<!DOCTYPE HTML>
<html>
<head>
  <title>WebExtension CSP test</title>
  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
  <script type="text/javascript" src="/tests/SimpleTest/ExtensionTestUtils.js"></script>
  <script type="text/javascript" src="head.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>

<script type="text/javascript">
"use strict";

/**
 * Tests that content security policies for an add-on are actually applied to
 * documents that belong to it. This tests both the base policies and add-on
 * specific policies, and ensures that the parsed policies applied to the
 * document's principal match what was specified in the policy string.
 *
 * @param {object} [customCSP]
 */
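function* testPolicy(customCSP = null) {
  // The extension's own origin, reported by the background script once it is
  // running. Substituted for 'self' when comparing expected source lists.
  let baseURL;

  // Sources the test expects the platform's base policy to grant to every
  // extension document (checked as the first policy in checkCSP). Note that
  // script-src includes 'unsafe-eval' and 'unsafe-inline' here.
  const baseCSP = {
    "object-src": ["blob:", "filesystem:", "https://*", "moz-extension:", "'self'"],
    "script-src": ["'unsafe-eval'", "'unsafe-inline'", "blob:", "filesystem:", "https://*", "moz-extension:", "'self'"],
  };

  // Default add-on policy (checked as the second policy in checkCSP).
  // Individual directives are overridden by customCSP.
  const addonCSP = {
    "object-src": ["'self'"],
    "script-src": ["'self'"],
  };

  // Manifest string form of customCSP; null leaves the manifest key unset.
  let content_security_policy = null;

  if (customCSP) {
    const directives = Object.keys(customCSP);

    for (const key of directives) {
      // Each custom directive value is a whitespace-separated source list.
      // Trim first so surrounding whitespace cannot produce empty sources.
      addonCSP[key] = customCSP[key].trim().split(/\s+/);
    }

    content_security_policy = directives
      .map(key => `${key} ${customCSP[key]}`)
      .join("; ");
  }


  // Expected lists use the literal 'self'; the parsed policy reports the
  // extension's origin instead, so map it before comparing.
  function filterSelf(sources) {
    return sources.map(src => src === "'self'" ? baseURL : src);
  }

  // Compares directive `name` of a parsed `policy` with `expected`, ignoring
  // order. Sorts a copy so the parsed policy object is left untouched.
  function checkSource(name, policy, expected) {
    const actual = [...policy[name]].sort();
    const wanted = filterSelf(expected[name]).sort();
    is(JSON.stringify(actual),
       JSON.stringify(wanted),
       `Expected value for ${name}`);
  }

  // Verifies both policies attached to a document's principal: the base
  // policy first, then the add-on policy. Neither may be report-only.
  function checkCSP(csp, location) {
    const policies = csp["csp-policies"];

    info(`Base policy for ${location}`);

    is(policies[0]["report-only"], false, "Policy is not report-only");
    checkSource("object-src", policies[0], baseCSP);
    checkSource("script-src", policies[0], baseCSP);

    info(`Add-on policy for ${location}`);

    is(policies[1]["report-only"], false, "Policy is not report-only");
    checkSource("object-src", policies[1], addonCSP);
    checkSource("script-src", policies[1], addonCSP);
  }


  // The three functions below are serialized with `${fn}` into scripts that
  // run inside the extension (see the `background` and "tab.js" entries), so
  // they must not close over anything from this scope. getCSP is also called
  // directly from this page for the content frame.
  function getCSP(window) {
    const {cspJSON} = SpecialPowers.Cu.getObjectPrincipal(window);
    return JSON.parse(cspJSON);
  }

  function background(getCSPFn) {
    browser.test.sendMessage("base-url", browser.extension.getURL("").replace(/\/$/, ""));

    browser.test.sendMessage("background-csp", getCSPFn(window));
  }

  function tabScript(getCSPFn) {
    browser.test.sendMessage("tab-csp", getCSPFn(window));
  }

  const extension = ExtensionTestUtils.loadExtension({
    background: `(${background})(${getCSP})`,

    files: {
      "tab.html": `<html><head><meta charset="utf-8">
                   <script src="tab.js"></${"script"}></head></html>`,

      "tab.js": `(${tabScript})(${getCSP})`,

      "content.html": `<html><head><meta charset="utf-8"></head></html>`,
    },

    manifest: {
      content_security_policy,

      web_accessible_resources: ["content.html", "tab.html"],
    },
  });


  info(`Testing CSP for policy: ${content_security_policy}`);

  yield extension.startup();

  baseURL = yield extension.awaitMessage("base-url");


  const win1 = window.open(`${baseURL}/tab.html`);

  const frame = document.createElement("iframe");
  frame.src = `${baseURL}/content.html`;

  // Register the load handler before inserting the frame so the load event
  // cannot be missed.
  const frameLoaded = new Promise(resolve => {
    frame.onload = resolve;
  });
  document.body.appendChild(frame);

  yield frameLoaded;


  const backgroundCSP = yield extension.awaitMessage("background-csp");
  checkCSP(backgroundCSP, "background page");

  const tabCSP = yield extension.awaitMessage("tab-csp");
  checkCSP(tabCSP, "tab page");

  const contentCSP = getCSP(frame.contentWindow);
  checkCSP(contentCSP, "content frame");


  win1.close();
  frame.remove();

  yield extension.unload();
}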

add_task(function* testCSP() {
  // Script hash source used by the second custom policy.
  const hash = "'sha256-NjZhMDQ1YjQ1MjEwMmM1OWQ4NDBlYzA5N2Q1OWQ5NDY3ZTEzYTNmMzRmNjQ5NGU1MzlmZmQzMmMxYmIzNWYxOCAgLQo='";

  // Policies to exercise, in order: the default (no manifest CSP), a policy
  // that widens both directives, and one that tightens object-src.
  const customPolicies = [
    null,
    {
      "object-src": "'self' https://*.example.com",
      "script-src": `'self' https://*.example.com 'unsafe-eval' ${hash}`,
    },
    {
      "object-src": "'none'",
      "script-src": `'self'`,
    },
  ];

  for (const customCSP of customPolicies) {
    yield testPolicy(customCSP);
  }
});
</script>
</body>