diff options
Diffstat (limited to 'toolkit/components/webextensions/test/mochitest/test_ext_content_security_policy.html')
| -rw-r--r-- | toolkit/components/webextensions/test/mochitest/test_ext_content_security_policy.html | 162 |
1 files changed, 0 insertions, 162 deletions
diff --git a/toolkit/components/webextensions/test/mochitest/test_ext_content_security_policy.html b/toolkit/components/webextensions/test/mochitest/test_ext_content_security_policy.html deleted file mode 100644 index a36f29563..000000000 --- a/toolkit/components/webextensions/test/mochitest/test_ext_content_security_policy.html +++ /dev/null @@ -1,162 +0,0 @@ -<!DOCTYPE HTML> -<html> -<head> - <title>WebExtension CSP test</title> - <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> - <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script> - <script type="text/javascript" src="/tests/SimpleTest/ExtensionTestUtils.js"></script> - <script type="text/javascript" src="head.js"></script> - <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> -</head> -<body> - -<script type="text/javascript"> -"use strict"; - -/** - * Tests that content security policies for an add-on are actually applied to * - * documents that belong to it. This tests both the base policies and add-on - * specific policies, and ensures that the parsed policies applied to the - * document's principal match what was specified in the policy string. - * - * @param {object} [customCSP] - */ -function* testPolicy(customCSP = null) { - let baseURL; - - let baseCSP = { - "object-src": ["blob:", "filesystem:", "https://*", "moz-extension:", "'self'"], - "script-src": ["'unsafe-eval'", "'unsafe-inline'", "blob:", "filesystem:", "https://*", "moz-extension:", "'self'"], - }; - - let addonCSP = { - "object-src": ["'self'"], - "script-src": ["'self'"], - }; - - let content_security_policy = null; - - if (customCSP) { - for (let key of Object.keys(customCSP)) { - addonCSP[key] = customCSP[key].split(/\s+/); - } - - content_security_policy = Object.keys(customCSP) - .map(key => `${key} ${customCSP[key]}`) - .join("; "); - } - - - function filterSelf(sources) { - return sources.map(src => src == "'self'" ? baseURL : src); - } - - function checkSource(name, policy, expected) { - is(JSON.stringify(policy[name].sort()), - JSON.stringify(filterSelf(expected[name]).sort()), - `Expected value for ${name}`); - } - - function checkCSP(csp, location) { - let policies = csp["csp-policies"]; - - info(`Base policy for ${location}`); - - is(policies[0]["report-only"], false, "Policy is not report-only"); - checkSource("object-src", policies[0], baseCSP); - checkSource("script-src", policies[0], baseCSP); - - info(`Add-on policy for ${location}`); - - is(policies[1]["report-only"], false, "Policy is not report-only"); - checkSource("object-src", policies[1], addonCSP); - checkSource("script-src", policies[1], addonCSP); - } - - - function getCSP(window) { - let {cspJSON} = SpecialPowers.Cu.getObjectPrincipal(window); - return JSON.parse(cspJSON); - } - - function background(getCSPFn) { - browser.test.sendMessage("base-url", browser.extension.getURL("").replace(/\/$/, "")); - - browser.test.sendMessage("background-csp", getCSPFn(window)); - } - - function tabScript(getCSPFn) { - browser.test.sendMessage("tab-csp", getCSPFn(window)); - } - - let extension = ExtensionTestUtils.loadExtension({ - background: `(${background})(${getCSP})`, - - files: { - "tab.html": `<html><head><meta charset="utf-8"> - <script src="tab.js"></${"script"}></head></html>`, - - "tab.js": `(${tabScript})(${getCSP})`, - - "content.html": `<html><head><meta charset="utf-8"></head></html>`, - }, - - manifest: { - content_security_policy, - - web_accessible_resources: ["content.html", "tab.html"], - }, - }); - - - info(`Testing CSP for policy: ${content_security_policy}`); - - yield extension.startup(); - - baseURL = yield extension.awaitMessage("base-url"); - - - let win1 = window.open(`${baseURL}/tab.html`); - - let frame = document.createElement("iframe"); - frame.src = `${baseURL}/content.html`; - document.body.appendChild(frame); - - yield new Promise(resolve => { - frame.onload = resolve; - }); - - - let backgroundCSP = yield extension.awaitMessage("background-csp"); - checkCSP(backgroundCSP, "background page"); - - let tabCSP = yield extension.awaitMessage("tab-csp"); - checkCSP(tabCSP, "tab page"); - - let contentCSP = getCSP(frame.contentWindow); - checkCSP(contentCSP, "content frame"); - - - win1.close(); - frame.remove(); - - yield extension.unload(); -} - -add_task(function* testCSP() { - yield testPolicy(null); - - let hash = "'sha256-NjZhMDQ1YjQ1MjEwMmM1OWQ4NDBlYzA5N2Q1OWQ5NDY3ZTEzYTNmMzRmNjQ5NGU1MzlmZmQzMmMxYmIzNWYxOCAgLQo='"; - - yield testPolicy({ - "object-src": "'self' https://*.example.com", - "script-src": `'self' https://*.example.com 'unsafe-eval' ${hash}`, - }); - - yield testPolicy({ - "object-src": "'none'", - "script-src": `'self'`, - }); -}); -</script> -</body> |