Bug 1299483 - CSP: Implement 'strict-dynamic', mochitests. r=dveditz,freddyb
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Tue, 08 Nov 2016 13:33:27 +0100
changeset 321705 a802f55a2d95cb550b3f6e7a79399a8eae35d5e9
parent 321704 d16e2f01a122cd3bf9abd9cf91d831ad53e7dfd9
child 321706 201b2637eac61fc6bc85604c2d202f4c5b79e568
reviewersdveditz, freddyb
bugs1299483
milestone52.0a1
Bug 1299483 - CSP: Implement 'strict-dynamic', mochitests. r=dveditz,freddyb
dom/security/test/csp/file_strict_dynamic.js
dom/security/test/csp/file_strict_dynamic_script_extern.html
dom/security/test/csp/file_strict_dynamic_script_inline.html
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_strict_dynamic.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic.js
@@ -0,0 +1,1 @@
+document.getElementById("testdiv").innerHTML = "allowed";
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic_script_extern.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title>
+</head>
+<body>
+<div id="testdiv">blocked</div>
+<script nonce="foo" src="http://example.com/tests/dom/security/test/csp/file_strict_dynamic.js"></script>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic_script_inline.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title>
+</head>
+<body>
+<div id="testdiv">blocked</div>
+
+<script nonce="foo">
+  document.getElementById("testdiv").innerHTML = "allowed";
+</script>
+
+</body>
+</html>
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -184,16 +184,19 @@ support-files =
   file_sandbox_11.html
   file_sandbox_12.html
   file_require_sri_meta.sjs
   file_require_sri_meta.js
   file_sendbeacon.html
   file_upgrade_insecure_docwrite_iframe.sjs
   file_data-uri_blocked.html
   file_data-uri_blocked.html^headers^
+  file_strict_dynamic_script_inline.html
+  file_strict_dynamic_script_extern.html
+  file_strict_dynamic.js
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
@@ -267,8 +270,9 @@ tags = mcb
 [test_iframe_sandbox_top_1.html]
 [test_sandbox.html]
 [test_ping.html]
 [test_require_sri_meta.html]
 [test_sendbeacon.html]
 [test_upgrade_insecure_docwrite_iframe.html]
 [test_bug1242019.html]
 [test_bug1312272.html]
+[test_strict_dynamic.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_strict_dynamic.html
@@ -0,0 +1,115 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.setBoolPref("security.csp.enableStrictDynamic", true);
+
+/* Description of the test:
+ * We load scripts with a CSP of 'strict-dynamic' with valid
+ * and invalid nonces and make sure scripts are allowed/blocked
+ * accordingly. Different tests load inline and external scripts
+ * also using a CSP including http: and https: making sure
+ * other srcs are invalided by 'strict-dynamic'.
+ */
+
+var tests = [
+  {
+    desc: "strict-dynamic with valid nonce should be allowed",
+    result: "allowed",
+    file: "file_strict_dynamic_script_extern.html",
+    policy: "script-src 'strict-dynamic' 'nonce-foo' https: 'none' 'self'"
+  },
+  {
+    desc: "strict-dynamic with invalid nonce should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_script_extern.html",
+    policy: "script-src 'strict-dynamic' 'nonce-bar' http: http://example.com"
+  },
+  {
+    desc: "strict-dynamic, whitelist and invalid nonce should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_script_extern.html",
+    policy: "script-src 'strict-dynamic' 'nonce-bar' 'unsafe-inline' http: http://example.com"
+  },
+  {
+    desc: "strict-dynamic with no 'nonce-' should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_script_extern.html",
+    policy: "script-src 'strict-dynamic'"
+  },
+  // inline scripts
+  {
+    desc: "strict-dynamic with valid nonce should be allowed",
+    result: "allowed",
+    file: "file_strict_dynamic_script_inline.html",
+    policy: "script-src 'strict-dynamic' 'nonce-foo' https: 'none' 'self'"
+  },
+  {
+    desc: "strict-dynamic with invalid nonce should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_script_inline.html",
+    policy: "script-src 'strict-dynamic' 'nonce-bar' http: http://example.com"
+  },
+  {
+    desc: "strict-dynamic, unsafe-inline and invalid nonce should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_script_inline.html",
+    policy: "script-src 'strict-dynamic' 'nonce-bar' 'unsafe-inline' http: http://example.com"
+  },
+  {
+    desc: "strict-dynamic with no 'nonce-' should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_script_inline.html",
+    policy: "script-src 'strict-dynamic'"
+  },
+];
+
+var counter = 0;
+var curTest;
+
+function loadNextTest() {
+  if (counter == tests.length) {
+    SimpleTest.finish();
+    return;
+  }
+
+  curTest = tests[counter++];
+  var src = "file_testserver.sjs?file=";
+  // append the file that should be served
+  src += escape("tests/dom/security/test/csp/" + curTest.file)
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(curTest.policy);
+
+  document.getElementById("testframe").addEventListener("load", test, false);
+  document.getElementById("testframe").src = src;
+}
+
+function test() {
+  try {
+    document.getElementById("testframe").removeEventListener('load', test, false);
+    var testframe = document.getElementById("testframe");
+    var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML;
+    is(divcontent, curTest.result, curTest.desc);
+  }
+  catch (e) {
+    ok(false, "ERROR: could not access content for test: '" + curTest.desc + "'");
+  }
+  loadNextTest();
+}
+
+// start running the tests
+loadNextTest();
+
+</script>
+</body>
+</html>
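Review bot: `SpecialPowers.setBoolPref("security.csp.enableStrictDynamic", true);` near the top of the test script flips a global pref and never restores it, so it leaks into every test that runs after this one in the same session; the mochitest idiom is `SpecialPowers.pushPrefEnv({"set": [["security.csp.enableStrictDynamic", true]]}, loadNextTest);` replacing both that line and the bare `loadNextTest();` call at the bottom, which also guarantees the pref is applied before the first iframe load. The eight cases only check whether a script that itself carries a nonce is allowed or blocked, none exercises the property 'strict-dynamic' exists for: a nonced script programmatically inserting a non-nonced script (should be allowed) versus inserting one through `document.write` (should be blocked), so a regression in trust propagation would pass here unnoticed; a fixture whose nonced script does `createElement('script')`/`appendChild` and a second using `document.write` would close that gap. The first and fifth policies include `'none'` next to other sources, which is a malformed policy per spec; if that is deliberate (checking that `'none'` is ignored when it is not alone) the `desc` should say so. Minor: `escape()` is deprecated and leaves `+`, `/` and `@` unencoded, so `encodeURIComponent` is the safer choice for both the file path and the policy string, and "invalided" in the description comment should read "invalidated".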