Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled. r=ckerschb
☠☠ backed out by eb408f77a028 ☠ ☠
authorvinoth <cegvinoth@gmail.com>
Sat, 28 Apr 2018 09:54:40 -0400
changeset 416202 254e0c58f80fd65ad00bcd3b4dfd324a05d93e67
parent 416201 f9abb3479fdd7127f6e9be4c1638f88ef47240d0
child 416203 9263d25afcd041bf301cbd96c4cb8199975c85bf
push id33919
push usernerli@mozilla.com
push dateSun, 29 Apr 2018 09:48:23 +0000
reviewersckerschb
bugs1439330
milestone61.0a1
Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D1011
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_evalscript_allowed_by_strict_dynamic.html
dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -244,16 +244,18 @@ prefs =
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
 [test_bug885433.html]
 [test_bug888172.html]
 [test_evalscript.html]
+[test_evalscript_blocked_by_strict_dynamic.html]
+[test_evalscript_allowed_by_strict_dynamic.html]
 [test_frameancestors.html]
 [test_frameancestors_userpass.html]
 skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_inlinescript.html]
 [test_inlinestyle.html]
 [test_invalid_source_expression.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_evalscript_allowed_by_strict_dynamic.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" 
+        content="script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval'">
+  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
+  </title>
+  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+  </script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval' CSP and
+ * check if the eval function is allowed correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+  eval("1");
+  ok(true, "eval allowed by CSP");
+}
+catch (ex) {
+  ok(false, "eval should be allowed by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html>
\ No newline at end of file
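Review bot: The catch branch on lines 84-86 discards the exception, so if this test ever fails the log only says "eval should be allowed by CSP" with no hint whether the throw came from the CSP string-compilation check or from something unrelated; include the error text, `ok(false, "eval should be allowed by CSP: " + ex);`. The `<title>` on line 63 also understates what is being exercised: the policy on line 62 carries `'unsafe-eval'`, and the property under test is that `'strict-dynamic'` does not revoke it, so a title such as `Bug 1439330 - CSP: eval is allowed by 'unsafe-eval' even with 'strict-dynamic'` keeps this test distinguishable from its sibling in failure logs. Minor: line 61 has trailing whitespace after the `http-equiv` attribute, and both new files end without a trailing newline (here and at the end of test_evalscript_blocked_by_strict_dynamic.html).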
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" 
+        content="script-src 'nonce-foobar' 'strict-dynamic'">
+  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
+  </title>
+  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+  </script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
+ * check if the eval function is blocked correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+  eval("1");
+  ok(false, "eval should be blocked by CSP");
+}
+catch (ex) {
+  ok(true, "eval blocked by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html>
\ No newline at end of file
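Review bot: The `<title>` on line 104 says eval "is not blocked", which is the allowed-case wording copied from the sibling file; this page asserts the opposite, so it should read `Bug 1439330 - CSP: eval is blocked if 'strict-dynamic' is enabled`. The catch on lines 125-127 also passes on any exception at all, so a syntax error or an unrelated throw inside the try would be reported as a successful CSP block; narrowing the assertion to the CSP failure mode, e.g. `ok(ex instanceof EvalError, "eval blocked by CSP: " + ex);`, makes the test prove what it claims (the HTML string-compilation hook specifies an EvalError for a CSP rejection, so that check should hold, but confirm against the actual error surfaced by this build). Minor: line 102 has trailing whitespace after the `http-equiv` attribute.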