author | Christoph Kerschbaumer <mozilla@christophkerschbaumer.com> |
Mon, 30 Sep 2013 10:49:07 -0700 | |
changeset 182114 | 3aa13aa6777c7293e2453350d1f56d2c8257ba39 |
parent 182113 | 65dbffad01e1d258d6819faaf728e099635991b6 |
child 182115 | 303b316dd325e35a5bda7dae8821156dd9b92311 |
push id | 3343 |
push user | ffxbld |
push date | Mon, 17 Mar 2014 21:55:32 +0000 |
treeherder | mozilla-beta@2f7d3415f79f [default view] [failures only] |
reviewers | grobinson |
bugs | 916054 |
milestone | 29.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_regexp_parsing.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+ <head>
+ <title>Bug 916054 - URLs with path are ignored by FF's CSP parser</title>
+ </head>
+ <body>
+ <div id="testdiv">blocked</div>
+ <script src="http://test1.example.com/tests/content/base/test/csp/file_csp_regexp_parsing.js"></script>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_regexp_parsing.js
@@ -0,0 +1,1 @@
+document.getElementById("testdiv").innerHTML = "allowed";
new file mode 100644
--- /dev/null
+++ b/content/base/test/csp/file_csp_testserver.sjs
@@ -0,0 +1,45 @@
+// SJS file for CSP mochitests
+
+Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+function loadHTMLFromFile(path) {
+ // Load the HTML to return in the response from file.
+ // Since it's relative to the cwd of the test runner, we start there and
+ // append to get to the actual path of the file.
+ var testHTMLFile =
+ Components.classes["@mozilla.org/file/directory_service;1"].
+ getService(Components.interfaces.nsIProperties).
+ get("CurWorkD", Components.interfaces.nsILocalFile);
+ var dirs = path.split("/");
+ for (var i = 0; i < dirs.length; i++) {
+ testHTMLFile.append(dirs[i]);
+ }
+ var testHTMLFileStream =
+ Components.classes["@mozilla.org/network/file-input-stream;1"].
+ createInstance(Components.interfaces.nsIFileInputStream);
+ testHTMLFileStream.init(testHTMLFile, -1, 0, 0);
+ var testHTML = NetUtil.readInputStreamToString(testHTMLFileStream, testHTMLFileStream.available());
+ return testHTML;
+}
+
+function handleRequest(request, response)
+{
+ var query = {};
+ request.queryString.split('&').forEach(function (val) {
+ var [name, value] = val.split('=');
+ query[name] = unescape(value);
+ });
+
+ var csp = unescape(query['csp']);
+ var file = unescape(query['file']);
+
+ // avoid confusing cache behaviors
+ response.setHeader("Cache-Control", "no-cache", false);
+
+ // Deliver the CSP policy encoded in the URI
+ response.setHeader("Content-Security-Policy", csp, false);
+
+ // Send HTML to test allowed/blocked behaviors
+ response.setHeader("Content-Type", "text/html", false);
+ response.write(loadHTMLFromFile(file));
+}
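Review bot: In `handleRequest` the `file` value is taken from the query string and `loadHTMLFromFile` appends every `/`-separated segment of it to the runner's working directory, so nothing in this file limits which files the handler will return. Pinning the lookup to the CSP test directory, or rejecting segments equal to `..` before the `append` loop, would make that boundary explicit; whether `nsIFile.append` already refuses such segments is not visible here. The values are also decoded twice, once in `query[name] = unescape(value);` and again in `unescape(query['csp'])` and `unescape(query['file'])`, which would alter any policy or path containing a literal `%`; `var csp = query['csp'];` and `var file = query['file'];` are sufficient. The stream set up by `testHTMLFileStream.init(...)` is not closed in the visible code, so a `testHTMLFileStream.close();` before `return testHTML;` is worth adding.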
--- a/content/base/test/csp/mochitest.ini +++ b/content/base/test/csp/mochitest.ini @@ -103,16 +103,19 @@ support-files = file_CSP_bug941404_xhr.html file_CSP_bug941404_xhr.html^headers^ file_hash_source.html file_hash_source.html^headers^ file_dual_headers_warning.html file_dual_headers_warning.html^headers^ file_self_none_as_hostname_confusion.html file_self_none_as_hostname_confusion.html^headers^ + file_csp_testserver.sjs + file_csp_regexp_parsing.html + file_csp_regexp_parsing.js [test_CSP.html] [test_CSP_bug663567.html] [test_CSP_bug802872.html] [test_CSP_bug885433.html] [test_CSP_bug888172.html] [test_CSP_bug916446.html] [test_CSP_evalscript.html] @@ -128,8 +131,9 @@ support-files = [test_CSP_bug909029.html] [test_policyuri_regression_from_multipolicy.html] [test_nonce_source.html] [test_CSP_bug941404.html] [test_hash_source.html] [test_dual_headers_warning.html] [test_self_none_as_hostname_confusion.html] [test_bug949549.html] +[test_csp_regexp_parsing.html]
new file mode 100644 --- /dev/null +++ b/content/base/test/csp/test_csp_regexp_parsing.html 
@@ -0,0 +1,107 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 916054 - URLs with path are ignored by FF's CSP parser</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> + <p id="display"></p> + <div id="content" style="visibility: hidden"> + <iframe style="width:100%;" id="testframe"></iframe> + </div> + +<script class="testbody" type="text/javascript"> + +SimpleTest.waitForExplicitFinish(); + +var policies = [ + ["allowed", "*"], + ["allowed", "test1.example.com"], + ["allowed", "test1.example.com/"], + ["allowed", "test1.example.com/path-1"], + ["allowed", "test1.example.com/path-1/"], + ["allowed", "test1.example.com/path-1/path_2/"], + ["allowed", "test1.example.com/path-1/path_2/file.js"], + ["allowed", "test1.example.com/path-1/path_2/file_1.js"], + ["allowed", "test1.example.com/path-1/path_2/file-2.js"], + ["allowed", "test1.example.com/path-1/path_2/f.js"], + ["allowed", "*.example.com"], + ["allowed", "*.example.com/"], + ["allowed", "*.example.com/path-1"], + ["allowed", "*.example.com/path-1/"], + ["allowed", "*.example.com/path-1/path_2/"], + ["allowed", "*.example.com/path-1/path_2/file.js"], + ["allowed", "*.example.com/path-1/path_2/file_1.js"], + ["allowed", "*.example.com/path-1/path_2/file-2.js"], + ["allowed", "*.example.com/path-1/path_2/f.js"], + ["allowed", "test1.example.com:80"], + ["allowed", "test1.example.com:80/"], + ["allowed", "test1.example.com:80/path-1"], + ["allowed", "test1.example.com:80/path-1/"], + ["allowed", "test1.example.com:80/path-1/path_2"], + ["allowed", "test1.example.com:80/path-1/path_2/"], + ["allowed", "test1.example.com:80/path-1/path_2/file.js"], + ["allowed", "test1.example.com:*"], + ["allowed", "test1.example.com:*/"], + ["allowed", "test1.example.com:*/path-1"], + ["allowed", 
"test1.example.com:*/path-1/"], + ["allowed", "test1.example.com:*/path-1/path_2"], + ["allowed", "test1.example.com:*/path-1/path_2/"], + ["allowed", "test1.example.com:*/path-1/path_2/file.js"], + // the following tests should fail + ["blocked", "test1.example.com/path-1//path_2"], + ["blocked", "test1.example.com/path-1/file.js.cpp"], + ["blocked", "test1.example.com:88path-1/"], + ["blocked", "test1.example.com:80//"], + ["blocked", "test1.example.com:80//path-1"], + ["blocked", "test1.example.com:80/.js"], + ["blocked", "test1.example.com:80.js"], + ["blocked", "test1.example.com:*.js"], + ["blocked", "test1.example.com:*."] +] + +var counter = 0; +var policy; + +function loadNextTest() { + if (counter == policies.length) { + SimpleTest.finish(); + } + else { + policy = policies[counter++]; + var src = "file_csp_testserver.sjs"; + // append the file that should be served + src += "?file=" + escape("tests/content/base/test/csp/file_csp_regexp_parsing.html"); + // append the CSP that should be used to serve the file + src += "&csp=" + escape("default-src 'none'; script-src " + policy[1]); + + document.getElementById("testframe").addEventListener("load", test, false); + document.getElementById("testframe").src = src; + } +} + +function test() { + try { + document.getElementById("testframe").removeEventListener('load', test, false); + var testframe = document.getElementById("testframe"); + var divcontent = testframe.contentWindow.document.getElementById('testdiv').innerHTML; + is(divcontent, policy[0], "should be " + policy[0] + " in test " + (counter - 1) + "!"); + } + catch (e) { + ok(false, "ERROR: could not access content in test " + (counter - 1) + "!"); + } + loadNextTest(); +} + +SpecialPowers.pushPrefEnv( + {'set':[["security.csp.speccompliant", true]]}, + function () { + loadNextTest(); + } +); + +</script> +</body> +</html>
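Review bot: The `allowed` rows in `policies` that carry a path (for example `test1.example.com/path-1/path_2/file.js`) can be misread as coverage of path matching, but the script the frame loads is `/tests/content/base/test/csp/file_csp_regexp_parsing.js`, so these rows appear to show only that a source with a path is parsed and still matches on host. A comment above the array such as `// Paths are parsed but not compared: the served script is outside /path-1/, so "allowed" means the host matched.` would keep a later reader from relying on this test for path enforcement. In `test()`, the `catch (e)` branch drops the exception; appending `e` to the `ok(false, ...)` message would show why the frame content could not be read.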