Bug 1370468 - frame-ancestor tests added for userpass r=ckerschb,fkiefer
authorvinoth <cegvinoth@gmail.com>
Wed, 30 Aug 2017 15:58:20 +0200
changeset 401226 39716502b1f1454ed21b72cf577e5da2770dc08c
parent 401225 4a354c4ded0630dede088c0374f406c6dc556f1c
child 401227 c42ad5edc8833c30c2cedcc3229ce66784f237d9
push id58767
push userfranziskuskiefer@gmail.com
push dateMon, 29 Jan 2018 12:03:50 +0000
reviewersckerschb, fkiefer
bugs1370468
milestone60.0a1
Bug 1370468 - frame-ancestor tests added for userpass r=ckerschb,fkiefer MozReview-Commit-ID: 4wW24JnxaKh
dom/security/test/csp/file_frameancestors_userpass.html
dom/security/test/csp/file_frameancestors_userpass_frame_a.html
dom/security/test/csp/file_frameancestors_userpass_frame_b.html
dom/security/test/csp/file_frameancestors_userpass_frame_c.html
dom/security/test/csp/file_frameancestors_userpass_frame_c.html^headers^
dom/security/test/csp/file_frameancestors_userpass_frame_d.html
dom/security/test/csp/file_frameancestors_userpass_frame_d.html^headers^
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_frameancestors_userpass.html
dom/security/test/gtest/TestCSPParser.cpp
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frameancestors_userpass.html
@@ -0,0 +1,10 @@
+<html>
+<head>
+  <title>CSP frame ancestors tests</title>
+</head>
+<body>
+  <tt>Nested Frames</tt><br/>
+  <iframe src='http://sampleuser:samplepass@mochi.test:8888/tests/dom/security/test/csp/file_frameancestors_userpass_frame_a.html'></iframe><br/>
+  <iframe src='http://sampleuser:samplepass@example.com/tests/dom/security/test/csp/file_frameancestors_userpass_frame_b.html'></iframe><br/>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frameancestors_userpass_frame_a.html
@@ -0,0 +1,12 @@
+<html>
+<head>
+  <title>Nested frame</title>
+  <script>
+  parent.parent.postMessage({call: "frameLoaded", testname: "frame_a", uri: window.location.toString()}, "*");
+  </script>
+</head>
+<body>
+  <tt>IFRAME A</tt><br/>
+  <iframe src='http://sampleuser:samplepass@mochi.test:8888/tests/dom/security/test/csp/file_frameancestors_userpass_frame_c.html'></iframe><br/>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frameancestors_userpass_frame_b.html
@@ -0,0 +1,12 @@
+<html>
+<head>
+  <title>Nested frame</title>
+  <script>
+  parent.parent.postMessage({call: "frameLoaded", testname: "frame_b", uri: window.location.toString()}, "*");
+  </script>
+</head>
+<body>
+  <tt>IFRAME B</tt><br/>
+  <iframe src='http://sampleuser:samplepass@example.com/tests/dom/security/test/csp/file_frameancestors_userpass_frame_d.html'></iframe><br/>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frameancestors_userpass_frame_c.html
@@ -0,0 +1,8 @@
+<html>
+<head>
+  <title>Nested frame</title>
+</head>
+<body>
+  Nested frame C content
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frameancestors_userpass_frame_c.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'none'; frame-ancestors http://mochi.test:8888/ ; script-src 'self';
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frameancestors_userpass_frame_d.html
@@ -0,0 +1,8 @@
+<html>
+<head>
+  <title>Nested frame</title>
+</head>
+<body>
+  Nested frame D content
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frameancestors_userpass_frame_d.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'none'; frame-ancestors http://sampleuser:samplepass@example.com/ ; script-src 'self';
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -26,16 +26,23 @@ support-files =
   file_evalscript_main_allowed.js
   file_evalscript_main.html
   file_evalscript_main.html^headers^
   file_evalscript_main_allowed.html
   file_evalscript_main_allowed.html^headers^
   file_frameancestors_main.html
   file_frameancestors_main.js
   file_frameancestors.sjs
+  file_frameancestors_userpass.html
+  file_frameancestors_userpass_frame_a.html
+  file_frameancestors_userpass_frame_b.html
+  file_frameancestors_userpass_frame_c.html
+  file_frameancestors_userpass_frame_c.html^headers^
+  file_frameancestors_userpass_frame_d.html
+  file_frameancestors_userpass_frame_d.html^headers^
   file_inlinescript.html
   file_inlinestyle_main.html
   file_inlinestyle_main.html^headers^
   file_inlinestyle_main_allowed.html
   file_inlinestyle_main_allowed.html^headers^
   file_invalid_source_expression.html
   file_main.html
   file_main.html^headers^
@@ -233,16 +240,17 @@ support-files =
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
 [test_bug885433.html]
 [test_bug888172.html]
 [test_evalscript.html]
 [test_frameancestors.html]
+[test_frameancestors_userpass.html]
 skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_inlinescript.html]
 [test_inlinestyle.html]
 [test_invalid_source_expression.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
 [test_redirects.html]
 [test_bug910139.html]
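Review bot: The new `[test_frameancestors_userpass.html]` section is inserted between `[test_frameancestors.html]` and its `skip-if = toolkit == 'android'` line, and manifest keys bind to the section immediately above them, so the Android skip now attaches to the new test while `test_frameancestors.html` starts running on Android, which the comment on that line says times out (bug 1008445). If the skip is meant only for the existing test, move the new section below the skip-if line; if the new test should be skipped too, give it its own `skip-if = toolkit == 'android'` line. Either way the placement should be deliberate rather than a side effect of alphabetical insertion.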
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_frameancestors_userpass.html
@@ -0,0 +1,141 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Userpass in Frame Ancestors directive</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<script class="testbody" type="text/javascript">
+
+// These are test results: -1 means it hasn't run,
+// true/false is the pass/fail result.
+var framesThatShouldLoad = {
+  frame_a: -1,    /* frame a allowed */
+  frame_b: -1,    /* frame b allowed */
+};
+
+// Number of tests that pass for this file should be 1
+var expectedViolationsLeft = 1;
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy");
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI... though could be null since CSP
+    // prohibits cross-origin URI reporting during frame ancestors checks.
+    if (subject && !SpecialPowers.can_QI(subject))
+      return;
+
+    var asciiSpec = subject;
+
+    try {
+      asciiSpec = SpecialPowers.getPrivilegedProps(
+                    SpecialPowers.do_QueryInterface(subject, "nsIURI"),
+                    "asciiSpec");
+
+      // skip checks on the test harness -- can't do this skipping for
+      // cross-origin blocking since the observer doesn't get the URI.  This
+      // can cause this test to over-succeed (but only in specific cases).
+      if (asciiSpec.includes("test_frameancestors_userpass.html")) {
+        return;
+      }
+    } catch (ex) {
+      // was not an nsIURI, so it was probably a cross-origin report.
+    }
+
+
+    if (topic === "csp-on-violate-policy") {
+      //these were blocked... record that they were blocked
+      window.frameBlocked(asciiSpec, data);
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+  }
+}
+
+// called when a frame is loaded
+// -- if it's not enumerated above, it should not load!
+var frameLoaded = function(testname, uri) {
+  //test already complete.... forget it... remember the first result.
+  if (window.framesThatShouldLoad[testname] != -1)
+    return;
+
+  if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
+    // uh-oh, we're not expecting this frame to load!
+    ok(false, testname + ' framed site should not have loaded: ' + uri);
+  } else {
+    //Check if @ symbol is there in URI.
+    if (uri.includes('@')) {
+      ok(false, ' URI contains userpass. Fetched URI is ' + uri);
+    } else {
+      framesThatShouldLoad[testname] = true;
+      ok(true, ' URI doesn\'t contain userpass. Fetched URI is ' + uri);
+    }
+  }
+  checkTestResults();
+}
+
+// called when a frame is blocked
+// -- we can't determine *which* frame was blocked, but at least we can count them
+var frameBlocked = function(uri, policy) {
+
+  //Check if @ symbol is there in URI or in csp policy.
+  if (policy.includes('@') || uri.includes('@')) {
+    ok(false, ' a CSP policy blocked frame from being loaded. But contains' +
+      ' userpass. Policy is: ' + policy + ';URI is: ' + uri );
+  } else {
+    ok(true, ' a CSP policy blocked frame from being loaded. Doesn\'t contain'+
+      ' userpass. Policy is: ' + policy + ';URI is: ' + uri );
+  }
+  expectedViolationsLeft--;
+  checkTestResults();
+}
+
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+  // if any test is incomplete, keep waiting
+  for (var v in framesThatShouldLoad)
+    if(window.framesThatShouldLoad[v] == -1)
+      return;
+
+  if (window.expectedViolationsLeft > 0)
+    return;
+
+  // ... otherwise, finish
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+window.addEventListener("message", receiveMessage);
+
+function receiveMessage(event) {
+  if (event.data.call && event.data.call == 'frameLoaded')
+    frameLoaded(event.data.testname, event.data.uri);
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+// save this for last so that our listeners are registered.
+// ... this loads the testbed of good and bad requests.
+document.getElementById('cspframe').src = 'file_frameancestors_userpass.html';
+
+</script>
+</pre>
+</body>
+</html>
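Review bot: The `</pre>` on the line after `</script>` closes an element this file never opens, so the markup is unbalanced; either drop that line or open the `<pre>` it was meant to close earlier in the body. Separately, `frameBlocked(uri, policy)` calls `uri.includes('@')`, but `observe` itself notes that `subject` may be null for cross-origin ancestor checks, in which case `asciiSpec` stays null, the `do_QueryInterface` call throws into the catch, and `uri.includes` then throws inside the observer; `expectedViolationsLeft` would presumably never reach 0 and the test would hang to timeout instead of reporting a result. A guard such as `if (policy.includes('@') || (uri && uri.includes('@')))` keeps the violation count moving in that path. The comment `// Number of tests that pass for this file should be 1` also describes the wrong thing for `expectedViolationsLeft` and would read better as `// Number of CSP violations this file expects: 1`.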
--- a/dom/security/test/gtest/TestCSPParser.cpp
+++ b/dom/security/test/gtest/TestCSPParser.cpp
@@ -797,16 +797,18 @@ TEST(CSPParser, GoodGeneratedPolicies)
     { "frame-ancestors 'self'",
       "frame-ancestors http://www.selfuri.com" },
     { "frame-ancestors http://self.com:88",
       "frame-ancestors http://self.com:88" },
     { "frame-ancestors http://a.b.c.d.e.f.g.h.i.j.k.l.x.com",
       "frame-ancestors http://a.b.c.d.e.f.g.h.i.j.k.l.x.com" },
     { "frame-ancestors https://self.com:34",
       "frame-ancestors https://self.com:34" },
+    { "frame-ancestors http://sampleuser:samplepass@example.com",
+      "frame-ancestors 'none'" },
     { "default-src 'none'; frame-ancestors 'self'",
       "default-src 'none'; frame-ancestors http://www.selfuri.com" },
     { "frame-ancestors http://self:80",
       "frame-ancestors http://self:80" },
     { "frame-ancestors http://self.com/bar",
       "frame-ancestors http://self.com/bar" },
     { "default-src 'self'; frame-ancestors 'self'",
       "default-src http://www.selfuri.com; frame-ancestors http://www.selfuri.com" },
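Review bot: The new table entry `{ "frame-ancestors http://sampleuser:samplepass@example.com", "frame-ancestors 'none'" }` pins that a source carrying userinfo is dropped and the directive collapses to 'none', but nothing near it says why, and a reader could take it for the parser discarding a valid host. A one-line comment above the entry, `// a host-source with userinfo is rejected by the parser, so the directive ends up as 'none'`, would make the expectation self-explanatory next to the neighbouring entries that keep their host. The enclosing TEST(CSPParser, GoodGeneratedPolicies) body starts and ends outside this hunk.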
@@ -1127,9 +1129,8 @@ TEST(CSPParser, FuzzyPoliciesIncDirLimAS
       uint32_t inputIndex = rand() % sizeof(input);
       testPol[0].policy[i] = input[inputIndex];
     }
     ASSERT_TRUE(NS_SUCCEEDED(runTestSuite(testPol, 1,
                                           kFuzzyExpectedPolicyCount)));
   }
 }
 #endif
-