Bug 1277557 - Test require-sri-for in meta tag r=francois
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Fri, 08 Jul 2016 07:26:34 +0200
changeset 304157 fe2cd5c40e738a41a3899b9b70e33810c8ea0a57
parent 304156 2373b4f2f321e24560ae06f39bdd5cd71f5c34a5
child 304158 a91607dcab11acc0cda76066b995b4dada139d2d
push id79256
push usermozilla@christophkerschbaumer.com
push dateFri, 08 Jul 2016 05:58:12 +0000
reviewersfrancois
bugs1277557
milestone50.0a1
Bug 1277557 - Test require-sri-for in meta tag r=francois
dom/security/test/csp/file_require_sri_meta.js
dom/security/test/csp/file_require_sri_meta.sjs
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_require_sri_meta.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_require_sri_meta.js
@@ -0,0 +1,1 @@
+var foo = 24;
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_require_sri_meta.sjs
@@ -0,0 +1,54 @@
+// custom *.sjs for Bug 1277557
+// META CSP: require-sri-for script;
+
+const PRE_INTEGRITY =
+  "<!DOCTYPE HTML>" +
+  "<html><head><meta charset=\"utf-8\">" +
+  "<title>Bug 1277557 - CSP require-sri-for does not block when CSP is in meta tag</title>" +
+  "<meta http-equiv=\"Content-Security-Policy\" content=\"require-sri-for script; script-src 'unsafe-inline' *\">" +
+  "</head>" +
+  "<body>" +
+  "<script id=\"testscript\"" +
+  // Using math.random() to avoid confusing cache behaviors within the test
+  "        src=\"http://mochi.test:8888/tests/dom/security/test/csp/file_require_sri_meta.js?" + Math.random() + "\"";
+
+const WRONG_INTEGRITY =
+  "        integrity=\"sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC\"";
+
+const CORRECT_INEGRITY =
+  "        integrity=\"sha384-PkcuZQHmjBQKRyv1v3x0X8qFmXiSyFyYIP+f9SU86XWvRneifdNCPg2cYFWBuKsF\"";
+
+const POST_INTEGRITY =
+  "        onload=\"window.parent.postMessage({result: 'script-loaded'}, '*');\"" +
+  "        onerror=\"window.parent.postMessage({result: 'script-blocked'}, '*');\"" +
+  "></script>" +
+  "</body>" +
+  "</html>";
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+
+  var queryString = request.queryString;
+
+  if (queryString === "no-sri") {
+    response.write(PRE_INTEGRITY + POST_INTEGRITY);
+    return;
+  }
+
+  if (queryString === "wrong-sri") {
+    response.write(PRE_INTEGRITY + WRONG_INTEGRITY + POST_INTEGRITY);
+    return;
+  }
+
+  if (queryString === "correct-sri") {
+    response.write(PRE_INTEGRITY + CORRECT_INEGRITY + POST_INTEGRITY);
+    return;
+  }
+
+  // we should never get here, but just in case
+  // return something unexpected
+  response.write("do'h");
+}
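Review bot: The fallthrough at the end of handleRequest answers an unrecognised query string with a 200 response whose body is `do'h`, so a typo in the caller's query produces a frame that never posts a result and the test can only fail by timeout; setting an error status first, `response.setStatusLine(request.httpVersion, 400, "Bad Request");`, makes the misuse visible in the server log and in the frame. Separately, the constant declared on the `CORRECT_INEGRITY` line is misspelled; `CORRECT_INTEGRITY` keeps it parallel with `WRONG_INTEGRITY` (rename both the declaration and its use in the correct-sri branch). A one-line comment above PRE_INTEGRITY, `// 'unsafe-inline' in the meta policy is only needed for the inline onload/onerror handlers below`, would stop a later reader from tightening the policy and silently breaking the result reporting.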
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -177,16 +177,18 @@ support-files =
   file_sandbox_5.html
   file_sandbox_6.html
   file_sandbox_7.html
   file_sandbox_8.html
   file_sandbox_9.html
   file_sandbox_10.html
   file_sandbox_11.html
   file_sandbox_12.html
+  file_require_sri_meta.sjs
+  file_require_sri_meta.js
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 skip-if = buildapp == 'b2g' #no ssl support
 [test_bug663567.html]
@@ -267,8 +269,9 @@ tags = mcb
 [test_block_all_mixed_content_frame_navigation.html]
 tags = mcb
 [test_form_action_blocks_url.html]
 [test_meta_whitespace_skipping.html]
 [test_iframe_sandbox.html]
 [test_iframe_sandbox_top_1.html]
 [test_sandbox.html]
 [test_ping.html]
+[test_require_sri_meta.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_require_sri_meta.html
@@ -0,0 +1,77 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1277557 - CSP require-sri-for does not block when CSP is in meta tag</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load scripts within an iframe and make sure that meta-csp of
+ * require-sri-for applies correctly to preloaded scripts.
+ * Please note that we have to use <script src=""> to kick
+ * off the html preloader.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.setBoolPref("security.csp.experimentalEnabled", true);
+
+var curTest;
+var counter = -1;
+
+const tests = [
+  { // test 1
+    description: "script with *no* SRI should be blocked",
+    query: "no-sri",
+    expected: "script-blocked"
+  },
+  { // test 2
+    description: "script-with *incorrect* SRI should be blocked",
+    query: "wrong-sri",
+    expected: "script-blocked"
+  },
+  { // test 3
+    description: "script-with *correct* SRI should be loaded",
+    query: "correct-sri",
+    expected: "script-loaded"
+  },
+];
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage, false);
+  SimpleTest.finish();
+}
+
+function checkResults(result) {
+  is(result, curTest.expected, curTest.description);
+  loadNextTest();
+}
+
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+function loadNextTest() {
+  counter++;
+  if (counter == tests.length) {
+    finishTest();
+    return;
+  }
+  curTest = tests[counter];
+  var testframe = document.getElementById("testframe");
+  testframe.src = "file_require_sri_meta.sjs?" + curTest.query;
+}
+
+loadNextTest();
+
+</script>
+</body>
+</html>
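Review bot: `SpecialPowers.setBoolPref("security.csp.experimentalEnabled", true)` sets the pref for the whole session and nothing in the file resets it, so the flag leaks into every mochitest that runs after this one in the same browser; replacing that line and the trailing `loadNextTest();` call with `SpecialPowers.pushPrefEnv({set: [["security.csp.experimentalEnabled", true]]}, loadNextTest);` scopes the pref to this test and restores it when the test finishes. receiveMessage also accepts any message delivered to the top window and feeds `event.data.result` straight into `is()`, so a stray postMessage from the harness or a not-yet-unloaded frame would be counted as a test result; guarding with `if (event.source !== document.getElementById("testframe").contentWindow) return;` ties each result to the frame under test. The `counter == tests.length` comparison in loadNextTest should use `===`.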