diff options
Diffstat (limited to 'dom/security/test/sri')
56 files changed, 1222 insertions, 0 deletions
diff --git a/dom/security/test/sri/file_bug_1271796.css b/dom/security/test/sri/file_bug_1271796.css new file mode 100644 index 000000000..c0928f2cf --- /dev/null +++ b/dom/security/test/sri/file_bug_1271796.css @@ -0,0 +1,2 @@ +/*! Simple test for bug 1271796 */ +p::before { content: "\2014"; } diff --git a/dom/security/test/sri/iframe_csp_directive_style_imports.html b/dom/security/test/sri/iframe_csp_directive_style_imports.html new file mode 100644 index 000000000..0abea7854 --- /dev/null +++ b/dom/security/test/sri/iframe_csp_directive_style_imports.html @@ -0,0 +1,6 @@ +<!-- file should be loaded (text is blue), but subsequent files shouldn't (text is red) --> +<link rel="stylesheet" href="style_importing.css" + integrity="sha384-m5Q2GOhAtLrdiv6rCmxY3GjEFMVInALcdTyDnEddUUiDH2uQvJSX5GSJYQiatpTK" + onload="parent.postMessage('finish', '*');" + onerror="parent.postMessage('finish', '*');"> +<p id="text-for-import-test">blue text</p> diff --git a/dom/security/test/sri/iframe_csp_directive_style_imports.html^headers^ b/dom/security/test/sri/iframe_csp_directive_style_imports.html^headers^ new file mode 100644 index 000000000..0a6ccba79 --- /dev/null +++ b/dom/security/test/sri/iframe_csp_directive_style_imports.html^headers^ @@ -0,0 +1 @@ +content-security-policy: require-sri-for script style diff --git a/dom/security/test/sri/iframe_require-sri-for_main.html b/dom/security/test/sri/iframe_require-sri-for_main.html new file mode 100644 index 000000000..467c699c7 --- /dev/null +++ b/dom/security/test/sri/iframe_require-sri-for_main.html @@ -0,0 +1,47 @@ +<script> + window.hasCORSLoaded = false; // set through script_crossdomain1.js +</script> + +<!-- script tag cors-enabled. should be loaded --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js" + crossorigin="" + integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q==" + onload="parent.postMessage('good_sriLoaded', '*');"></script> + +<!-- script tag cors but not using SRI. should trigger onerror --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain5.js" + onload="parent.postMessage('bad_nonsriLoaded', '*');" + onerror="parent.postMessage('good_nonsriBlocked', '*');"></script> + +<!-- svg:script tag with cors but not using SRI. should trigger onerror --> +<svg xmlns="http://www.w3.org/2000/svg"> + <script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js" + onload="parent.postMessage('bad_svg_nonsriLoaded', '*');" + onerror="parent.postMessage('good_svg_nonsriBlocked', '*');"></script> + ></script> +</svg> + +<!-- stylesheet with cors and integrity. it should just load fine. --> +<link rel="stylesheet" href="style1.css" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onload="parent.postMessage('good_sriLoaded', '*');"> + +<!-- stylesheet not using SRI, should trigger onerror --> +<link rel="stylesheet" href="style3.css" + onload="parent.postMessage('bad_nonsriLoaded', '*');" + onerror="parent.postMessage('good_nonsriBlocked', '*');"> + + +<p id="black-text">black text</p> +<script> + // this worker should not load, + // given that we can not provide integrity metadata through the constructor + w = new Worker("rsf_worker.js"); + w.onerror = function(e) { + if (typeof w == "object") { + parent.postMessage("finish", '*'); + } else { + parent.postMessage("error", "*") + } + } +</script> diff --git a/dom/security/test/sri/iframe_require-sri-for_main.html^headers^ b/dom/security/test/sri/iframe_require-sri-for_main.html^headers^ new file mode 100644 index 000000000..0a6ccba79 --- /dev/null +++ b/dom/security/test/sri/iframe_require-sri-for_main.html^headers^ @@ -0,0 +1 @@ +content-security-policy: require-sri-for script style diff --git a/dom/security/test/sri/iframe_require-sri-for_no_csp.html b/dom/security/test/sri/iframe_require-sri-for_no_csp.html new file mode 100644 index 000000000..435b32ea3 --- /dev/null +++ b/dom/security/test/sri/iframe_require-sri-for_no_csp.html @@ -0,0 +1,5 @@ +<script> + w = new Worker("rsf_csp_worker.js"); + // use the handler function in the parent frame (test_require-sri-for_csp_directive.html) + w.onmessage = parent.handler; +</script> diff --git a/dom/security/test/sri/iframe_script_crossdomain.html b/dom/security/test/sri/iframe_script_crossdomain.html new file mode 100644 index 000000000..a752c7e79 --- /dev/null +++ b/dom/security/test/sri/iframe_script_crossdomain.html @@ -0,0 +1,135 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> +</head> +<body> +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> + +<script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + + window.hasCORSLoaded = false; + window.hasNonCORSLoaded = false; + + function good_nonsriLoaded() { + ok(true, "Non-eligible non-SRI resource was loaded correctly."); + } + function bad_nonsriBlocked() { + ok(false, "Non-eligible non-SRI resources should be loaded!"); + } + + function good_nonCORSInvalidBlocked() { + ok(true, "A non-CORS resource with invalid metadata was correctly blocked."); + } + function bad_nonCORSInvalidLoaded() { + ok(false, "Non-CORS resources with invalid metadata should be blocked!"); + } + + window.onerrorCalled = false; + window.onloadCalled = false; + + function bad_onloadCalled() { + window.onloadCalled = true; + } + + function good_onerrorCalled() { + window.onerrorCalled = true; + } + + function good_incorrect301Blocked() { + ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly."); + } + function bad_incorrect301Loaded() { + ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!"); + } + + function good_correct301Blocked() { + ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly."); + } + function bad_correct301Loaded() { + ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!"); + } + + function good_correctDataLoaded() { + ok(true, "Since data: URLs are same-origin, they should be loaded."); + } + function bad_correctDataBlocked() { + todo(false, "We should not block scripts in data: URIs!"); + } + function good_correctDataCORSLoaded() { + ok(true, "A data: URL with a CORS load was loaded correctly."); + } + function bad_correctDataCORSBlocked() { + ok(false, "We should not BLOCK scripts!"); + } + + window.onload = function() { + SimpleTest.finish() + } +</script> + +<!-- cors-enabled. should be loaded --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js" + crossorigin="" + integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script> + +<!-- not cors-enabled. should be blocked --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js" + crossorigin="anonymous" + integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94=" + onload="bad_onloadCalled()" + onerror="good_onerrorCalled()"></script> + +<!-- non-cors but not actually using SRI. should trigger onload --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js" + integrity=" " + onload="good_nonsriLoaded()" + onerror="bad_nonsriBlocked()"></script> + +<!-- non-cors with invalid metadata --> +<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js" + integrity="sha256-bogus" + onload="bad_nonCORSInvalidLoaded()" + onerror="good_nonCORSInvalidBlocked()"></script> + +<!-- non-cors that's same-origin initially but redirected to another origin --> +<script src="script_301.js" + integrity="sha384-invalid" + onerror="good_incorrect301Blocked()" + onload="bad_incorrect301Loaded()"></script> + +<!-- non-cors that's same-origin initially but redirected to another origin --> +<script src="script_301.js" + integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3" + onerror="good_correct301Blocked()" + onload="bad_correct301Loaded()"></script> + +<!-- data: URLs are same-origin --> +<script src="data:,console.log('data:valid');" + integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg=" + onerror="bad_correctDataBlocked()" + onload="good_correctDataLoaded()"></script> + +<!