Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb
authorvinoth <cegvinoth@gmail.com>
Fri, 22 Jun 2018 20:38:05 +0300
changeset 423360 ce98fd40ce8214571163674970ccdb167a1b241b
parent 423359 4b1d446faee677ac36221b66a3c13baa980cceda
child 423361 74c53ad34b8a4b8b05305002dd4082ea2fdd4786
child 423397 16a0430796894ad4b9cb86bde55f07cf57453b56
push id104550
push userarchaeopteryx@coole-files.de
push dateFri, 22 Jun 2018 17:41:00 +0000
reviewersckerschb
bugs1469150
milestone62.0a1
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb Reviewers: ckerschb Reviewed By: ckerschb Subscribers: ckerschb Bug #: 1469150 Differential Revision: https://phabricator.services.mozilla.com/D1721
dom/security/test/csp/file_nonce_redirector.sjs
dom/security/test/csp/file_nonce_redirects.html
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_nonce_redirects.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_redirector.sjs
@@ -0,0 +1,25 @@
+// custom *.sjs file for
+// Bug 1469150:Scripts with valid nonce get blocked if URL redirects.
+
+const URL_PATH = "example.com/tests/dom/security/test/csp/";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  let queryStr = request.queryString;
+
+  if (queryStr === "redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location",
+      "https://" + URL_PATH + "file_nonce_redirector.sjs?load", false);
+    return;
+  }
+
+  if (queryStr === "load") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write("console.log('script loaded');");
+    return;
+  }
+
+  // we should never get here - return something unexpected
+  response.write("d'oh");
+}
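Review bot: The fallback at the end of `handleRequest` writes `d'oh` without setting a status, so presumably it goes out with the server's default success status and an unexpected query string is still delivered to the `<script>` element as a successful response. In that case the element would most likely fire `load` rather than `error`, and the test would report success for a path the comment says should never be reached. Setting an error status before the write, `response.setStatusLine("1.1", 400, "Bad Request");`, makes that branch surface as a failure. The header comment could also state that the redirect target (`https://example.com/...`) is meant to be a different origin from the test frame, which I assume is the intent, so that only the nonce can authorize the final load.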
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_redirects.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+  <meta charset='utf-8'>
+  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  </head>
+<body>
+
+<script nonce='abcd1234' id='redirectScript'></script>
+
+<script nonce='abcd1234' type='application/javascript'>
+  var redirectScript = document.getElementById('redirectScript');
+  redirectScript.onload = function(e) {
+    window.parent.postMessage({result: 'script-loaded'}, '*');
+  };
+  redirectScript.onerror = function(e) {
+    window.parent.postMessage({result: 'script-blocked'}, '*');
+  }
+  redirectScript.src = 'file_nonce_redirector.sjs?redirect';
+</script>
+</body>
+</html>
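Review bot: Both `postMessage` calls pass `'*'` as the target origin, so the result is delivered to whatever document happens to be the parent. The frame is loaded by the test page through a relative URL (see test_nonce_redirects.html in this commit), so it appears to be same-origin with its parent and the target can be pinned: `window.parent.postMessage({result: 'script-loaded'}, window.location.origin);`, and the same for the `script-blocked` call. The `redirectScript.onerror` assignment is also missing the terminating semicolon after its closing brace, unlike the `onload` one above it.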
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -89,16 +89,18 @@ support-files =
   file_bug1312272.html
   file_bug1312272.js
   file_bug1312272.html^headers^
   file_policyuri_regression_from_multipolicy.html
   file_policyuri_regression_from_multipolicy.html^headers^
   file_policyuri_regression_from_multipolicy_policy
   file_nonce_source.html
   file_nonce_source.html^headers^
+  file_nonce_redirects.html
+  file_nonce_redirector.sjs
   file_bug941404.html
   file_bug941404_xhr.html
   file_bug941404_xhr.html^headers^
   file_frame_ancestors_ro.html
   file_frame_ancestors_ro.html^headers^
   file_hash_source.html
   file_dual_header_testserver.sjs
   file_hash_source.html^headers^
@@ -260,16 +262,17 @@ skip-if = verify
 [test_redirects.html]
 [test_bug910139.html]
 skip-if = verify
 [test_bug909029.html]
 [test_bug1229639.html]
 [test_frame_ancestors_ro.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
+[test_nonce_redirects.html]
 [test_bug941404.html]
 [test_form-action.html]
 [test_hash_source.html]
 [test_scheme_relative_sources.html]
 [test_ignore_unsafe_inline.html]
 [test_self_none_as_hostname_confusion.html]
 [test_empty_directive.html]
 [test_path_matching.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_nonce_redirects.html
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load a script with a matching nonce, which redirects
+ * and we make sure that script is allowed.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(aResult) {
+
+  if (aResult === "script-loaded") {
+    ok(true, "expected result: script loaded");
+  }
+  else {
+    ok(false, "unexpected result: script blocked");
+  }
+  finishTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+document.getElementById("testframe").src = "file_nonce_redirects.html";
+
+</script>
+</body>
+</html>
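Review bot: Only the allowed path is asserted, so a regression that lets every redirected script through regardless of its nonce would still pass this test. A second case that points a script element with a non-matching nonce (for example `nonce='wrongnonce'`, a constructed value) at the same redirector and expects `script-blocked` would pin both sides of the behaviour. Separately, `checkResults` labels every value other than `script-loaded` as "script blocked"; `ok(false, "unexpected result: " + aResult);` would show what actually arrived. `receiveMessage` could also return early unless `event.source` is the test frame's `contentWindow`, so that an unrelated message cannot finish the test.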