Bug 808292 - CSP: Implement path-level host-source matching, mochitests (r=grobinson,sstamm)
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Tue, 12 Aug 2014 13:08:52 -0700
changeset 230483 31d8c9d1a0c394b18a09152203d91cebe88e9c40
parent 230482 c40236b38f0334f595dad0205fe62b0a38be91c8
child 230484 9a5ca02006f77040974436d872cc396499f7c482
reviewersgrobinson, sstamm
bugs808292
milestone35.0a1
Bug 808292 - CSP: Implement path-level host-source matching, mochitests (r=grobinson,sstamm)
content/base/test/csp/file_csp_path_matching.html
content/base/test/csp/file_csp_path_matching.js
content/base/test/csp/file_csp_regexp_parsing.html
content/base/test/csp/file_csp_regexp_parsing.js
content/base/test/csp/mochitest.ini
content/base/test/csp/test_csp_path_matching.html
content/base/test/csp/test_csp_regexp_parsing.html
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_path_matching.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Bug 808292 - Implement path-level host-source matching to CSP</title>
+  </head>
+  <body>
+  <div id="testdiv">blocked</div>
+  <script src="http://test1.example.com/tests/content/base/test/csp/file_csp_path_matching.js#foo"></script>
+</body>
+</html>
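Review bot: The `#foo` fragment on the script src (line 46) is the whole reason this fixture differs from the deleted file_csp_regexp_parsing.html, but nothing in the fixture says so; a reader tweaking the URL could drop it without noticing a test case disappears. A one-line comment above the script tag would pin the intent, e.g. `<!-- fragment is deliberate: the CSP path matcher must ignore it (see test_csp_path_matching.html) -->`. The expected text "blocked" in the div is only overwritten when the script actually runs, which is what the harness keys on, so that part is fine as is.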
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_path_matching.js
@@ -0,0 +1,1 @@
+document.getElementById("testdiv").innerHTML = "allowed";
deleted file mode 100644
--- a/content/base/test/csp/file_csp_regexp_parsing.html
+++ /dev/null
@@ -1,10 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-  <head>
-    <title>Bug 916054 - URLs with path are ignored by FF's CSP parser</title>
-  </head>
-  <body>
-  <div id="testdiv">blocked</div>
-  <script src="http://test1.example.com/tests/content/base/test/csp/file_csp_regexp_parsing.js"></script>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/csp/file_csp_regexp_parsing.js
+++ /dev/null
@@ -1,1 +0,0 @@
-document.getElementById("testdiv").innerHTML = "allowed";
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@@ -76,19 +76,19 @@ support-files =
   file_nonce_source.html^headers^
   file_CSP_bug941404.html
   file_CSP_bug941404_xhr.html
   file_CSP_bug941404_xhr.html^headers^
   file_hash_source.html
   file_hash_source.html^headers^
   file_self_none_as_hostname_confusion.html
   file_self_none_as_hostname_confusion.html^headers^
+  file_csp_path_matching.html
+  file_csp_path_matching.js
   file_csp_testserver.sjs
-  file_csp_regexp_parsing.html
-  file_csp_regexp_parsing.js
   file_report_uri_missing_in_report_only_header.html
   file_report_uri_missing_in_report_only_header.html^headers^
   file_csp_report.html
   file_redirect_content.sjs
   file_redirect_report.sjs
   file_subframe_run_js_if_allowed.html
   file_subframe_run_js_if_allowed.html^headers^
   file_leading_wildcard.html
@@ -116,17 +116,17 @@ skip-if = (buildapp == 'b2g' && (toolkit
 [test_CSP_bug909029.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_CSP_bug941404.html]
 [test_hash_source.html]
 skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
 [test_self_none_as_hostname_confusion.html]
 [test_bug949549.html]
-[test_csp_regexp_parsing.html]
+[test_csp_path_matching.html]
 [test_report_uri_missing_in_report_only_header.html]
 [test_csp_report.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
 [test_301_redirect.html]
 skip-if = buildapp == 'b2g' # intermittent orange (bug 1028490)
 [test_302_redirect.html]
 skip-if = buildapp == 'b2g' # intermittent orange (bug 1028490)
 [test_303_redirect.html]
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/test_csp_path_matching.html
@@ -0,0 +1,103 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 808292 - Implement path-level host-source matching to CSP</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <p id="display"></p>
+  <div id="content" style="visibility: hidden">
+    <iframe style="width:100%;" id="testframe"></iframe>
+  </div>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+/* Description of the test:
+ * We are loading the following url (including a fragment portion):
+ * http://test1.example.com/tests/content/base/test/csp/file_csp_path_matching.js#foo
+ * using different policies and verify that the applied policy is accurately enforced.
+ */
+
+var policies = [
+  ["allowed", "*"],
+  ["allowed", "test1.example.com"],
+  ["allowed", "test1.example.com/"],
+  ["allowed", "test1.example.com/tests/content/base/test/csp/"],
+  ["allowed", "test1.example.com/tests/content/base/test/csp/file_csp_path_matching.js"],
+
+  ["allowed", "test1.example.com?foo=val"],
+  ["allowed", "test1.example.com/?foo=val"],
+  ["allowed", "test1.example.com/tests/content/base/test/csp/?foo=val"],
+  ["allowed", "test1.example.com/tests/content/base/test/csp/file_csp_path_matching.js?foo=val"],
+
+  ["allowed", "test1.example.com#foo"],
+  ["allowed", "test1.example.com/#foo"],
+  ["allowed", "test1.example.com/tests/content/base/test/csp/#foo"],
+  ["allowed", "test1.example.com/tests/content/base/test/csp/file_csp_path_matching.js#foo"],
+
+  ["allowed", "*.example.com"],
+  ["allowed", "*.example.com/"],
+  ["allowed", "*.example.com/tests/content/base/test/csp/"],
+  ["allowed", "*.example.com/tests/content/base/test/csp/file_csp_path_matching.js"],
+
+  ["allowed", "test1.example.com:80"],
+  ["allowed", "test1.example.com:80/"],
+  ["allowed", "test1.example.com:80/tests/content/base/test/csp/"],
+  ["allowed", "test1.example.com:80/tests/content/base/test/csp/file_csp_path_matching.js"],
+
+  ["allowed", "test1.example.com:*"],
+  ["allowed", "test1.example.com:*/"],
+  ["allowed", "test1.example.com:*/tests/content/base/test/csp/"],
+  ["allowed", "test1.example.com:*/tests/content/base/test/csp/file_csp_path_matching.js"],
+
+  ["blocked", "test1.example.com/tests"],
+  ["blocked", "test1.example.com/tests/content/base/test/csp"],
+  ["blocked", "test1.example.com/tests/content/base/test/csp/file_csp_path_matching.py"],
+
+  ["blocked", "test1.example.com:8888/tests"],
+  ["blocked", "test1.example.com:8888/tests/content/base/test/csp"],
+  ["blocked", "test1.example.com:8888/tests/content/base/test/csp/file_csp_path_matching.py"],
+]
+
+var counter = 0;
+var policy;
+
+function loadNextTest() {
+  if (counter == policies.length) {
+    SimpleTest.finish();
+  }
+  else {
+    policy = policies[counter++];
+    var src = "file_csp_testserver.sjs";
+    // append the file that should be served
+    src += "?file=" + escape("tests/content/base/test/csp/file_csp_path_matching.html");
+    // append the CSP that should be used to serve the file
+    src += "&csp=" + escape("default-src 'none'; script-src " + policy[1]);
+
+    document.getElementById("testframe").addEventListener("load", test, false);
+    document.getElementById("testframe").src = src;
+  }
+}
+
+function test() {
+  try {
+    document.getElementById("testframe").removeEventListener('load', test, false);
+    var testframe = document.getElementById("testframe");
+    var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML;
+    is(divcontent, policy[0], "should be " + policy[0] + " in test " + (counter - 1) + "!");
+  }
+  catch (e) {
+    ok(false, "ERROR: could not access content in test " + (counter - 1) + "!");
+  }
+  loadNextTest();
+}
+
+loadNextTest();
+
+</script>
+</body>
+</html>
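Review bot: The "blocked" cases (lines 176-182) never check that a file-level source expression is compared exactly rather than as a string prefix: `.../file_csp_path_matching.py` differs in extension, but a policy that is a strict prefix of the filename without a trailing slash, e.g. `["blocked", "test1.example.com/tests/content/base/test/csp/file_csp_path_matching"]`, is the case a naive `startsWith` matcher would wrongly allow, and it should be added alongside the `/tests` and `/csp` prefix cases. The `?foo=val` and `#foo` policies (lines 151-159) are expected to be "allowed", which means a source expression carrying a query or fragment is silently widened to the whole host; if the host-source grammar does not admit those characters, dropping the invalid expression (fail-closed) would be the safer interpretation, so the description comment at line 138 should state explicitly which behaviour is intended and why. Finally, `escape()` (lines 196 and 198) is deprecated and does not encode `+`, `/` or `*`; the policy strings are built into a query parameter, so `encodeURIComponent` is the correct call, `src += "&csp=" + encodeURIComponent("default-src 'none'; script-src " + policy[1]);`, and likewise for the `file=` parameter.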
deleted file mode 100644
--- a/content/base/test/csp/test_csp_regexp_parsing.html
+++ /dev/null
@@ -1,101 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Bug 916054 - URLs with path are ignored by FF's CSP parser</title>
-  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-  <p id="display"></p>
-  <div id="content" style="visibility: hidden">
-    <iframe style="width:100%;" id="testframe"></iframe>
-  </div>
-
-<script class="testbody" type="text/javascript">
-
-SimpleTest.waitForExplicitFinish();
-
-var policies = [
-  ["allowed", "*"],
-  ["allowed", "test1.example.com"],
-  ["allowed", "test1.example.com/"],
-  ["allowed", "test1.example.com/path-1"],
-  ["allowed", "test1.example.com/path-1/"],
-  ["allowed", "test1.example.com/path-1/path_2/"],
-  ["allowed", "test1.example.com/path-1/path_2/file.js"],
-  ["allowed", "test1.example.com/path-1/path_2/file_1.js"],
-  ["allowed", "test1.example.com/path-1/path_2/file-2.js"],
-  ["allowed", "test1.example.com/path-1/path_2/f.js"],
-  ["allowed", "test1.example.com/path-1/path_2/f.oo.js"],
-  ["allowed", "*.example.com"],
-  ["allowed", "*.example.com/"],
-  ["allowed", "*.example.com/path-1"],
-  ["allowed", "*.example.com/path-1/"],
-  ["allowed", "*.example.com/path-1/path_2/"],
-  ["allowed", "*.example.com/path-1/path_2/file.js"],
-  ["allowed", "*.example.com/path-1/path_2/file_1.js"],
-  ["allowed", "*.example.com/path-1/path_2/file-2.js"],
-  ["allowed", "*.example.com/path-1/path_2/f.js"],
-  ["allowed", "*.example.com/path-1/path_2/f.oo.js"],
-  ["allowed", "test1.example.com:80"],
-  ["allowed", "test1.example.com:80/"],
-  ["allowed", "test1.example.com:80/path-1"],
-  ["allowed", "test1.example.com:80/path-1/"],
-  ["allowed", "test1.example.com:80/path-1/path_2"],
-  ["allowed", "test1.example.com:80/path-1/path_2/"],
-  ["allowed", "test1.example.com:80/path-1/path_2/file.js"],
-  ["allowed", "test1.example.com:80/path-1/path_2/f.ile.js"],
-  ["allowed", "test1.example.com:*"],
-  ["allowed", "test1.example.com:*/"],
-  ["allowed", "test1.example.com:*/path-1"],
-  ["allowed", "test1.example.com:*/path-1/"],
-  ["allowed", "test1.example.com:*/path-1/path_2"],
-  ["allowed", "test1.example.com:*/path-1/path_2/"],
-  ["allowed", "test1.example.com:*/path-1/path_2/file.js"],
-  ["allowed", "test1.example.com:*/path-1/path_2/f.ile.js"],
-  // the following tests should fail
-  ["blocked", "test1.example.com:88path-1/"],
-  ["blocked", "test1.example.com:80.js"],
-  ["blocked", "test1.example.com:*.js"],
-  ["blocked", "test1.example.com:*."]
-]
-
-var counter = 0;
-var policy;
-
-function loadNextTest() {
-  if (counter == policies.length) {
-    SimpleTest.finish();
-  }
-  else {
-    policy = policies[counter++];
-    var src = "file_csp_testserver.sjs";
-    // append the file that should be served
-    src += "?file=" + escape("tests/content/base/test/csp/file_csp_regexp_parsing.html");
-    // append the CSP that should be used to serve the file
-    src += "&csp=" + escape("default-src 'none'; script-src " + policy[1]);
-
-    document.getElementById("testframe").addEventListener("load", test, false);
-    document.getElementById("testframe").src = src;
-  }
-}
-
-function test() {
-  try {
-    document.getElementById("testframe").removeEventListener('load', test, false);
-    var testframe = document.getElementById("testframe");
-    var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML;
-    is(divcontent, policy[0], "should be " + policy[0] + " in test " + (counter - 1) + "!");
-  }
-  catch (e) {
-    ok(false, "ERROR: could not access content in test " + (counter - 1) + "!");
-  }
-  loadNextTest();
-}
-
-loadNextTest();
-
-</script>
-</body>
-</html>