authorwolfbeast <>2019-04-05 20:01:10 +0200
committerwolfbeast <>2019-04-05 20:01:10 +0200
commitc3b63b831cd2c64700e875b28540212c7c881ac6 (patch)
treeedd98fcbd2004d3b562904f822bf6c3322fc7f52 /toolkit/components/webextensions/test/xpcshell/test_csp_validator.js
parentd432e068a21c815d5d5e7bcbc1cc8c6e77a7d1e0 (diff)
parentcc07da9cb4d6e7a53f8d953427ffc2bca2e0c2df (diff)
Merge branch 'master' into 816
Diffstat (limited to 'toolkit/components/webextensions/test/xpcshell/test_csp_validator.js')
1 files changed, 0 insertions, 85 deletions
diff --git a/toolkit/components/webextensions/test/xpcshell/test_csp_validator.js b/toolkit/components/webextensions/test/xpcshell/test_csp_validator.js
deleted file mode 100644
index 59a7322bc..000000000
--- a/toolkit/components/webextensions/test/xpcshell/test_csp_validator.js
+++ /dev/null
@@ -1,85 +0,0 @@
-/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
-/* vim: set sts=2 sw=2 et tw=80: */
-"use strict";
-const cps = Cc[";1"].getService(Ci.nsIAddonContentPolicy);
-add_task(function* test_csp_validator() {
- let checkPolicy = (policy, expectedResult, message = null) => {
- do_print(`Checking policy: ${policy}`);
- let result = cps.validateAddonCSP(policy);
- equal(result, expectedResult);
- };
- checkPolicy("script-src 'self'; object-src 'self';",
- null);
- let hash = "'sha256-NjZhMDQ1YjQ1MjEwMmM1OWQ4NDBlYzA5N2Q1OWQ5NDY3ZTEzYTNmMzRmNjQ5NGU1MzlmZmQzMmMxYmIzNWYxOCAgLQo='";
- checkPolicy(`script-src 'self' https://com https://* moz-extension://09abcdef blob: filesystem: ${hash} 'unsafe-eval'; ` +
- `object-src 'self' https://com https://* moz-extension://09abcdef blob: filesystem: ${hash}`,
- null);
- checkPolicy("",
- "Policy is missing a required \u2018script-src\u2019 directive");
- checkPolicy("object-src 'none';",
- "Policy is missing a required \u2018script-src\u2019 directive");
- checkPolicy("default-src 'self'", null,
- "A valid default-src should count as a valid script-src or object-src");
- checkPolicy("default-src 'self'; script-src 'self'", null,
- "A valid default-src should count as a valid script-src or object-src");
- checkPolicy("default-src 'self'; object-src 'self'", null,
- "A valid default-src should count as a valid script-src or object-src");
- checkPolicy("default-src 'self'; script-src",
- "\u2018script-src\u2019 directive contains a forbidden http: protocol source",
- "A valid default-src should not allow an invalid script-src directive");
- checkPolicy("default-src 'self'; object-src",
- "\u2018object-src\u2019 directive contains a forbidden http: protocol source",
- "A valid default-src should not allow an invalid object-src directive");
- checkPolicy("script-src 'self';",
- "Policy is missing a required \u2018object-src\u2019 directive");
- checkPolicy("script-src 'none'; object-src 'none'",
- "\u2018script-src\u2019 must include the source 'self'");
- checkPolicy("script-src 'self'; object-src 'none';",
- null);
- checkPolicy("script-src 'self' 'unsafe-inline'; object-src 'self';",
- "\u2018script-src\u2019 directive contains a forbidden 'unsafe-inline' keyword");
- let directives = ["script-src", "object-src"];
- for (let [directive, other] of [directives, directives.slice().reverse()]) {
- for (let src of ["https://*", "https://*", "https://*"]) {
- checkPolicy(`${directive} 'self' ${src}; ${other} 'self';`,
- `https: wildcard sources in \u2018${directive}\u2019 directives must include at least one non-generic sub-domain (e.g., * rather than *.com)`);
- }
- checkPolicy(`${directive} 'self' https:; ${other} 'self';`,
- `https: protocol requires a host in \u2018${directive}\u2019 directives`);
- checkPolicy(`${directive} 'self'; ${other} 'self';`,
- `\u2018${directive}\u2019 directive contains a forbidden http: protocol source`);
- for (let protocol of ["http", "ftp", "meh"]) {
- checkPolicy(`${directive} 'self' ${protocol}:; ${other} 'self';`,
- `\u2018${directive}\u2019 directive contains a forbidden ${protocol}: protocol source`);
- }
- checkPolicy(`${directive} 'self' 'nonce-01234'; ${other} 'self';`,
- `\u2018${directive}\u2019 directive contains a forbidden 'nonce-*' keyword`);
- }