| author | Frederik Braun <fbraun+gh@mozilla.com> |
| Tue, 13 Sep 2016 11:05:37 +0200 | |
| changeset 313841 | d434f479d145930cfd7b156a6a78586408defc3c |
| parent 313840 | 4bba6c0a00db9aae2ff285df40b547575a3f997c |
| child 313842 | 8f0df87ccf9c1b783d449bda9ee5d74a344432fb |
| push id | 32264 |
| push user | cbook@mozilla.com |
| push date | Wed, 14 Sep 2016 10:18:20 +0000 |
| treeherder | autoland@b9c4a0402a0a [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | ckerschb |
| bugs | 1277248 |
| milestone | 51.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/dom/security/test/sri/iframe_require-sri-for_main.html +++ b/dom/security/test/sri/iframe_require-sri-for_main.html @@ -1,31 +1,40 @@ <script> window.hasCORSLoaded = false; // set through script_crossdomain1.js </script> -<!-- cors-enabled. should be loaded --> +<!-- script tag cors-enabled. should be loaded --> <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js" crossorigin="" integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q==" onload="parent.postMessage('good_sriLoaded', '*');"></script> -<!-- cors but not using SRI. should trigger onerror --> +<!-- script tag cors but not using SRI. should trigger onerror --> <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain5.js" onload="parent.postMessage('bad_nonsriLoaded', '*');" onerror="parent.postMessage('good_nonsriBlocked', '*');"></script> -<!-- cors and integrity. it should just load fine. --> +<!-- svg:script tag with cors but not using SRI. should trigger onerror --> +<svg xmlns="http://www.w3.org/2000/svg"> + <script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js" + onload="parent.postMessage('bad_svg_nonsriLoaded', '*');" + onerror="parent.postMessage('good_svg_nonsriBlocked', '*');"></script> + ></script> +</svg> + +<!-- stylesheet with cors and integrity. it should just load fine. --> <link rel="stylesheet" href="style1.css" integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" onload="parent.postMessage('good_sriLoaded', '*');"> -<!-- not using SRI, should trigger onerror --> +<!-- stylesheet not using SRI, should trigger onerror --> <link rel="stylesheet" href="style3.css" onload="parent.postMessage('bad_nonsriLoaded', '*');" onerror="parent.postMessage('good_nonsriBlocked', '*');"> + <p id="black-text">black text</p> <script> window.onload = function() { parent.postMessage("finish", '*'); } </script>
--- a/dom/security/test/sri/test_require-sri-for_csp_directive.html +++ b/dom/security/test/sri/test_require-sri-for_csp_directive.html @@ -22,16 +22,22 @@ ok(true, "Eligible SRI resources was correctly loaded."); break; case 'bad_nonsriLoaded': ok(false, "Eligible non-SRI resource should be blocked by the CSP!"); break; case 'good_nonsriBlocked': ok(true, "Eligible non-SRI resources was correctly blocked by the CSP."); break; + case 'bad_svg_nonsriLoaded': + ok(false, 'Eligible non-SRI resource should be blocked by the CSP.'); + break; + case 'good_svg_nonsriBlocked': + ok(true, 'Eligible non-SRI svg script was correctly blocked by the CSP.'); + break; case 'finish': var blackText = frame.contentDocument.getElementById('black-text'); var blackTextColor = frame.contentWindow.getComputedStyle(blackText, null).getPropertyValue('color'); ok(blackTextColor == 'rgb(0, 0, 0)', "The second part should not be black."); removeEventListener('message', handler); SimpleTest.finish(); break; default: