Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb
authorvinoth <cegvinoth@gmail.com>
Fri, 22 Jun 2018 20:38:05 +0300
changeset 809831 ce98fd40ce8214571163674970ccdb167a1b241b
parent 809830 4b1d446faee677ac36221b66a3c13baa980cceda
child 809832 16a0430796894ad4b9cb86bde55f07cf57453b56
child 809863 74c53ad34b8a4b8b05305002dd4082ea2fdd4786
push id113822
push userbmo:sahith.reddy@gmail.com
push dateSat, 23 Jun 2018 04:02:45 +0000
reviewersckerschb
bugs1469150
milestone62.0a1
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb Reviewers: ckerschb Reviewed By: ckerschb Subscribers: ckerschb Bug #: 1469150 Differential Revision: https://phabricator.services.mozilla.com/D1721
dom/security/test/csp/file_nonce_redirector.sjs
dom/security/test/csp/file_nonce_redirects.html
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_nonce_redirects.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_redirector.sjs
@@ -0,0 +1,25 @@
+// custom *.sjs file for
+// Bug 1469150:Scripts with valid nonce get blocked if URL redirects.
+
+const URL_PATH = "example.com/tests/dom/security/test/csp/";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  let queryStr = request.queryString;
+
+  if (queryStr === "redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location",
+      "https://" + URL_PATH + "file_nonce_redirector.sjs?load", false);
+    return;
+  }
+
+  if (queryStr === "load") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write("console.log('script loaded');");
+    return;
+  }
+
+  // we should never get here - return something unexpected
+  response.write("d'oh");
+}
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_redirects.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+  <meta charset='utf-8'>
+  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  </head>
+<body>
+
+<script nonce='abcd1234' id='redirectScript'></script>
+
+<script nonce='abcd1234' type='application/javascript'>
+  var redirectScript = document.getElementById('redirectScript');
+  redirectScript.onload = function(e) {
+    window.parent.postMessage({result: 'script-loaded'}, '*');
+  };
+  redirectScript.onerror = function(e) {
+    window.parent.postMessage({result: 'script-blocked'}, '*');
+  }
+  redirectScript.src = 'file_nonce_redirector.sjs?redirect';
+</script>
+</body>
+</html>
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -89,16 +89,18 @@ support-files =
   file_bug1312272.html
   file_bug1312272.js
   file_bug1312272.html^headers^
   file_policyuri_regression_from_multipolicy.html
   file_policyuri_regression_from_multipolicy.html^headers^
   file_policyuri_regression_from_multipolicy_policy
   file_nonce_source.html
   file_nonce_source.html^headers^
+  file_nonce_redirects.html
+  file_nonce_redirector.sjs
   file_bug941404.html
   file_bug941404_xhr.html
   file_bug941404_xhr.html^headers^
   file_frame_ancestors_ro.html
   file_frame_ancestors_ro.html^headers^
   file_hash_source.html
   file_dual_header_testserver.sjs
   file_hash_source.html^headers^
@@ -260,16 +262,17 @@ skip-if = verify
 [test_redirects.html]
 [test_bug910139.html]
 skip-if = verify
 [test_bug909029.html]
 [test_bug1229639.html]
 [test_frame_ancestors_ro.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
+[test_nonce_redirects.html]
 [test_bug941404.html]
 [test_form-action.html]
 [test_hash_source.html]
 [test_scheme_relative_sources.html]
 [test_ignore_unsafe_inline.html]
 [test_self_none_as_hostname_confusion.html]
 [test_empty_directive.html]
 [test_path_matching.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_nonce_redirects.html
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load a script with a matching nonce, which redirects
+ * and we make sure that script is allowed.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(aResult) {
+
+  if (aResult === "script-loaded") {
+    ok(true, "expected result: script loaded");
+  }
+  else {
+    ok(false, "unexpected result: script blocked");
+  }
+  finishTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+document.getElementById("testframe").src = "file_nonce_redirects.html";
+
+</script>
+</body>
+</html>