| author | Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com> |
| Wed, 10 May 2017 08:53:27 +0200 | |
| changeset 357478 | b62ad39ce4a65365cd4a4c9a632cdccdbd290592 |
| parent 357477 | 92676fadb9e2f129418e58d75b1dc38760b7110c |
| child 357479 | 75a137315cd3af0b75d44ad728eb5d1bfbfc5049 |
| push id | 31792 |
| push user | cbook@mozilla.com |
| push date | Wed, 10 May 2017 13:07:59 +0000 |
| treeherder | mozilla-central@ebbcdaa5b580 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | dveditz |
| bugs | 1355801 |
| milestone | 55.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
new file mode 100644 --- /dev/null +++ b/dom/security/test/csp/file_image_nonce.html @@ -0,0 +1,39 @@ +<!DOCTYPE HTML> +<html> + <head> + <meta charset='utf-8'> + <title>Bug 1355801: Nonce should not apply to images</title> + </head> +<body> + +<img id='matchingNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?a' nonce='abc'></img> +<img id='nonMatchingNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?b' nonce='bca'></img> +<img id='noNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?c'></img> + +<script type='application/javascript'> + var matchingNonce = document.getElementById('matchingNonce'); + matchingNonce.onload = function(e) { + window.parent.postMessage({result: 'img-with-matching-nonce-loaded'}, '*'); + }; + matchingNonce.onerror = function(e) { + window.parent.postMessage({result: 'img-with-matching-nonce-blocked'}, '*'); + } + + var nonMatchingNonce = document.getElementById('nonMatchingNonce'); + nonMatchingNonce.onload = function(e) { + window.parent.postMessage({result: 'img-with_non-matching-nonce-loaded'}, '*'); + }; + nonMatchingNonce.onerror = function(e) { + window.parent.postMessage({result: 'img-with_non-matching-nonce-blocked'}, '*'); + } + + var noNonce = document.getElementById('noNonce'); + noNonce.onload = function(e) { + window.parent.postMessage({result: 'img-without-nonce-loaded'}, '*'); + }; + noNonce.onerror = function(e) { + window.parent.postMessage({result: 'img-without-nonce-blocked'}, '*'); + } +</script> +</body> +</html>
new file mode 100644 --- /dev/null +++ b/dom/security/test/csp/file_image_nonce.html^headers^ @@ -0,0 +1,2 @@ +Content-Security-Policy: img-src 'nonce-abc'; +Cache-Control: no-cache
--- a/dom/security/test/csp/mochitest.ini +++ b/dom/security/test/csp/mochitest.ini @@ -206,16 +206,18 @@ support-files = file_punycode_host_src.sjs file_punycode_host_src.js file_iframe_srcdoc.sjs file_iframe_sandbox_srcdoc.html file_iframe_sandbox_srcdoc.html^headers^ file_websocket_self.html file_websocket_explicit.html file_websocket_self_wsh.py + file_image_nonce.html + file_image_nonce.html^headers^ [test_base-uri.html] [test_blob_data_schemes.html] [test_connect-src.html] [test_CSP.html] [test_allow_https_schemes.html] [test_bug663567.html] [test_bug802872.html] @@ -296,10 +298,11 @@ tags = mcb [test_bug1312272.html] [test_strict_dynamic.html] [test_strict_dynamic_parser_inserted.html] [test_strict_dynamic_default_src.html] [test_upgrade_insecure_navigation.html] [test_punycode_host_src.html] [test_iframe_sandbox_srcdoc.html] [test_iframe_srcdoc.html] +[test_image_nonce.html] [test_websocket_self.html] skip-if = toolkit == 'android'
new file mode 100644 --- /dev/null +++ b/dom/security/test/csp/test_image_nonce.html @@ -0,0 +1,60 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta charset="utf-8"> + <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<iframe style="width:100%;" id="testframe"></iframe> + +<script class="testbody" type="text/javascript"> + +/* Description of the test: + * We load three images: (a) with a matching nonce, + (b) with a non matching nonce, + * (c) with no nonce + * and make sure that all three images get blocked because + * "img-src nonce-bla" should not allow an image load, not + * even if the nonce matches*. + */ + +SimpleTest.waitForExplicitFinish(); + +var counter = 0; + +function finishTest() { + window.removeEventListener("message", receiveMessage); + SimpleTest.finish(); +} + +function checkResults(aResult) { + counter++; + if (aResult === "img-with-matching-nonce-blocked" || + aResult === "img-with_non-matching-nonce-blocked" || + aResult === "img-without-nonce-blocked") { + ok (true, "correct result for: " + aResult); + } + else { + ok(false, "unexpected result: " + aResult + "\n\n"); + } + if (counter < 3) { + return; + } + finishTest(); +} + +// a postMessage handler that is used by sandboxed iframes without +// 'allow-same-origin' to bubble up results back to this main page. +window.addEventListener("message", receiveMessage); +function receiveMessage(event) { + checkResults(event.data.result); +} + +document.getElementById("testframe").src = "file_image_nonce.html"; + +</script> +</body> +</html>