Bug 1384741 - Part 4: Test that we don't send CSP violation reports for cached fonts we don't actually use. r=jfkthame
authorCameron McCormack <cam@mcc.id.au>
Mon, 07 Aug 2017 10:13:31 +0800
changeset 374416 4d5fc5ec7769b066d4c915255a56cabbbd0613c5
parent 374415 549366daed9847d5a01a05e787fcf634682d5c83
child 374417 1a3ab2692bc9dbf83404c8263b657280422e9866
push id93678
push userarchaeopteryx@coole-files.de
push dateSat, 12 Aug 2017 23:17:05 +0000
treeherdermozilla-inbound@a79ccbfacad8 [default view] [failures only]
reviewersjfkthame
bugs1384741
milestone57.0a1
Bug 1384741 - Part 4: Test that we don't send CSP violation reports for cached fonts we don't actually use. r=jfkthame MozReview-Commit-ID: Hlu6Dp1Hc1D
dom/security/test/csp/Ahem.ttf
dom/security/test/csp/file_report_font_cache-1.html
dom/security/test/csp/file_report_font_cache-2.html
dom/security/test/csp/file_report_font_cache-2.html^headers^
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_report_font_cache.html
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..ac81cb03165ab831a36abb59145ff7a2f5675fb9
GIT binary patch
literal 12480
zc%1E84RjRM75?UDXJ>zaB*qvc(wA)rRAWfcQlu0?0u3}ECV)t-u-TntgW27<yCI1J
z1#8hp{)!YMrU;QA1w|CJ0U`n-0-~a(ND-DaT8uOzMW7x8);lkgh){caPTO;Ao!Rr|
z-MQa;_ucpIH}6g0LIB{vbV$g$rJz^u%2C5-143WYPW1TQWnK0q4FxQvfD$Tphs$sU
zY(Ump!sCidtBQuLiyR;WO+bp*r@6iR>PB`Ytbs}&A1SPMIf>+xRMLF@NaY5Gsbs$f
zkQz&a9ycrR;R4cgNZ0CjSC-*(-M)}a?ODL>*QO=Tst0;z(fGcyU^p^+@72{nCiNGS
zq5Cf2=7cM5EuPS&|0&p{7Sdo{aKi0+z2&;q!+=;{sYPP+C_zNqMg1feqdB&<r@Mf!
zU#Ga{6jY<n#W)QwwFvWIA)!Gek1)5b7G6bfK_V?=TU*2Fz_W2+x$PZqyM8b*5bU^U
z_`tA}L5Lryd&0P<jQcdz@Xah{G0Xo!;d>A-a-OlHbfqVf#B?a4-PmX@-fM)8eM`hY
zzXW3pnf4_GR@%MvJ;+Y`yAz$z8C?*EcqHI5B;s-;(O#a6E0Kb$$d9Yh4d0`kClxMy
zA8F{0bo4+^`~cVBT4dllWTF?ckd5BB9yj2J=z|}jFK$FX{22Z56AZvjw66`q%@~Xv
z48c(R6uB6N;rJQyFajfS3r68q<f8ziF$QCC8^+;wjK|M$2Y!J&F#!|FUpETjffpKz
zPz)bRFbQ{|6n+E{L>cZz2w_A}j>)J%C8}@_?!^?^FQ?&`wB5ds8MqI>!u>deUt=a7
zz=QYzzd<#Q;vvjJ3ufc5XvG}N#fLb8zn~ExV;+8scQGFiV*!4Lh4=_>;}g7tM^J+(
zt?42>hFZLdx9~^o!+!h;zsF)cj$>GYy=cZ#G~v&D{STrJ@8JLr;|VOoa;(5gJc*~U
z3ajxno}m_N@GREiIXsVbSdSO*BL0ASY`{irqLWi5Hh@-ZAVsk=MPV9ZLbgyKR0{LO
z*Th}oA!&j1l+++?VR0;xrLb<y#nM?8>&J3ZU8(6V(WSV$xDs3`u5PYtUAeA_F3okK
z`|jgnEXL24o>)Tm^0~boWN-fk_AX<|tSe*O-i=?g7w@{V!=9JhLo62iAl6JL?2Ooy
z*tpnDz`0f`1I}G@_T6)dhht6KfTo6~O-=Pp&o-@WT6}ox;b)@F(LK?9`Z7g#M>j{8
zN2{X`9Qxw@w75?V_71<0%on{1=f8pXtrUezuSY44IuDjoq+cR7R1**8Q9Ku7J8|L#
zV##d0hMmNWxx|w?TK^ryfg0?_F1$`GSVXaVf}*bT@gZX5O5)@)isot~nwyECYj{L!
ziK(v=v!3H|EyfmXBi@w|cP9~V?;_^TC+?OJdv)$ch`l;@Uncfe5r6L??%qpGdYB?T
zl{0uNULjVkBQCTtV-vAtBj?+D#MkZQ>qjO_OqTo$EYZ&l`i_+DqVGzHP6S*ZpBmpi
zH9mE!c<kI<;pBOz#LhNNB`ygaU&?eoQKM9;<!my6$!!a4VkTx{CT3zLW@0Ax-^RfI
zPR>rfoMSt`l|Gu-e-6|Ch2#>f>D%Y0iJ6#*nV5;0n2DK~iJ6#*nV5;0*mo8K5{;h=
zSr~vkjE4`CaX;o`3D%$iyRjcfa8eM3IH8-6A@mb+g|UKH2no}LIYO<lN~jlh2#rFs
za9lVqI>i*Rr`Si#5%a}~VnCcCR*N;_3UR%-P24L+#a8i*q)JIrn$%kwD2<fvkS0l$
z(oAWAR41*KHcNY?1LWyxS(X!ICTGh1<>B%;*(-<S>GB-8R$e97%RA&oxmi9gpSL(I
zDVCm=K9(FyzGb2%V3}g6w$xZwSk_y%S@v3@mR8FdMOBiNG^MvPP#LM*p-fULm6^%{
zrA}F^Y*zLt2b31&v{kkySeZ4`+TS|dI?h^Tjacuq&a*DIK5gA--D%xt{m^<sh1yx|
zs$Qe^rQc9>v|6Z^sngV1>LT??^+k2N`i|P99#hZS?6zcEy6pzr&9+gtJ8h-5du$Kd
z7TT8Cp0{nWy=gmWJ8JvfuGkapE_;@JfIZJX-tMzcw%>1`Z(m|xV{fqUw(qwev7dB^
zjyOj*M~0)HBiAw3;dO)@(;aghwT@MeddCh&qodhz+;QINbf!3aI{P?tocYd)&VX}@
zv)WnXT;W{r+~(Ztj5=GLXF92!k~*bz>P@k}O8Dx3Ul*f8gxc{WqO-8VkR>o-y&=og
zrqPfsND>YjvO@Y3I>Y$&mT<<91<2wqLl$8b-!Nneablw(%hcvWL$<&nw&(IGr2ov2
z<4FFyA;*)QFAO;WvLuo<LC@6_7E6jD(_G|bhD>vjpEhKgi@ed0X)f{sL#DaN&4x^K
zkv})&IH(pFay&X)R6|Z6eG*0>$n#hjJoL7>5u)OuXN~8#Fs{+4ju5KX8vJw*<8G82
zSO(WtQZEf<+)_G*U=Tf*b33|?0K8PY2zT-J6+ELxA5pjEBOfYwyD+yBpnko0?#)-v
z3`I0rkdNN(OCj%}p_FU|sLmwa7_KRzu}gWMAoXJ04}F$;yJ9|9-BKB!dkNPE3DJG2
z;_dWVhPk~_d{i&l(>?L>QLE@anrrpvq2z^+S_Sx;T{vc&mxED2KSsq(R?GPcm!Jn<
z-9m1?g8O`_pP96ZKJH6C-HZ90^fe!AM5o>BY-*WJb$jdf`X9G5&=J9Kgn4}KklPc{
zLSg0(X)NN?nC55UyUXb*gK3o>tt`UQhYa$RM>OURc$urrmBA`}B_1CO`+^nB9rkE}
zNH4F(YgQBr`ni=tcUUVe322#YOjs)_FJ(o+5Q}KxNJ*fWd4m43V7Mew5)80#RXC#g
z!<lSUDCjNsXkJ!W#YP9cUN+S23k9@LTTe1MxS)U)xc%iJcS(;hD+~oI!di#T%t1cQ
zpRW~{m%2k^X*#;;?96PYtMzh$u3crc)<yFz_^!SM-(b64E4Cd5v3u#O0v%_=SJx?0
ziqLoO3$q>nmogpy-8{z`JjYSbaD0$wH$H^fn8WiJAI3sF!ZU%EU@7W&9-^L$q-P=N
zxrc4}LL2cCUg5b-yXgDub?m_#Jil=--p0FV<av(o@l3}9cpnFG2vHp7S&l9E7)N;y
z<tI3XPjMW7!wGzblN6QHJUV)I<0h=YlXx7D@jS=vJk#-2+=p#=0IRVBoAEMz8O}lt
y7U5AWr*Fkt%;njaE3pCZU<<Yi5=23kM~=zM6LUvPIYaXJ>91$y$3ck2Abkl9&3O_4
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_report_font_cache-1.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<style>
+@font-face {
+  font-family: "CSP Report Test Font 1";
+  src: url(Ahem.ttf?report_font_cache-1);
+}
+@font-face {
+  font-family: "CSP Report Test Font 2";
+  src: url(Ahem.ttf?report_font_cache-2);
+}
+@font-face {
+  font-family: "CSP Report Test Font 3";
+  src: url(Ahem.ttf?report_font_cache-3);
+}
+.x { font: 24px "CSP Report Test Font 1"; }
+.y { font: 24px "CSP Report Test Font 2"; }
+.z { font: 24px "CSP Report Test Font 3"; }
+</style>
+<p class=x>A</p>
+<p class=y>A</p>
+<p class=z>A</p>
+<script>
+// Wait until the fonts would have been added to the user font cache.
+document.body.offsetWidth;
+document.fonts.ready.then(() => window.parent.postMessage("first-doc-ready", "*"));
+</script>
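Review bot: The `postMessage` call on the last script line passes `"*"` as the target origin, and the `window.onmessage` handler in test_report_font_cache.html accepts the message without checking `message.source`. The payload is a constant string and the frame is loaded from a relative URL, so nothing is exposed. Pinning both ends would still keep the test from advancing on an unrelated message: `window.parent.postMessage("first-doc-ready", location.origin)` here and `if (message.source !== f.contentWindow) return;` at the top of the handler.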
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_report_font_cache-2.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<style>
+@font-face {
+  font-family: "CSP Report Test Font 1";
+  src: url(Ahem.ttf?report_font_cache-1);
+}
+@font-face {
+  font-family: "CSP Report Test Font 3";
+  src: url(Ahem.ttf?report_font_cache-3);
+}
+p { margin-right: 1ex; } /* cause cached CSP check to happen OMT (due to
+                            font metrics lookup) */
+.x { font: 24px "CSP Report Test Font 1"; }
+.y { font: 24px "CSP Report Test Font 3"; }
+</style>
+<p class="x">A</p>
+<script>
+// First flush should dispatch the "Test Font 1" report that is stored
+// in the user font cache.
+document.body.offsetWidth;
+
+// Second flush should dispatch "Test Font 3" report.
+document.querySelector("p").className = "y";
+document.body.offsetWidth;
+</script>
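Review bot: Nothing in this file says that "CSP Report Test Font 2" is left out on purpose, although its absence is what the test depends on; the explanation exists only in the Step 2 comment of test_report_font_cache.html. A comment above the `@font-face` rules would make the fixture readable on its own, for example `/* "CSP Report Test Font 2" is intentionally not declared: its entry is still in the user font cache from file_report_font_cache-1.html and must not produce a CSP report from this document. */`. Without it, a later edit that "completes" the font list to match the first document would silently turn the negative check into a guaranteed failure, or tempt someone to drop the check.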
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_report_font_cache-2.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: font-src 'none'; report-uri http://mochi.test:8888/foo.sjs
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -214,16 +214,20 @@ support-files =
   file_image_nonce.html^headers^
   file_ignore_xfo.html
   file_ignore_xfo.html^headers^
   file_ro_ignore_xfo.html
   file_ro_ignore_xfo.html^headers^
   file_data_csp_inheritance.html
   file_data_csp_merge.html
   file_data_doc_ignore_meta_csp.html
+  file_report_font_cache-1.html
+  file_report_font_cache-2.html
+  file_report_font_cache-2.html^headers^
+  Ahem.ttf
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
@@ -307,9 +311,10 @@ tags = mcb
 [test_iframe_sandbox_srcdoc.html]
 [test_iframe_srcdoc.html]
 [test_image_nonce.html]
 [test_websocket_self.html]
 skip-if = toolkit == 'android'
 [test_ignore_xfo.html]
 [test_data_csp_inheritance.html]
 [test_data_csp_merge.html]
+[test_report_font_cache.html]
 [test_data_doc_ignore_meta_csp.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_report_font_cache.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
+<iframe id="f"></iframe>
+
+<script>
+var chromeScriptUrl = SimpleTest.getTestFileURL("file_report_chromescript.js");
+var script = SpecialPowers.loadChromeScript(chromeScriptUrl);
+
+var reportedFont1 = false;
+var reportedFont3 = false;
+
+function reportListener(msg) {
+  if (!msg.error) {
+    // Step 3: Check the specific blocked URLs from the CSP reports.
+    let blocked = JSON.parse(msg.report)["csp-report"]["blocked-uri"]
+                  .replace(/^.*\//, "");
+    switch (blocked) {
+      case "Ahem.ttf?report_font_cache-1":
+        ok(!reportedFont1, "should not have already reported Test Font 1");
+        ok(!reportedFont3, "should not have reported Test Font 3 before Test Font 1");
+        reportedFont1 = true;
+        break;
+      case "Ahem.ttf?report_font_cache-2":
+        ok(false, "should not have reported Test Font 2");
+        break;
+      case "Ahem.ttf?report_font_cache-3":
+        ok(!reportedFont3, "should not have already reported Test Font 3");
+        reportedFont3 = true;
+        break;
+    }
+    if (reportedFont1 && reportedFont3) {
+      script.removeMessageListener("opening-request-completed", reportListener);
+      script.sendAsyncMessage("finish");
+      SimpleTest.finish();
+    }
+  }
+}
+
+SimpleTest.waitForExplicitFinish();
+
+script.addMessageListener("opening-request-completed", reportListener);
+
+window.onmessage = function(message) {
+  // Step 2: Navigate to the second document, which will attempt to use the
+  // cached "Test Font 1" and then a new "Test Font 3", both of which will
+  // generate CSP reports.  The "Test Font 2" entry in the user font cache
+  // should not cause a CSP report from this document.
+  is(message.data, "first-doc-ready");
+  f.src = "file_report_font_cache-2.html";
+};
+
+// Step 1: Prime the user font cache with entries for "Test Font 1",
+// "Test Font 2" and "Test Font 3".
+f.src = "file_report_font_cache-1.html";
+</script>
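Review bot: The "should not have reported Test Font 2" check in `reportListener` only runs if that report arrives before the later of the Font 1 and Font 3 reports, because the listener is removed and `SimpleTest.finish()` is called as soon as both expected reports have been seen. Going by the comments in file_report_font_cache-2.html, a stray Font 2 report would presumably be dispatched with the first flush, ahead of Font 3, but that ordering assumption is not stated here. I would record it above the `if (reportedFont1 && reportedFont3)` check, e.g. `// A stray "Test Font 2" report would be dispatched with the first flush, before "Test Font 3", so it is seen before we finish.` Separately, the `if (!msg.error)` guard drops error messages silently, so a failure in the chrome script would likely surface only as a test timeout.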