Bug 1509738 - Test nonce snapshot for CSP loades. r=jkt
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 13 Feb 2019 20:42:34 +0100
changeset 459040 53354f120211
parent 459039 943193dd891e
child 459041 4c1eb1293bbf
push id111913
push usershindli@mozilla.com
push dateThu, 14 Feb 2019 05:01:59 +0000
reviewersjkt
bugs1509738
milestone67.0a1
Bug 1509738 - Test nonce snapshot for CSP loades. r=jkt
dom/security/test/csp/file_nonce_snapshot.sjs
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_nonce_snapshot.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_snapshot.sjs
@@ -0,0 +1,48 @@
+"use strict";
+
+const TEST_FRAME =
+  `<!DOCTYPE HTML>
+   <html>
+   <body>
+   <script id='myScript' nonce='123456789' type='application/javascript'></script>
+   <script nonce='123456789'>
+     let myScript = document.getElementById('myScript');
+     // 1) start loading the script using the nonce 123456789
+     myScript.src='file_nonce_snapshot.sjs?redir-script';
+     // 2) dynamically change the nonce, load should use initial nonce
+     myScript.setAttribute('nonce','987654321');
+   </script>
+   </body>
+   </html>`;
+
+const SCRIPT = "window.parent.postMessage('script-loaded', '*');";
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+ 
+  let queryString = request.queryString;
+
+  if (queryString === "load-frame") {
+    response.setHeader("Content-Security-Policy", "script-src 'nonce-123456789'", false);
+    response.setHeader("Content-Type", "text/html", false);
+    response.write(TEST_FRAME);
+    return;
+  }
+
+  if (queryString === "redir-script") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", "file_nonce_snapshot.sjs?load-script", false);
+    return;
+  }
+
+  if (queryString === "load-script") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write(SCRIPT);
+    return;
+  }
+
+  // we should never get here but just in case return something unexpected
+  response.write("do'h");
+}
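Review bot: `TEST_FRAME` has no failure path. If the redirected load of `myScript` is blocked by the policy, nothing is posted to the parent, so a CSP regression would presumably surface only as a harness timeout. Inside the nonce'd inline script, before `myScript.src` is assigned, add `document.addEventListener('securitypolicyviolation', () => window.parent.postMessage('script-blocked', '*'));`. The existing `is(event.data, "script-loaded", …)` in test_nonce_snapshot.html would then fail at once with a readable message. This assumes the violation event is dispatched for a load blocked on redirect, which should be confirmed against the implementation.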
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -363,8 +363,11 @@ support-files =
   file_frame_src_inner.html
 [test_security_policy_violation_event.html]
 [test_csp_worker_inheritance.html]
 support-files =
   worker.sjs
   worker_helper.js
   main_csp_worker.html
   main_csp_worker.html^headers^
+[test_nonce_snapshot.html]
+support-files =
+  file_nonce_snapshot.sjs
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_nonce_snapshot.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1509738 - Snapshot nonce at load start time</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * a) the test starts loading a script using whitelisted nonce
+ * b) the nonce of the script gets modified
+ * c) the script hits a 302 server side redirect
+ * d) we ensure the script still loads and does not use the modified nonce
+ */
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  is(event.data, "script-loaded", "script loaded even though nonce was dynamically modified");
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+
+SimpleTest.waitForExplicitFinish();
+let src = "file_nonce_snapshot.sjs?load-frame";
+document.getElementById("testframe").src = src;
+
+</script>
+</body>
+</html>
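Review bot: The description comment at the top of the test body does not say why a successful load proves the nonce was snapshotted, because the policy and both nonce values live only in file_nonce_snapshot.sjs. Add a line such as `* The frame is served with script-src 'nonce-123456789'; the replacement nonce 987654321 is not in the policy, so the redirected load can only pass CSP with the nonce captured at load start.` so the test can be read without opening the .sjs. In step a), "using whitelisted nonce" would read more precisely as "using a nonce allowed by the policy".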