-- not cors-enabled with data: URLs. should trigger onload --> +<script src="data:,console.log('data:valid');" + crossorigin="anonymous" + integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg=" + onerror="bad_correctDataCORSBlocked()" + onload="good_correctDataCORSLoaded()"></script> + +<script> + ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash"); + ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked"); + ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain"); + ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain"); +</script> +</body> +</html> diff --git a/dom/security/test/sri/iframe_script_sameorigin.html b/dom/security/test/sri/iframe_script_sameorigin.html new file mode 100644 index 000000000..b891db547 --- /dev/null +++ b/dom/security/test/sri/iframe_script_sameorigin.html @@ -0,0 +1,249 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + window.onload = function() { + SimpleTest.finish(); + } + </script> + <script> + function good_correctHashLoaded() { + ok(true, "A script was correctly loaded when integrity matched") + } + function bad_correctHashBlocked() { + ok(false, "We should load scripts with hashes that match!"); + } + + function good_correctHashArrayLoaded() { + ok(true, "A script was correctly loaded when one of the hashes in the integrity attribute matched") + } + function bad_correctHashArrayBlocked() { + ok(false, "We should load scripts with at least one hash that match!"); + } + + function good_emptyIntegrityLoaded() { + ok(true, "A script was correctly loaded when the integrity attribute was empty") + } + function bad_emptyIntegrityBlocked() { + ok(false, "We should load scripts with empty integrity attributes!"); + } + + function good_whitespaceIntegrityLoaded() { + ok(true, "A script was correctly loaded when the integrity attribute only contained whitespace") + } + function bad_whitespaceIntegrityBlocked() { + ok(false, "We should load scripts with integrity attributes containing only whitespace!"); + } + + function good_incorrectHashBlocked() { + ok(true, "A script was correctly blocked, because the hash digest was wrong"); + } + function bad_incorrectHashLoaded() { + ok(false, "We should not load scripts with hashes that do not match the content!"); + } + + function good_incorrectHashArrayBlocked() { + ok(true, "A script was correctly blocked, because all the hashes were wrong"); + } + function bad_incorrectHashArrayLoaded() { + ok(false, "We should not load scripts when none of the hashes match the content!"); + } + + function good_incorrectHashLengthBlocked() { + ok(true, "A script was correctly blocked, because the hash length was wrong"); + } + function bad_incorrectHashLengthLoaded() { + ok(false, "We should not load scripts with hashes that don't have the right length!"); + } + + function bad_incorrectHashFunctionBlocked() { + ok(false, "We should load scripts with invalid/unsupported hash functions!"); + } + function good_incorrectHashFunctionLoaded() { + ok(true, "A script was correctly loaded, despite the hash function being invalid/unsupported."); + } + + function bad_missingHashFunctionBlocked() { + ok(false, "We should load scripts with missing hash functions!"); + } + function good_missingHashFunctionLoaded() { + ok(true, "A script was correctly loaded, despite a missing hash function."); + } + + function bad_missingHashValueBlocked() { + ok(false, "We should load scripts with missing hash digests!"); + } + function good_missingHashValueLoaded() { + ok(true, "A script was correctly loaded, despite the missing hash digest."); + } + + function good_401Blocked() { + ok(true, "A script was not loaded because of 401 response."); + } + function bad_401Loaded() { + ok(false, "We should nt load scripts with a 401 response!"); + } + + function good_valid302Loaded() { + ok(true, "A script was loaded successfully despite a 302 response."); + } + function bad_valid302Blocked() { + ok(false, "We should load scripts with a 302 response and the right