Bug 1509738 - Summary: Test nonce snapshot for CSP loades r=jkt
☠☠ backed out by 36ae1038bf8c ☠ ☠
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Tue, 12 Feb 2019 18:01:30 +0000
changeset 458814 5cbc3f79a126
parent 458813 9ae214a9c414
child 458815 8a7955cc1149
push id35548
push useropoprus@mozilla.com
push dateWed, 13 Feb 2019 09:48:26 +0000
reviewersjkt
bugs1509738
milestone67.0a1
Bug 1509738 - Summary: Test nonce snapshot for CSP loades r=jkt Differential Revision: https://phabricator.services.mozilla.com/D19357
dom/security/test/csp/file_nonce_snapshot.sjs
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_nonce_snapshot.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_snapshot.sjs
@@ -0,0 +1,48 @@
+"use strict";
+
+const TEST_FRAME =
+  `<!DOCTYPE HTML>
+   <html>
+   <body>
+   <script id='myScript' nonce='123456789' type='application/javascript'></script>
+   <script nonce='123456789'>
+     let myScript = document.getElementById('myScript');
+     // 1) start loading the script using the nonce 123456789
+     myScript.src='file_nonce_snapshot.sjs?redir-script';
+     // 2) dynamically change the nonce, load should use initial nonce
+     myScript.setAttribute('nonce','987654321');
+   </script>
+   </body>
+   </html>`;
+
+const SCRIPT = "window.parent.postMessage('script-loaded', '*');";
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+ 
+  let queryString = request.queryString;
+
+  if (queryString === "load-frame") {
+    response.setHeader("Content-Security-Policy", "script-src 'nonce-123456789'", false);
+    response.setHeader("Content-Type", "text/html", false);
+    response.write(TEST_FRAME);
+    return;
+  }
+
+  if (queryString === "redir-script") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", "file_nonce_snapshot.sjs?load-script", false);
+    return;
+  }
+
+  if (queryString === "load-script") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write(SCRIPT);
+    return;
+  }
+
+  // we should never get here but just in case return something unexpected
+  response.write("do'h");
+}
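Review bot: The frame built in TEST_FRAME reports only success, so if the redirected load is blocked by CSP nothing is posted to the parent and the test can only end in a harness timeout. An error handler set in the inline script before `myScript.src` is assigned would turn that into an immediate, readable failure, for example `myScript.onerror = () => window.parent.postMessage('script-blocked', '*');`. The `is()` comparison in test_nonce_snapshot.html would then fail on the mismatched message without further changes. Separately, the fall-through at the end of handleRequest writes `do'h` without setting a status line, so an unknown query presumably gets the server's default success status; calling `response.setStatusLine("1.1", 400, "Bad Request");` before the write would make a mistyped query string stand out in the test log.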
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -363,8 +363,11 @@ support-files =
   file_frame_src_inner.html
 [test_security_policy_violation_event.html]
 [test_csp_worker_inheritance.html]
 support-files =
   worker.sjs
   worker_helper.js
   main_csp_worker.html
   main_csp_worker.html^headers^
+[test_nonce_snapshot.html]
+support-files =
+  file_nonce_snapshot.sjs
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_nonce_snapshot.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1509738 - Snapshot nonce at load start time</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * a) the test starts loading a script using whitelisted nonce
+ * b) the nonce of the script gets modified
+ * c) the script hits a 302 server side redirect
+ * d) we ensure the script still loads and does not use the modified nonce
+ */
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  is(event.data, "script-loaded", "script loaded even though nonce was dynamically modified");
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+
+SimpleTest.waitForExplicitFinish();
+let src = "file_nonce_snapshot.sjs?load-frame";
+document.getElementById("testframe").src = src;
+
+</script>
+</body>
+</html>
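Review bot: receiveMessage treats the first message event that reaches the window as the test result, whatever its sender. It runs `is()` on the data, removes the listener and calls `SimpleTest.finish()`, so an unrelated message would fail and end the test before the frame reports. A guard at the top of the handler, `if (event.source !== document.getElementById("testframe").contentWindow) { return; }`, would limit the check to the frame under test. The description comment could also say that the test observes only that the script loaded after the redirect. It infers that the original nonce was used from the frame's policy allowing only `'nonce-123456789'`, rather than inspecting the nonce directly.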