From 7d67148f52d158b80841f83dc7a023c637e11bf0 Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Sat, 14 Apr 2018 22:22:59 +0200
Subject: moebius#159: CSP - support for "frame-ancestors" in
 "Content-Security-Policy-Report-Only"

https://github.com/MoonchildProductions/moebius/pull/159
---
 dom/security/test/csp/file_frame_ancestors_ro.html |  1 +
 .../test/csp/file_frame_ancestors_ro.html^headers^ |  1 +
 dom/security/test/csp/mochitest.ini                |  3 +
 dom/security/test/csp/test_frame_ancestors_ro.html | 69 ++++++++++++++++++++++
 4 files changed, 74 insertions(+)
 create mode 100644 dom/security/test/csp/file_frame_ancestors_ro.html
 create mode 100644 dom/security/test/csp/file_frame_ancestors_ro.html^headers^
 create mode 100644 dom/security/test/csp/test_frame_ancestors_ro.html

(limited to 'dom/security/test/csp')

diff --git a/dom/security/test/csp/file_frame_ancestors_ro.html b/dom/security/test/csp/file_frame_ancestors_ro.html
new file mode 100644
index 000000000..ff5ae9cf9
--- /dev/null
+++ b/dom/security/test/csp/file_frame_ancestors_ro.html
@@ -0,0 +1 @@
+<html><body>Child Document</body></html>
diff --git a/dom/security/test/csp/file_frame_ancestors_ro.html^headers^ b/dom/security/test/csp/file_frame_ancestors_ro.html^headers^
new file mode 100644
index 000000000..d018af3a9
--- /dev/null
+++ b/dom/security/test/csp/file_frame_ancestors_ro.html^headers^
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: frame-ancestors 'none'; report-uri http://mochi.test:8888/foo.sjs
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index ca5c2c6ea..33b112020 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -91,6 +91,8 @@ support-files =
   file_bug941404.html
   file_bug941404_xhr.html
   file_bug941404_xhr.html^headers^
+  file_frame_ancestors_ro.html
+  file_frame_ancestors_ro.html^headers^
   file_hash_source.html
   file_dual_header_testserver.sjs
   file_hash_source.html^headers^
@@ -240,6 +242,7 @@ skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_bug910139.html]
 [test_bug909029.html]
 [test_bug1229639.html]
+[test_frame_ancestors_ro.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_bug941404.html]
diff --git a/dom/security/test/csp/test_frame_ancestors_ro.html b/dom/security/test/csp/test_frame_ancestors_ro.html
new file mode 100644
index 000000000..90f68e25e
--- /dev/null
+++ b/dom/security/test/csp/test_frame_ancestors_ro.html
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for frame-ancestors support in Content-Security-Policy-Report-Only</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width: 100%" id="cspframe"></iframe>
+<script type="text/javascript">
+const docUri = "http://mochi.test:8888/tests/dom/security/test/csp/file_frame_ancestors_ro.html";
+const frame = document.getElementById("cspframe");
+
+let testResults = {
+  reportFired: false,
+  frameLoaded: false
+};
+
+function checkResults(reportObj) {
+  let cspReport = reportObj["csp-report"];
+  is(cspReport["document-uri"], docUri, "Incorrect document-uri");
+
+  // we can not test for the whole referrer since it includes platform specific information
+  is(cspReport["referrer"], document.location.toString(), "Incorrect referrer");
+  is(cspReport["blocked-uri"], document.location.toString(), "Incorrect blocked-uri");
+  is(cspReport["violated-directive"], "frame-ancestors 'none'", "Incorrect violated-directive");
+  is(cspReport["original-policy"], "frame-ancestors 'none'; report-uri http://mochi.test:8888/foo.sjs", "Incorrect original-policy");
+  testResults.reportFired = true;
+}
+
+let chromeScriptUrl = SimpleTest.getTestFileURL("file_report_chromescript.js");
+let script = SpecialPowers.loadChromeScript(chromeScriptUrl);
+
+script.addMessageListener('opening-request-completed', function ml(msg) {
+  if (msg.error) {
+    ok(false, "Could not query report (exception: " + msg.error + ")");
+  } else {
+    try {
+      let reportObj = JSON.parse(msg.report);
+      // test for the proper values in the report object
+      checkResults(reportObj);
+    } catch (e) {
+      ok(false, "Error verifying report object (exception: " + e + ")");
+    }
+  }
+
+  script.removeMessageListener('opening-request-completed', ml);
+  script.sendAsyncMessage("finish");
+  checkTestResults();
+});
+
+frame.addEventListener( 'load', () => {
+  // Make sure the frame is still loaded
+  testResults.frameLoaded = true;
+  checkTestResults()
+} );
+
+function checkTestResults() {
+  if( testResults.reportFired && testResults.frameLoaded ) {
+    SimpleTest.finish();
+  }
+}
+
+SimpleTest.waitForExplicitFinish();
+frame.src = docUri;
+
+</script>
+</body>
+</html>
-- 
cgit v1.2.3


