); + } + + function good_incorrectHashBlocked() { + ok(true, "A stylesheet was correctly blocked, because the hash digest was wrong"); + } + function bad_incorrectHashLoaded() { + ok(false, "We should not load stylesheets with hashes that do not match the content!"); + } + + function good_validBlobLoaded() { + ok(true, "A stylesheet was loaded successfully from a blob: URL with the right hash."); + } + function bad_validBlobBlocked() { + ok(false, "We should load stylesheets using blob: URLs with the right hash!"); + } + function good_invalidBlobBlocked() { + ok(true, "A stylesheet was blocked successfully from a blob: URL with an invalid hash."); + } + function bad_invalidBlobLoaded() { + ok(false, "We should not load stylesheets using blob: URLs when they have the wrong hash!"); + } + + function good_correctUTF8HashLoaded() { + ok(true, "A UTF8 stylesheet was correctly loaded when integrity matched"); + } + function bad_correctUTF8HashBlocked() { + ok(false, "We should load UTF8 stylesheets with hashes that match!"); + } + function good_correctUTF8BOMHashLoaded() { + ok(true, "A UTF8 stylesheet (with BOM) was correctly loaded when integrity matched"); + } + function bad_correctUTF8BOMHashBlocked() { + ok(false, "We should load UTF8 (with BOM) stylesheets with hashes that match!"); + } + function good_correctUTF8ishHashLoaded() { + ok(true, "A UTF8ish stylesheet was correctly loaded when integrity matched"); + } + function bad_correctUTF8ishHashBlocked() { + ok(false, "We should load UTF8ish stylesheets with hashes that match!"); + } + </script> + + <!-- valid sha256 hash. should trigger onload --> + <link rel="stylesheet" href="style1.css" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"> + + <!-- empty metadata. should trigger onload --> + <link rel="stylesheet" href="style2.css" + integrity="" + onerror="bad_emptyIntegrityBlocked()" + onload="good_emptyIntegrityLoaded()"> + + <!-- invalid sha256 hash. should trigger onerror --> + <link rel="stylesheet" href="style3.css" + integrity="sha256-bogus" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"> + + <!-- valid sha384 hash of a utf8 file. should trigger onload --> + <link rel="stylesheet" href="style4.css" + integrity="sha384-13rt+j7xMDLhohLukb7AZx8lDGS3hkahp0IoeuyvxSNVPyc1QQmTDcwXGhQZjoMH" + onerror="bad_correctUTF8HashBlocked()" + onload="good_correctUTF8HashLoaded()"> + + <!-- valid sha384 hash of a utf8 file with a BOM. should trigger onload --> + <link rel="stylesheet" href="style5.css" + integrity="sha384-udAqVKPIHf/OD1isAYKrgzsog/3Q6lSEL2nKhtLSTmHryiae0+y6x1akeTzEF446" + onerror="bad_correctUTF8BOMHashBlocked()" + onload="good_correctUTF8BOMHashLoaded()"> + + <!-- valid sha384 hash of a utf8 file with the wrong charset. should trigger onload --> + <link rel="stylesheet" href="style6.css" + integrity="sha384-Xli4ROFoVGCiRgXyl7y8jv5Vm2yuqj+8tkNL3cUI7AHaCocna75JLs5xID437W6C" + onerror="bad_correctUTF8ishHashBlocked()" + onload="good_correctUTF8ishHashLoaded()"> +</head> +<body> + +<!-- valid sha256 for a blob: URL --> +<script> + var blob = new Blob(['.blue-text{color:blue}'], + {type: 'text/css'}); + var link = document.createElement('link'); + link.rel = 'stylesheet'; + link.href = window.URL.createObjectURL(blob); + link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM='); + link.onerror = bad_validBlobBlocked; + link.onload = good_validBlobLoaded; + document.body.appendChild(link); +</script> + +<!-- invalid sha256 for a blob: URL --> +<script> + var blob = new Blob(['.black-text{color:blue}'], + {type: 'text/css'}); + var link = document.createElement('link'); + link.rel = 'stylesheet'; + link.href = window.URL.createObjectURL(blob); + link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM='); + link.onerror = good_invalidBlobBlocked; + link.onload = bad_invalidBlobLoaded; + document.body.appendChild(link); +</script> + +<p><span id="red-text">This should be red </span>, + <span id="purple-text">this should be purple</span>, + <span id="brown-text">this should be brown</span>, + <span id="orange-text">this should be orange</span>, and + <span class="blue-text" id="blue-text-element">this should be blue.</span> + However, <span id="black-text">this should stay black</span> and + <span class="black-text" id="black-text-2">this should also stay black.