Bug 1316826 - Test for JS URLs and strict-dynamic. r=dveditz
authorFrederik Braun <fbraun+gh@mozilla.com>
Mon, 28 Nov 2016 21:56:55 -0500
changeset 324514 df24b83fca7a5771149f46711841abeaff34adb7
parent 324513 011a51e21bbbb73b83918c798756376cd62601e7
child 324515 2411fdf8a816414051e84cb2de43498d9e648d18
push id24
push usermaklebus@msu.edu
push dateTue, 20 Dec 2016 03:11:33 +0000
reviewersdveditz
bugs1316826
milestone53.0a1
Bug 1316826 - Test for JS URLs and strict-dynamic. r=dveditz MozReview-Commit-ID: EKmYoZbap25
dom/security/test/csp/file_strict_dynamic_js_url.html
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_strict_dynamic.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_strict_dynamic_js_url.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1316826 - 'strict-dynamic' blocking DOM event handlers</title>
+</head>
+<body>
+<div id="testdiv">blocked</div>
+
+<a id="jslink" href='javascript:document.getElementById("testdiv").innerHTML = "allowed"'>click me</a>
+<script nonce="foo">
+  document.getElementById("jslink").click();
+</script>
+
+</body>
+</html>
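Review bot: The `<title>` in the new file reads "'strict-dynamic' blocking DOM event handlers", which looks copied from the script-events test. This file exercises a `javascript:` URL, so `<title>Bug 1316826 - 'strict-dynamic' blocking javascript: URLs</title>` would match what it checks. A short comment above the link would also help, for example `<!-- the nonce'd script is allowed to run; the javascript: URL it clicks must not inherit that trust -->`, because the case exists to show that trust granted to the nonce'd script does not extend to `javascript:` navigation.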
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -184,16 +184,17 @@ support-files =
   file_sandbox_11.html
   file_sandbox_12.html
   file_require_sri_meta.sjs
   file_require_sri_meta.js
   file_sendbeacon.html
   file_upgrade_insecure_docwrite_iframe.sjs
   file_data-uri_blocked.html
   file_data-uri_blocked.html^headers^
+  file_strict_dynamic_js_url.html
   file_strict_dynamic_script_events.html
   file_strict_dynamic_script_events_xbl.html
   file_strict_dynamic_script_inline.html
   file_strict_dynamic_script_extern.html
   file_strict_dynamic.js
   file_strict_dynamic_parser_inserted_doc_write.html
   file_strict_dynamic_parser_inserted_doc_write_correct_nonce.html
   file_strict_dynamic_non_parser_inserted.html
--- a/dom/security/test/csp/test_strict_dynamic.html
+++ b/dom/security/test/csp/test_strict_dynamic.html
@@ -79,17 +79,23 @@ var tests = [
     policy: "script-src 'strict-dynamic' 'nonce-foo'"
   },
   {
     // marquee is a special snowflake. Extra test for xbl things.
     desc: "strict-dynamic with DOM events should be blocked (XBL)",
     result: "blocked",
     file: "file_strict_dynamic_script_events_xbl.html",
     policy: "script-src 'strict-dynamic' 'nonce-foo'"
-  }
+  },
+  {
+    desc: "strict-dynamic with JS URLs should be blocked",
+    result: "blocked",
+    file: "file_strict_dynamic_js_url.html",
+    policy: "script-src 'strict-dynamic' 'nonce-foo'"
+  },
 ];
 
 var counter = 0;
 var curTest;
 
 function loadNextTest() {
   if (counter == tests.length) {
     SimpleTest.finish();
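Review bot: The new `tests` entry asserts only the `blocked` outcome, and `testdiv` in file_strict_dynamic_js_url.html already starts out as "blocked". The case therefore also passes if the click or the `javascript:` navigation has not run by the time the harness reads the div; the result check is outside this hunk, so that timing is inferred. A paired positive control on the same file would show the test can fail: a sibling entry with `result: "allowed"` and `policy: "script-src 'unsafe-inline'"`. Without it, a regression that stops the link activation from firing at all would be indistinguishable from CSP blocking it. The body of `loadNextTest` continues past the end of the hunk.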