From bd851735628cd6b07285e87fa60081e9d11a3b7e Mon Sep 17 00:00:00 2001
From: Gaming4JC <g4jc@bulletmail.org>
Date: Sat, 26 May 2018 15:00:01 -0400
Subject: Remove support and tests for HSTS priming from the tree. Fixes #384

---
 dom/security/test/csp/test_referrerdirective.html | 2 --
 1 file changed, 2 deletions(-)

(limited to 'dom/security/test/csp')

diff --git a/dom/security/test/csp/test_referrerdirective.html b/dom/security/test/csp/test_referrerdirective.html
index 770fcc40b..f590460a0 100644
--- a/dom/security/test/csp/test_referrerdirective.html
+++ b/dom/security/test/csp/test_referrerdirective.html
@@ -116,8 +116,6 @@ SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPrefEnv({
     'set': [['security.mixed_content.block_active_content',   false],
             ['security.mixed_content.block_display_content',  false],
-            ['security.mixed_content.send_hsts_priming',  false],
-            ['security.mixed_content.use_hsts',  false],
     ]
     },
     function() {
-- 
cgit v1.2.3


From c1315412cc21a85fb779bef0d87dadde751cfe71 Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Thu, 21 Jun 2018 20:57:09 +0200
Subject: Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL
 redirects

https://bugzilla.mozilla.org/show_bug.cgi?id=1469150
---
 ...dom_security_test_csp_file_nonce_redirector.sjs | 25 ++++++++++++
 ...dom_security_test_csp_file_nonce_redirects.html | 23 +++++++++++
 ...dom_security_test_csp_test_nonce_redirects.html | 47 ++++++++++++++++++++++
 dom/security/test/csp/mochitest.ini                |  3 ++
 4 files changed, 98 insertions(+)
 create mode 100644 dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs
 create mode 100644 dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html
 create mode 100644 dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html

(limited to 'dom/security/test/csp')

