| author | Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com> |
| Tue, 08 Nov 2016 13:34:36 +0100 | |
| changeset 321523 | f3c84b1049871fcbf39298d22411ecbc8b3ba8dd |
| parent 321522 | 201b2637eac61fc6bc85604c2d202f4c5b79e568 |
| child 321524 | d2baab775c7ee6b8f6f38d835ea10f6bdf323ffa |
| push id | 83632 |
| push user | mozilla@christophkerschbaumer.com |
| push date | Tue, 08 Nov 2016 15:52:17 +0000 |
| treeherder | mozilla-inbound@f3c84b104987 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | dveditz |
| bugs | 1299483 |
| milestone | 52.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
new file mode 100644 --- /dev/null +++ b/dom/security/test/csp/file_strict_dynamic_default_src.html @@ -0,0 +1,14 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title> +</head> +<body> + +<div id="testdiv">blocked</div> +<script nonce="foo" src="http://mochi.test:8888/tests/dom/security/test/csp/file_strict_dynamic_default_src.js"></script> + +<img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png"></img> + +</body> +</html>
new file mode 100644 --- /dev/null +++ b/dom/security/test/csp/file_strict_dynamic_default_src.js @@ -0,0 +1,1 @@ +document.getElementById("testdiv").innerHTML = "allowed";
--- a/dom/security/test/csp/mochitest.ini +++ b/dom/security/test/csp/mochitest.ini @@ -192,16 +192,18 @@ support-files = file_strict_dynamic_script_inline.html file_strict_dynamic_script_extern.html file_strict_dynamic.js file_strict_dynamic_parser_inserted_doc_write.html file_strict_dynamic_parser_inserted_doc_write_correct_nonce.html file_strict_dynamic_non_parser_inserted.html file_strict_dynamic_non_parser_inserted_inline.html file_strict_dynamic_unsafe_eval.html + file_strict_dynamic_default_src.html + file_strict_dynamic_default_src.js [test_base-uri.html] [test_blob_data_schemes.html] [test_connect-src.html] [test_CSP.html] [test_allow_https_schemes.html] [test_bug663567.html] [test_bug802872.html] @@ -277,8 +279,9 @@ tags = mcb [test_ping.html] [test_require_sri_meta.html] [test_sendbeacon.html] [test_upgrade_insecure_docwrite_iframe.html] [test_bug1242019.html] [test_bug1312272.html] [test_strict_dynamic.html] [test_strict_dynamic_parser_inserted.html] +[test_strict_dynamic_default_src.html]
new file mode 100644 --- /dev/null +++ b/dom/security/test/csp/test_strict_dynamic_default_src.html @@ -0,0 +1,136 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> + <iframe style="width:100%;" id="testframe"></iframe> + +<script class="testbody" type="text/javascript"> + +SimpleTest.waitForExplicitFinish(); +SpecialPowers.setBoolPref("security.csp.enableStrictDynamic", true); + +/* Description of the test: + * We load scripts and images with a CSP of 'strict-dynamic' making sure + * whitelists get ignored for scripts but not for images when strict-dynamic + * appears in default-src. + * + * Please note that we do not support strict-dynamic within default-src yet, + * see Bug 1313937. When updating this test please do not change the + * csp policies, but only replace todo_is() with is(). + */ + +var tests = [ + { + script_desc: "(test1) script should be allowed because of valid nonce", + img_desc: "(test1) img should be allowed because of 'self'", + script_result: "allowed", + img_result: "allowed", + policy: "default-src 'strict-dynamic' 'self'; script-src 'nonce-foo'" + }, + { + script_desc: "(test 2) script should be blocked because of invalid nonce", + img_desc: "(test 2) img should be allowed because of valid scheme-src", + script_result: "blocked", + img_result: "allowed", + policy: "default-src 'strict-dynamic' http:; script-src 'nonce-bar' http:" + }, + { + script_desc: "(test 3) script should be blocked because of invalid nonce", + img_desc: "(test 3) img should be allowed because of valid host-src", + script_result: "blocked", + script_enforced: "", + img_result: "allowed", + policy: "default-src 'strict-dynamic' mochi.test; script-src 'nonce-bar' http:" + }, + { + script_desc: "(test 4) script should be allowed because of valid nonce", + img_desc: "(test 4) img should be blocked because of default-src 'strict-dynamic'", + script_result: "allowed", + img_result: "blocked", + policy: "default-src 'strict-dynamic'; script-src 'nonce-foo'" + }, + // some reverse order tests (have script-src appear before default-src) + { + script_desc: "(test 5) script should be allowed because of valid nonce", + img_desc: "(test 5) img should be blocked because of default-src 'strict-dynamic'", + script_result: "allowed", + img_result: "blocked", + policy: "script-src 'nonce-foo'; default-src 'strict-dynamic';" + }, + { + script_desc: "(test 6) script should be allowed because of valid nonce", + img_desc: "(test 6) img should be blocked because of default-src http:", + script_result: "blocked", + img_result: "allowed", + policy: "script-src 'nonce-bar' http:; default-src 'strict-dynamic' http:;" + }, + { + script_desc: "(test 7) script should be allowed because of invalid nonce", + img_desc: "(test 7) img should be blocked because of image-src http:", + script_result: "blocked", + img_result: "allowed", + policy: "script-src 'nonce-bar' http:; default-src 'strict-dynamic' http:; img-src http:" + }, +]; + +var counter = 0; +var curTest; + +function loadNextTest() { + if (counter == tests.length) { + SimpleTest.finish(); + return; + } + + curTest = tests[counter++]; + var src = "file_testserver.sjs?file="; + // append the file that should be served + src += escape("tests/dom/security/test/csp/file_strict_dynamic_default_src.html"); + // append the CSP that should be used to serve the file + src += "&csp=" + escape(curTest.policy); + + document.getElementById("testframe").addEventListener("load", checkResults, false); + document.getElementById("testframe").src = src; +} + +function checkResults() { + try { + var testframe = document.getElementById("testframe"); + testframe.removeEventListener('load', checkResults, false); + + // check if script loaded + var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML; + if (curTest.script_result === "blocked") { + todo_is(divcontent, curTest.script_result, curTest.script_desc); + } + else { + is(divcontent, curTest.script_result, curTest.script_desc); + } + + // check if image loaded + var testimg = testframe.contentWindow.document.getElementById("testimage"); + if (curTest.img_result === "allowed") { + ok(testimg.complete, curTest.img_desc); + } + else { + ok((testimg.width == 0) && (testimg.height == 0), curTest.img_desc); + } + } + catch (e) { + ok(false, "ERROR: could not access content for test: '" + curTest.script_desc + "'"); + } + + loadNextTest(); +} + +// start running the tests +loadNextTest(); + +</script> +</body> +</html>