Bug 1277248 - Add test to ensure that require-sri-for does not allow svg:scripts r=ckerschb
authorFrederik Braun <fbraun+gh@mozilla.com>
Tue, 13 Sep 2016 11:05:37 +0200
changeset 313841 d434f479d145930cfd7b156a6a78586408defc3c
parent 313840 4bba6c0a00db9aae2ff285df40b547575a3f997c
child 313842 8f0df87ccf9c1b783d449bda9ee5d74a344432fb
push id32264
push usercbook@mozilla.com
push dateWed, 14 Sep 2016 10:18:20 +0000
reviewersckerschb
bugs1277248
milestone51.0a1
Bug 1277248 - Add test to ensure that require-sri-for does not allow svg:scripts r=ckerschb MozReview-Commit-ID: 1knIYZ93UeY
dom/security/test/sri/iframe_require-sri-for_main.html
dom/security/test/sri/test_require-sri-for_csp_directive.html
--- a/dom/security/test/sri/iframe_require-sri-for_main.html
+++ b/dom/security/test/sri/iframe_require-sri-for_main.html
@@ -1,31 +1,40 @@
 <script>
   window.hasCORSLoaded = false; // set through script_crossdomain1.js
 </script>
 
-<!-- cors-enabled. should be loaded -->
+<!-- script tag cors-enabled. should be loaded -->
 <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
         crossorigin=""
         integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="
         onload="parent.postMessage('good_sriLoaded', '*');"></script>
 
-<!-- cors but not using SRI. should trigger onerror -->
+<!-- script tag cors but not using SRI. should trigger onerror -->
 <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain5.js"
           onload="parent.postMessage('bad_nonsriLoaded', '*');"
           onerror="parent.postMessage('good_nonsriBlocked', '*');"></script>
 
-<!-- cors and integrity. it should just load fine. -->
+<!-- svg:script tag with cors but not using SRI. should trigger onerror -->
+<svg xmlns="http://www.w3.org/2000/svg">
+          <script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
+          onload="parent.postMessage('bad_svg_nonsriLoaded', '*');"
+          onerror="parent.postMessage('good_svg_nonsriBlocked', '*');"></script>
+          ></script>
+</svg>
+
+<!-- stylesheet with cors and integrity. it should just load fine. -->
 <link rel="stylesheet" href="style1.css"
       integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
       onload="parent.postMessage('good_sriLoaded', '*');">
 
-<!-- not using SRI, should trigger onerror -->
+<!-- stylesheet not using SRI, should trigger onerror -->
 <link rel="stylesheet" href="style3.css"
       onload="parent.postMessage('bad_nonsriLoaded', '*');"
       onerror="parent.postMessage('good_nonsriBlocked', '*');">
 
+
 <p id="black-text">black text</p>
 <script>
   window.onload = function() {
     parent.postMessage("finish", '*');
   }
 </script>
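Review bot: The new svg block carries a stray `></script>` line directly after the `<script xlink:href=…></script>` element has already been closed on the line before. It leaves a literal `>` text node inside the `<svg>` and an unmatched end tag that the parser has to recover from. Delete that line so the fixture contains exactly one svg:script element and the case under test is unambiguous. It would also help to extend the comment above the block to say why the case exists, for example `<!-- svg:script has no integrity metadata here, so require-sri-for must block it just like an HTML script -->`.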
--- a/dom/security/test/sri/test_require-sri-for_csp_directive.html
+++ b/dom/security/test/sri/test_require-sri-for_csp_directive.html
@@ -22,16 +22,22 @@
         ok(true, "Eligible SRI resources was correctly loaded.");
         break;
       case 'bad_nonsriLoaded':
         ok(false, "Eligible non-SRI resource should be blocked by the CSP!");
         break;
       case 'good_nonsriBlocked':
         ok(true, "Eligible non-SRI resources was correctly blocked by the CSP.");
         break;
+      case 'bad_svg_nonsriLoaded':
+        ok(false, 'Eligible non-SRI resource should be blocked by the CSP.');
+        break;
+      case 'good_svg_nonsriBlocked':
+        ok(true, 'Eligible non-SRI svg script was correctly blocked by the CSP.');
+        break;
       case 'finish':
         var blackText = frame.contentDocument.getElementById('black-text');
         var blackTextColor = frame.contentWindow.getComputedStyle(blackText, null).getPropertyValue('color');
         ok(blackTextColor == 'rgb(0, 0, 0)', "The second part should not be black.");
         removeEventListener('message', handler);
         SimpleTest.finish();
         break;
       default:
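Review bot: Nothing visible in this handler requires that `good_svg_nonsriBlocked` was ever received before the `finish` case calls `SimpleTest.finish()`. If a blocked svg:script fires neither `load` nor `error`, the test passes without having checked the svg path at all, which would hide a regression in this CSP control. Consider setting a flag in the new case (`svgBlocked = true;`) and asserting it in `finish` with `ok(svgBlocked, "svg:script without integrity must be reported as blocked");`. The failure text for `bad_svg_nonsriLoaded` is also the same as the one for the plain script/stylesheet case, so naming the svg script there would make a failing log unambiguous. The handler starts and ends outside this hunk, so an existing counter may already cover this.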