Bug 1269241 - Add SRI tests for UTF-8 stylesheets. r=ckerschb,r=jkt
authorFrancois Marier <francois@mozilla.com>
Thu, 07 Jul 2016 14:44:51 -0700
changeset 304137 0a64cf8e2fb51ab0fe81bf0bb154caf2e5848d93
parent 304136 7975518290c621749e1e2111f2dd39f093681dea
child 304138 98eca6a35e1a96107aba99410afb256bdb2dd6cd
push id30414
push usercbook@mozilla.com
push dateFri, 08 Jul 2016 09:59:01 +0000
treeherdermozilla-central@45682df2d2d4 [default view] [failures only]
reviewersckerschb, jkt
bugs1269241
milestone50.0a1
Bug 1269241 - Add SRI tests for UTF-8 stylesheets. r=ckerschb,r=jkt
dom/security/SRICheck.cpp
dom/security/test/sri/iframe_style_sameorigin.html
dom/security/test/sri/mochitest.ini
dom/security/test/sri/style4.css
dom/security/test/sri/style4.css^headers^
dom/security/test/sri/style5.css
dom/security/test/sri/style6.css
dom/security/test/sri/style6.css^headers^
--- a/dom/security/SRICheck.cpp
+++ b/dom/security/SRICheck.cpp
@@ -319,16 +319,25 @@ SRICheckDataVerifier::VerifyHash(const S
     nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
                                     NS_LITERAL_CSTRING("Sub-resource Integrity"),
                                     aDocument,
                                     nsContentUtils::eSECURITY_PROPERTIES,
                                     "InvalidIntegrityLength");
     return NS_ERROR_SRI_CORRUPT;
   }
 
+  if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) {
+    nsAutoCString encodedHash;
+    nsresult rv = Base64Encode(mComputedHash, encodedHash);
+    if (NS_SUCCEEDED(rv)) {
+      SRILOG(("SRICheckDataVerifier::VerifyHash, mComputedHash=%s",
+              encodedHash.get()));
+    }
+  }
+
   if (!binaryHash.Equals(mComputedHash)) {
     SRILOG(("SRICheckDataVerifier::VerifyHash, hash[%u] did not match", aHashIndex));
     return NS_ERROR_SRI_CORRUPT;
   }
 
   SRILOG(("SRICheckDataVerifier::VerifyHash, hash[%u] verified successfully", aHashIndex));
   return NS_OK;
 }
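Review bot: If `Base64Encode` fails in the new debug block, nothing is logged, so the SRI debug log silently omits the computed hash with no hint as to why. An `else` branch such as `SRILOG(("SRICheckDataVerifier::VerifyHash, failed to encode mComputedHash"));` would make that visible. A short comment above the `MOZ_LOG_TEST` guard, e.g. `// Only pay for the Base64 encoding when SRI debug logging is enabled.`, would also explain why this log call is wrapped while the neighbouring `SRILOG` calls are not. VerifyHash starts above the hunk, so whether the expected hash is logged earlier is not visible here.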
--- a/dom/security/test/sri/iframe_style_sameorigin.html
+++ b/dom/security/test/sri/iframe_style_sameorigin.html
@@ -56,16 +56,35 @@
       ok(false, "We should load stylesheets using blob: URLs with the right hash!");
     }
     function good_invalidBlobBlocked() {
       ok(true, "A stylesheet was blocked successfully from a blob: URL with an invalid hash.");
     }
     function bad_invalidBlobLoaded() {
       ok(false, "We should not load stylesheets using blob: URLs when they have the wrong hash!");
     }
+
+    function good_correctUTF8HashLoaded() {
+      ok(true, "A UTF8 stylesheet was correctly loaded when integrity matched");
+    }
+    function bad_correctUTF8HashBlocked() {
+      ok(false, "We should load UTF8 stylesheets with hashes that match!");
+    }
+    function good_correctUTF8BOMHashLoaded() {
+      ok(true, "A UTF8 stylesheet (with BOM) was correctly loaded when integrity matched");
+    }
+    function bad_correctUTF8BOMHashBlocked() {
+      todo(false, "We should load UTF8 (with BOM) stylesheets with hashes that match!");
+    }
+    function good_correctUTF8ishHashLoaded() {
+      ok(true, "A UTF8ish stylesheet was correctly loaded when integrity matched");
+    }
+    function bad_correctUTF8ishHashBlocked() {
+      todo(false, "We should load UTF8ish stylesheets with hashes that match!");
+    }
   </script>
 
   <!-- valid sha256 hash. should trigger onload -->
   <link rel="stylesheet" href="style1.css"
         integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
         onerror="bad_correctHashBlocked()"
         onload="good_correctHashLoaded()">
 
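Review bot: `bad_correctUTF8BOMHashBlocked` and `bad_correctUTF8ishHashBlocked` call `todo(false, ...)` while their `good_*` counterparts call `ok(true, ...)`, so for style5.css and style6.css the test passes whether the stylesheet loads or is blocked and pins neither behaviour. Nothing in the hunk says which bug tracks the expected failure; a comment above each, e.g. `// Known failure, tracked in bug <BUG-ID>; switch to ok(false, ...) once fixed.`, would keep the todo from becoming permanent. The `<link>` comments in the next hunk ("should trigger onload") for style5.css and style6.css describe the intended behaviour rather than the current one and need the same caveat.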
@@ -75,16 +94,34 @@
         onerror="bad_emptyIntegrityBlocked()"
         onload="good_emptyIntegrityLoaded()">
 
   <!-- invalid sha256 hash. should trigger onerror -->
   <link rel="stylesheet" href="style3.css"
         integrity="sha256-bogus"
         onerror="good_incorrectHashBlocked()"
         onload="bad_incorrectHashLoaded()">
+
+  <!-- valid sha384 hash of a utf8 file. should trigger onload -->
+  <link rel="stylesheet" href="style4.css"
+        integrity="sha384-13rt+j7xMDLhohLukb7AZx8lDGS3hkahp0IoeuyvxSNVPyc1QQmTDcwXGhQZjoMH"
+        onerror="bad_correctUTF8HashBlocked()"
+        onload="good_correctUTF8HashLoaded()">
+
+  <!-- valid sha384 hash of a utf8 file with a BOM. should trigger onload -->
+  <link rel="stylesheet" href="style5.css"
+        integrity="sha384-udAqVKPIHf/OD1isAYKrgzsog/3Q6lSEL2nKhtLSTmHryiae0+y6x1akeTzEF446"
+        onerror="bad_correctUTF8BOMHashBlocked()"
+        onload="good_correctUTF8BOMHashLoaded()">
+
+  <!-- valid sha384 hash of a utf8 file with the wrong charset. should trigger onload -->
+  <link rel="stylesheet" href="style6.css"
+        integrity="sha384-Xli4ROFoVGCiRgXyl7y8jv5Vm2yuqj+8tkNL3cUI7AHaCocna75JLs5xID437W6C"
+        onerror="bad_correctUTF8ishHashBlocked()"
+        onload="good_correctUTF8ishHashLoaded()">
 </head>
 <body>
 
 <!-- valid sha256 for a blob: URL -->
 <script>
    var blob = new Blob(['.blue-text{color:blue}'],
                        {type: 'text/css'});
    var link = document.createElement('link');
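Review bot: All three new `<link>` elements carry a matching hash, so no case shows that a UTF-8 stylesheet with a wrong `integrity` value is still blocked. Because the style5.css and style6.css handlers accept either outcome through `todo`, a negative case is what would catch a regression that lets a mismatched stylesheet through once encoding handling changes. Consider adding one more link to a UTF-8 stylesheet with a deliberately wrong sha384 value, with `onerror` wired to the good handler and `onload` to the bad one, mirroring the existing style3.css case.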
@@ -104,17 +141,20 @@
    link.rel = 'stylesheet';
    link.href = window.URL.createObjectURL(blob);
    link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM=');
    link.onerror = good_invalidBlobBlocked;
    link.onload = bad_invalidBlobLoaded;
    document.body.appendChild(link);
 </script>
 
-<p><span id="red-text">This should be red </span> and
+<p><span id="red-text">This should be red </span>,
+  <span id="purple-text">this should be purple</span>,
+  <span id="brown-text">this should be brown</span>,
+  <span id="orange-text">this should be orange</span>, and
   <span class="blue-text" id="blue-text-element">this should be blue.</span>
   However, <span id="black-text">this should stay black</span> and
   <span class="black-text" id="black-text-2">this should also stay black.</span>
 </p>
 
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
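Review bot: The new `purple-text`, `brown-text` and `orange-text` spans only add coverage if something reads their computed colour, and no file in this commit adds such a check. test_style_sameorigin.html, which presumably hosts this iframe, is not in the changed-file list. Unless the parent test already inspects these ids, the `onload` callback firing is the only evidence that the verified stylesheet was actually applied. Consider asserting the computed `color` of each span there, or add a comment stating that the spans are for manual inspection only.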
--- a/dom/security/test/sri/mochitest.ini
+++ b/dom/security/test/sri/mochitest.ini
@@ -23,16 +23,21 @@ support-files =
   script_302.js
   script_302.js^headers^
   script_401.js
   script_401.js^headers^
   style1.css
   style1.css^headers^
   style2.css
   style3.css
+  style4.css
+  style4.css^headers^
+  style5.css
+  style6.css
+  style6.css^headers^
   style_301.css
   style_301.css^headers^
 
 [test_script_sameorigin.html]
 [test_script_crossdomain.html]
 [test_sri_disabled.html]
 [test_style_crossdomain.html]
 [test_style_sameorigin.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style4.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#purple-text {
+  color: purple;
+}
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style4.css^headers^
@@ -0,0 +1,1 @@
+Content-Type: text/css; charset=utf-8
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style5.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#orange-text {
+  color: orange;
+}
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style6.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#brown-text {
+  color: brown;
+}
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style6.css^headers^
@@ -0,0 +1,1 @@
+Content-Type: text/css; charset=iso-8859-8