Bug 908933 - Part2 - CSP tests: ShouldProcess should block TYPE_OBJECT. r=ckerschb
authorEthan Tseng <ettseng@mozilla.com>
Wed, 27 Jan 2016 01:35:53 +0800
changeset 321896 41cb765011b63019f8d9aa92b7db24bab1eb646e
parent 321895 bf293d7d7ac6177bd73bddefce083847607f5bb7
child 321897 3668019351bb2d8f819004b092ad62542b72cd57
push id5913
push userjlund@mozilla.com
push dateMon, 25 Apr 2016 16:57:49 +0000
reviewersckerschb
bugs908933
milestone47.0a1
Bug 908933 - Part2 - CSP tests: ShouldProcess should block TYPE_OBJECT. r=ckerschb
dom/security/test/csp/file_shouldprocess.html
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_shouldprocess.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_shouldprocess.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Helper for Test Bug 908933</title>
+    <meta charset="utf-8">
+  </head>
+  <body>
+	<object type="application/x-java-test" codebase="test1"></object>
+
+	<object classid="java:test2" codebase="./test2"></object>
+
+	<object data="test3" classid="java:test3" codebase="./test3"></object>
+
+	<applet codebase="test4"></applet>
+
+	<embed src="test5.class" codebase="test5" type="application/x-java-test">
+
+	<embed type="application/x-java-test" codebase="test6">
+
+	<embed src="test7.class">
+
+	<embed src="test8.class" codebase="test8">
+
+  </body>
+</html>
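Review bot: None of the eight elements in this fixture carries a comment tying it to the URI that test_shouldprocess.html expects in the violation report. Going by that test's list, test1–test6 are expected under their `codebase` URI and test7.class/test8.class under their `src` URI, so the last `<embed>` (both `src` and `codebase`) is presumably meant to show that the `src` load is what gets reported. A one-line comment per case, such as `<!-- test8: src and codebase both set; expect test8.class blocked by shouldLoad -->`, would let a reviewer check the mapping without reading the content-policy code. The element lines are also indented with tabs while the rest of the file uses spaces.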
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -76,16 +76,17 @@ support-files =
   file_bug910139.xsl
   file_bug909029_star.html
   file_bug909029_star.html^headers^
   file_bug909029_none.html
   file_bug909029_none.html^headers^
   file_policyuri_regression_from_multipolicy.html
   file_policyuri_regression_from_multipolicy.html^headers^
   file_policyuri_regression_from_multipolicy_policy
+  file_shouldprocess.html
   file_nonce_source.html
   file_nonce_source.html^headers^
   file_bug941404.html
   file_bug941404_xhr.html
   file_bug941404_xhr.html^headers^
   file_hash_source.html
   file_dual_header_testserver.sjs
   file_hash_source.html^headers^
@@ -217,15 +218,18 @@ skip-if = buildapp == 'b2g' || toolkit =
 [test_upgrade_insecure_cors.html]
 skip-if = buildapp == 'b2g' || toolkit == 'gonk' || toolkit == 'android'
 [test_report_for_import.html]
 [test_blocked_uri_in_reports.html]
 [test_service_worker.html]
 skip-if = buildapp == 'b2g' #no ssl support
 [test_child-src_worker.html]
 skip-if = buildapp == 'b2g' #investigate in bug 1222904
+[test_shouldprocess.html]
+# Fennec platform does not support Java applet plugin
+skip-if = toolkit == 'android' #investigate in bug 1250814
 [test_child-src_worker_data.html]
 [test_child-src_worker-redirect.html]
 [test_child-src_iframe.html]
 [test_meta_element.html]
 [test_meta_header_dual.html]
 [test_docwrite_meta.html]
 [test_multipartchannel.html]
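Review bot: The new `test_shouldprocess.html` entry gives two reasons for the Android skip that do not obviously agree: the comment line says the platform has no Java applet plugin, while the trailing `#investigate in bug 1250814` suggests the cause is still unknown. While the skip stands, the `object-src 'none'` blocking path this test exercises has no coverage on that platform, so it is worth stating which reason is the real one. If the bug tracks re-enabling the test, a single line such as `skip-if = toolkit == 'android' # no Java plugin on Fennec, see bug 1250814` would say so.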
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_shouldprocess.html
@@ -0,0 +1,98 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=908933
+-->
+<head>
+  <title>Test Bug 908933</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <meta http-equiv="content-type" content="text/html; charset=utf-8">
+</head>
+<body>
+<script class="testbody" type="text/javascript">
+
+/*
+ * Description of the test:
+ * We load variations of 'objects' and make sure all the
+ * resource loads are correctly blocked by CSP.
+ * For all the testing we use a CSP with "object-src 'none'"
+ * so that all the loads are either blocked by
+ * shouldProcess or shouldLoad.
+ */
+
+const POLICY = "default-src http://mochi.test:8888; object-src 'none'";
+const TESTFILE = "tests/dom/security/test/csp/file_shouldprocess.html";
+
+SimpleTest.waitForExplicitFinish();
+
+var tests = [
+  // Note that the files listed below don't actually exist.
+  // Since loading of them should be blocked by shouldProcess, we don't
+  // really need these files.
+
+  // blocked by shouldProcess
+  "http://mochi.test:8888/tests/dom/security/test/csp/test1",
+  "http://mochi.test:8888/tests/dom/security/test/csp/test2",
+  "http://mochi.test:8888/tests/dom/security/test/csp/test3",
+  "http://mochi.test:8888/tests/dom/security/test/csp/test4",
+  "http://mochi.test:8888/tests/dom/security/test/csp/test5",
+  "http://mochi.test:8888/tests/dom/security/test/csp/test6",
+  // blocked by shouldLoad
+  "http://mochi.test:8888/tests/dom/security/test/csp/test7.class",
+  "http://mochi.test:8888/tests/dom/security/test/csp/test8.class",
+];
+
+function checkResults(aURI) {
+  var index = tests.indexOf(aURI);
+  if (index > -1) {
+    tests.splice(index, 1);
+    ok(true, "ShouldLoad or ShouldProcess blocks TYPE_OBJECT with uri: " + aURI + "!");
+  }
+  else {
+    ok(false, "ShouldLoad or ShouldProcess incorreclty blocks TYPE_OBJECT with uri: " + aURI + "!");
+  }
+  if (tests.length == 0) {
+    window.examiner.remove();
+    SimpleTest.finish();
+  }
+}
+
+// used to watch that shouldProcess blocks TYPE_OBJECT
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    if (topic === "csp-on-violate-policy") {
+      var asciiSpec =
+        SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      checkResults(asciiSpec);
+    }
+  },
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+  }
+}
+window.examiner = new examiner();
+
+function loadFrame() {
+  var src = "file_testserver.sjs";
+  // append the file that should be served
+  src += "?file=" + escape(TESTFILE);
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(POLICY);
+
+  var iframe = document.createElement("iframe");
+  iframe.src = src;
+  document.body.appendChild(iframe);
+}
+
+SpecialPowers.pushPrefEnv(
+  { "set": [['plugin.java.mime', 'application/x-java-test']] },
+  loadFrame);
+
+</script>
+</pre>
+</body>
+</html>
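Review bot: `examiner.observe` accepts any `csp-on-violate-policy` notification whose URI is in `tests` and never looks at `data`, so the test does not confirm that the block came from `object-src 'none'`. Assuming `data` carries the violated directive, as it appears to in other CSP mochitests, a check such as `ok(data.indexOf("object-src") > -1, "object-src violated for " + aURI);` before `checkResults(asciiSpec)` would pin that down. Because `checkResults` splices each URI out on first sight, a second report for the same URI would hit the `ok(false, ...)` branch, and a load that is wrongly allowed shows up only as a harness timeout; a comment on `checkResults` should state both. Smaller points: the failure message misspells "incorrectly" as `incorreclty`, there is a stray `</pre>` after `</script>` with no opening tag, and `escape()` in `loadFrame` would be better as `encodeURIComponent()` for building the query string.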