Bug 1069762 - CSP: blocked-uri in violation reports should not contain sensitive data - tests (r=sstamm)
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Fri, 17 Oct 2014 14:22:27 -0700
changeset 296351 c6ed7442143b3c00d139d817f2e768a7cd8fe42c
parent 296350 6227331e17ed5320b7b997d72704f8939bced596
child 296352 4ac1ba0956eb6b5713557cb7ae66b04bca874768
push id962
push userjlund@mozilla.com
push dateFri, 04 Dec 2015 23:28:54 +0000
reviewerssstamm
bugs1069762
milestone43.0a1
Bug 1069762 - CSP: blocked-uri in violation reports should not contain sensitive data - tests (r=sstamm)
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_blocked_uri_in_reports.html
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -186,8 +186,10 @@ skip-if = buildapp == 'b2g' #no ssl supp
 # no ssl support as well as websocket tests do not work (see test_websocket.html)
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
 [test_upgrade_insecure_reporting.html]
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
 [test_upgrade_insecure_referrer.html]
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
 [test_upgrade_insecure_cors.html]
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
+[test_blocked_uri_in_reports.html]
+skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_blocked_uri_in_reports.html
@@ -0,0 +1,118 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1069762 - Check blocked-uri in csp-reports after redirect</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+/* Description of the test:
+ * We try to load a script from:
+ *   http://example.com/tests/dom/security/test/csp/file_path_matching_redirect_server.sjs
+ * which gets redirected to:
+ *  http://test1.example.com/tests/dom/security//test/csp/file_path_matching.js
+ *
+ * The blocked-uri in the csp-report should be:
+ *   test1.example.com
+ * instead of:
+ *  http://test1.example.com/tests/com/security/test/csp/file_path_matching.js
+ *
+ * see also: http://www.w3.org/TR/CSP/#violation-reports
+ *
+ * Note, that we reuse the test-setup from
+ * test_path_matching_redirect.html
+ */
+
+const reportURI = "http://mochi.test:8888/foo.sjs";
+const policy = "script-src http://example.com; report-uri " + reportURI;
+const testfile = "tests/dom/security/test/csp/file_path_matching_redirect.html";
+
+// This is used to watch requests go out so we can see if the report is
+// sent correctly
+function examiner() {
+  SpecialPowers.addObserver(this, "http-on-opening-request", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI
+    if (!SpecialPowers.can_QI(subject))
+      return;
+
+    if (topic === "http-on-opening-request") {
+      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
+      if (asciiSpec !== reportURI) return;
+
+      try {
+        // Verify that the report was properly formatted.
+        // We'll parse the report text as JSON and verify that the properties
+        // have expected values.
+        var reportText = "{}";
+        var uploadStream = SpecialPowers.wrap(SpecialPowers.do_QueryInterface(subject, "nsIUploadChannel")).uploadStream;
+
+        if (uploadStream) {
+          // get the bytes from the request body
+          var binstream = SpecialPowers.Cc["@mozilla.org/binaryinputstream;1"]
+                                          .createInstance(SpecialPowers.Ci.nsIBinaryInputStream);
+          binstream.setInputStream(uploadStream);
+
+          var segments = [];
+          for (var count = uploadStream.available(); count; count = uploadStream.available()) {
+            var data = binstream.readBytes(count);
+            segments.push(data);
+          }
+
+          var reportText = segments.join("");
+          // rewind stream as we are supposed to - there will be an assertion later if we don't.
+          SpecialPowers.do_QueryInterface(uploadStream, "nsISeekableStream").seek(SpecialPowers.Ci.nsISeekableStream.NS_SEEK_SET, 0);
+        }
+        try {
+          var reportObj = JSON.parse(reportText);
+        }
+        catch (e) {
+          ok(false, "Could not parse JSON (exception: " + e + ")");
+        }
+        var cspReport = reportObj["csp-report"];
+        // blocked-uri should only be the asciiHost instead of:
+        // http://test1.example.com/tests/dom/security/test/csp/file_path_matching.js
+        is(cspReport["blocked-uri"], "http://test1.example.com", "Incorrect blocked-uri");
+      }
+      catch (e) {
+        ok(false, "Could not query report (exception: " + e + ")");
+      }
+
+      // finish up
+      window.examiner.remove();
+      SimpleTest.finish();
+    }
+  },
+
+  // remove the listener
+  remove: function() {
+    SpecialPowers.removeObserver(this, "http-on-opening-request");
+  }
+}
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+function runTest() {
+  var src = "file_testserver.sjs";
+  // append the file that should be served
+  src += "?file=" + escape(testfile);
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(policy);
+
+  document.getElementById("cspframe").src = src;
+}
+
+runTest();
+
+</script>
+</body>
+</html>
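Review bot: A malformed report body records two failures instead of one: when `JSON.parse` throws, the inner catch calls `ok(false, …)` but execution falls through to `reportObj["csp-report"]` with `reportObj` undefined, so the outer catch fires a second "Could not query report" failure; a bare `return` from the inner catch would skip the observer removal and `SimpleTest.finish()` that follow the outer try, so the cleanup belongs in a `finally` (the same restructuring also removes the duplicate `var reportText` declaration at the two `reportText` assignments). The comment just above the `is(...)` call says blocked-uri "should only be the asciiHost", and the header comment says `test1.example.com`, but the assertion expects `"http://test1.example.com"`, i.e. scheme plus host; the comment should match what the test actually pins, e.g. `// blocked-uri must be stripped to the origin (scheme + host), never the full redirected URL:`. The header comment's "tests/com/security/test/csp/file_path_matching.js" also appears to be a typo for the `tests/dom/security/...` path given a few lines earlier. `SimpleTest.waitForExplicitFinish()` is called twice, once before the examiner definition and once after; the second call is redundant.
```javascript
      try {
        // … unchanged: read the upload stream into reportText …
        var reportObj;
        try {
          reportObj = JSON.parse(reportText);
        } catch (e) {
          ok(false, "Could not parse JSON (exception: " + e + ")");
          return;
        }
        var cspReport = reportObj["csp-report"];
        // blocked-uri must be stripped to the origin (scheme + host), never the full redirected URL
        is(cspReport["blocked-uri"], "http://test1.example.com", "Incorrect blocked-uri");
      }
      catch (e) {
        ok(false, "Could not query report (exception: " + e + ")");
      }
      finally {
        // always detach the observer and finish, even on the early return above
        window.examiner.remove();
        SimpleTest.finish();
      }
```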