Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected (r=sstamm)
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Fri, 21 Nov 2014 12:54:51 -0800
changeset 218767 9bf92c31a2d8433d87238ac55271c34e42978713
parent 218766 2df3340c1c679b4d422f73fe9c353ea5db417287
child 218768 c8adfe4f59950fa970b167dd916741d356a29fd6
push id52626
push usermozilla@christophkerschbaumer.com
push dateMon, 08 Dec 2014 22:55:32 +0000
reviewerssstamm
bugs949706
milestone37.0a1
Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected (r=sstamm)
dom/base/test/csp/file_worker_redirect.html
dom/base/test/csp/file_worker_redirect.sjs
dom/base/test/csp/mochitest.ini
dom/base/test/csp/test_worker_redirect.html
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_worker_redirect.html
@@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected</title>
+  </head>
+  <body>
+  <script src="file_worker_redirect.sjs?stage_0_script_loads_worker"></script>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_worker_redirect.sjs
@@ -0,0 +1,37 @@
+// testserver customized for the needs of:
+// Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected
+
+function handleRequest(request, response)
+{
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+
+  var query = request.queryString;
+
+  if (query === "stage_0_script_loads_worker") {
+    var newWorker =
+      "var myWorker = new Worker(\"file_worker_redirect.sjs?stage_1_worker_import_scripts\");" +
+      "myWorker.onmessage = function (event) { parent.checkResult(\"allowed\"); };" +
+      "myWorker.onerror = function (event) { parent.checkResult(\"blocked\"); };";
+    response.write(newWorker);
+    return;
+  }
+
+  if (query === "stage_1_worker_import_scripts") {
+    response.write("importScripts(\"file_worker_redirect.sjs?stage_2_redirect_imported_script\");");
+    return;
+  }
+
+  if (query === "stage_2_redirect_imported_script") {
+    var newLocation =
+      "http://test1.example.com/tests/dom/base/test/csp/file_worker_redirect.sjs?stage_3_target_script";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", newLocation, false);
+    return;
+  }
+
+  if (query === "stage_3_target_script") {
+    response.write("postMessage(\"imported script loaded\");");
+    return;
+  }
+}
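Review bot: The stage 0 script maps `myWorker.onerror` to `parent.checkResult("blocked")`, and that handler fires for any worker failure, so the "blocked" expectation can be met by something other than the CSP refusing the redirected `importScripts`. One visible source of such noise is that every stage returns JavaScript but is labelled `text/html` at the top of `handleRequest`; if the worker loader were ever to reject that type, the "blocked" case would still pass, but for the wrong reason. I would serve the stages with `response.setHeader("Content-Type", "application/javascript", false);` and add a comment above the `onerror` line such as `// onerror fires for any worker error; only the CSP may cause these stages to fail`. An unrecognised query string also falls off the end of `handleRequest` with an empty 200 response, which would be easier to diagnose with a final `response.setStatusLine("1.1", 400, "Bad Request");`.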
--- a/dom/base/test/csp/mochitest.ini
+++ b/dom/base/test/csp/mochitest.ini
@@ -96,16 +96,18 @@ support-files =
   file_subframe_run_js_if_allowed.html
   file_subframe_run_js_if_allowed.html^headers^
   file_leading_wildcard.html
   file_multi_policy_injection_bypass.html
   file_multi_policy_injection_bypass.html^headers^
   file_multi_policy_injection_bypass_2.html
   file_multi_policy_injection_bypass_2.html^headers^
   file_form-action.html
+  file_worker_redirect.html
+  file_worker_redirect.sjs
 
 [test_base-uri.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_csp_allow_https_schemes.html]
 skip-if = buildapp == 'b2g' #no ssl support
 [test_CSP_bug663567.html]
 [test_CSP_bug802872.html]
@@ -142,8 +144,9 @@ skip-if = buildapp == 'b2g' # intermitte
 skip-if = buildapp == 'b2g' # intermittent orange (bug 1028490)
 [test_303_redirect.html]
 skip-if = buildapp == 'b2g' # intermittent orange (bug 1028490)
 [test_307_redirect.html]
 skip-if = buildapp == 'b2g' # intermittent orange (bug 1028490)
 [test_subframe_run_js_if_allowed.html]
 [test_leading_wildcard.html]
 [test_multi_policy_injection_bypass.html]
+[test_worker_redirect.html]
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/test_worker_redirect.html
@@ -0,0 +1,76 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <div id="content" style="visibility: hidden">
+    <iframe style="width:100%;" id="testframe"></iframe>
+  </div>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load a page that loads a script which then instantiates a web worker,
+ * where that web worker then imports a script which gets redirected.
+ * We verify that the CSP applies correctly after the imported script of
+ * the worker gets redirected. More specifically, the test works as follows:
+ *
+ * test_worker_redirect.html
+ * -> loads file_worker_redirect.html file into iframe
+ * -> loads worker file_worker_redirect.sjs?stage_0_script_loads_worker
+ * -> creates script file_worker_redirect.sjs?stage_1_worker_import_scripts
+ * -> redirects script file_worker_redirect.sjs?stage_2_redirect_imported_script
+ * -> loads target script file_worker_redirect.sjs?stage_3_target_script
+ *
+ * Please note that we have to use 'unsafe-eval' in the policy
+ * so that workers are actually permitted by the CSP.
+ *
+ * The main test is loaded using:
+ *   http://mochi.test:8888
+ * where the imported script gets redirected to:
+ *   http://test1.example.com
+ */
+
+var tests = [
+  {
+    policy: "default-src 'self'; script-src 'self' 'unsafe-eval' http://test1.example.com;",
+    expected: "allowed"
+  },
+  {
+    policy: "default-src 'self'; script-src 'self' 'unsafe-eval';",
+    expected: "blocked",
+  },
+];
+
+var counter = 0;
+var curTest;
+
+function checkResult(aResult) {
+  is(aResult, curTest.expected, "Should be (" + curTest.expected + ") in Test " + counter + "!");
+  loadNextTest();
+}
+
+function loadNextTest() {
+  if (counter == tests.length) {
+    SimpleTest.finish();
+    return;
+  }
+  curTest = tests[counter++];
+  var src = "file_csp_testserver.sjs";
+  // append the file that should be served
+  src += "?file=" + escape("tests/dom/base/test/csp/file_worker_redirect.html");
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(curTest.policy);
+  document.getElementById("testframe").src = src;
+}
+
+SimpleTest.waitForExplicitFinish();
+loadNextTest();
+
+</script>
+</body>
+</html>
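Review bot: The step list in the description comment has its labels swapped relative to the support files: `stage_0_script_loads_worker` is loaded as a plain `<script src>` by file_worker_redirect.html, and `stage_1_worker_import_scripts` is the URL handed to `new Worker(...)`. I would reword those two lines to `-> loads script file_worker_redirect.sjs?stage_0_script_loads_worker` and `-> creates worker file_worker_redirect.sjs?stage_1_worker_import_scripts`, and describe the stage 2 step as the worker's `importScripts` call being answered with a 302. It would also help to state in the comment that the second policy is expected to block because the redirect target http://test1.example.com is absent from `script-src`, since that is the security property under test. In `loadNextTest`, `escape()` is deprecated; `encodeURIComponent(curTest.policy)` is the safer way to put the policy into the query string, assuming file_csp_testserver.sjs decodes it compatibly.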