1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>
<script class="testbody" type="text/javascript">
SimpleTest.waitForExplicitFinish();
/* Description of the test:
* We load scripts with a CSP of 'strict-dynamic' with valid
* and invalid nonces and make sure scripts are allowed/blocked
* accordingly. Different tests load inline and external scripts
* also using a CSP including http: and https: making sure
* other srcs are invalided by 'strict-dynamic'.
*/
var tests = [
{
desc: "strict-dynamic with valid nonce should be allowed",
result: "allowed",
file: "file_strict_dynamic_script_extern.html",
policy: "script-src 'strict-dynamic' 'nonce-foo' https: 'none' 'self'"
},
{
desc: "strict-dynamic with invalid nonce should be blocked",
result: "blocked",
file: "file_strict_dynamic_script_extern.html",
policy: "script-src 'strict-dynamic' 'nonce-bar' http: http://example.com"
},
{
desc: "strict-dynamic, allowlist and invalid nonce should be blocked",
result: "blocked",
file: "file_strict_dynamic_script_extern.html",
policy: "script-src 'strict-dynamic' 'nonce-bar' 'unsafe-inline' http: http://example.com"
},
{
desc: "strict-dynamic with no 'nonce-' should be blocked",
result: "blocked",
file: "file_strict_dynamic_script_extern.html",
policy: "script-src 'strict-dynamic'"
},
// inline scripts
{
desc: "strict-dynamic with valid nonce should be allowed",
result: "allowed",
file: "file_strict_dynamic_script_inline.html",
policy: "script-src 'strict-dynamic' 'nonce-foo' https: 'none' 'self'"
},
{
desc: "strict-dynamic with invalid nonce should be blocked",
result: "blocked",
file: "file_strict_dynamic_script_inline.html",
policy: "script-src 'strict-dynamic' 'nonce-bar' http: http://example.com"
},
{
desc: "strict-dynamic, unsafe-inline and invalid nonce should be blocked",
result: "blocked",
file: "file_strict_dynamic_script_inline.html",
policy: "script-src 'strict-dynamic' 'nonce-bar' 'unsafe-inline' http: http://example.com"
},
{
desc: "strict-dynamic with no 'nonce-' should be blocked",
result: "blocked",
file: "file_strict_dynamic_script_inline.html",
policy: "script-src 'strict-dynamic'"
},
{
desc: "strict-dynamic with DOM events should be blocked",
result: "blocked",
file: "file_strict_dynamic_script_events.html",
policy: "script-src 'strict-dynamic' 'nonce-foo'"
},
{
// marquee is a special snowflake
desc: "strict-dynamic with DOM events should be blocked (marquee)",
result: "blocked",
file: "file_strict_dynamic_script_events_marquee.html",
policy: "script-src 'strict-dynamic' 'nonce-foo'"
},
{
desc: "strict-dynamic with JS URLs should be blocked",
result: "blocked",
file: "file_strict_dynamic_js_url.html",
policy: "script-src 'strict-dynamic' 'nonce-foo'"
},
];
var counter = 0;
var curTest;
function loadNextTest() {
if (counter == tests.length) {
SimpleTest.finish();
return;
}
curTest = tests[counter++];
var src = "file_testserver.sjs?file=";
// append the file that should be served
src += escape("tests/dom/security/test/csp/" + curTest.file)
// append the CSP that should be used to serve the file
src += "&csp=" + escape(curTest.policy);
document.getElementById("testframe").addEventListener("load", test);
document.getElementById("testframe").src = src;
}
function test() {
try {
document.getElementById("testframe").removeEventListener('load', test);
var testframe = document.getElementById("testframe");
var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML;
is(divcontent, curTest.result, curTest.desc);
}
catch (e) {
ok(false, "ERROR: could not access content for test: '" + curTest.desc + "'");
}
loadNextTest();
}
// start running the tests
loadNextTest();
</script>
</body>
</html>
|
