Bug 1187335 - P3 - modify SRI test to match current behavior. r=bkelly, r=francois.
authorTom Tung <ttung@mozilla.com>
Mon, 30 May 2016 12:26:56 +0800
changeset 313229 c586b098334477f680e9eff7e65e904805f7d7ee
parent 313228 89c1c3294bee9930d4421f0f033f9d9ed0a69be3
child 313230 cd24ae54ea421b45b24919741fabe9cdb29a40fd
push id30676
push userkwierso@gmail.com
push dateThu, 08 Sep 2016 22:22:24 +0000
treeherdermozilla-central@176aff980979 [default view] [failures only]
reviewersbkelly, francois
bugs1187335
milestone51.0a1
Bug 1187335 - P3 - modify SRI test to match current behavior. r=bkelly, r=francois.
dom/security/test/sri/iframe_script_crossdomain.html
dom/security/test/sri/iframe_style_crossdomain.html
--- a/dom/security/test/sri/iframe_script_crossdomain.html
+++ b/dom/security/test/sri/iframe_script_crossdomain.html
@@ -53,27 +53,27 @@
 
   function good_correct301Blocked() {
     ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
   }
   function bad_correct301Loaded() {
     ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
   }
 
-  function good_correctDataBlocked() {
-    ok(true, "A data: URL was blocked correctly.");
+  function good_correctDataLoaded() {
+    ok(true, "Since data: URLs are same-origin, they should be loaded.");
   }
-  function bad_correctDataLoaded() {
-    ok(false, "Since data: URLs are neither same-origin nor CORS, they should be blocked!");
+  function bad_correctDataBlocked() {
+    todo(false, "We should not block scripts in data: URIs!");
   }
-  function good_correctDataCORSBlocked() {
-    ok(true, "A data: URL was blocked correctly even though it was a CORS load.");
+  function good_correctDataCORSLoaded() {
+    ok(true, "A data: URL with a CORS load was loaded correctly.");
   }
-  function bad_correctDataCORSLoaded() {
-    todo(false, "We should not load scripts in data: URIs regardless of CORS mode!");
+  function bad_correctDataCORSBlocked() {
+    ok(false, "We should not BLOCK scripts!");
   }
 
   window.onload = function() {
     SimpleTest.finish()
   }
 </script>
 
 <!-- cors-enabled. should be loaded -->
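Review bot: `bad_correctDataBlocked` reports through `todo(false, ...)`, so this case passes whether the non-CORS data: script loads or is blocked, while its sibling `bad_correctDataCORSBlocked` uses `ok(false, ...)`. If loading is now the required behaviour, make it `ok(false, "We should not block scripts in data: URIs!");`; if blocking is still a known gap, a comment naming the follow-up bug would say so. The message in `bad_correctDataCORSBlocked`, "We should not BLOCK scripts!", also omits which case failed; `ok(false, "We should not block CORS-mode scripts in data: URIs!");` would make a failure log self-explanatory. The enclosing script block starts outside the hunk.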
@@ -107,28 +107,28 @@
         onload="bad_incorrect301Loaded()"></script>
 
 <!-- non-cors that's same-origin initially but redirected to another origin -->
 <script src="script_301.js"
         integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
         onerror="good_correct301Blocked()"
         onload="bad_correct301Loaded()"></script>
 
-<!-- data: URLs are not same-origin -->
+<!-- data: URLs are same-origin -->
 <script src="data:,console.log('data:valid');"
         integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
-        onerror="good_correctDataBlocked()"
-        onload="bad_correctDataLoaded()"></script>
+        onerror="bad_correctDataBlocked()"
+        onload="good_correctDataLoaded()"></script>
 
-<!-- data: URLs should always be opaque -->
+<!-- not cors-enabled with data: URLs. should trigger onload -->
 <script src="data:,console.log('data:valid');"
         crossorigin="anonymous"
         integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
-        onerror="good_correctDataCORSBlocked()"
-        onload="bad_correctDataCORSLoaded()"></script>
+        onerror="bad_correctDataCORSBlocked()"
+        onload="good_correctDataCORSLoaded()"></script>
 
 <script>
   ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
   ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
   ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
   ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
 </script>
 </body>
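Review bot: The new comment `<!-- not cors-enabled with data: URLs. should trigger onload -->` sits on the element that carries `crossorigin="anonymous"`, so it describes the opposite of the case being tested. I would word it `<!-- data: URL requested in CORS mode (crossorigin="anonymous"); treated as same-origin, should trigger onload -->`. This pair of cases encodes a security decision: data: scripts are integrity-checked as same-origin rather than rejected as opaque. The comment is the only place a later reader learns why both are expected to load.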
--- a/dom/security/test/sri/iframe_style_crossdomain.html
+++ b/dom/security/test/sri/iframe_style_crossdomain.html
@@ -3,21 +3,24 @@
      http://creativecommons.org/publicdomain/zero/1.0/ -->
 <html>
 <head>
   <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
   <script type="application/javascript">
     function check_styles() {
       var redText = document.getElementById('red-text');
-      var blackText = document.getElementById('black-text');
+      var greenText = document.getElementById('green-text');
+      var blueText = document.getElementById('blue-text');
       var redTextColor = window.getComputedStyle(redText, null).getPropertyValue('color');
-      var blackTextColor = window.getComputedStyle(blackText, null).getPropertyValue('color');
+      var greenTextColor = window.getComputedStyle(greenText, null).getPropertyValue('color');
+      var blueTextColor = window.getComputedStyle(blueText, null).getPropertyValue('color');
       ok(redTextColor == 'rgb(255, 0, 0)', "The first part should be red.");
-      todo(blackTextColor == 'rgb(0, 0, 0)', "The second part should still be black.");
+      ok(greenTextColor == 'rgb(0, 255, 0)', "The second part should be green.");
+      ok(blueTextColor == 'rgb(0, 0, 255)', "The third part should be blue.");
     }
 
     SimpleTest.waitForExplicitFinish();
     window.onload = function() {
       check_styles();
       SimpleTest.finish();
     }
   </script>
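Review bot: With the `black-text` assertion gone, `check_styles` only confirms that sheets expected to load were applied; nothing verifies by computed style that a blocked sheet's rules stayed out of the page. The opaque case added in the last hunk of this file reuses `style1.css`, the same URL the CORS case loads, so its effect presumably could not be told apart here (the contents of style1.css are not visible in this diff). Consider giving one blocked case its own stylesheet and class and asserting that the element keeps its default colour, so SRI blocking is checked by effect and not only by which of `onerror`/`onload` fired. The surrounding script block continues outside the hunk.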
@@ -37,27 +40,34 @@
 
     function good_incorrectHashBlocked() {
       ok(true, "A non-CORS cross-domain stylesheet with incorrect hash was correctly blocked.");
     }
     function bad_incorrectHashLoaded() {
       ok(false, "We should load non-CORS cross-domain stylesheets with incorrect hashes!");
     }
 
-    function good_correctDataBlocked() {
-      ok(true, "A stylesheet was correctly blocked, because it came from a data: URI.");
+    function bad_correctDataBlocked() {
+      ok(false, "We should not block non-CORS cross-domain stylesheets in data: URI!");
     }
-    function bad_correctDataLoaded() {
-      ok(false, "We should not load stylesheets in data: URIs!");
+    function good_correctDataLoaded() {
+      ok(true, "A non-CORS cross-domain stylesheet with data: URI was correctly loaded.");
+    }
+    function bad_correctDataCORSBlocked() {
+      ok(false, "We should not block CORS stylesheets in data: URI!");
     }
-    function good_correctDataCORSBlocked() {
-      ok(true, "A stylesheet was correctly blocked, because it came from a data: URI even though it was a CORS load.");
+    function good_correctDataCORSLoaded() {
+      ok(true, "A CORS stylesheet with data: URI was correctly loaded.");
     }
-    function bad_correctDataCORSLoaded() {
-      todo(false, "We should not load stylesheets in data: URIs regardless of CORS mode!");
+
+    function good_correctHashOpaqueBlocked() {
+      ok(true, "A non-CORS(Opaque) cross-domain stylesheet with correct hash was correctly blocked.");
+    }
+    function bad_correctHashOpaqueLoaded() {
+      ok(false, "We should not load non-CORS(Opaque) cross-domain stylesheets with correct hashes!");
     }
   </script>
 
   <!-- valid CORS sha256 hash -->
   <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css"
         crossorigin="anonymous"
         integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
         onerror="bad_correctHashCORSBlocked()"
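Review bot: The new messages in `bad_correctDataBlocked` and `good_correctDataLoaded` call the data: stylesheet "non-CORS cross-domain", which contradicts the premise of this change that data: URLs are treated as same-origin. I would write `ok(false, "We should not block non-CORS stylesheets in data: URIs!");` and `ok(true, "A non-CORS stylesheet in a data: URI was correctly loaded.");`. The unchanged context message in `bad_incorrectHashLoaded` ("We should load ... with incorrect hashes!") appears to be missing a "not" and could be fixed in the same pass. The script block starts before the hunk.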
@@ -71,30 +81,37 @@
 
   <!-- invalid non-CORS sha256 hash -->
   <link rel="stylesheet" href="style_301.css?again"
         integrity="sha256-bogus"
         onerror="good_incorrectHashBlocked()"
         onload="bad_incorrectHashLoaded()">
 
   <!-- valid non-CORS sha256 hash in a data: URL -->
-  <link rel="stylesheet" href="data:text/css,.red-text{color:red}"
-        integrity="sha256-ewUcnAs4+XY5k2JpfUQGFdG5YMZkq80/nIKW67kd7vE="
-        onerror="good_correctDataBlocked()"
-        onload="bad_correctDataLoaded()">
+  <link rel="stylesheet" href="data:text/css,.green-text{color:rgb(0, 255, 0)}"
+        integrity="sha256-EhVtGGyovvffvYdhyqJxUJ/ekam7zlxxo46iM13cwP0="
+        onerror="bad_correctDataBlocked()"
+        onload="good_correctDataLoaded()">
 
   <!-- valid CORS sha256 hash in a data: URL -->
-  <link rel="stylesheet" href="data:text/css,.red-text{color:red}"
+  <link rel="stylesheet" href="data:text/css,.blue-text{color:rgb(0, 0, 255)}"
         crossorigin="anonymous"
-        integrity="sha256-ewUcnAs4+XY5k2JpfUQGFdG5YMZkq80/nIKW67kd7vE="
-        onerror="good_correctDataCORSBlocked()"
-        onload="bad_correctDataCORSLoaded()">
+        integrity="sha256-m0Fs2hNSyPOn1030Dp+c8pJFHNmwpeTbB+8J/DcqLss="
+        onerror="bad_correctDataCORSBlocked()"
+        onload="good_correctDataCORSLoaded()">
+
+  <!-- valid non-CORS sha256 hash -->
+  <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css"
+        integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
+        onerror="good_correctHashOpaqueBlocked()"
+        onload="bad_correctHashOpaqueLoaded()">
 </head>
 <body>
 <p><span id="red-text">This should be red</span> but
-  <span id="black-text" class="red-text">this should remain black.</span></p>
+  <span id="green-text" class="green-text">this should be green</span> and
+  <span id="blue-text" class="blue-text">this should be blue</span></p>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <pre id="test">
 </pre>
 </body>
 </html>
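Review bot: The comment on the newly added last `<link>`, `<!-- valid non-CORS sha256 hash -->`, does not say that this load is expected to fail. It is the one case here that guards the rule that an opaque cross-origin response must not pass an integrity check. I would make it `<!-- valid sha256 hash, cross-origin without crossorigin (opaque response): must be blocked -->`. Separately, the two data: hrefs now contain literal spaces (`rgb(0, 255, 0)`), so the digests depend on how the URL parser treats them; writing the values without spaces would remove that dependency, at the cost of recomputing both hashes.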