</span> +</p> + +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> +</body> +</html> diff --git a/dom/security/test/sri/mochitest.ini b/dom/security/test/sri/mochitest.ini new file mode 100644 index 0000000000..38bbc5f98e --- /dev/null +++ b/dom/security/test/sri/mochitest.ini @@ -0,0 +1,46 @@ +[DEFAULT] +support-files = + file_bug_1271796.css + iframe_script_crossdomain.html + iframe_script_sameorigin.html + iframe_style_crossdomain.html + iframe_style_sameorigin.html + script_crossdomain1.js + script_crossdomain1.js^headers^ + script_crossdomain2.js + script_crossdomain3.js + script_crossdomain3.js^headers^ + script_crossdomain4.js + script_crossdomain4.js^headers^ + script_crossdomain5.js + script_crossdomain5.js^headers^ + script.js + script.js^headers^ + script_301.js + script_301.js^headers^ + script_302.js + script_302.js^headers^ + script_401.js + script_401.js^headers^ + style1.css + style1.css^headers^ + style2.css + style3.css + style4.css + style4.css^headers^ + style5.css + style6.css + style6.css^headers^ + style_301.css + style_301.css^headers^ + +[test_script_sameorigin.html] +[test_script_crossdomain.html] +skip-if = + http3 +[test_style_crossdomain.html] +skip-if = + http3 +[test_style_sameorigin.html] +[test_bug_1271796.html] +[test_bug_1364262.html] diff --git a/dom/security/test/sri/script.js b/dom/security/test/sri/script.js new file mode 100644 index 0000000000..8fd8f96b2f --- /dev/null +++ b/dom/security/test/sri/script.js @@ -0,0 +1 @@ +var load=true; diff --git a/dom/security/test/sri/script.js^headers^ b/dom/security/test/sri/script.js^headers^ new file mode 100644 index 0000000000..b77232d81d --- /dev/null +++ b/dom/security/test/sri/script.js^headers^ @@ -0,0 +1 @@ +Cache-control: public diff --git a/dom/security/test/sri/script_301.js b/dom/security/test/sri/script_301.js new file mode 100644 index 0000000000..9a95de77cf --- /dev/null +++ b/dom/security/test/sri/script_301.js @@ -0,0 +1 @@ +var load=false; diff --git a/dom/security/test/sri/script_301.js^headers^ b/dom/security/test/sri/script_301.js^headers^ new file mode 100644 index 0000000000..efbfb73346 --- /dev/null +++ b/dom/security/test/sri/script_301.js^headers^ @@ -0,0 +1,2 @@ +HTTP 301 Moved Permanently +Location: http://example.com/tests/dom/security/test/sri/script_crossdomain5.js diff --git a/dom/security/test/sri/script_302.js b/dom/security/test/sri/script_302.js new file mode 100644 index 0000000000..9a95de77cf --- /dev/null +++ b/dom/security/test/sri/script_302.js @@ -0,0 +1 @@ +var load=false; diff --git a/dom/security/test/sri/script_302.js^headers^ b/dom/security/test/sri/script_302.js^headers^ new file mode 100644 index 0000000000..05a545a6a1 --- /dev/null +++ b/dom/security/test/sri/script_302.js^headers^ @@ -0,0 +1,2 @@ +HTTP 302 Found +Location: /tests/dom/security/test/sri/script.js diff --git a/dom/security/test/sri/script_401.js b/dom/security/test/sri/script_401.js new file mode 100644 index 0000000000..8fd8f96b2f --- /dev/null +++ b/dom/security/test/sri/script_401.js @@ -0,0 +1 @@ +var load=true; diff --git a/dom/security/test/sri/script_401.js^headers^ b/dom/security/test/sri/script_401.js^headers^ new file mode 100644 index 0000000000..889fbe081a --- /dev/null +++ b/dom/security/test/sri/script_401.js^headers^ @@ -0,0 +1,2 @@ +HTTP 401 Authorization Required +Cache-control: public diff --git a/dom/security/test/sri/script_crossdomain1.js b/dom/security/test/sri/script_crossdomain1.js new file mode 100644 index 0000000000..1f17a6db24 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain1.js @@ -0,0 +1,4 @@ +/* + * this file should be loaded, because it has CORS enabled. +*/ +window.hasCORSLoaded = true; diff --git a/dom/security/test/sri/script_crossdomain1.js^headers^ b/dom/security/test/sri/script_crossdomain1.js^headers^ new file mode 100644 index 0000000000..3a6a85d894 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain1.