dom/security/test/csp/test_bug909029.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

<!doctype html>
<html>
  <head>
    <title>Bug 909029 - CSP source-lists ignore some source expressions like 'unsafe-inline' when * or 'none' are used (e.g., style-src, script-src)</title>
    <script src="/tests/SimpleTest/SimpleTest.js"></script>
    <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
  </head>
  <body>
    <div id=content style="visibility:hidden">
      <iframe id=testframe1></iframe>
      <iframe id=testframe2></iframe>
    </div>
    <script class="testbody" type="text/javascript">
SimpleTest.waitForExplicitFinish();

window.tests = {
  starExternalStylesLoaded: -1,
  starExternalImgLoaded: -1,
  noneExternalStylesBlocked: -1,
  noneExternalImgLoaded: -1,
  starInlineStyleAllowed: -1,
  starInlineScriptBlocked: -1,
  noneInlineStyleAllowed: -1,
  noneInlineScriptBlocked: -1
}

function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}
examiner.prototype  = {
  observe(subject, topic, data) {
    var testpat = new RegExp("testid=([a-zA-Z]+)");

    if (topic === "specialpowers-http-notify-request") {
      var uri = data;
      if (!testpat.test(uri)) return;
      var testid = testpat.exec(uri)[1];
      window.testResult(testid,
                        /Loaded/.test(testid),
                        "resource loaded");
    }

    if(topic === "csp-on-violate-policy") {
      // these were blocked... record that they were blocked
      // try because the subject could be an nsIURI or an nsISupportsCString
      try {
        var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
        if (!testpat.test(asciiSpec)) return;
        var testid = testpat.exec(asciiSpec)[1];
        window.testResult(testid,
                          /Blocked/.test(testid),
                          "resource blocked by CSP");
      } catch(e) {
        // if that fails, the subject is probably a string. Strings are only
        // reported for inline and eval violations. Since we are testing those
        // via the observed effects of script on CSSOM, we can simply ignore
        // these subjects.
      }
    }
  },

  // must eventually call this to remove the listener,
  // or mochitests might get borked.
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
}

window.examiner = new examiner();

window.testResult = function(testname, result, msg) {
  //dump("in testResult: testname = " + testname + "\n");

  //test already complete.... forget it... remember the first result.
  if (window.tests[testname] != -1)
    return;

  window.tests[testname] = result;
  is(result, true, testname + ' test: ' + msg);

  // if any test is incomplete, keep waiting
  for (var v in window.tests)
    if(tests[v] == -1)
      return;

  // ... otherwise, finish
  window.examiner.remove();
  SimpleTest.finish();
}

// Helpers for inline script/style checks
var black = 'rgb(0, 0, 0)';
var green = 'rgb(0, 128, 0)';
function getElementColorById(doc, id) {
  return window.getComputedStyle(doc.contentDocument.getElementById(id)).color;
}

function checkInlineWithStar() {
  var testframe = document.getElementById('testframe1');
  window.testResult("starInlineStyleAllowed",
                    getElementColorById(testframe, 'inline-style') === green,
                    "Inline styles should be allowed (style-src 'unsafe-inline' with star)");
  window.testResult("starInlineScriptBlocked",
                    getElementColorById(testframe, 'inline-script') === black,
                    "Inline scripts should be blocked (style-src 'unsafe-inline' with star)");
}

function checkInlineWithNone() {
  // If a directive has 'none' in addition to other sources, 'none' is ignored
  // and the other sources are used. 'none' is only a valid source if it is
  // used by itself.
  var testframe = document.getElementById('testframe2');
  window.testResult("noneInlineStyleAllowed",
                    getElementColorById(testframe, 'inline-style') === green,
                    "Inline styles should be allowed (style-src 'unsafe-inline' with none)");
  window.testResult("noneInlineScriptBlocked",
                    getElementColorById(testframe, 'inline-script') === black,
                    "Inline scripts should be blocked (style-src 'unsafe-inline' with none)");
}

document.getElementById('testframe1').src = 'file_bug909029_star.html';
document.getElementById('testframe1').addEventListener('load', checkInlineWithStar);
document.getElementById('testframe2').src = 'file_bug909029_none.html';
document.getElementById('testframe2').addEventListener('load', checkInlineWithNone);
    </script>
  </body>
</html>