From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001 
From: "Matt A. Tobin" Date: Fri, 2 Feb 2018 04:16:08 -0500 Subject: Add m-esr52 at 52.6.0 --- .../content-security-policy/support/alert-pass.js | 1 + .../support/alertAssert.sub.js | 43 +++++++++++ .../support/checkReport.sub.js | 84 +++++++++++++++++++++ .../content-security-policy/support/fail.asis | 5 ++ .../tests/content-security-policy/support/fail.js | 1 + .../tests/content-security-policy/support/fail.png | Bin 0 -> 759 bytes .../support/inject-image.js | 5 ++ .../content-security-policy/support/logTest.sub.js | 41 ++++++++++ .../support/media/flash.swf | Bin 0 -> 638 bytes .../tests/content-security-policy/support/pass.png | Bin 0 -> 1689 bytes .../content-security-policy/support/report.py | 34 +++++++++ .../content-security-policy/support/siblingPath.js | 5 ++ 12 files changed, 219 insertions(+) create mode 100644 testing/web-platform/tests/content-security-policy/support/alert-pass.js create mode 100644 testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/support/checkReport.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/support/fail.asis create mode 100644 testing/web-platform/tests/content-security-policy/support/fail.js create mode 100644 testing/web-platform/tests/content-security-policy/support/fail.png create mode 100644 testing/web-platform/tests/content-security-policy/support/inject-image.js create mode 100644 testing/web-platform/tests/content-security-policy/support/logTest.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/support/media/flash.swf create mode 100644 testing/web-platform/tests/content-security-policy/support/pass.png create mode 100644 testing/web-platform/tests/content-security-policy/support/report.py create mode 100644 testing/web-platform/tests/content-security-policy/support/siblingPath.js (limited to 'testing/web-platform/tests/content-security-policy/support') 
diff --git a/testing/web-platform/tests/content-security-policy/support/alert-pass.js b/testing/web-platform/tests/content-security-policy/support/alert-pass.js new file mode 100644 index 000000000..d3f811ec1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/support/alert-pass.js @@ -0,0 +1 @@ +alert_assert("PASS"); \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js b/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js new file mode 100644 index 000000000..ee9e54ea7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js @@ -0,0 +1,43 @@ +// note, this template substitution is XSS, but no way to avoid it in this framework +var expected_alerts = {{GET[alerts]}}; +var timeout= "{{GET[timeout]}}"; +if (timeout == "") { + timeout = 2; +} + +if(expected_alerts.length == 0) { + function alert_assert(msg) { + test(function () { assert_unreached(msg) }); + } +} else { + var t_alert = async_test('Expecting alerts: {{GET[alerts]}}'); + step_timeout(function() { + if(t_alert.phase != t_alert.phases.COMPLETE) { + t_alert.step(function() { assert_unreached('Alert timeout, expected alerts ' + expected_alerts + ' not fired.') }); + t_alert.done(); + } + }, timeout * 1000); + var alert_assert = function (msg) { + t_alert.step(function () { + if(msg && msg instanceof Error) { + msg = msg.message; + } + if (msg && msg.match(/^FAIL/i)) { + assert_unreached(msg); + t_alert.done(); + } + for (var i = 0; i < expected_alerts.length; i++) { + if (expected_alerts[i] == msg) { + assert_true(expected_alerts[i] == msg); + expected_alerts.splice(i, 1); + if (expected_alerts.length == 0) { + t_alert.done(); + } + return; + } + } + assert_unreached('unexpected alert: ' + msg); + t_log.done(); + }); + }.bind(this); +} 
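Review bot: The last statement of alert_assert in alertAssert.sub.js, `t_log.done();`, names a test object that this file never defines (it is the one created in logTest.sub.js); it should read `t_alert.done();`. The mistake is masked today because `assert_unreached('unexpected alert: ' + msg)` throws before that line runs, but any reordering of the assertion will surface a ReferenceError inside the step. In the same function `msg.match(/^FAIL/i)` is guarded only against `Error` instances, so a caller passing a number or object still throws a TypeError instead of being reported as an unexpected alert; coercing with `msg = String(msg);` after the `instanceof Error` branch keeps the FAIL check working for every argument type. Note also that `alert_assert` is a function declaration inside the `if` block in the empty-list branch but a `var` assignment in the `else` branch; using the `var` form in both keeps the binding's hoisting behaviour identical.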
diff --git a/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js b/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js new file mode 100644 index 000000000..803dc06d5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js 
@@ -0,0 +1,84 @@ +(function () { + + // Get values from the substitution engine. + // We can't just pull these from the document context + // because this script is intended to be transcluded into + // another document, and we want the GET values used to request it, + // not the values for the including document + + // XXX these are unencoded, so there's an unavoidable + // injection vulnerability in constructing this file... + // need to upgrade the template engine. + var reportField = "{{GET[reportField]}}"; + var reportValue = "{{GET[reportValue]}}"; + var reportExists = "{{GET[reportExists]}}"; + var noCookies = "{{GET[noCookies]}}"; + + var location = window.location; + var thisTestName = location.pathname.split('/')[location.pathname.split('/').length - 1].split('.')[0]; + + var reportID = ""; + + var cookies = document.cookie.split(';'); + for (var i = 0; i < cookies.length; i++) { + var cookieName = cookies[i].split('=')[0].trim(); + var cookieValue = cookies[i].split('=')[1].trim(); + + if (cookieName == thisTestName) { + reportID = cookieValue; + var cookieToDelete = cookieName + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=" + document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1); + document.cookie = cookieToDelete; + break; + } + } + + var timeout = document.querySelector("meta[name=timeout][content=long]") ? 
50 : 5; + var reportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=take&timeout=" + timeout + "&reportID=" + reportID; + + var reportTest = async_test("Violation report status OK."); + reportTest.step(function () { + + var report = new XMLHttpRequest(); + report.onload = reportTest.step_func(function () { + + var data = JSON.parse(report.responseText); + + if (data.error) { + assert_equals("false", reportExists, data.error); + } else { + if(reportExists != "" && reportExists == "false" && data["csp-report"]) { + assert_unreached("CSP report sent, but not expecting one: " + JSON.stringify(data["csp-report"])); + } + // Firefox expands 'self' or origins in a policy to the actual origin value + // so "www.example.com" becomes "http://www.example.com:80". + // Accomodate this by just testing that the correct directive name + // is reported, not the details... + + if(data["csp-report"] != undefined && data["csp-report"][reportField] != undefined) { + assert_true(data["csp-report"][reportField].indexOf(reportValue.split(" ")[0]) != -1, + reportField + " value of \"" + data["csp-report"][reportField] + "\" did not match " + + reportValue.split(" ")[0] + "."); + } + } + + reportTest.done(); + }); + + report.open("GET", reportLocation, true); + report.send(); + }); + + if (noCookies) { + var cookieTest = async_test("No cookies sent with report."); + var cookieReport = new XMLHttpRequest(); + cookieReport.onload = cookieTest.step_func(function () { + var data = JSON.parse(cookieReport.responseText); + assert_equals(data.reportCookies, "None"); + cookieTest.done(); + }); + var cReportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=cookies&timeout=" + timeout + "&reportID=" + reportID; + cookieReport.open("GET", cReportLocation, true); + cookieReport.send(); + }; + +})(); 
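Review bot: The cookie loop in checkReport.sub.js throws before the async_test is registered whenever `document.cookie` is empty or holds an entry without `=`: `''.split(';')` yields `['']`, so `cookies[i].split('=')[1]` is undefined and `.trim()` raises a TypeError that aborts the whole IIFE silently instead of failing a test. Splitting on the first `=` and skipping malformed entries fixes that and also stops values that themselves contain `=` from being truncated. Separately, `reportID` comes straight from the cookie and is spliced into `reportLocation` and `cReportLocation` unencoded; `encodeURIComponent(reportID)` keeps the query string well-formed. `noCookies` is a string, so `if (noCookies)` is also true for the literal "false" — comparing it the way `reportExists` is compared (`noCookies == "true"`) keeps the two flags consistent.
```javascript
    var cookies = document.cookie.split(';');
    for (var i = 0; i < cookies.length; i++) {
        var eq = cookies[i].indexOf('=');
        if (eq === -1) continue; // empty document.cookie or a bare-name entry
        var cookieName = cookies[i].substring(0, eq).trim();
        var cookieValue = cookies[i].substring(eq + 1).trim();
        // … unchanged: reportID capture and cookie deletion …
    }
```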
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.asis b/testing/web-platform/tests/content-security-policy/support/fail.asis
new file mode 100644
index 000000000..96196615b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.asis
@@ -0,0 +1,5 @@
+HTTP/1.1 200 OK
+Content-Type: text/plain
+Access-Control-Allow-Origin: *
+
+FAIL
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.js b/testing/web-platform/tests/content-security-policy/support/fail.js
new file mode 100644
index 000000000..9632567a6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.js
@@ -0,0 +1 @@
+test(function() { assert_unreached("FAIL")});
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.png b/testing/web-platform/tests/content-security-policy/support/fail.png
new file mode 100644
index 000000000..b59338033
Binary files /dev/null and b/testing/web-platform/tests/content-security-policy/support/fail.png differ
diff --git a/testing/web-platform/tests/content-security-policy/support/inject-image.js b/testing/web-platform/tests/content-security-policy/support/inject-image.js
new file mode 100644
index 000000000..cc5b60079
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/inject-image.js
@@ -0,0 +1,5 @@
+// This script block will trigger a violation report.
+var i = document.createElement('img');
+i.src = '/content-security-policy/support/fail.png';
+document.body.appendChild(i);
+log("TEST COMPLETE");
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/logTest.sub.js b/testing/web-platform/tests/content-security-policy/support/logTest.sub.js
new file mode 100644
index 000000000..f712252ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/logTest.sub.js
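Review bot: inject-image.js calls `log("TEST COMPLETE")` without defining `log`; from the other files in this commit it appears to come from logTest.sub.js, and the header comment should record that dependency, because a page that includes this script without that one fails with a ReferenceError right after the image is injected. A comment such as `// Requires logTest.sub.js to be loaded first: log() and the expected_logs list are defined there.` would make the include order explicit. The script also appends to `document.body`, so presumably it must be included after the body element exists; the same comment could say so.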
@@ -0,0 +1,41 @@ +// note, this template substitution is XSS, but no way to avoid it in this framework +var expected_logs = {{GET[logs]}}; +var timeout = "{{GET[timeout]}}"; +if (timeout == "") { + timeout = 2; +} + +if (expected_logs.length == 0) { + function log_assert(msg) { + test(function () { assert_unreached(msg) }); + } +} else { + var t_log = async_test('Expecting logs: {{GET[logs]}}'); + step_timeout(function() { + if(t_log.phase != t_log.phases.COMPLETE){ + t_log.step(function () { assert_unreached('Logging timeout, expected logs ' + expected_logs + ' not sent.') }); + t_log.done(); + } + }, timeout * 1000); + function log(msg) { + //cons/**/ole.log(msg); + t_log.step(function () { + if (msg.match(/^FAIL/i)) { + assert_unreached(msg); + t_log.done(); + } + for (var i = 0; i < expected_logs.length; i++) { + if (expected_logs[i] == msg) { + assert_true(expected_logs[i] == msg); + expected_logs.splice(i, 1); + if (expected_logs.length == 0) { + t_log.done(); + } + return; + } + } + assert_unreached('unexpected log: ' + msg); + t_log.done(); + }); + } +} diff --git a/testing/web-platform/tests/content-security-policy/support/media/flash.swf b/testing/web-platform/tests/content-security-policy/support/media/flash.swf new file mode 100644 index 000000000..80bf47e20 Binary files /dev/null and b/testing/web-platform/tests/content-security-policy/support/media/flash.swf differ diff --git a/testing/web-platform/tests/content-security-policy/support/pass.png b/testing/web-platform/tests/content-security-policy/support/pass.png new file mode 100644 index 000000000..2fa1e0ac0 Binary files /dev/null and b/testing/web-platform/tests/content-security-policy/support/pass.png differ diff --git a/testing/web-platform/tests/content-security-policy/support/report.py b/testing/web-platform/tests/content-security-policy/support/report.py new file mode 100644 index 000000000..193315fa0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/support/report.py 
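Review bot: In logTest.sub.js the empty-list branch defines `log_assert` while the non-empty branch defines `log`, so when `{{GET[logs]}}` is an empty array a caller such as inject-image.js's `log("TEST COMPLETE")` hits a ReferenceError instead of the intended `assert_unreached(msg)`; alertAssert.sub.js in the same commit uses one name, `alert_assert`, in both branches, and this file should do the same with `function log(msg) {` in the `if` branch. Both definitions are function declarations inside `if`/`else` blocks, whose hoisting in sloppy-mode scripts depends on Annex B semantics; `var log = function (msg) {` in each branch, matching the `var alert_assert = function` form next door, avoids that. `log` also calls `msg.match` with no type check, so a non-string argument throws a TypeError inside the step rather than being reported as an unexpected log; `msg = String(msg);` at the top of the step fixes it. The commented-out `//cons/**/ole.log(msg);` is dead code and should be dropped.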
@@ -0,0 +1,34 @@ +import time +import json +import re + +def main(request, response): + op = request.GET.first("op"); + key = request.GET.first("reportID") + + if op == "take": + timeout = float(request.GET.first("timeout")) + t0 = time.time() + while time.time() - t0 < timeout: + time.sleep(0.5) + value = request.server.stash.take(key=key) + if value is not None: + return [("Content-Type", "application/json")], value + + return [("Content-Type", "application/json")], json.dumps({'error': 'No such report.' , 'guid' : key}) + + if op == "cookies": + cval = request.server.stash.take(key=re.sub('^...', 'ccc', key)) + if cval is None: + cval = "\"None\"" + + return [("Content-Type", "application/json")], "{ \"reportCookies\" : " + cval + "}" + + if hasattr(request, 'Cookies'): + request.server.stash.put(key=re.sub('^...', 'ccc', key), value=request.Cookies) + + report = request.body + report.rstrip() + request.server.stash.take(key=key) + request.server.stash.put(key=key, value=report) + return [("Content-Type", "text/plain")], "Recorded report " + report diff --git a/testing/web-platform/tests/content-security-policy/support/siblingPath.js b/testing/web-platform/tests/content-security-policy/support/siblingPath.js new file mode 100644 index 000000000..f4012f04d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/support/siblingPath.js @@ -0,0 +1,5 @@ + buildSiblingPath = function(hostPrefix, relativePath, newPort) { + var port = newPort ? newPort : document.location.port; + var path = document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1); + return (document.location.protocol + '//' + hostPrefix + "." + document.location.hostname + ':' + port + path + relativePath); +}; \ No newline at end of file -- cgit v1.2.3
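Review bot: In report.py the line `report.rstrip()` discards its result, so the stored report keeps any trailing whitespace; it should be `report = report.rstrip()`. The cookie path can also pass vacuously: `hasattr(request, 'Cookies')` decides whether anything is stashed under the `ccc` key, and if that attribute name does not match what the server's request object actually exposes (wptserve's Request documents a lowercase `cookies` attribute — verify against the server in this tree), nothing is ever stored, `op=cookies` always answers `"None"`, and the "No cookies sent with report." check in checkReport.sub.js passes regardless of what the browser sent. The `re.sub('^...', 'ccc', key)` key derivation is used twice and deserves a comment such as `# cookie record shares the report key with its first three characters replaced by 'ccc'`; the stray `;` after `request.GET.first("op")` should go as well.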
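Review bot: `buildSiblingPath = function(...)` in siblingPath.js assigns an undeclared identifier, creating an implicit global and a ReferenceError should the including page ever run in strict mode; declare it with `var buildSiblingPath = function(hostPrefix, relativePath, newPort) {`. The helper has no documentation; a header like `// Returns an absolute URL on <hostPrefix>.<current hostname>, optionally on newPort, for relativePath resolved against the current document's directory.` tells readers what the three parameters mean. The leading space before the assignment is also out of step with the rest of the file.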