Bug 1387871 - CSP: Test 'self' within meta csp in data: URI iframe. r=dveditz
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 23 Aug 2017 09:50:20 +0200
changeset 376311 6c69390e7b8afa5c3d42bcb463f8a4ba8fb504f2
parent 376310 f96c5e184fbfc5e5b1712d867ccf1b5cd5f0cd5d
child 376312 ced4dd04b1f13f91cc271e736f2141045e817c83
push id32380
push userarchaeopteryx@coole-files.de
push dateWed, 23 Aug 2017 14:30:12 +0000
treeherdermozilla-central@446cd9f4b0f5 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdveditz
bugs1387871
milestone57.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1387871 - CSP: Test 'self' within meta csp in data: URI iframe. r=dveditz
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_meta_csp_self.html
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -313,12 +313,13 @@ tags = mcb
 [test_image_nonce.html]
 [test_websocket_self.html]
 skip-if = toolkit == 'android'
 [test_ignore_xfo.html]
 [test_data_csp_inheritance.html]
 [test_data_csp_merge.html]
 [test_report_font_cache.html]
 [test_data_doc_ignore_meta_csp.html]
+[test_meta_csp_self.html]
 [test_uir_top_nav.html]
 support-files =
   file_uir_top_nav.html
   file_uir_top_nav_dummy.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_meta_csp_self.html
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1387871 - CSP: Test 'self' within meta csp in  data: URI iframe</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+/* Description of the test:
+ * We load a data: URI into an iframe which provides a meta-csp
+ * including the keyword 'self'. We make sure 'self' does not
+ * allow a data: image to load.
+ */
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  window.removeEventListener("message", receiveMessage);
+  is(event.data.result, "dataFrameReady", "sanity: received msg from loaded frame");
+
+  var frame = document.getElementById("testframe");
+
+  // make sure the img was blocked
+  var img = SpecialPowers.wrap(frame).contentDocument.getElementById("testimg");
+  is(img.width, 0, "img should be blocked -  width should be 0");
+  is(img.height, 0, "img should be blocked - height should be 0");
+
+  // sanity check, make sure 'self' translates into data
+  var principal = SpecialPowers.wrap(frame).contentDocument.nodePrincipal;
+  var cspJSON = principal.cspJSON;
+
+  // parse the cspJSON in a csp-object
+  var cspOBJ = JSON.parse(cspJSON);
+  ok(cspOBJ, "sanity: was able to parse the CSP JSON");
+
+  // make sure we only got one policy
+  var policies = cspOBJ["csp-policies"];
+  is(policies.length, 1, "sanity: received one CSP policy");
+
+  var policy = policies[0];
+  var val = policy['img-src'];
+  is(val.toString(), "data://", "'self' should translate into data");
+  SimpleTest.finish();
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.data_uri.unique_opaque_origin", true]]},
+  function() {
+    let DATA_URI = `data:text/html,
+      <html>
+      <head>
+        <meta http-equiv="Content-Security-Policy" content="img-src 'self'">
+      </head>
+      <body onload="parent.postMessage({result:'dataFrameReady'},'*');">
+        data: URI frame with meta-csp including 'self'<br/>
+        <img id="testimg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" />
+      </body>
+      </html>`;
+    document.getElementById("testframe").src = DATA_URI;
+  });
+
+</script>
+</body>
+</html>