From c1315412cc21a85fb779bef0d87dadde751cfe71 Mon Sep 17 00:00:00 2001 From: janekptacijarabaci Date: Thu, 21 Jun 2018 20:57:09 +0200 Subject: Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects https://bugzilla.mozilla.org/show_bug.cgi?id=1469150 --- ...dom_security_test_csp_file_nonce_redirector.sjs | 25 ++++++++++++ ...dom_security_test_csp_file_nonce_redirects.html | 23 +++++++++++ ...dom_security_test_csp_test_nonce_redirects.html | 47 ++++++++++++++++++++++ dom/security/test/csp/mochitest.ini | 3 ++ 4 files changed, 98 insertions(+) create mode 100644 dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs create mode 100644 dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html create mode 100644 dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html (limited to 'dom/security/test') diff --git a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs new file mode 100644 index 000000000..21a8f4e9c --- /dev/null +++ b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirector.sjs @@ -0,0 +1,25 @@ +// custom *.sjs file for +// Bug 1469150:Scripts with valid nonce get blocked if URL redirects. + +const URL_PATH = "example.com/tests/dom/security/test/csp/"; + +function handleRequest(request, response) { + response.setHeader("Cache-Control", "no-cache", false); + let queryStr = request.queryString; + + if (queryStr === "redirect") { + response.setStatusLine("1.1", 302, "Found"); + response.setHeader("Location", + "https://" + URL_PATH + "file_nonce_redirector.sjs?load", false); + return; + } + + if (queryStr === "load") { + response.setHeader("Content-Type", "application/javascript", false); + response.write("console.log('script loaded');"); + return; + } + + // we should never get here - return something unexpected + response.write("d'oh"); +} diff --git a/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html new file mode 100644 index 000000000..e29116490 --- /dev/null +++ b/dom/security/test/csp/dom_security_test_csp_file_nonce_redirects.html @@ -0,0 +1,23 @@ + + + + + + Bug 1469150:Scripts with valid nonce get blocked if URL redirects + + + + + + + + diff --git a/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html b/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html new file mode 100644 index 000000000..f84fdcc7b --- /dev/null +++ b/dom/security/test/csp/dom_security_test_csp_test_nonce_redirects.html @@ -0,0 +1,47 @@ + + + + + Bug 1469150:Scripts with valid nonce get blocked if URL redirects + + + + + + + + + + diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini index 33b112020..86b7fd0cd 100644 --- a/dom/security/test/csp/mochitest.ini +++ b/dom/security/test/csp/mochitest.ini @@ -88,6 +88,8 @@ support-files = file_shouldprocess.html file_nonce_source.html file_nonce_source.html^headers^ + file_nonce_redirects.html + file_nonce_redirector.sjs file_bug941404.html file_bug941404_xhr.html file_bug941404_xhr.html^headers^ @@ -245,6 +247,7 @@ skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445) [test_frame_ancestors_ro.html] [test_policyuri_regression_from_multipolicy.html] [test_nonce_source.html] +[test_nonce_redirects.html] [test_bug941404.html] [test_form-action.html] [test_hash_source.html] -- cgit v1.2.3