blob: f68d8c03f23ba75fd7b7fe5bf3298b182f45f8bb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1069762 - Check blocked-uri in csp-reports after redirect</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
SimpleTest.waitForExplicitFinish();
/* Description of the test:
* We try to load a script from:
* http://example.com/tests/dom/security/test/csp/file_path_matching_redirect_server.sjs
* which gets redirected to:
* http://test1.example.com/tests/dom/security//test/csp/file_path_matching.js
*
* The blocked-uri in the csp-report should be:
* test1.example.com
* instead of:
* http://test1.example.com/tests/com/security/test/csp/file_path_matching.js
*
* see also: http://www.w3.org/TR/CSP/#violation-reports
*
* Note, that we reuse the test-setup from
* test_path_matching_redirect.html
*/
const reportURI = "http://mochi.test:8888/foo.sjs";
const policy = "script-src http://example.com; report-uri " + reportURI;
const testfile = "tests/dom/security/test/csp/file_path_matching_redirect.html";
var chromeScriptUrl = SimpleTest.getTestFileURL("file_report_chromescript.js");
var script = SpecialPowers.loadChromeScript(chromeScriptUrl);
script.addMessageListener('opening-request-completed', function ml(msg) {
if (msg.error) {
ok(false, "Could not query report (exception: " + msg.error + ")");
} else {
try {
var reportObj = JSON.parse(msg.report);
} catch (e) {
ok(false, "Could not parse JSON (exception: " + e + ")");
}
try {
var cspReport = reportObj["csp-report"];
// blocked-uri should only be the asciiHost instead of:
// http://test1.example.com/tests/dom/security/test/csp/file_path_matching.js
is(cspReport["blocked-uri"], "http://test1.example.com", "Incorrect blocked-uri");
} catch (e) {
ok(false, "Could not query report (exception: " + e + ")");
}
}
script.removeMessageListener('opening-request-completed', ml);
SimpleTest.finish();
});
SimpleTest.waitForExplicitFinish();
function runTest() {
var src = "file_testserver.sjs";
// append the file that should be served
src += "?file=" + escape(testfile);
// append the CSP that should be used to serve the file
src += "&csp=" + escape(policy);
document.getElementById("cspframe").src = src;
}
runTest();
</script>
</body>
</html>
|