Bug 1297051 - Test CSPRO should not block mixed content. r=dveditz a=ritu
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 24 Aug 2016 09:24:20 +0200
changeset 347895 e7145d5a6c29e99bad06262ebb910f9654b97ee3
parent 347894 7773a88b7025976105e73787e3f5e7541c6396df
child 347896 8eaf4affd3321ba544c4289d15c6e81d6b0f4c71
push id6389
push userraliiev@mozilla.com
push dateMon, 19 Sep 2016 13:38:22 +0000
reviewersdveditz, ritu
bugs1297051
milestone50.0a2
Bug 1297051 - Test CSPRO should not block mixed content. r=dveditz a=ritu
dom/security/test/csp/file_block_all_mcb.sjs
dom/security/test/csp/test_block_all_mixed_content.html
--- a/dom/security/test/csp/file_block_all_mcb.sjs
+++ b/dom/security/test/csp/file_block_all_mcb.sjs
@@ -23,16 +23,33 @@ const BODY =
   "  };" +
   "  myImg.onerror = function(e) {" +
   "    window.parent.postMessage({result: \"img-blocked\"}, \"*\");" +
   "  };" +
   "</script>" +
   "</body>" +
   "</html>";
 
+// We have to use this special code fragment, in particular '?nocache' to trigger an
+// actual network load rather than loading the image from the cache.
+const BODY_CSPRO =
+  "<body>" +
+  "<img id=\"testimage\" src=\"http://mochi.test:8888/tests/image/test/mochitest/blue.png?nocache\"></img>" +
+  "<script type=\"application/javascript\">" +
+  "  var myImg = document.getElementById(\"testimage\");" +
+  "  myImg.onload = function(e) {" +
+  "    window.parent.postMessage({result: \"img-loaded\"}, \"*\");" +
+  "  };" +
+  "  myImg.onerror = function(e) {" +
+  "    window.parent.postMessage({result: \"img-blocked\"}, \"*\");" +
+  "  };" +
+  "</script>" +
+  "</body>" +
+  "</html>";
+
 function handleRequest(request, response)
 {
   // avoid confusing cache behaviors
   response.setHeader("Cache-Control", "no-cache", false);
  
   var queryString = request.queryString;
 
   if (queryString === "csp-block") {
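Review bot: BODY_CSPRO at L31-44 duplicates the entire BODY fragment, with the `<img>` line the only apparent difference (`?nocache` appended to the src), so the two onload/onerror handlers and postMessage payloads will drift apart the next time one of them is edited. BODY's definition starts above this hunk, so I cannot confirm its image line is otherwise identical; if it is, build both bodies from one small helper such as `makeBody(imgSrc)` that takes the image URL and returns the markup, and define `BODY` and `BODY_CSPRO` as two calls to it. The comment at L29-30 is also vaguer than it needs to be ("this special code fragment"); stating the purpose directly reads better, e.g. `// Append '?nocache' so this image is genuinely fetched over the network; the other bodies reuse the cached copy (cf. the csp-block case's "insecure cache loads").`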
@@ -42,12 +59,18 @@ function handleRequest(request, response
   if (queryString === "csp-allow") {
     response.write(HEAD + CSP_ALLOW + BODY);
     return;
   }
   if (queryString === "no-csp") {
     response.write(HEAD + BODY);
     return;
   }
+  if (queryString === "cspro-block") {
+    // CSP RO is not supported in meta tag, let's use the header
+    response.setHeader("Content-Security-Policy-Report-Only", "block-all-mixed-content", false);
+    response.write(HEAD + BODY_CSPRO);
+    return;
+  }
   // we should never get here but just in case return something unexpected
   response.write("do'h");
 
 }
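Review bot: The new `cspro-block` branch only exercises the non-blocking half of report-only semantics: the policy set at L65 carries no `report-uri`, so the violation report that `block-all-mixed-content` is still expected to produce in report-only mode is never collected or asserted, and a build that silently dropped the header would pass this case exactly like the `no-csp` case does. If the reporting side is in scope, point the header at a collector (this .sjs could serve one under another query string, e.g. `"block-all-mixed-content; report-uri " + <this file>?report`) and have the test page wait for the report in addition to the `img-loaded` message; otherwise the limitation is worth recording in the comment at L64, e.g. `// Only verifies that report-only does not block; the report itself is not asserted here.` Delivering the policy via the response header rather than the meta tag is correct, since Content-Security-Policy-Report-Only is header-only.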
--- a/dom/security/test/csp/test_block_all_mixed_content.html
+++ b/dom/security/test/csp/test_block_all_mixed_content.html
@@ -51,16 +51,21 @@ const tests = [
     expected: "img-loaded",
     description: "(no-csp) mixed display content should be loaded"
   },
   { // Test 4
     query: "csp-block",
     expected: "img-blocked",
     description: "(csp-block) block-all-mixed content should block insecure cache loads"
   },
+  { // Test 5
+    query: "cspro-block",
+    expected: "img-loaded",
+    description: "(cspro-block) block-all-mixed in report only mode should not block"
+  },
 ];
 
 var curTest;
 var counter = -1;
 
 function checkResults(result) {
   is(result, curTest.expected, curTest.description);
   loadNextTest();
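Review bot: Test 5's expected result `img-loaded` at L86 is the same outcome Test 3 (`no-csp`, L76-77) produces, so on its own this case cannot distinguish a report-only policy that was correctly not enforced from one that was never parsed at all; it only carries meaning alongside Test 4's `img-blocked`, which shows the directive is honoured in enforce mode. A short comment on the new entry would make that dependency explicit, e.g. `// Meaningful only with Test 4: same directive must block when enforced and not block when report-only`. The description at L87 also drops the directive's name relative to Test 4's wording; `"(cspro-block) block-all-mixed-content in report-only mode should not block"` keeps the two consistent and easier to grep in failure logs. checkResults at L94 continues past the end of this hunk.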