Bug 1548385: Test CSP blocks scripts correctly within template. r=jkt
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Mon, 13 May 2019 20:20:58 +0000
changeset 532508 ff2278c703c15245c7d8639f4fc10d13ba44b51c
parent 532507 30c5aa2279c6d4f3952b0db3da22fed9ff21f949
child 532509 7db0ea895005973d998409c051d9d7e69c2a896b
push id11268
push usercsabou@mozilla.com
push dateTue, 14 May 2019 15:24:22 +0000
treeherdermozilla-beta@5fb7fcd568d6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjkt
bugs1548385
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1548385: Test CSP blocks scripts correctly within template. r=jkt Differential Revision: https://phabricator.services.mozilla.com/D30480
dom/security/test/csp/file_script_template.html
dom/security/test/csp/file_script_template.js
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_script_template.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_script_template.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">
+<template id="a">
+  <script src="file_script_template.js"></script>
+</template>
+</head>
+<body>
+<script>
+  var temp = document.getElementsByTagName("template")[0];
+  var clon = temp.content.cloneNode(true);
+  document.body.appendChild(clon);
+</script>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_script_template.js
@@ -0,0 +1,1 @@
+// dummy *.js file
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -370,8 +370,12 @@ support-files =
   file_nonce_snapshot.sjs
 [test_uir_windowwatcher.html]
 support-files =
   file_windowwatcher_frameA.html
   file_windowwatcher_subframeB.html
   file_windowwatcher_subframeC.html
   file_windowwatcher_subframeD.html
   file_windowwatcher_win_open.html
+[test_script_template.html]
+support-files =
+  file_script_template.html
+  file_script_template.js
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_script_template.html
@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1548385 - CSP: Test script template</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/**
+ * Description of the test:
+ * We load a document using a CSP of "default-src 'unsafe-inline'"
+ * and make sure that an external script within a template gets
+ * blocked correctly.
+ */
+
+const CSP_BLOCKED_SUBJECT = "csp-on-violate-policy";
+const CSP_ALLOWED_SUBJECT = "specialpowers-http-notify-request";
+
+SimpleTest.waitForExplicitFinish();
+
+function examiner() {
+  SpecialPowers.addObserver(this, CSP_BLOCKED_SUBJECT);
+  SpecialPowers.addObserver(this, CSP_ALLOWED_SUBJECT);
+}
+
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    if (topic == CSP_BLOCKED_SUBJECT) {
+      let jsFileName = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      if (jsFileName.endsWith("file_script_template.js")) {
+        ok(true, "js file blocked by CSP");
+        this.removeAndFinish();
+      }
+    }
+
+    if (topic == CSP_ALLOWED_SUBJECT) {
+      if (data.endsWith("file_script_template.js")) {
+        ok(false, "js file allowed by CSP");
+        this.removeAndFinish();
+      }
+    }
+  },
+
+  removeAndFinish: function() {
+    SpecialPowers.removeObserver(this, CSP_BLOCKED_SUBJECT);
+    SpecialPowers.removeObserver(this, CSP_ALLOWED_SUBJECT);
+    SimpleTest.finish();
+  }
+}
+
+window.examiner = new examiner();
+document.getElementById("testframe").src = "file_script_template.html";
+
+</script>
+</body>
+</html>