hash!"); + } + + function good_invalid302Blocked() { + ok(true, "A script was blocked successfully after a 302 response."); + } + function bad_invalid302Loaded() { + ok(false, "We should not load scripts with a 302 response and the wrong hash!"); + } + + function good_validBlobLoaded() { + ok(true, "A script was loaded successfully from a blob: URL."); + } + function bad_validBlobBlocked() { + ok(false, "We should load scripts using blob: URLs with the right hash!"); + } + + function good_invalidBlobBlocked() { + ok(true, "A script was blocked successfully from a blob: URL."); + } + function bad_invalidBlobLoaded() { + ok(false, "We should not load scripts using blob: URLs with the wrong hash!"); + } +</script> +</head> +<body> + <!-- valid hash. should trigger onload --> + <!-- the hash value comes from running this command: + cat script.js | openssl dgst -sha256 -binary | openssl enc -base64 -A + --> + <script src="script.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"></script> + + <!-- valid sha512 hash. should trigger onload --> + <script src="script.js" + integrity="sha512-mzSqH+vC6qrXX46JX2WEZ0FtY/lGj/5+5yYCBlk0jfYHLm0vP6XgsURbq83mwMApsnwbDLXdgjp5J8E93GT6Mw==?ignore=this" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"></script> + + <!-- one valid sha256 hash. should trigger onload --> + <script src="script.js" + integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_correctHashArrayBlocked()" + onload="good_correctHashArrayLoaded()"></script> + + <!-- empty integrity. should trigger onload --> + <script src="script.js" + integrity="" + onerror="bad_emptyIntegrityBlocked()" + onload="good_emptyIntegrityLoaded()"></script> + + <!-- whitespace integrity. should trigger onload --> + <script src="script.js" + integrity=" + +" + onerror="bad_whitespaceIntegrityBlocked()" + onload="good_whitespaceIntegrityLoaded()"></script> + + <!-- invalid sha256 hash but valid sha384 hash. should trigger onload --> + <script src="script.js" + integrity="sha256-bogus sha384-zDCkvKOHXk8mM6Nk07oOGXGME17PA4+ydFw+hq0r9kgF6ZDYFWK3fLGPEy7FoOAo?" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"></script> + + <!-- valid sha256 and invalid sha384. should trigger onerror --> + <script src="script.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha384-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_incorrectHashLengthBlocked()" + onload="bad_incorrectHashLengthLoaded()"></script> + + <!-- invalid hash. should trigger onerror --> + <script src="script.js" + integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"></script> + + <!-- invalid hashes. should trigger onerror --> + <script src="script.js" + integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-ZkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-zkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"></script> + + <!-- invalid hash function. should trigger onload --> + <script src="script.js" + integrity="rot13-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_incorrectHashFunctionBlocked()" + onload="good_incorrectHashFunctionLoaded()"></script> + + <!-- missing hash function. should trigger onload --> + <script src="script.js" + integrity="RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_missingHashFunctionBlocked()" + onload="good_missingHashFunctionLoaded()"></script> + + <!-- missing hash value. should trigger onload --> + <script src="script.js" + integrity="sha512-" + onerror="bad_missingHashValueBlocked()" + onload="good_missingHashValueLoaded()"></script> + + <!-- 401 response. should trigger onerror --> + <script src="script_401.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="good_401Blocked()" + onload="bad_401Loaded()"></script> + + <!-- valid sha256 after a redirection. should trigger onload --> + <script src="script_302.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_valid302Blocked()" + onload="good_valid302Loaded()"></script> + + <!