Bug 1355801: Nonce should not apply to images tests. r=dveditz
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 10 May 2017 08:53:27 +0200
changeset 357478 b62ad39ce4a65365cd4a4c9a632cdccdbd290592
parent 357477 92676fadb9e2f129418e58d75b1dc38760b7110c
child 357479 75a137315cd3af0b75d44ad728eb5d1bfbfc5049
push id31792
push usercbook@mozilla.com
push dateWed, 10 May 2017 13:07:59 +0000
reviewersdveditz
bugs1355801
milestone55.0a1
Bug 1355801: Nonce should not apply to images tests. r=dveditz
dom/security/test/csp/file_image_nonce.html
dom/security/test/csp/file_image_nonce.html^headers^
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_image_nonce.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_image_nonce.html
@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+  <meta charset='utf-8'>
+  <title>Bug 1355801: Nonce should not apply to images</title>
+  </head>
+<body>
+
+<img id='matchingNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?a' nonce='abc'></img>
+<img id='nonMatchingNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?b' nonce='bca'></img>
+<img id='noNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?c'></img>
+
+<script type='application/javascript'>
+  var matchingNonce = document.getElementById('matchingNonce');
+  matchingNonce.onload = function(e) {
+    window.parent.postMessage({result: 'img-with-matching-nonce-loaded'}, '*');
+  };
+  matchingNonce.onerror = function(e) {
+    window.parent.postMessage({result: 'img-with-matching-nonce-blocked'}, '*');
+  }
+
+  var nonMatchingNonce = document.getElementById('nonMatchingNonce');
+  nonMatchingNonce.onload = function(e) {
+    window.parent.postMessage({result: 'img-with_non-matching-nonce-loaded'}, '*');
+  };
+  nonMatchingNonce.onerror = function(e) {
+    window.parent.postMessage({result: 'img-with_non-matching-nonce-blocked'}, '*');
+  }
+
+  var noNonce = document.getElementById('noNonce');
+  noNonce.onload = function(e) {
+    window.parent.postMessage({result: 'img-without-nonce-loaded'}, '*');
+  };
+  noNonce.onerror = function(e) {
+    window.parent.postMessage({result: 'img-without-nonce-blocked'}, '*');
+  }
+</script>
+</body>
+</html>
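Review bot: The three `<img>` elements at the top of the body are closed with `</img>` end tags, which are invalid for a void element (the parser discards them), and none carries an `alt`; each should be written as e.g. `<img id='matchingNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?a' nonce='abc' alt=''>`. The load/error handlers are attached from the inline script only after the images have already been parsed and their loads started, so the test presumably relies on the error/load events being dispatched asynchronously rather than during parsing — a one-line comment such as `// handlers are attached after parse; load/error events are queued, not synchronous` would stop someone from "fixing" the ordering. The result strings for the second image use `img-with_non-matching-nonce-...` with a stray underscore while the other two are all-hyphen; it is harmless because the receiver compares the same literals, but one separator would make the expected-result list easier to read and grep.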
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_image_nonce.html^headers^
@@ -0,0 +1,2 @@
+Content-Security-Policy: img-src 'nonce-abc';
+Cache-Control: no-cache
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -206,16 +206,18 @@ support-files =
   file_punycode_host_src.sjs
   file_punycode_host_src.js
   file_iframe_srcdoc.sjs
   file_iframe_sandbox_srcdoc.html
   file_iframe_sandbox_srcdoc.html^headers^
   file_websocket_self.html
   file_websocket_explicit.html
   file_websocket_self_wsh.py
+  file_image_nonce.html
+  file_image_nonce.html^headers^
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
@@ -296,10 +298,11 @@ tags = mcb
 [test_bug1312272.html]
 [test_strict_dynamic.html]
 [test_strict_dynamic_parser_inserted.html]
 [test_strict_dynamic_default_src.html]
 [test_upgrade_insecure_navigation.html]
 [test_punycode_host_src.html]
 [test_iframe_sandbox_srcdoc.html]
 [test_iframe_srcdoc.html]
+[test_image_nonce.html]
 [test_websocket_self.html]
 skip-if = toolkit == 'android'
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_image_nonce.html
@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load three images: (a) with a matching nonce,
+                         (b) with a non matching nonce,
+ *                       (c) with no nonce
+ * and make sure that all three images get blocked because
+ * "img-src nonce-bla" should not allow an image load, not
+ * even if the nonce matches*.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+var counter = 0;
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(aResult) {
+  counter++;
+  if (aResult === "img-with-matching-nonce-blocked" ||
+      aResult === "img-with_non-matching-nonce-blocked" ||
+      aResult === "img-without-nonce-blocked") {
+    ok (true, "correct result for: " + aResult);
+  }
+  else {
+    ok(false, "unexpected result: " + aResult + "\n\n");
+  }
+  if (counter < 3) {
+    return;
+  }
+  finishTest();
+}
+
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin' to bubble up results back to this main page.
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+document.getElementById("testframe").src = "file_image_nonce.html";
+
+</script>
+</body>
+</html>
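Review bot: The `<title>` in the head is copy-pasted from another test (`Bug 1139297 - Implement CSP upgrade-insecure-requests directive`) and should read `Bug 1355801: Nonce should not apply to images`, matching the frame file it loads. The description comment cites `img-src nonce-bla` while the `^headers^` file actually sends `img-src 'nonce-abc'`, and the trailing `*` after "matches" points to a footnote that does not exist; likewise the comment above `addEventListener` describes sandboxed iframes without `allow-same-origin`, but `testframe` here is not sandboxed at all, so that comment should be reduced to something like `// results are posted from the test frame via postMessage`. `receiveMessage` counts any message that reaches the window without checking where it came from; for a test this is tolerable, but a guard such as `if (event.source !== document.getElementById("testframe").contentWindow) return;` keeps an unrelated postMessage from being counted as one of the three expected results. Since `counter` is bumped on every message, a duplicate report from one image would satisfy the threshold while a missing report only surfaces as a harness timeout — tracking the three result names in a set rather than a count would make both failures explicit.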