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/script_crossdomain2.js b/dom/security/test/sri/script_crossdomain2.js new file mode 100644 index 0000000000..4b0208ab34 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain2.js @@ -0,0 +1,5 @@ +/* + * this file should not be loaded, because it does not have CORS + * enabled. + */ +window.hasNonCORSLoaded = true; diff --git a/dom/security/test/sri/script_crossdomain3.js b/dom/security/test/sri/script_crossdomain3.js new file mode 100644 index 0000000000..eed05d59b7 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain3.js @@ -0,0 +1 @@ +// This script intentionally left blank diff --git a/dom/security/test/sri/script_crossdomain3.js^headers^ b/dom/security/test/sri/script_crossdomain3.js^headers^ new file mode 100644 index 0000000000..3a6a85d894 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain3.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/script_crossdomain4.js b/dom/security/test/sri/script_crossdomain4.js new file mode 100644 index 0000000000..eed05d59b7 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain4.js @@ -0,0 +1 @@ +// This script intentionally left blank diff --git a/dom/security/test/sri/script_crossdomain4.js^headers^ b/dom/security/test/sri/script_crossdomain4.js^headers^ new file mode 100644 index 0000000000..3a6a85d894 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain4.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/script_crossdomain5.js b/dom/security/test/sri/script_crossdomain5.js new file mode 100644 index 0000000000..eed05d59b7 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain5.js @@ -0,0 +1 @@ +// This script intentionally left blank diff --git a/dom/security/test/sri/script_crossdomain5.js^headers^ b/dom/security/test/sri/script_crossdomain5.js^headers^ new file mode 100644 index 0000000000..cb762eff80 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain5.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: * diff --git a/dom/security/test/sri/style1.css b/dom/security/test/sri/style1.css new file mode 100644 index 0000000000..c7ab9ecffa --- /dev/null +++ b/dom/security/test/sri/style1.css @@ -0,0 +1,3 @@ +#red-text { + color: red; +} diff --git a/dom/security/test/sri/style1.css^headers^ b/dom/security/test/sri/style1.css^headers^ new file mode 100644 index 0000000000..3a6a85d894 --- /dev/null +++ b/dom/security/test/sri/style1.css^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/style2.css b/dom/security/test/sri/style2.css new file mode 100644 index 0000000000..9eece75e5b --- /dev/null +++ b/dom/security/test/sri/style2.css @@ -0,0 +1 @@ +; A valid but somewhat uninteresting stylesheet diff --git a/dom/security/test/sri/style3.css b/dom/security/test/sri/style3.css new file mode 100644 index 0000000000..b64fa3b749 --- /dev/null +++ b/dom/security/test/sri/style3.css @@ -0,0 +1,3 @@ +#black-text { + color: green; +} diff --git a/dom/security/test/sri/style4.css b/dom/security/test/sri/style4.css new file mode 100644 index 0000000000..eab83656ed --- /dev/null +++ b/dom/security/test/sri/style4.css @@ -0,0 +1,4 @@ +/* François was here. */ +#purple-text { + color: purple; +} diff --git a/dom/security/test/sri/style4.css^headers^ b/dom/security/test/sri/style4.css^headers^ new file mode 100644 index 0000000000..e13897f157 --- /dev/null +++ b/dom/security/test/sri/style4.css^headers^ @@ -0,0 +1 @@ +Content-Type: text/css; charset=utf-8 diff --git a/dom/security/test/sri/style5.css b/dom/security/test/sri/style5.css new file mode 100644 index 0000000000..5d59134cc6 --- /dev/null +++ b/dom/security/test/sri/style5.css @@ -0,0 +1,4 @@ +/* François was here. */ +#orange-text { + color: orange; +} diff --git a/dom/security/test/sri/style6.css b/dom/security/test/sri/style6.css new file mode 100644 index 0000000000..569557694d --- /dev/null +++ b/dom/security/test/sri/style6.css @@ -0,0 +1,4 @@ +/* François was here. */ +#brown-text { + color: brown; +} diff --git a/dom/security/test/sri/style6.css^headers^ b/dom/security/test/sri/style6.css^headers^ new file mode 100644 index 0000000000..d866aa5224 --- /dev/null +++ b/dom/security/test/sri/style6.css^headers^ @@ -0,0 +1 @@ +Content-Type: text/css; charset=iso-8859-8 diff --git a/dom/security/test/sri/style_301.css b/dom/security/test/sri/style_301.css new file mode 100644 index 0000000000..c7ab9ecffa --- /dev/null +++ b/dom/security/test/sri/style_301.css @@ -0,0 +1,3 @@ +#red-text { + color: red; +} diff --git a/dom/security/test/sri/style_301.css^headers^ b/dom/security/test/sri/style_301.css^headers^ new file mode 100644 index 