dom/security/test/csp/test_redirects.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

<!DOCTYPE HTML>
<html>
<head>
  <title>Tests for Content Security Policy during redirects</title>
  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">

</div>

<iframe style="width:100%;height:300px;" id="harness"></iframe>
<pre id="log"></pre>
<script class="testbody" type="text/javascript">

var path = "/tests/dom/security/test/csp/";

// debugging
function log(s) {
  return;
  dump("**" + s + "\n");
  var log = document.getElementById("log");
  log.textContent = log.textContent+s+"\n";
}

// used to watch if requests are blocked by CSP or allowed through
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype  = {
  observe: function(subject, topic, data) {
    var testpat = new RegExp("testid=([a-z0-9-]+)");
    var asciiSpec;
    var testid;

    if (topic === "specialpowers-http-notify-request") {
      // request was sent
      var allowedUri = data;
      if (!testpat.test(allowedUri)) return;
      testid = testpat.exec(allowedUri)[1];
      if (testExpectedResults[testid] == "completed") return;
      log("allowed: "+allowedUri);
      window.testResult(testid, allowedUri, true);
    }

    else if (topic === "csp-on-violate-policy") {
      // request was blocked
      asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
      if (!testpat.test(asciiSpec)) return;
      testid = testpat.exec(asciiSpec)[1];
      // had to add this check because http-on-modify-request can fire after
      // csp-on-violate-policy, apparently, even though the request does
      // not hit the wire.
      if (testExpectedResults[testid] == "completed") return;
      log("BLOCKED: "+asciiSpec);
      window.testResult(testid, asciiSpec, false);
    }
  },

  remove: function() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
}
window.examiner = new examiner();

// contains { test_frame_id : expected_result }
var testExpectedResults = { "font-src": true,
                            "font-src-redir": false,
                            "frame-src": true,
                            "frame-src-redir": false,
                            "img-src": true,
                            "img-src-redir": false,
                            "media-src": true,
                            "media-src-redir": false,
                            "object-src": true,
                            "object-src-redir": false,
                            "script-src": true,
                            "script-src-redir": false,
                            "style-src": true,
                            "style-src-redir": false,
                            "xhr-src": true,
                            "xhr-src-redir": false,
                            "from-worker": true,
                            "script-src-redir-from-worker": true, // redir is allowed since policy isn't inherited
                            "xhr-src-redir-from-worker": true, // redir is allowed since policy isn't inherited
                            "fetch-src-redir-from-worker": true, // redir is allowed since policy isn't inherited
                            "from-blob-worker": true,
                            "script-src-redir-from-blob-worker": false,
                            "xhr-src-redir-from-blob-worker": false,
                            "fetch-src-redir-from-blob-worker": false,
                            "img-src-from-css": true,
                            "img-src-redir-from-css": false,
                          };

// takes the name of the test, the URL that was tested, and whether the
// load occurred
var testResult = function(testName, url, result) {
  log("  testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");
  is(result, testExpectedResults[testName], testName+" test: "+url);

 // mark test as completed
  testExpectedResults[testName] = "completed";

  // don't finish until we've run all the tests
  for (var t in testExpectedResults) {
    if (testExpectedResults[t] != "completed") {
      return;
    }
  }

  window.examiner.remove();
  SimpleTest.finish();
}

SimpleTest.waitForExplicitFinish();

SpecialPowers.pushPrefEnv(
  {'set':[// This defaults to 0 ("preload none") on mobile (B2G/Android), which
          // blocks loading the resource until the user interacts with a
          // corresponding widget, which breaks the media_* tests. We set it
          // back to the default used by desktop Firefox to get consistent
          // behavior.
          ["media.preload.default", 2]]},
  function() {
    // save this for last so that our listeners are registered.
    // ... this loads the testbed of good and bad requests.
    document.getElementById("harness").src = "file_redirects_main.html";
  });
</script>
</pre>

</body>
</html>