-- invalid sha256 after a redirection. should trigger onerror --> + <script src="script_302.js" + integrity="sha256-JSi74NSN8WQNr9syBGmNg2APJp9PnHUO5ioZo5hmIiQ=" + onerror="good_invalid302Blocked()" + onload="bad_invalid302Loaded()"></script> + + <!-- valid sha256 for a blob: URL --> + <script> + var blob = new Blob(["console.log('blob:valid');"], + {type:"application/javascript"}); + var script = document.createElement('script'); + script.setAttribute('src', URL.createObjectURL(blob)); + script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ='); + script.onerror = bad_validBlobBlocked; + script.onload = good_validBlobLoaded; + var head = document.getElementsByTagName('head').item(0); + head.appendChild(script); + </script> + + <!-- invalid sha256 for a blob: URL --> + <script> + var blob = new Blob(["console.log('blob:invalid');"], + {type:"application/javascript"}); + var script = document.createElement('script'); + script.setAttribute('src', URL.createObjectURL(blob)); + script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ='); + script.onerror = good_invalidBlobBlocked; + script.onload = bad_invalidBlobLoaded; + var head = document.getElementsByTagName('head').item(0); + head.appendChild(script); + </script> + +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> +</body> +</html> diff --git a/dom/security/test/sri/iframe_sri_disabled.html b/dom/security/test/sri/iframe_sri_disabled.html new file mode 100644 index 000000000..9fb10293a --- /dev/null +++ b/dom/security/test/sri/iframe_sri_disabled.html @@ -0,0 +1,74 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + window.onload = function() { + SimpleTest.finish(); + } + </script> + <script> + function good_correctHashLoaded() { + ok(true, "A script was correctly loaded when integrity matched") + } + function bad_correctHashBlocked() { + ok(false, "We should load scripts with hashes that match!"); + } + + function good_incorrectHashLoaded() { + ok(true, "A script was correctly loaded despite the incorrect hash because SRI is disabled."); + } + function bad_incorrectHashBlocked() { + ok(false, "We should load scripts with hashes that do not match the content when SRI is disabled!"); + } + + function good_correctStyleHashLoaded() { + ok(true, "A stylesheet was correctly loaded when integrity matched") + } + function bad_correctStyleHashBlocked() { + ok(false, "We should load stylesheets with hashes that match!"); + } + + function good_incorrectStyleHashLoaded() { + ok(true, "A stylesheet was correctly loaded despite the incorrect hash because SRI is disabled."); + } + function bad_incorrectStyleHashBlocked() { + ok(false, "We should load stylesheets with hashes that do not match the content when SRI is disabled!"); + } + </script> + + <!-- valid sha256 hash. should trigger onload --> + <link rel="stylesheet" href="style1.css?disabled" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="bad_correctStyleHashBlocked()" + onload="good_correctStyleHashLoaded()"> + + <!-- invalid sha256 hash. should trigger onerror --> + <link rel="stylesheet" href="style2.css?disabled" + integrity="sha256-bogus" + onerror="bad_incorrectStyleHashBlocked()" + onload="good_incorrectStyleHashLoaded()"> +</head> +<body> + <!-- valid hash. should trigger onload --> + <script src="script.js" + integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"></script> + + <!-- invalid hash. should trigger onerror --> + <script src="script.js" + integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA=" + onerror="bad_incorrectHashBlocked()" + onload="good_incorrectHashLoaded()"></script> +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> +</body> +</html> diff --git a/dom/security/test/sri/iframe_style_crossdomain.html b/dom/security/test/sri/iframe_style_crossdomain.html new file mode 100644 index 000000000..22c8593b5 --- /dev/null +++ b/dom/security/test/sri/iframe_style_crossdomain.html @@ -0,0 +1,117 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + function check_styles() { + var redText = document.getElementById('red-text'); + var greenText = document.getElementById('green-text'); + var blueText = document.getElementById('blue-text'); + var redTextColor = window.getComputedStyle(redText, null).getPropertyValue('color'); + var greenTextColor = window.getComputedStyle(greenText, null).getPropertyValue('color'); + var blueTextColor = window.getComputedStyle(blueText, null).getPropertyValue('color'); + ok(redTextColor == 'rgb(255, 0, 0)', "The first part should be red."); + ok(greenTextColor == 'rgb(0, 255, 0)', "The second part should be green."); + ok(blueTextColor == 'rgb(0, 0, 255)', "The third part should be blue."); + } + + SimpleTest.waitForExplicitFinish(); + window.onload = function() { + check_styles(); + SimpleTest.finish(); + } + </script> + <script> + function good_correctHashCORSLoaded() { + ok(true, "A CORS cross-domain stylesheet with correct hash was correctly loaded."); + } + function bad_correctHashCORSBlocked() { + ok(false, "We should load CORS cross-domain stylesheets with hashes that match!"); + } + function good_correctHashBlocked() { + ok(true, "A non-CORS cross-domain stylesheet with correct hash was correctly blocked."); + } + function bad_correctHashLoaded() { + ok(false, "We should block non-CORS cross-domain stylesheets with hashes that match!"); + } + + function good_incorrectHashBlocked() { + ok(true, "A non-CORS cross-domain stylesheet with incorrect hash was correctly blocked."); + } + function bad_incorrectHashLoaded() { + ok(false, "We should load non-CORS cross-domain stylesheets with incorrect hashes!"); + } + + function bad_correctDataBlocked() { + ok(false, "We should not block non-CORS cross-domain stylesheets in data: URI!"); + } + function good_correctDataLoaded() { + ok(true, "A non-CORS cross-domain stylesheet with data: URI was correctly loaded."); + } + function bad_correctDataCORSBlocked() { + ok(false, "We should not block CORS stylesheets in data: URI!"); + } + function good_correctDataCORSLoaded() { + ok(true, "A CORS stylesheet with data: URI was correctly loaded."); + } + + function good_correctHashOpaqueBlocked() { + ok(true, "A non-CORS(Opaque) cross-domain stylesheet with correct hash was correctly blocked."); + } + function bad_correctHashOpaqueLoaded() { + ok(false, "We should not load non-CORS(Opaque) cross-domain stylesheets with correct hashes!"); + } + </script> + + <!-- valid CORS sha256 hash --> + <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css" + crossorigin="anonymous" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="bad_correctHashCORSBlocked()" + onload="good_correctHashCORSLoaded()"> + + <!-- valid non-CORS sha256 hash --> + <link rel="stylesheet" href="style_301.css" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="good_correctHashBlocked()" + onload="bad_correctHashLoaded()"> + + <!-- invalid non-CORS sha256 hash --> + <link rel="stylesheet" href="style_301.css?again" + integrity="sha256-bogus" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"> + + <!-- valid non-CORS sha256 hash in a data: URL --> + <link rel="stylesheet" href="data:text/css,.green-text{color:rgb(0, 255, 0)}" + integrity="sha256-EhVtGGyovvffvYdhyqJxUJ/ekam7zlxxo46iM13cwP0=" + onerror="bad_correctDataBlocked()" + onload="good_correctDataLoaded()"> + + <!-- valid CORS sha256 hash in a data: URL --> + <link rel="stylesheet" href="data:text/css,.blue-text{color:rgb(0, 0, 255)}" + crossorigin="anonymous" + integrity="sha256-m0Fs2hNSyPOn1030Dp+c8pJFHNmwpeTbB+8J/DcqLss=" + onerror="bad_correctDataCORSBlocked()" + onload="good_correctDataCORSLoaded()"> + + <!