Bug 916054 - CSP mochitests for URLs with path. r=grobinson
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Mon, 30 Sep 2013 10:49:07 -0700
changeset 182114 3aa13aa6777c7293e2453350d1f56d2c8257ba39
parent 182113 65dbffad01e1d258d6819faaf728e099635991b6
child 182115 303b316dd325e35a5bda7dae8821156dd9b92311
push id3343
push userffxbld
push dateMon, 17 Mar 2014 21:55:32 +0000
reviewersgrobinson
bugs916054
milestone29.0a1
Bug 916054 - CSP mochitests for URLs with path. r=grobinson
content/base/test/csp/file_csp_regexp_parsing.html
content/base/test/csp/file_csp_regexp_parsing.js
content/base/test/csp/file_csp_testserver.sjs
content/base/test/csp/mochitest.ini
content/base/test/csp/test_csp_regexp_parsing.html
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_regexp_parsing.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Bug 916054 - URLs with path are ignored by FF's CSP parser</title>
+  </head>
+  <body>
+  <div id="testdiv">blocked</div>
+  <script src="http://test1.example.com/tests/content/base/test/csp/file_csp_regexp_parsing.js"></script>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_regexp_parsing.js
@@ -0,0 +1,1 @@
+document.getElementById("testdiv").innerHTML = "allowed";
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_testserver.sjs
@@ -0,0 +1,45 @@
+// SJS file for CSP mochitests
+
+Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+function loadHTMLFromFile(path) {
+  // Load the HTML to return in the response from file.
+  // Since it's relative to the cwd of the test runner, we start there and
+  // append to get to the actual path of the file.
+  var testHTMLFile =
+    Components.classes["@mozilla.org/file/directory_service;1"].
+    getService(Components.interfaces.nsIProperties).
+    get("CurWorkD", Components.interfaces.nsILocalFile);
+  var dirs = path.split("/");
+  for (var i = 0; i < dirs.length; i++) {
+    testHTMLFile.append(dirs[i]);
+  }
+  var testHTMLFileStream =
+    Components.classes["@mozilla.org/network/file-input-stream;1"].
+    createInstance(Components.interfaces.nsIFileInputStream);
+  testHTMLFileStream.init(testHTMLFile, -1, 0, 0);
+  var testHTML = NetUtil.readInputStreamToString(testHTMLFileStream, testHTMLFileStream.available());
+  return testHTML;
+}
+
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  var csp = unescape(query['csp']);
+  var file = unescape(query['file']);
+
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // Deliver the CSP policy encoded in the URI
+  response.setHeader("Content-Security-Policy", csp, false);
+
+  // Send HTML to test allowed/blocked behaviors
+  response.setHeader("Content-Type", "text/html", false);
+  response.write(loadHTMLFromFile(file));
+}
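Review bot: handleRequest decodes the `csp` and `file` parameters twice, once in the forEach via `unescape(value)` and again via `unescape(query['csp'])` and `unescape(query['file'])`, so a policy or path that contains a literal `%XX` sequence reaches the header or the file lookup altered. The decoded `file` value then goes unchecked into loadHTMLFromFile, which appends every segment to the runner's working directory; whether `append` rejects `..` segments is not visible here, so the handler should itself pin the path to the CSP test directory. Destructuring `val.split('=')` also drops everything after a second `=` in a value. Separately, the input stream opened in loadHTMLFromFile is never closed; a `testHTMLFileStream.close();` after the read would release it.

```javascript
function handleRequest(request, response)
{
  var query = {};
  request.queryString.split('&').forEach(function (val) {
    // split on the first '=' only, so values that contain '=' survive
    var idx = val.indexOf('=');
    var name = idx < 0 ? val : val.substring(0, idx);
    query[name] = idx < 0 ? "" : unescape(val.substring(idx + 1));
  });

  // values were decoded once above; a second unescape() would mangle a literal '%'
  var csp = query['csp'];
  var file = query['file'];

  // only serve support files that live in the CSP test directory
  if (typeof file !== "string" ||
      file.indexOf("tests/content/base/test/csp/") !== 0) {
    response.setStatusLine(request.httpVersion, 400, "Bad Request");
    return;
  }

  // … unchanged: Cache-Control, Content-Security-Policy and Content-Type headers, response.write(loadHTMLFromFile(file)) …
```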
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@@ -103,16 +103,19 @@ support-files =
   file_CSP_bug941404_xhr.html
   file_CSP_bug941404_xhr.html^headers^
   file_hash_source.html
   file_hash_source.html^headers^
   file_dual_headers_warning.html
   file_dual_headers_warning.html^headers^
   file_self_none_as_hostname_confusion.html
   file_self_none_as_hostname_confusion.html^headers^
+  file_csp_testserver.sjs
+  file_csp_regexp_parsing.html
+  file_csp_regexp_parsing.js
 
 [test_CSP.html]
 [test_CSP_bug663567.html]
 [test_CSP_bug802872.html]
 [test_CSP_bug885433.html]
 [test_CSP_bug888172.html]
 [test_CSP_bug916446.html]
 [test_CSP_evalscript.html]
@@ -128,8 +131,9 @@ support-files =
 [test_CSP_bug909029.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_CSP_bug941404.html]
 [test_hash_source.html]
 [test_dual_headers_warning.html]
 [test_self_none_as_hostname_confusion.html]
 [test_bug949549.html]
+[test_csp_regexp_parsing.html]
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/test_csp_regexp_parsing.html
@@ -0,0 +1,107 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 916054 - URLs with path are ignored by FF's CSP parser</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <p id="display"></p>
+  <div id="content" style="visibility: hidden">
+    <iframe style="width:100%;" id="testframe"></iframe>
+  </div>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+var policies = [
+  ["allowed", "*"],
+  ["allowed", "test1.example.com"],
+  ["allowed", "test1.example.com/"],
+  ["allowed", "test1.example.com/path-1"],
+  ["allowed", "test1.example.com/path-1/"],
+  ["allowed", "test1.example.com/path-1/path_2/"],
+  ["allowed", "test1.example.com/path-1/path_2/file.js"],
+  ["allowed", "test1.example.com/path-1/path_2/file_1.js"],
+  ["allowed", "test1.example.com/path-1/path_2/file-2.js"],
+  ["allowed", "test1.example.com/path-1/path_2/f.js"],
+  ["allowed", "*.example.com"],
+  ["allowed", "*.example.com/"],
+  ["allowed", "*.example.com/path-1"],
+  ["allowed", "*.example.com/path-1/"],
+  ["allowed", "*.example.com/path-1/path_2/"],
+  ["allowed", "*.example.com/path-1/path_2/file.js"],
+  ["allowed", "*.example.com/path-1/path_2/file_1.js"],
+  ["allowed", "*.example.com/path-1/path_2/file-2.js"],
+  ["allowed", "*.example.com/path-1/path_2/f.js"],
+  ["allowed", "test1.example.com:80"],
+  ["allowed", "test1.example.com:80/"],
+  ["allowed", "test1.example.com:80/path-1"],
+  ["allowed", "test1.example.com:80/path-1/"],
+  ["allowed", "test1.example.com:80/path-1/path_2"],
+  ["allowed", "test1.example.com:80/path-1/path_2/"],
+  ["allowed", "test1.example.com:80/path-1/path_2/file.js"],
+  ["allowed", "test1.example.com:*"],
+  ["allowed", "test1.example.com:*/"],
+  ["allowed", "test1.example.com:*/path-1"],
+  ["allowed", "test1.example.com:*/path-1/"],
+  ["allowed", "test1.example.com:*/path-1/path_2"],
+  ["allowed", "test1.example.com:*/path-1/path_2/"],
+  ["allowed", "test1.example.com:*/path-1/path_2/file.js"],
+  // the following tests should fail
+  ["blocked", "test1.example.com/path-1//path_2"],
+  ["blocked", "test1.example.com/path-1/file.js.cpp"],
+  ["blocked", "test1.example.com:88path-1/"],
+  ["blocked", "test1.example.com:80//"],
+  ["blocked", "test1.example.com:80//path-1"],
+  ["blocked", "test1.example.com:80/.js"],
+  ["blocked", "test1.example.com:80.js"],
+  ["blocked", "test1.example.com:*.js"],
+  ["blocked", "test1.example.com:*."]
+]
+
+var counter = 0;
+var policy;
+
+function loadNextTest() {
+  if (counter == policies.length) {
+    SimpleTest.finish();
+  }
+  else {
+    policy = policies[counter++];
+    var src = "file_csp_testserver.sjs";
+    // append the file that should be served
+    src += "?file=" + escape("tests/content/base/test/csp/file_csp_regexp_parsing.html");
+    // append the CSP that should be used to serve the file
+    src += "&csp=" + escape("default-src 'none'; script-src " + policy[1]);
+
+    document.getElementById("testframe").addEventListener("load", test, false);
+    document.getElementById("testframe").src = src;
+  }
+}
+
+function test() {
+  try {
+    document.getElementById("testframe").removeEventListener('load', test, false);
+    var testframe = document.getElementById("testframe");
+    var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML;
+    is(divcontent, policy[0], "should be " + policy[0] + " in test " + (counter - 1) + "!");
+  }
+  catch (e) {
+    ok(false, "ERROR: could not access content in test " + (counter - 1) + "!");
+  }
+  loadNextTest();
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function () {
+    loadNextTest();
+  }
+);
+
+</script>
+</body>
+</html>
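Review bot: The `policies` table needs a comment explaining that its "allowed" rows with a path (for example `test1.example.com/path-1/path_2/file.js`) name paths that do not match the script the frame actually loads, `/tests/content/base/test/csp/file_csp_regexp_parsing.js`. Those rows can therefore pass only if the path part is parsed and then not used for matching, which a reader could mistake for path enforcement being covered. A comment above `var policies` such as `// Only parseability of the source expression is tested; the path component is not matched against the script URL.` would make that explicit. In the same spirit, the "blocked" rows cannot distinguish a source that was rejected by the parser from one that parsed but did not match, which is worth stating next to `// the following tests should fail`. The catch block in `test()` also discards the exception; appending `e` to the message, as in `"ERROR: could not access content in test " + (counter - 1) + ": " + e`, would show why a frame was unreadable.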