Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled. r=ckerschb
authorvinoth <cegvinoth@gmail.com>
Mon, 07 May 2018 15:01:22 -0400
changeset 417135 c12ef7d20d6c7de6aaa0072c33e8153d98e59bd9
parent 417134 6419ce7979bdb0de0b4b7bf194976b703912cb4b
child 417136 84fcdac4cee2829f43a9408189212c591225c8db
push id33961
push userrgurzau@mozilla.com
push dateMon, 07 May 2018 22:08:28 +0000
reviewersckerschb
bugs1439330
milestone61.0a1
Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D1011
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_evalscript_allowed_by_strict_dynamic.html
dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -244,16 +244,18 @@ prefs =
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
 [test_bug885433.html]
 [test_bug888172.html]
 [test_evalscript.html]
+[test_evalscript_blocked_by_strict_dynamic.html]
+[test_evalscript_allowed_by_strict_dynamic.html]
 [test_frameancestors.html]
 [test_frameancestors_userpass.html]
 skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_inlinescript.html]
 [test_inlinestyle.html]
 [test_invalid_source_expression.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_evalscript_allowed_by_strict_dynamic.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" 
+        content="script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval'">
+  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
+  </title>
+  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+  </script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval' CSP and
+ * check if the eval function is allowed correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+  eval("1");
+  ok(true, "eval allowed by CSP");
+}
+catch (ex) {
+  ok(false, "eval should be allowed by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html>
\ No newline at end of file
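Review bot: The catch branch at the `ok(false, "eval should be allowed by CSP");` line throws away the exception, so when this test regresses the log only says that eval was not allowed, not why (a CSP EvalError vs. a syntax or reference error from the test itself); include the exception in the message, `ok(false, "eval should be allowed by CSP: " + ex);`. The same discarded-exception pattern is in the blocked test's catch branch in the next file. Two minor hygiene points while here: the `<meta http-equiv="Content-Security-Policy" ` line carries a trailing space, and the file ends without a newline (the `\ No newline at end of file` marker), both of which also apply to the second file.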
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" 
+        content="script-src 'nonce-foobar' 'strict-dynamic'">
+  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
+  </title>
+  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+  </script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
+ * check if the eval function is blocked correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+  eval("1");
+  ok(false, "eval should be blocked by CSP");
+}
+catch (ex) {
+  ok(true, "eval blocked by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html>
\ No newline at end of file
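Review bot: The `<title>` in this file states the opposite of what the test asserts — it says "eval is not blocked if 'strict-dynamic' is enabled", copied from the allowed-case test, while the body expects eval to throw; change it to `<title>Bug 1439330 - CSP: eval is blocked if 'strict-dynamic' is enabled</title>`. The catch branch passes on any exception, so a typo in the try body would make the test pass vacuously; asserting on the exception type is stronger, e.g. `ok(ex instanceof EvalError, "eval blocked by CSP: " + ex);` (CSP-blocked eval is expected to surface as an EvalError — confirm against the existing test_evalscript.html before relying on it). The description comment could also state the actual property under test so the pair of files reads as one: that 'strict-dynamic' does not implicitly grant eval, which still requires an explicit 'unsafe-eval' as in the sibling allowed-case test.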