-- valid non-CORS sha256 hash --> + <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="good_correctHashOpaqueBlocked()" + onload="bad_correctHashOpaqueLoaded()"> +</head> +<body> +<p><span id="red-text">This should be red</span> but + <span id="green-text" class="green-text">this should be green</span> and + <span id="blue-text" class="blue-text">this should be blue</span></p> +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> +</body> +</html> diff --git a/dom/security/test/sri/iframe_style_sameorigin.html b/dom/security/test/sri/iframe_style_sameorigin.html new file mode 100644 index 000000000..d994e7c2b --- /dev/null +++ b/dom/security/test/sri/iframe_style_sameorigin.html @@ -0,0 +1,164 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + function check_styles() { + var redText = document.getElementById('red-text'); + var blueText = document.getElementById('blue-text-element'); + var blackText1 = document.getElementById('black-text'); + var blackText2 = document.getElementById('black-text-2'); + var redTextColor = window.getComputedStyle(redText, null).getPropertyValue('color'); + var blueTextColor = window.getComputedStyle(blueText, null).getPropertyValue('color'); + var blackTextColor1 = window.getComputedStyle(blackText1, null).getPropertyValue('color'); + var blackTextColor2 = window.getComputedStyle(blackText2, null).getPropertyValue('color'); + ok(redTextColor == 'rgb(255, 0, 0)', "The first part should be red."); + ok(blueTextColor == 'rgb(0, 0, 255)', "The second part should be blue."); + ok(blackTextColor1 == 'rgb(0, 0, 0)', "The second last part should still be black."); + ok(blackTextColor2 == 'rgb(0, 0, 0)', "The last part should still be black."); + } + + SimpleTest.waitForExplicitFinish(); + window.onload = function() { + check_styles(); + SimpleTest.finish(); + } + </script> + <script> + function good_correctHashLoaded() { + ok(true, "A stylesheet was correctly loaded when integrity matched"); + } + function bad_correctHashBlocked() { + ok(false, "We should load stylesheets with hashes that match!"); + } + + function good_emptyIntegrityLoaded() { + ok(true, "A stylesheet was correctly loaded when the integrity attribute was empty"); + } + function bad_emptyIntegrityBlocked() { + ok(false, "We should load stylesheets with empty integrity attributes!"); + } + + function good_incorrectHashBlocked() { + ok(true, "A stylesheet was correctly blocked, because the hash digest was wrong"); + } + function bad_incorrectHashLoaded() { + ok(false, "We should not load stylesheets with hashes that do not match the content!"); + } + + function good_validBlobLoaded() { + ok(true, "A stylesheet was loaded successfully from a blob: URL with the right hash."); + } + function bad_validBlobBlocked() { + ok(false, "We should load stylesheets using blob: URLs with the right hash!"); + } + function good_invalidBlobBlocked() { + ok(true, "A stylesheet was blocked successfully from a blob: URL with an invalid hash."); + } + function bad_invalidBlobLoaded() { + ok(false, "We should not load stylesheets using blob: URLs when they have the wrong hash!"); + } + + function good_correctUTF8HashLoaded() { + ok(true, "A UTF8 stylesheet was correctly loaded when integrity matched"); + } + function bad_correctUTF8HashBlocked() { + ok(false, "We should load UTF8 stylesheets with hashes that match!"); + } + function good_correctUTF8BOMHashLoaded() { + ok(true, "A UTF8 stylesheet (with BOM) was correctly loaded when integrity matched"); + } + function bad_correctUTF8BOMHashBlocked() { + ok(false, "We should load UTF8 (with BOM) stylesheets with hashes that match!"); + } + function good_correctUTF8ishHashLoaded() { + ok(true, "A UTF8ish stylesheet was correctly loaded when integrity matched"); + } + function bad_correctUTF8ishHashBlocked() { + ok(false, "We should load UTF8ish stylesheets with hashes that match!"); + } + </script> + + <!-- valid sha256 hash. should trigger onload --> + <link rel="stylesheet" href="style1.css" + integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" + onerror="bad_correctHashBlocked()" + onload="good_correctHashLoaded()"> + + <!-- empty metadata. should trigger onload --> + <link rel="stylesheet" href="style2.css" + integrity="" + onerror="bad_emptyIntegrityBlocked()" + onload="good_emptyIntegrityLoaded()"> + + <!