1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy Connections</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
window.tests = {
img_good: -1,
img_bad: -1,
style_good: -1,
style_bad: -1,
frame_good: -1,
frame_bad: -1,
script_good: -1,
script_bad: -1,
xhr_good: -1,
xhr_bad: -1,
fetch_good: -1,
fetch_bad: -1,
beacon_good: -1,
beacon_bad: -1,
worker_xhr_same_bad: -1,
worker_xhr_cross_good: -1,
worker_fetch_same_bad: -1,
worker_fetch_cross_good: -1,
worker_script_same_good: -1,
worker_script_cross_bad: -1,
worker_inherited_xhr_good: -1,
worker_inherited_xhr_bad: -1,
worker_inherited_fetch_good: -1,
worker_inherited_fetch_bad: -1,
worker_inherited_script_good: -1,
worker_inherited_script_bad: -1,
worker_child_xhr_same_bad: -1,
worker_child_xhr_cross_bad: -1,
worker_child_script_same_bad: -1,
worker_child_script_cross_bad: -1,
worker_child_inherited_parent_xhr_bad: -1,
worker_child_inherited_parent_xhr_good: -1,
worker_child_inherited_parent_script_good: -1,
worker_child_inherited_parent_script_bad: -1,
worker_child_inherited_document_xhr_good: -1,
worker_child_inherited_document_xhr_bad: -1,
worker_child_inherited_document_script_good: -1,
worker_child_inherited_document_script_bad: -1,
media_good: -1,
media_bad: -1,
font_good: -1,
font_bad: -1,
object_good: -1,
object_bad: -1,
};
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
var testpat = new RegExp("testid=([a-z0-9_]+)");
//_good things better be allowed!
//_bad things better be stopped!
// This is a special observer topic that is proxied from
// http-on-modify-request in the parent process to inform us when a URI is
// loaded
if (topic === "specialpowers-http-notify-request") {
var uri = data;
if (!testpat.test(uri)) return;
var testid = testpat.exec(uri)[1];
window.testResult(testid,
/_good/.test(testid),
uri + " allowed by csp");
}
if (topic === "csp-on-violate-policy") {
// these were blocked... record that they were blocked
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
if (!testpat.test(asciiSpec)) return;
var testid = testpat.exec(asciiSpec)[1];
window.testResult(testid,
/_bad/.test(testid),
asciiSpec + " blocked by \"" + data + "\"");
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
window.testResult = function(testname, result, msg) {
// test already complete.... forget it... remember the first result.
if (window.tests[testname] != -1)
return;
ok(testname in window.tests, "It's a real test");
window.tests[testname] = result;
is(result, true, testname + ' test: ' + msg);
// if any test is incomplete, keep waiting
for (var v in window.tests)
if(tests[v] == -1)
return;
// ... otherwise, finish
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv(
{'set':[// This defaults to 0 ("preload none") on mobile (B2G/Android), which
// blocks loading the resource until the user interacts with a
// corresponding widget, which breaks the media_* tests. We set it
// back to the default used by desktop Firefox to get consistent
// behavior.
["media.preload.default", 2]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_main.html';
});
</script>
</pre>
</body>
</html>
|
