Bug 1299483 - CSP: Implement 'strict-dynamic', test default-src. r=dveditz
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Tue, 08 Nov 2016 13:34:36 +0100
changeset 321523 f3c84b1049871fcbf39298d22411ecbc8b3ba8dd
parent 321522 201b2637eac61fc6bc85604c2d202f4c5b79e568
child 321524 d2baab775c7ee6b8f6f38d835ea10f6bdf323ffa
push id83632
push usermozilla@christophkerschbaumer.com
push dateTue, 08 Nov 2016 15:52:17 +0000
reviewersdveditz
bugs1299483
milestone52.0a1
Bug 1299483 - CSP: Implement 'strict-dynamic', test default-src. r=dveditz
dom/security/test/csp/file_strict_dynamic_default_src.html
dom/security/test/csp/file_strict_dynamic_default_src.js
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_strict_dynamic_default_src.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic_default_src.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title>
+</head>
+<body>
+
+<div id="testdiv">blocked</div>
+<script nonce="foo" src="http://mochi.test:8888/tests/dom/security/test/csp/file_strict_dynamic_default_src.js"></script>
+
+<img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png"></img>
+
+</body>
+</html>
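Review bot: Nothing in this fixture says that its values are load-bearing: the `nonce="foo"` on the script and the absolute `http://mochi.test:8888/...` URLs are what the 'nonce-foo', `http:` and `mochi.test` source expressions in test_strict_dynamic_default_src.html are matched against. A short comment above the script tag, such as `<!-- nonce and absolute URLs must stay in sync with the policies in test_strict_dynamic_default_src.html -->`, would keep a later edit from silently changing what the test covers. The `</img>` end tag is also stray, since img is a void element.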
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic_default_src.js
@@ -0,0 +1,1 @@
+document.getElementById("testdiv").innerHTML = "allowed";
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -192,16 +192,18 @@ support-files =
   file_strict_dynamic_script_inline.html
   file_strict_dynamic_script_extern.html
   file_strict_dynamic.js
   file_strict_dynamic_parser_inserted_doc_write.html
   file_strict_dynamic_parser_inserted_doc_write_correct_nonce.html
   file_strict_dynamic_non_parser_inserted.html
   file_strict_dynamic_non_parser_inserted_inline.html
   file_strict_dynamic_unsafe_eval.html
+  file_strict_dynamic_default_src.html
+  file_strict_dynamic_default_src.js
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
@@ -277,8 +279,9 @@ tags = mcb
 [test_ping.html]
 [test_require_sri_meta.html]
 [test_sendbeacon.html]
 [test_upgrade_insecure_docwrite_iframe.html]
 [test_bug1242019.html]
 [test_bug1312272.html]
 [test_strict_dynamic.html]
 [test_strict_dynamic_parser_inserted.html]
+[test_strict_dynamic_default_src.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_strict_dynamic_default_src.html
@@ -0,0 +1,136 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.setBoolPref("security.csp.enableStrictDynamic", true);
+
+/* Description of the test:
+ * We load scripts and images with a CSP of 'strict-dynamic' making sure
+ * whitelists get ignored for scripts but not for images when strict-dynamic
+ * appears in default-src.
+ *
+ * Please note that we do not support strict-dynamic within default-src yet,
+ * see Bug 1313937. When updating this test please do not change the
+ * csp policies, but only replace todo_is() with is().
+ */
+
+var tests = [
+  {
+    script_desc: "(test1) script should be allowed because of valid nonce",
+    img_desc: "(test1) img should be allowed because of 'self'",
+    script_result: "allowed",
+    img_result: "allowed",
+    policy: "default-src 'strict-dynamic' 'self'; script-src 'nonce-foo'"
+  },
+  {
+    script_desc: "(test 2) script should be blocked because of invalid nonce",
+    img_desc: "(test 2) img should be allowed because of valid scheme-src",
+    script_result: "blocked",
+    img_result: "allowed",
+    policy: "default-src 'strict-dynamic' http:; script-src 'nonce-bar' http:"
+  },
+  {
+    script_desc: "(test 3) script should be blocked because of invalid nonce",
+    img_desc: "(test 3) img should be allowed because of valid host-src",
+    script_result: "blocked",
+    script_enforced: "",
+    img_result: "allowed",
+    policy: "default-src 'strict-dynamic' mochi.test; script-src 'nonce-bar' http:"
+  },
+  {
+    script_desc: "(test 4) script should be allowed because of valid nonce",
+    img_desc: "(test 4) img should be blocked because of default-src 'strict-dynamic'",
+    script_result: "allowed",
+    img_result: "blocked",
+    policy: "default-src 'strict-dynamic'; script-src 'nonce-foo'"
+  },
+  // some reverse order tests (have script-src appear before default-src)
+  {
+    script_desc: "(test 5) script should be allowed because of valid nonce",
+    img_desc: "(test 5) img should be blocked because of default-src 'strict-dynamic'",
+    script_result: "allowed",
+    img_result: "blocked",
+    policy: "script-src 'nonce-foo'; default-src 'strict-dynamic';"
+  },
+  {
+    script_desc: "(test 6) script should be allowed because of valid nonce",
+    img_desc: "(test 6) img should be blocked because of default-src http:",
+    script_result: "blocked",
+    img_result: "allowed",
+    policy: "script-src 'nonce-bar' http:; default-src 'strict-dynamic' http:;"
+  },
+  {
+    script_desc: "(test 7) script should be allowed because of invalid nonce",
+    img_desc: "(test 7) img should be blocked because of image-src http:",
+    script_result: "blocked",
+    img_result: "allowed",
+    policy: "script-src 'nonce-bar' http:; default-src 'strict-dynamic' http:; img-src http:"
+  },
+];
+
+var counter = 0;
+var curTest;
+
+function loadNextTest() {
+  if (counter == tests.length) {
+    SimpleTest.finish();
+    return;
+  }
+
+  curTest = tests[counter++];
+  var src = "file_testserver.sjs?file=";
+  // append the file that should be served
+  src += escape("tests/dom/security/test/csp/file_strict_dynamic_default_src.html");
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(curTest.policy);
+
+  document.getElementById("testframe").addEventListener("load", checkResults, false);
+  document.getElementById("testframe").src = src;
+}
+
+function checkResults() {
+  try {
+    var testframe = document.getElementById("testframe");
+    testframe.removeEventListener('load', checkResults, false);
+
+    // check if script loaded
+    var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML;
+    if (curTest.script_result === "blocked") {
+      todo_is(divcontent, curTest.script_result, curTest.script_desc);
+    }
+    else {
+      is(divcontent, curTest.script_result, curTest.script_desc);
+    }
+
+    // check if image loaded
+    var testimg = testframe.contentWindow.document.getElementById("testimage");
+    if (curTest.img_result === "allowed") {
+      ok(testimg.complete, curTest.img_desc);
+    }
+    else {
+      ok((testimg.width == 0) && (testimg.height == 0), curTest.img_desc);
+    }
+  }
+  catch (e) {
+    ok(false, "ERROR: could not access content for test: '" + curTest.script_desc + "'");
+  }
+
+  loadNextTest();
+}
+
+// start running the tests
+loadNextTest();
+
+</script>
+</body>
+</html>
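Review bot: The "allowed" image assertion in checkResults, `ok(testimg.complete, curTest.img_desc)`, cannot tell a loaded image from a blocked one, because `complete` is also true once a load has failed; `ok(testimg.complete && testimg.naturalWidth > 0, curTest.img_desc);` would make tests 1-3, 6 and 7 actually show that the image passed the policy. The descriptions of tests 6 and 7 contradict their expected results (test 6 says "script should be allowed because of valid nonce" while the policy uses 'nonce-bar' and script_result is "blocked", and both img_desc strings say "blocked" while img_result is "allowed"), so a failure log would point the reader the wrong way. The pref is set with `SpecialPowers.setBoolPref` and never restored in this file, so it may leak into later tests in the same run; `SpecialPowers.pushPrefEnv({set: [["security.csp.enableStrictDynamic", true]]}, loadNextTest);` in place of the setBoolPref line and the final `loadNextTest();` call would scope it to this test. The `script_enforced: ""` key in test 3 is never read and can be dropped.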