diff --git a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs
new file mode 100644
index 000000000..21a8f4e9c
--- /dev/null
+++ b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs
@@ -0,0 +1,25 @@
+// custom *.sjs file for
+// Bug 1469150:Scripts with valid nonce get blocked if URL redirects.
+
+const URL_PATH = "example.com/tests/dom/security/test/csp/";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  let queryStr = request.queryString;
+
+  if (queryStr === "redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location",
+      "https://" + URL_PATH + "file_nonce_redirector.sjs?load", false);
+    return;
+  }
+
+  if (queryStr === "load") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write("console.log('script loaded');");
+    return;
+  }
+
+  // we should never get here - return something unexpected
+  response.write("d'oh");
+}
diff --git a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html
new file mode 100644
index 000000000..e29116490
--- /dev/null
+++ b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+  <meta charset='utf-8'>
+  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  </head>
+<body>
+
+<script nonce='abcd1234' id='redirectScript'></script>
+
+<script nonce='abcd1234' type='application/javascript'>
+  var redirectScript = document.getElementById('redirectScript');
+  redirectScript.onload = function(e) {
+    window.parent.postMessage({result: 'script-loaded'}, '*');
+  };
+  redirectScript.onerror = function(e) {
+    window.parent.postMessage({result: 'script-blocked'}, '*');
+  }
+  redirectScript.src = 'file_nonce_redirector.sjs?redirect';
+</script>
+</body>
+</html>
diff --git a/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html b/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html
new file mode 100644
index 000000000..f84fdcc7b
--- /dev/null
+++ b/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load a script with a matching nonce, which redirects
+ * and we make sure that script is allowed.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(aResult) {
+
+  if (aResult === "script-loaded") {
+    ok(true, "expected result: script loaded");
+  }
+  else {
+    ok(false, "unexpected result: script blocked");
+  }
+  finishTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+document.getElementById("testframe").src = "file_nonce_redirects.html";
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 33b112020..86b7fd0cd 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -88,6 +88,8 @@ support-files =
   file_shouldprocess.html
   file_nonce_source.html
   file_nonce_source.html^headers^
+  file_nonce_redirects.html
+  file_nonce_redirector.sjs
   file_bug941404.html
   file_bug941404_xhr.html
   file_bug941404_xhr.html^headers^
@@ -245,6 +247,7 @@ skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_frame_ancestors_ro.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
+[test_nonce_redirects.html]
 [test_bug941404.html]
 [test_form-action.html]
 [test_hash_source.html]
-- 
cgit v1.2.3


From d413e1fb87779a0c3f474f8e773e01ad0878beea Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Sat, 23 Jun 2018 04:29:34 +0200
Subject: Bug 1469150 - Tests added to check scripts with valid nonce is
 allowed if URL redirects (follow up)

---
 ...dom_security_test_csp_file_nonce_redirector.sjs | 25 ------------
 ...dom_security_test_csp_file_nonce_redirects.html | 23 -----------
 ...dom_security_test_csp_test_nonce_redirects.html | 47 ----------------------
 dom/security/test/csp/file_nonce_redirector.sjs    | 25 ++++++++++++
 dom/security/test/csp/file_nonce_redirects.html    | 23 +++++++++++
 dom/security/test/csp/test_nonce_redirects.html    | 47 ++++++++++++++++++++++
 6 files changed, 95 insertions(+), 95 deletions(-)
 delete mode 100644 dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs
 delete mode 100644 dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html
 delete mode 100644 dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html
 create mode 100644 dom/security/test/csp/file_nonce_redirector.sjs
 create mode 100644 dom/security/test/csp/file_nonce_redirects.html
 create mode 100644 dom/security/test/csp/test_nonce_redirects.html

(limited to 'dom/security/test/csp')

