Bug 1277248: add test to ensure that require-sri-for does not allow svg:scripts r?ckerschb draft
authorFrederik Braun <fbraun+gh@mozilla.com>
Tue, 13 Sep 2016 11:05:37 +0200
changeset 413050 876a36c8c84bcddd1c1502e42b0167068389d70d
parent 412834 b1156b0eb96fcb49966b20e5fcf6a01f634ea2ee
child 531109 270128bd46fdf07c045aba2cc5387da8fecd06eb
push id29304
push userbmo:fbraun@mozilla.com
push dateTue, 13 Sep 2016 10:23:04 +0000
reviewersckerschb
bugs1277248
milestone51.0a1
Bug 1277248: add test to ensure that require-sri-for does not allow svg:scripts r?ckerschb MozReview-Commit-ID: 1knIYZ93UeY
dom/security/test/sri/iframe_require-sri-for_main.html
dom/security/test/sri/test_require-sri-for_csp_directive.html
--- a/dom/security/test/sri/iframe_require-sri-for_main.html
+++ b/dom/security/test/sri/iframe_require-sri-for_main.html
@@ -1,31 +1,40 @@
 <script>
   window.hasCORSLoaded = false; // set through script_crossdomain1.js
 </script>
 
-<!-- cors-enabled. should be loaded -->
+<!-- script tag cors-enabled. should be loaded -->
 <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
         crossorigin=""
         integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="
         onload="parent.postMessage('good_sriLoaded', '*');"></script>
 
-<!-- cors but not using SRI. should trigger onerror -->
+<!-- script tag cors but not using SRI. should trigger onerror -->
 <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain5.js"
           onload="parent.postMessage('bad_nonsriLoaded', '*');"
           onerror="parent.postMessage('good_nonsriBlocked', '*');"></script>
 
-<!-- cors and integrity. it should just load fine. -->
+<!-- svg:script tag with cors but not using SRI. should trigger onerror -->
+<svg xmlns="http://www.w3.org/2000/svg">
+          <script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
+          onload="parent.postMessage('bad_svg_nonsriLoaded', '*');"
+          onerror="parent.postMessage('good_svg_nonsriBlocked', '*');"></script>
+          ></script>
+</svg>
+
+<!-- stylesheet with cors and integrity. it should just load fine. -->
 <link rel="stylesheet" href="style1.css"
       integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
       onload="parent.postMessage('good_sriLoaded', '*');">
 
-<!-- not using SRI, should trigger onerror -->
+<!-- stylesheet not using SRI, should trigger onerror -->
 <link rel="stylesheet" href="style3.css"
       onload="parent.postMessage('bad_nonsriLoaded', '*');"
       onerror="parent.postMessage('good_nonsriBlocked', '*');">
 
+
 <p id="black-text">black text</p>
 <script>
   window.onload = function() {
     parent.postMessage("finish", '*');
   }
 </script>
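Review bot: The new svg:script case only has a negative control, so the test cannot distinguish "require-sri-for blocks svg:script lacking integrity" from "svg:script is blocked (or never attempted) regardless of integrity" — an implementation that rejects every svg:script, or one where `integrity` is simply not honoured on SVG script elements, passes this hunk unchanged. A positive svg:script with `crossorigin` and a valid `integrity` (the same hash as the HTML `<script>` case on line 27 works, since it is the same file) would pin the intended behaviour; it needs matching `good_svg_sriLoaded`/`bad_svg_sriBlocked` cases in the handler of test_require-sri-for_csp_directive.html, otherwise they fall into its `default:` branch, whose behaviour is not visible here. Separately, the stray `></script>` on the line after the svg script's closing tag is a leftover: in foreign content it yields a `>` text node plus an unmatched end tag (a parse error, harmless but misleading), so drop it, and the comment's "cors" is really "cross-origin" here since the element carries no `crossorigin` attribute. Whether Gecko fires onerror for a CSP-blocked svg:script at all is not something this diff shows — the positive control is what makes the negative one meaningful.
```html
<!-- svg:script tag cross-origin with CORS and SRI. should be loaded -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
          crossorigin=""
          integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="
          onload="parent.postMessage('good_svg_sriLoaded', '*');"
          onerror="parent.postMessage('bad_svg_sriBlocked', '*');"></script>
</svg>

<!-- svg:script tag cross-origin but not using SRI. should trigger onerror -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
          onload="parent.postMessage('bad_svg_nonsriLoaded', '*');"
          onerror="parent.postMessage('good_svg_nonsriBlocked', '*');"></script>
</svg>
<!-- … unchanged: stylesheet cases and the finish script … -->
```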
--- a/dom/security/test/sri/test_require-sri-for_csp_directive.html
+++ b/dom/security/test/sri/test_require-sri-for_csp_directive.html
@@ -22,16 +22,22 @@
         ok(true, "Eligible SRI resources was correctly loaded.");
         break;
       case 'bad_nonsriLoaded':
         ok(false, "Eligible non-SRI resource should be blocked by the CSP!");
         break;
       case 'good_nonsriBlocked':
         ok(true, "Eligible non-SRI resources was correctly blocked by the CSP.");
         break;
+      case 'bad_svg_nonsriLoaded':
+        ok(false, 'Eligible non-SRI resource should be blocked by the CSP.');
+        break;
+      case 'good_svg_nonsriBlocked':
+        ok(true, 'Eligible non-SRI svg script was correctly blocked by the CSP.');
+        break;
       case 'finish':
         var blackText = frame.contentDocument.getElementById('black-text');
         var blackTextColor = frame.contentWindow.getComputedStyle(blackText, null).getPropertyValue('color');
         ok(blackTextColor == 'rgb(0, 0, 0)', "The second part should not be black.");
         removeEventListener('message', handler);
         SimpleTest.finish();
         break;
       default:
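Review bot: The `finish` branch never verifies that `good_svg_nonsriBlocked` was actually received, so if the svg:script in the iframe fires neither onload nor onerror (e.g. the load is never attempted or the blocked load does not dispatch an error event), neither new case runs and the test passes vacuously — exactly the silent-bypass this bug is meant to catch. Track receipt with a flag declared alongside the handler (the handler's opening lines are outside this hunk): `var svgNonSriBlocked = false;` at the top, `svgNonSriBlocked = true;` inside the `good_svg_nonsriBlocked` case, and `ok(svgNonSriBlocked, "svg:script without SRI must have been blocked by the CSP.");` in the `finish` case before `SimpleTest.finish()`. As a matter of style, the `bad_svg_nonsriLoaded` message should name the element like its sibling does, e.g. `'Eligible non-SRI svg script should be blocked by the CSP!'`, so a failure log identifies which resource leaked.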