From 896e23c20eba71bffa77cb0874b9b341e1b6c264 Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Fri, 25 Aug 2017 10:38:52 +0200
Subject: CSP: connect-src 'self' should always include https: and wss: schemes

---
 dom/security/test/csp/file_websocket_explicit.html | 31 +++++++++++
 dom/security/test/csp/file_websocket_self.html     | 31 +++++++++++
 dom/security/test/csp/file_websocket_self_wsh.py   |  7 +++
 dom/security/test/csp/mochitest.ini                |  5 ++
 dom/security/test/csp/test_websocket_self.html     | 61 ++++++++++++++++++++++
 5 files changed, 135 insertions(+)
 create mode 100644 dom/security/test/csp/file_websocket_explicit.html
 create mode 100644 dom/security/test/csp/file_websocket_self.html
 create mode 100644 dom/security/test/csp/file_websocket_self_wsh.py
 create mode 100644 dom/security/test/csp/test_websocket_self.html

(limited to 'dom/security/test/csp')

diff --git a/dom/security/test/csp/file_websocket_explicit.html b/dom/security/test/csp/file_websocket_explicit.html
new file mode 100644
index 000000000..51462ab74
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_explicit.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>
+  <meta http-equiv="Content-Security-Policy" content="connect-src ws:">
+</head>
+<body>
+  <script type="application/javascript">
+    /* load socket using ws */
+    var wsSocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wsSocket.onopen = function(e) {
+      window.parent.postMessage({result: "explicit-ws-loaded"}, "*");
+      wsSocket.close();
+    };
+    wsSocket.onerror = function(e) {
+      window.parent.postMessage({result: "explicit-ws-blocked"}, "*");
+    };
+
+    /* load socket using wss */
+    var wssSocket = new WebSocket("wss://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wssSocket.onopen = function(e) {
+      window.parent.postMessage({result: "explicit-wss-loaded"}, "*");
+      wssSocket.close();
+    };
+    wssSocket.onerror = function(e) {
+      window.parent.postMessage({result: "explicit-wss-blocked"}, "*");
+    };
+  </script>
+</body>
+</html>
diff --git a/dom/security/test/csp/file_websocket_self.html b/dom/security/test/csp/file_websocket_self.html
new file mode 100644
index 000000000..3ff5f0558
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_self.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>
+  <meta http-equiv="Content-Security-Policy" content="connect-src 'self'">
+</head>
+<body>
+  <script type="application/javascript">
+    /* load socket using ws */
+    var wsSocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wsSocket.onopen = function(e) {
+      window.parent.postMessage({result: "self-ws-loaded"}, "*");
+      wsSocket.close();
+    };
+    wsSocket.onerror = function(e) {
+      window.parent.postMessage({result: "self-ws-blocked"}, "*");
+    };
+
+    /* load socket using wss */
+    var wssSocket = new WebSocket("wss://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wssSocket.onopen = function(e) {
+      window.parent.postMessage({result: "self-wss-loaded"}, "*");
+      wssSocket.close();
+    };
+    wssSocket.onerror = function(e) {
+      window.parent.postMessage({result: "self-wss-blocked"}, "*");
+    };
+  </script>
+</body>
+</html>
diff --git a/dom/security/test/csp/file_websocket_self_wsh.py b/dom/security/test/csp/file_websocket_self_wsh.py
new file mode 100644
index 000000000..5fe508a91
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_self_wsh.py
@@ -0,0 +1,7 @@
+from mod_pywebsocket import msgutil
+
+def web_socket_do_extra_handshake(request):
+  pass
+
+def web_socket_transfer_data(request):
+  pass
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 8d44e9b0b..2102cbe70 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -215,6 +215,9 @@ support-files =
   file_image_nonce.html^headers^
   file_punycode_host_src.sjs
   file_punycode_host_src.js
+  file_websocket_self.html
+  file_websocket_explicit.html
+  file_websocket_self_wsh.py
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -311,3 +314,5 @@ support-files =
 [test_ignore_xfo.html]
 [test_image_nonce.html]
 [test_punycode_host_src.html]
+[test_websocket_self.html]
+skip-if = toolkit == 'android'
diff --git a/dom/security/test/csp/test_websocket_self.html b/dom/security/test/csp/test_websocket_self.html
new file mode 100644
index 000000000..a03c32704
--- /dev/null
+++ b/dom/security/test/csp/test_websocket_self.html
@@ -0,0 +1,61 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="test_ws_self_frame"></iframe>
+<iframe style="width:100%;" id="test_ws_explicit_frame"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load an iframe using connect-src 'self' and one
+ *            iframe using connect-src ws: and make
+ * sure that in both cases ws: as well as wss: is allowed to load.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+const TOTAL_TESTS = 4;
+var counter = 0;
+
+function checkResults(result) {
+  counter++;
+  if (result === "self-ws-loaded" || result === "self-wss-loaded" ||
+      result === "explicit-ws-loaded" || result === "explicit-wss-loaded") {
+    ok(true, "Evaluating: " + result);
+  }
+  else {
+    ok(false, "Evaluating: " + result);
+  }
+  if (counter < TOTAL_TESTS) {
+    return;
+  }
+  finishTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+const HOST = "http://example.com/tests/dom/security/test/csp/";
+var test_ws_self_frame = document.getElementById("test_ws_self_frame");
+test_ws_self_frame.src = HOST + "file_websocket_self.html";
+
+var test_ws_explicit_frame = document.getElementById("test_ws_explicit_frame");
+test_ws_explicit_frame.src = HOST + "file_websocket_explicit.html";
+
+</script>
+</body>
+</html>
-- 
cgit v1.2.3