Bug 1297156: Test that favicon loads are correctly blocked by content security policies. draft
authorDave Townsend <dtownsend@oxymoronical.com>
Wed, 11 Apr 2018 13:00:09 -0700
changeset 780717 934a84c5785365d2646d8b09c3796898a07b160d
parent 780716 4acfb683a03bbf3c82c0544d661f57e40ee61772
push id106099
push userdtownsend@mozilla.com
push dateWed, 11 Apr 2018 20:47:47 +0000
bugs1297156
milestone61.0a1
Bug 1297156: Test that favicon loads are correctly blocked by content security policies. MozReview-Commit-ID: 4hMwr42wZU8
dom/security/test/csp/browser.ini
dom/security/test/csp/browser_favicon.js
dom/security/test/csp/file_favicon.html
dom/security/test/csp/file_favicon.html^headers^
dom/security/test/csp/file_favicon.ico
--- a/dom/security/test/csp/browser.ini
+++ b/dom/security/test/csp/browser.ini
@@ -3,11 +3,16 @@ support-files =
   !/dom/security/test/csp/file_testserver.sjs
   !/dom/security/test/csp/file_web_manifest.html
   !/dom/security/test/csp/file_web_manifest.json
   !/dom/security/test/csp/file_web_manifest.json^headers^
   !/dom/security/test/csp/file_web_manifest_https.html
   !/dom/security/test/csp/file_web_manifest_https.json
   !/dom/security/test/csp/file_web_manifest_mixed_content.html
   !/dom/security/test/csp/file_web_manifest_remote.html
+  file_favicon.html
+  file_favicon.html^headers^
+  file_favicon.ico
+
 [browser_test_web_manifest.js]
 [browser_test_web_manifest_mixed_content.js]
 [browser_manifest-src-override-default-src.js]
+[browser_favicon.js]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/browser_favicon.js
@@ -0,0 +1,57 @@
+add_task(async function() {
+  const url = "http://example.org/tests/dom/security/test/csp/file_favicon.html";
+  let loadCount = 0;
+
+  const observer = (subject, topic, data) => {
+    switch (topic) {
+      case "http-on-modify-request": {
+        let channel = subject.QueryInterface(Ci.nsIHttpChannel);
+        let url = channel.URI.spec;
+
+        // We see requests for both the linked favicon and http://example.org/favicon.ico
+        if (url.endsWith("favicon.ico")) {
+          ok(false, `Should not have seen a favicon network request for ${url}`);
+          loadCount++;
+        }
+        break;
+      }
+      case "csp-on-violate-policy": {
+        let url = subject.QueryInterface(Ci.nsIURI).spec;
+        if (url.endsWith("favicon.ico")) {
+          ok(true, `Should have seen a blocked favicon network request for ${url}`);
+          loadCount++;
+        }
+        break;
+      }
+    }
+  };
+
+  Services.obs.addObserver(observer, "csp-on-violate-policy");
+  Services.obs.addObserver(observer, "http-on-modify-request");
+
+  registerCleanupFunction(() => {
+    Services.obs.removeObserver(observer, "csp-on-violate-policy");
+    Services.obs.removeObserver(observer, "http-on-modify-request");
+  });
+
+  let tab = await BrowserTestUtils.openNewForegroundTab({
+    gBrowser,
+    url,
+    waitForLoad: false,
+  });
+
+  let favicon = document.getAnonymousElementByAttribute(tab, "anonid", "tab-icon-image");
+  let browser = gBrowser.getBrowserForTab(tab);
+
+  await Promise.all([
+    Promise.race([
+      BrowserTestUtils.waitForEvent(favicon, "load"),
+      BrowserTestUtils.waitForEvent(favicon, "error"),
+    ]),
+    BrowserTestUtils.browserLoaded(browser, false, url),
+  ]);
+
+  BrowserTestUtils.removeTab(tab);
+
+  is(loadCount, 3, "Should have seen three requests for favicons.");
+});
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_favicon.html
@@ -0,0 +1,9 @@
+<html>
+<head>
+  <meta charset='utf-8'/>
+  <link rel='icon' href='file_favicon.ico'>
+</head>
+<body>
+Make sure favicon is blocked by CSP.
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_favicon.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: img-src 'none'
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..d44438903b751f4732f5365783eb0229b0501f9a
GIT binary patch
literal 1406
zc${sNu}d656o=n};bd8o)56N#Jtc-%Pi19LTfxTKZb)No6UbH8fq*bwiX@OCjeo&a
zDdN=H#L7bO4x$jyCB@74W-i8r?B3hk_q&<*`*z;kiWHpvzNF*jBasEZpA#kxh(c!b
zkA?g>iii0yePlSyUv_dc8jWQ1Z6w!UKg!I^jLgo?N>x=dH#a8>3k$NixG2lZ%d)z<
zD!aS8vc0`68yg$4wzek2S1LO@DsSafbQ0yu>32E3yp%VeKI7mBPXr?7)NyfW4$YaS
zd5A~%+<0`4?ln&f=m9;D1oWV(ltlE19?>I0L|1Yp*O;x+>4`v?rrDm0gTcYzU~n)b
zBp4hF4h9E<gCSwU;9zhtI2arZ2^|IpgM-1r;9ziy28V;g8HZ|qyhLJWAR?jpkzw(e
zdyG6qJuGP%_|bFYVezn}Wr4%P;o<PXG|fu|hljz#;9;<(^Kf_=JPZ*p<(ifdpM1vY
z^14J6oaLIA8t(v8z%*bGU<!B#ehd@|!D?x4NAgC;Kj0tmw-yEbgXu5?7=mhQTkeEU
z?nY+qjW9&~B5V<kh+k^0aj*svj%XY_SZX(uA}kS>2t>p%Z2?#!6C;BnLWIS(MKl(A
z5@Ct99*M<vgLNUKt)wt03<`t7pfIHE1Ve;DVNe(%3~7tOpfD&53WLHxX#yPvg+XCZ
z02Kd7F=e7M$b0J%eN^+X+BU|^l6;W8y*)WNIFQ4`LpeG+l9Q7YIX*s?v$HcfKR=g?
ziwn8Bx{{ll8@ao?lk1-<@87-Se{BC~O&_tkDYLqks+9jZdPPy~Pwz!~n{79!=kH$}
z<GSmLr_<Msl#^avbPO2hT+6EM$RF49<MriRDSK7X4Z4C$(Ttb&wO_ZL%_!=6ywx`4
zgyE!JUClFXORIXNvkFB!=(@IFPD&fltZ*GPJq*jH8?3a&i}`+QhPP$YHpR1|=~tQH
w$7Vff2Tfh~eiKjn_2%S0`}?qUxPHyMZW^-w&wKL0`*KK);S<IY*Xw!iFYO$~&;S4c