Bug 471020 - Test X-Content-Type-Options: nosniff. r=dveditz
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 20 Jul 2016 12:33:29 +0200
changeset 330888 004aa0e93265705f0514ded5b9b77792af77272b
parent 330887 6cf0a45011d47ae9d8b10612fbb2b254af8d8e32
child 330889 a2fefead2fed63c859ad9bddbd357be511425208
push id9858
push userjlund@mozilla.com
push dateMon, 01 Aug 2016 14:37:10 +0000
reviewersdveditz
bugs471020
milestone50.0a1
Bug 471020 - Test X-Content-Type-Options: nosniff. r=dveditz
dom/security/test/general/file_nosniff_testserver.sjs
dom/security/test/general/mochitest.ini
dom/security/test/general/test_nosniff.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/general/file_nosniff_testserver.sjs
@@ -0,0 +1,60 @@
+"use strict";
+Components.utils.importGlobalProperties(["URLSearchParams"]);
+
+const SCRIPT = "var foo = 24;";
+const CSS = "body { background-color: green; }";
+
+// small red image
+const IMG = atob(
+  "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
+  "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
+
+function handleRequest(request, response) {
+  const query = new URLSearchParams(request.queryString);
+
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // set the nosniff header
+  response.setHeader("X-Content-Type-Options", "  NoSniFF  , foo  ", false);
+
+  if (query.has("cssCorrectType")) {
+    response.setHeader("Content-Type", "teXt/cSs", false);
+    response.write(CSS);
+    return;
+  }
+
+  if (query.has("cssWrongType")) {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write(CSS);
+    return;
+  }
+
+  if (query.has("scriptCorrectType")) {
+    response.setHeader("Content-Type", "appLIcation/jAvaScriPt;blah", false);
+    response.write(SCRIPT);
+    return;
+  }
+
+  if (query.has("scriptWrongType")) {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write(SCRIPT);
+    return;
+  }
+
+  if (query.has("imgCorrectType")) {
+    response.setHeader("Content-Type", "iMaGe/pnG;blah", false);
+    response.write(IMG);
+    return;
+  }
+
+  if (query.has("imgtWrongType")) {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write(IMG);
+    return;
+  }
+
+  // we should never get here, but just in case
+  response.setHeader("Content-Type", "text/html", false);
+  response.write("do'h");
+}
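Review bot: The image negative branch tests `query.has("imgtWrongType")`, but test_nosniff.html requests `file_nosniff_testserver.sjs?imgWrongType`, so that request never matches and falls through to the final fallback, which writes `do'h` as text/html. The "img nosniff wrong type should not load" case therefore gets a body that is not an image at all, and would most likely still fire onerror with nosniff enforcement broken, so it does not cover the PNG-served-as-text/html path it is named for. Change the condition to `if (query.has("imgWrongType")) {`. Because the fallback answers an unknown key quietly, a mismatch like this is invisible; a comment there such as `// unknown test key: the test page and this handler disagree` would make the intent clear.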
--- a/dom/security/test/general/mochitest.ini
+++ b/dom/security/test/general/mochitest.ini
@@ -1,5 +1,7 @@
 [DEFAULT]
 support-files =
   file_contentpolicytype_targeted_link_iframe.sjs
+  file_nosniff_testserver.sjs
 
 [test_contentpolicytype_targeted_link_iframe.html]
+[test_nosniff.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/general/test_nosniff.html
@@ -0,0 +1,115 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 471020 - Add X-Content-Type-Options: nosniff support to Firefox</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <!-- add the two css tests -->
+  <link rel="stylesheet" id="cssCorrectType">
+  <link rel="stylesheet" id="cssWrongType">
+</head>
+<body>
+
+<!-- add the two script tests -->
+<script id="scriptCorrectType"></script>
+<script id="scriptWrongType"></script>
+
+<!-- add the two img tests -->
+<img id="imgCorrectType" />
+<img id="imgWrongType" />
+
+<script class="testbody" type="text/javascript">
+/* Description of the test:
+ * We load 2 css files, 2 script files and 2 image files, where
+ * the sever either responds with the right mime type or
+ * the wrong mime type for each test.
+ */
+
+SimpleTest.waitForExplicitFinish();
+const NUM_TESTS = 6;
+
+var testCounter = 0;
+function checkFinish() {
+	testCounter++;
+	if (testCounter === NUM_TESTS) {
+		SimpleTest.finish();
+	}
+}
+
+// 1) Test CSS with correct mime type
+var cssCorrectType = document.getElementById("cssCorrectType");
+cssCorrectType.onload = function() {
+  ok(true, "style nosniff correct type should load");
+  checkFinish();
+}
+cssCorrectType.onerror = function() {
+  ok(false, "style nosniff correct type should load");
+  checkFinish();
+}
+cssCorrectType.href = "file_nosniff_testserver.sjs?cssCorrectType";
+
+// 2) Test CSS with wrong mime type
+var cssWrongType = document.getElementById("cssWrongType");
+cssWrongType.onload = function() {
+  ok(false, "style nosniff wrong type should not load");
+  checkFinish();
+}
+cssWrongType.onerror = function() {
+  ok(true, "style nosniff wrong type should not load");
+  checkFinish();
+}
+cssWrongType.href = "file_nosniff_testserver.sjs?cssWrongType";
+
+// 3) Test SCRIPT with correct mime type
+var scriptCorrectType = document.getElementById("scriptCorrectType");
+scriptCorrectType.onload = function() {
+  ok(true, "script nosniff correct type should load");
+  checkFinish();
+}
+scriptCorrectType.onerror = function() {
+  ok(false, "script nosniff correct type should load");
+  checkFinish();
+}
+scriptCorrectType.src = "file_nosniff_testserver.sjs?scriptCorrectType";
+
+// 4) Test SCRIPT with wrong mime type
+var scriptWrongType = document.getElementById("scriptWrongType");
+scriptWrongType.onload = function() {
+  ok(false, "script nosniff wrong type should not load");
+  checkFinish();
+}
+scriptWrongType.onerror = function() {
+  ok(true, "script nosniff wrong type should not load");
+  checkFinish();
+}
+scriptWrongType.src = "file_nosniff_testserver.sjs?scriptWrongType";
+
+// 5) Test IMG with correct mime type
+var imgCorrectType = document.getElementById("imgCorrectType");
+imgCorrectType.onload = function() {
+  ok(true, "img nosniff correct type should load");
+  checkFinish();
+}
+imgCorrectType.onerror = function() {
+  ok(false, "img nosniff correct type should load");
+  checkFinish();
+}
+imgCorrectType.src = "file_nosniff_testserver.sjs?imgCorrectType";
+
+// 6) Test IMG with wrong mime type
+var imgWrongType = document.getElementById("imgWrongType");
+imgWrongType.onload = function() {
+  ok(false, "img nosniff wrong type should not load");
+  checkFinish();
+}
+imgWrongType.onerror = function() {
+  ok(true, "img nosniff wrong type should not load");
+  checkFinish();
+}
+imgWrongType.src = "file_nosniff_testserver.sjs?imgWrongType";
+
+</script>
+</body>
+</html>
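Review bot: The body of `checkFinish` is indented with tabs while the rest of the script uses two spaces, and the twelve handler assignments (`cssCorrectType.onload = function() { … }` and the others) end without a semicolon and rely on ASI. The description comment also reads "the sever either responds", which should be "the server either responds". Since the six cases differ only in element id, attribute (`href` or `src`) and expected outcome, the query key passed to the .sjs is typed by hand each time; a short comment above the first case, e.g. `// the query key must match the has() check in file_nosniff_testserver.sjs`, would flag that coupling for later edits.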