Bug 908933 - CSP tests: ShouldProcess should block TYPE_OBJECT (r=sstamm)
☠☠ backed out by dd908f8adbc8 ☠ ☠
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Fri, 08 Aug 2014 15:01:52 -0700
changeset 210165 7481265f0325ca2fce7f416bccfb62c437193181
parent 210164 e81f1e1c9c9f8a72019bc6e807579ed8e1573724
child 210166 9d614a6431ae214fcb62305e8d400b8a80270fee
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewerssstamm
bugs908933
milestone35.0a1
Bug 908933 - CSP tests: ShouldProcess should block TYPE_OBJECT (r=sstamm)
content/base/test/csp/file_csp_shouldprocess.html
content/base/test/csp/mochitest.ini
content/base/test/csp/test_csp_shouldprocess.html
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_shouldprocess.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Helper for Test Bug 908933</title>
+    <meta charset="utf-8">
+  </head>
+  <body>
+	<object type="application/x-java-test" codebase="test1"></object>
+
+	<object classid="java:test2" codebase="./test2"></object>
+
+	<object data="test3" classid="java:test3" codebase="./test3"></object>
+
+	<applet codebase="test4"></applet>
+
+	<embed src="test5.class" codebase="test5" type="application/x-java-test">
+
+	<embed type="application/x-java-test" codebase="test6">
+
+	<embed src="test7.class">
+
+	<embed src="test8.class" codebase="test8">
+
+  </body>
+</html>
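Review bot: None of the eight plugin elements in `<body>` says which content-policy hook is expected to stop it, so a reader must cross-reference the `tests` array in test_csp_shouldprocess.html to learn that test1 to test6 are meant for shouldProcess and test7 and test8 for shouldLoad. A comment before the first `<object>` would document this, for example `<!-- test1-test6: expected to be blocked in shouldProcess; test7-test8: expected to be blocked in shouldLoad -->`. It would also help to note why the expected URI for test5 is the `codebase` value rather than its `src`. The element lines are indented with tabs while the rest of the file uses two spaces; using spaces throughout keeps the helper consistent.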
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@@ -55,16 +55,17 @@ support-files =
   file_bug886164_5.html^headers^
   file_bug886164_6.html
   file_bug886164_6.html^headers^
   file_csp_bug768029.html
   file_csp_bug768029.sjs
   file_csp_bug773891.html
   file_csp_bug773891.sjs
   file_csp_redirects_main.html
+  file_csp_shouldprocess.html
   file_csp_redirects_page.sjs
   file_csp_redirects_resource.sjs
   file_CSP_bug910139.sjs
   file_CSP_bug910139.xml
   file_CSP_bug910139.xsl
   file_CSP_bug909029_star.html
   file_CSP_bug909029_star.html^headers^
   file_CSP_bug909029_none.html
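Review bot: The new test builds its iframe URL from `file_csp_testserver.sjs`, but that file is not among the support-files entries visible in this hunk. The list continues outside the hunk, so confirm it is declared there. If it is missing, the frame request would presumably fail and the test would time out without any object load being evaluated against the policy. On style, `file_csp_shouldprocess.html` is inserted between `file_csp_redirects_main.html` and `file_csp_redirects_page.sjs`, which splits the redirects group; placing it after `file_csp_redirects_resource.sjs` keeps related entries together.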
@@ -109,16 +110,17 @@ support-files =
 [test_CSP_evalscript.html]
 [test_CSP_frameancestors.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
 [test_csp_redirects.html]
+[test_csp_shouldprocess.html]
 [test_CSP_bug910139.html]
 [test_CSP_bug909029.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_CSP_bug941404.html]
 [test_hash_source.html]
 skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
 [test_self_none_as_hostname_confusion.html]
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/test_csp_shouldprocess.html
@@ -0,0 +1,94 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=908933
+-->
+<head>
+  <title>Test Bug 908933</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <meta http-equiv="content-type" content="text/html; charset=utf-8">
+</head>
+<body>
+<script class="testbody" type="text/javascript">
+
+/*
+ * Description of the test:
+ * We load variations of 'objects' and make sure all the
+ * resource loads are correctly blocked by CSP.
+ * For all the testing we use a CSP with "object-src 'none'"
+ * so that all the loads are either blocked by
+ * shouldProcess or shouldLoad.
+ */
+
+const POLICY = "default-src 'http://mochi.test:8888'; object-src 'none'";
+const TESTFILE = "tests/content/base/test/csp/file_csp_shouldprocess.html";
+
+SimpleTest.waitForExplicitFinish();
+
+var tests = [
+  // blocked by shouldProcess
+  "http://mochi.test:8888/tests/content/base/test/csp/test1",
+  "http://mochi.test:8888/tests/content/base/test/csp/test2",
+  "http://mochi.test:8888/tests/content/base/test/csp/test3",
+  "http://mochi.test:8888/tests/content/base/test/csp/test4",
+  "http://mochi.test:8888/tests/content/base/test/csp/test5",
+  "http://mochi.test:8888/tests/content/base/test/csp/test6",
+  // blocked by shouldLoad
+  "http://mochi.test:8888/tests/content/base/test/csp/test7.class",
+  "http://mochi.test:8888/tests/content/base/test/csp/test8.class",
+];
+
+function checkResults(aURI) {
+  var index = tests.indexOf(aURI);
+  if (index > -1) {
+    tests.splice(index, 1);
+    ok(true, "ShouldLoad or ShouldProcess blocks TYPE_OBJECT with uri: " + aURI + "!");
+  }
+  else {
+    ok(false, "ShouldLoad or ShouldProcess incorreclty blocks TYPE_OBJECT with uri: " + aURI + "!");
+  }
+  if (tests.length == 0) {
+    window.examiner.remove();
+    SimpleTest.finish();
+  }
+}
+
+// used to watch that shouldProcess blocks TYPE_OBJECT
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    if (topic === "csp-on-violate-policy") {
+      var asciiSpec =
+        SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      checkResults(asciiSpec);
+    }
+  },
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+  }
+}
+window.examiner = new examiner();
+
+function loadFrame() {
+  var src = "file_csp_testserver.sjs";
+  // append the file that should be served
+  src += "?file=" + escape(TESTFILE);
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(POLICY);
+
+  var iframe = document.createElement("iframe");
+  iframe.src = src;
+  document.body.appendChild(iframe);
+}
+
+SpecialPowers.pushPrefEnv(
+  { "set": [['plugin.java.mime', 'application/x-java-test']] },
+  loadFrame);
+
+</script>
+</pre>
+</body>
+</html>
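Review bot: `POLICY` puts the host source in single quotes (`default-src 'http://mochi.test:8888'`), but quoted tokens in a CSP source list are reserved for keywords, nonces and hashes. This is not a valid host-source, so a conforming parser would drop it and leave `default-src` with no usable source. The `object-src 'none'` part still applies, but the policy served is not the one intended; use `const POLICY = "default-src http://mochi.test:8888; object-src 'none'";`. Separately, `checkResults` removes each URI the first time it is seen, so a second `csp-on-violate-policy` notification for the same URI would be reported as an incorrect block. A load that is never blocked leaves `tests` non-empty, so the run ends in a harness timeout instead of a failure naming the URI; a comment that exactly one notification per URI is expected would make that contract explicit. Minor: `</pre>` before `</body>` has no opening tag, "incorreclty" in the failure message is misspelled, and `encodeURIComponent` is preferable to the deprecated `escape` when building the query string.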