diff --git a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs
deleted file mode 100644
index 21a8f4e9c..000000000
--- a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs
+++ /dev/null
@@ -1,25 +0,0 @@
-// custom *.sjs file for
-// Bug 1469150:Scripts with valid nonce get blocked if URL redirects.
-
-const URL_PATH = "example.com/tests/dom/security/test/csp/";
-
-function handleRequest(request, response) {
-  response.setHeader("Cache-Control", "no-cache", false);
-  let queryStr = request.queryString;
-
-  if (queryStr === "redirect") {
-    response.setStatusLine("1.1", 302, "Found");
-    response.setHeader("Location",
-      "https://" + URL_PATH + "file_nonce_redirector.sjs?load", false);
-    return;
-  }
-
-  if (queryStr === "load") {
-    response.setHeader("Content-Type", "application/javascript", false);
-    response.write("console.log('script loaded');");
-    return;
-  }
-
-  // we should never get here - return something unexpected
-  response.write("d'oh");
-}
diff --git a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html
deleted file mode 100644
index e29116490..000000000
--- a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html
+++ /dev/null
@@ -1,23 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-  <head>
-  <meta charset='utf-8'>
-  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
-  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
-  </head>
-<body>
-
-<script nonce='abcd1234' id='redirectScript'></script>
-
-<script nonce='abcd1234' type='application/javascript'>
-  var redirectScript = document.getElementById('redirectScript');
-  redirectScript.onload = function(e) {
-    window.parent.postMessage({result: 'script-loaded'}, '*');
-  };
-  redirectScript.onerror = function(e) {
-    window.parent.postMessage({result: 'script-blocked'}, '*');
-  }
-  redirectScript.src = 'file_nonce_redirector.sjs?redirect';
-</script>
-</body>
-</html>
diff --git a/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html b/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html
deleted file mode 100644
index f84fdcc7b..000000000
--- a/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html
+++ /dev/null
@@ -1,47 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
-  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<iframe style="width:100%;" id="testframe"></iframe>
-
-<script class="testbody" type="text/javascript">
-
-/* Description of the test:
- * We load a script with a matching nonce, which redirects
- * and we make sure that script is allowed.
- */
-
-SimpleTest.waitForExplicitFinish();
-
-function finishTest() {
-  window.removeEventListener("message", receiveMessage);
-  SimpleTest.finish();
-}
-
-function checkResults(aResult) {
-
-  if (aResult === "script-loaded") {
-    ok(true, "expected result: script loaded");
-  }
-  else {
-    ok(false, "unexpected result: script blocked");
-  }
-  finishTest();
-}
-
-window.addEventListener("message", receiveMessage);
-function receiveMessage(event) {
-  checkResults(event.data.result);
-}
-
-document.getElementById("testframe").src = "file_nonce_redirects.html";
-
-</script>
-</body>
-</html>
diff --git a/dom/security/test/csp/file_nonce_redirector.sjs b/dom/security/test/csp/file_nonce_redirector.sjs
new file mode 100644
index 000000000..21a8f4e9c
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_redirector.sjs
@@ -0,0 +1,25 @@
+// custom *.sjs file for
+// Bug 1469150:Scripts with valid nonce get blocked if URL redirects.
+
+const URL_PATH = "example.com/tests/dom/security/test/csp/";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  let queryStr = request.queryString;
+
+  if (queryStr === "redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location",
+      "https://" + URL_PATH + "file_nonce_redirector.sjs?load", false);
+    return;
+  }
+
+  if (queryStr === "load") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write("console.log('script loaded');");
+    return;
+  }
+
+  // we should never get here - return something unexpected
+  response.write("d'oh");
+}
diff --git a/dom/security/test/csp/file_nonce_redirects.html b/dom/security/test/csp/file_nonce_redirects.html
new file mode 100644
index 000000000..e29116490
--- /dev/null
+++ b/dom/security/test/csp/file_nonce_redirects.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+  <meta charset='utf-8'>
+  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  </head>
+<body>
+
+<script nonce='abcd1234' id='redirectScript'></script>
+
+<script nonce='abcd1234' type='application/javascript'>
+  var redirectScript = document.getElementById('redirectScript');
+  redirectScript.onload = function(e) {
+    window.parent.postMessage({result: 'script-loaded'}, '*');
+  };
+  redirectScript.onerror = function(e) {
+    window.parent.postMessage({result: 'script-blocked'}, '*');
+  }
+  redirectScript.src = 'file_nonce_redirector.sjs?redirect';
+</script>
+</body>
+</html>
diff --git a/dom/security/test/csp/test_nonce_redirects.html b/dom/security/test/csp/test_nonce_redirects.html
new file mode 100644
index 000000000..f84fdcc7b
--- /dev/null
+++ b/dom/security/test/csp/test_nonce_redirects.html
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1469150:Scripts with valid nonce get blocked if URL redirects</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load a script with a matching nonce, which redirects
+ * and we make sure that script is allowed.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(aResult) {
+
+  if (aResult === "script-loaded") {
+    ok(true, "expected result: script loaded");
+  }
+  else {
+    ok(false, "unexpected result: script blocked");
+  }
+  finishTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+document.getElementById("testframe").src = "file_nonce_redirects.html";
+
+</script>
+</body>
+</html>
-- 
cgit v1.2.3