Bug 1312680 - Test that require-sri-for blocks style loads via @import r=francois
authorFrederik Braun <fbraun+gh@mozilla.com>
Thu, 03 Nov 2016 03:18:00 +0100
changeset 347584 970a2877f18432f932fad7ed280792d83b554aa8
parent 347583 1c9d27b4ad3e0f7bdb7c5d0b31225f4d9ff888c9
child 347585 b5e30ab177beaff7d380982bad1d27e769481771
push id10298
push userraliiev@mozilla.com
push dateMon, 14 Nov 2016 12:33:03 +0000
treeherdermozilla-aurora@7e29173b1641 [default view] [failures only]
reviewersfrancois
bugs1312680
milestone52.0a1
Bug 1312680 - Test that require-sri-for blocks style loads via @import r=francois MozReview-Commit-ID: A8DPWH2S3sD
dom/security/test/sri/iframe_csp_directive_style_imports.html
dom/security/test/sri/iframe_csp_directive_style_imports.html^headers^
dom/security/test/sri/mochitest.ini
dom/security/test/sri/style_imported.css
dom/security/test/sri/style_importing.css
dom/security/test/sri/test_csp_directive_style_imports.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/iframe_csp_directive_style_imports.html
@@ -0,0 +1,6 @@
+<!-- file should be loaded (text is blue), but subsequent files shouldn't (text is red)  -->
+<link rel="stylesheet" href="style_importing.css"
+            integrity="sha384-m5Q2GOhAtLrdiv6rCmxY3GjEFMVInALcdTyDnEddUUiDH2uQvJSX5GSJYQiatpTK"
+            onload="parent.postMessage('finish', '*');"
+            onerror="parent.postMessage('finish', '*');">
+<p id="text-for-import-test">blue text</p>
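Review bot: The comment on the first line reads as if red text were an expected outcome, and nothing records that the `integrity` value is tied to the exact bytes of style_importing.css. I would reword it to `<!-- style_importing.css has matching integrity and must load (text turns blue); its @import targets carry no integrity and must be blocked by require-sri-for (red text means the test failed) -->` and add a second comment saying the sha384 value has to be regenerated whenever style_importing.css is edited. Without that, a later edit to the CSS makes the top-level sheet fail its integrity check, and the failure message in the test then points at the import rather than at a stale hash.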
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/iframe_csp_directive_style_imports.html^headers^
@@ -0,0 +1,1 @@
+content-security-policy: require-sri-for script style
--- a/dom/security/test/sri/mochitest.ini
+++ b/dom/security/test/sri/mochitest.ini
@@ -1,11 +1,13 @@
 [DEFAULT]
 support-files =
   file_bug_1271796.css
+  iframe_csp_directive_style_imports.html
+  iframe_csp_directive_style_imports.html^headers^
   iframe_require-sri-for_main.html
   iframe_require-sri-for_main.html^headers^
   iframe_require-sri-for_no_csp.html
   iframe_script_crossdomain.html
   iframe_script_sameorigin.html
   iframe_sri_disabled.html
   iframe_style_crossdomain.html
   iframe_style_sameorigin.html
@@ -36,17 +38,20 @@ support-files =
   style3.css
   style4.css
   style4.css^headers^
   style5.css
   style6.css
   style6.css^headers^
   style_301.css
   style_301.css^headers^
+  style_importing.css
+  style_imported.css
 
 [test_script_sameorigin.html]
 [test_script_crossdomain.html]
 [test_sri_disabled.html]
 [test_style_crossdomain.html]
 [test_style_sameorigin.html]
 [test_require-sri-for_csp_directive.html]
 [test_require-sri-for_csp_directive_disabled.html]
 [test_bug_1271796.html]
+[test_csp_directive_style_imports.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style_imported.css
@@ -0,0 +1,6 @@
+#text-for-import-test {
+  color: red;
+}
+#text-for-import-test::before {
+  content: 'Test failed';
+}
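Review bot: The red rule here cannot win the cascade, so the colour check in test_csp_directive_style_imports.html would pass even if the import were wrongly allowed. Imported rules are ordered as though they sat at the position of the `@import`, and style_importing.css follows its imports with `#text-for-import-test { color: blue; }` at the same specificity, so blue applies in both outcomes. Making the declaration `color: red !important;` lets a loaded import actually change the computed colour; alternatively the test could assert that the `::before` content of the element stays `none`. The same applies to both `@import` forms in style_importing.css.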
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style_importing.css
@@ -0,0 +1,4 @@
+/* neither of them should load. trying multiple cases*/
+@import url("style_imported.css");
+@import 'style_imported.css';
+#text-for-import-test { color: blue; }
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/test_csp_directive_style_imports.html
@@ -0,0 +1,42 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for SRI require-sri-for CSP directive</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1265318">Mozilla Bug 1265318</a><br>
+<iframe style="width:200px;height:200px;" id="test_frame"></iframe><br>
+</body>
+<script type="application/javascript">
+  var finished = 0;
+  SpecialPowers.setBoolPref("security.csp.experimentalEnabled", true);
+  SimpleTest.waitForExplicitFinish();
+  function handler(event) {
+    console.log(event);
+    switch (event.data) {
+      case 'finish':
+        // need finish message from iframe_require-sri-for_main onload event and
+        // from iframe_require-sri-for_no_csp, which spawns a Worker
+        var importText = frame.contentDocument.getElementById('text-for-import-test');
+        var importColor = frame.contentWindow.getComputedStyle(importText, null).getPropertyValue('color');
+        ok(importColor == 'rgb(0, 0, 255)', "The import should not work without integrity. The text is now red, but should not.");
+        removeEventListener('message', handler);
+        SimpleTest.finish();
+        break;
+      default:
+        ok(false, 'Something is wrong here');
+        break;
+    }
+  }
+  addEventListener("message", handler);
+  // This frame has a CSP that requires SRI
+  var frame = document.getElementById("test_frame");
+  frame.src = "iframe_csp_directive_style_imports.html";
+</script>
+</html>
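Review bot: `SpecialPowers.setBoolPref("security.csp.experimentalEnabled", true)` is never reset, so the experimental CSP pref appears to stay enabled for whatever runs after this test in the same session. `SpecialPowers.pushPrefEnv({set: [["security.csp.experimentalEnabled", true]]}, function() { frame.src = "iframe_csp_directive_style_imports.html"; });` restores the pref when the test ends and only loads the frame once the pref is in effect. The comment inside `case 'finish':` and the bug link still describe a different test (iframe_require-sri-for_main, a Worker, bug 1265318) and should be updated for this one. `var finished` is unused.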