0000000000..c5b78ee04b --- /dev/null +++ b/dom/security/test/sri/style_301.css^headers^ @@ -0,0 +1,2 @@ +HTTP 301 Moved Permanently +Location: http://example.com/tests/dom/security/test/sri/style1.css diff --git a/dom/security/test/sri/test_bug_1271796.html b/dom/security/test/sri/test_bug_1271796.html new file mode 100644 index 0000000000..9c74cc64ea --- /dev/null +++ b/dom/security/test/sri/test_bug_1271796.html @@ -0,0 +1,30 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + + function good_shouldLoadEncodingProblem() { + ok(true, "Problematically encoded file correctly loaded.") + }; + function bad_shouldntEncounterBug1271796() { + ok(false, "Problematically encoded should load!") + } + window.onload = function() { + SimpleTest.finish(); + } + </script> + <link rel="stylesheet" href="file_bug_1271796.css" crossorigin="anonymous" + integrity="sha384-8Xl0mTN4S2QZ5xeliG1sd4Ar9o1xMw6JoJy9RNjyHGQDha7GiLxo8l1llwLVgTNG" + onload="good_shouldLoadEncodingProblem();" + onerror="bad_shouldntEncounterBug1271796();"> +</head> +<body> +<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1271796">Bug 1271796</a><br> +<p>This text is prepended by emdash if css has loaded</p> +</body> +</html> diff --git a/dom/security/test/sri/test_bug_1364262.html b/dom/security/test/sri/test_bug_1364262.html new file mode 100644 index 0000000000..cf77c7dac1 --- /dev/null +++ b/dom/security/test/sri/test_bug_1364262.html @@ -0,0 +1,34 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + SimpleTest.setExpected(["pass", 1]); + + function good_correctlyBlockedStylesheet() { + ok(true, "Non-base64 hash blocked the load.") + }; + function bad_shouldNotLoadStylesheet() { + ok(false, "Non-base64 hashes should not load!") + } + window.onload = function() { + SimpleTest.finish(); + } + + let link = document.createElement('link'); + document.head.appendChild(link); + link.setAttribute('rel', 'stylesheet'); + link.onerror = good_correctlyBlockedStylesheet; + link.onload = bad_shouldNotLoadStylesheet; + link.integrity = 'sha512-\uD89D\uDF05\uD89D\uDEE6'; + link.setAttribute('href', 'data:text/css;small[contenteditable^="false"], summary { }'); + </script> +</head> +<body> + <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1364262">Bug 1364262</a> +</body> +</html> diff --git a/dom/security/test/sri/test_script_crossdomain.html b/dom/security/test/sri/test_script_crossdomain.html new file mode 100644 index 0000000000..2f9b27bfa4 --- /dev/null +++ b/dom/security/test/sri/test_script_crossdomain.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Cross-domain script tests for Bug 992096</title> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a> +<div> + <iframe src="iframe_script_crossdomain.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> diff --git a/dom/security/test/sri/test_script_sameorigin.html b/dom/security/test/sri/test_script_sameorigin.html new file mode 100644 index 0000000000..d975132a2e --- /dev/null +++ b/dom/security/test/sri/test_script_sameorigin.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Same-origin script tests for Bug 992096</title> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a> +<div> + <iframe src="iframe_script_sameorigin.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> diff --git a/dom/security/test/sri/test_style_crossdomain.html b/dom/security/test/sri/test_style_crossdomain.html new file mode 100644 index 0000000000..eb4dac4cc4 --- /dev/null +++ b/dom/security/test/sri/test_style_crossdomain.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Cross-domain stylesheet tests for Bug 1196740</title> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1196740">Mozilla Bug 1196740</a> +<div> + <iframe src="iframe_style_crossdomain.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> diff --git a/dom/security/test/sri/test_style_sameorigin.html b/dom/security/test/sri/test_style_sameorigin.html new file mode 100644 index 0000000000..9b85eaf71b --- /dev/null +++ b/dom/security/test/sri/test_style_sameorigin.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Same-origin stylesheet tests for Bug 992096</title> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a> +<div> + <iframe src="iframe_style_sameorigin.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> |