-- invalid sha256 hash. should trigger onerror --> + <link rel="stylesheet" href="style3.css" + integrity="sha256-bogus" + onerror="good_incorrectHashBlocked()" + onload="bad_incorrectHashLoaded()"> + + <!-- valid sha384 hash of a utf8 file. should trigger onload --> + <link rel="stylesheet" href="style4.css" + integrity="sha384-13rt+j7xMDLhohLukb7AZx8lDGS3hkahp0IoeuyvxSNVPyc1QQmTDcwXGhQZjoMH" + onerror="bad_correctUTF8HashBlocked()" + onload="good_correctUTF8HashLoaded()"> + + <!-- valid sha384 hash of a utf8 file with a BOM. should trigger onload --> + <link rel="stylesheet" href="style5.css" + integrity="sha384-udAqVKPIHf/OD1isAYKrgzsog/3Q6lSEL2nKhtLSTmHryiae0+y6x1akeTzEF446" + onerror="bad_correctUTF8BOMHashBlocked()" + onload="good_correctUTF8BOMHashLoaded()"> + + <!-- valid sha384 hash of a utf8 file with the wrong charset. should trigger onload --> + <link rel="stylesheet" href="style6.css" + integrity="sha384-Xli4ROFoVGCiRgXyl7y8jv5Vm2yuqj+8tkNL3cUI7AHaCocna75JLs5xID437W6C" + onerror="bad_correctUTF8ishHashBlocked()" + onload="good_correctUTF8ishHashLoaded()"> +</head> +<body> + +<!-- valid sha256 for a blob: URL --> +<script> + var blob = new Blob(['.blue-text{color:blue}'], + {type: 'text/css'}); + var link = document.createElement('link'); + link.rel = 'stylesheet'; + link.href = window.URL.createObjectURL(blob); + link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM='); + link.onerror = bad_validBlobBlocked; + link.onload = good_validBlobLoaded; + document.body.appendChild(link); +</script> + +<!-- invalid sha256 for a blob: URL --> +<script> + var blob = new Blob(['.black-text{color:blue}'], + {type: 'text/css'}); + var link = document.createElement('link'); + link.rel = 'stylesheet'; + link.href = window.URL.createObjectURL(blob); + link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM='); + link.onerror = good_invalidBlobBlocked; + link.onload = bad_invalidBlobLoaded; + document.body.appendChild(link); +</script> + +<p><span id="red-text">This should be red </span>, + <span id="purple-text">this should be purple</span>, + <span id="brown-text">this should be brown</span>, + <span id="orange-text">this should be orange</span>, and + <span class="blue-text" id="blue-text-element">this should be blue.</span> + However, <span id="black-text">this should stay black</span> and + <span class="black-text" id="black-text-2">this should also stay black.</span> +</p> + +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<pre id="test"> +</pre> +</body> +</html> diff --git a/dom/security/test/sri/mochitest.ini b/dom/security/test/sri/mochitest.ini new file mode 100644 index 000000000..e6e2e2fc3 --- /dev/null +++ b/dom/security/test/sri/mochitest.ini @@ -0,0 +1,57 @@ +[DEFAULT] +support-files = + file_bug_1271796.css + iframe_csp_directive_style_imports.html + iframe_csp_directive_style_imports.html^headers^ + iframe_require-sri-for_main.html + iframe_require-sri-for_main.html^headers^ + iframe_require-sri-for_no_csp.html + iframe_script_crossdomain.html + iframe_script_sameorigin.html + iframe_sri_disabled.html + iframe_style_crossdomain.html + iframe_style_sameorigin.html + rsf_csp_worker.js + rsf_csp_worker.js^headers^ + rsf_imported.js + rsf_worker.js + script_crossdomain1.js + script_crossdomain1.js^headers^ + script_crossdomain2.js + script_crossdomain3.js + script_crossdomain3.js^headers^ + script_crossdomain4.js + script_crossdomain4.js^headers^ + script_crossdomain5.js + script_crossdomain5.js^headers^ + script.js + script.js^headers^ + script_301.js + script_301.js^headers^ + script_302.js + script_302.js^headers^ + script_401.js + script_401.js^headers^ + style1.css + style1.css^headers^ + style2.css + style3.css + style4.css + style4.css^headers^ + style5.css + style6.css + style6.css^headers^ + style_301.css + style_301.css^headers^ + style_importing.css + style_imported.css + +[test_script_sameorigin.html] +[test_script_crossdomain.html] +[test_sri_disabled.html] +[test_style_crossdomain.html] +[test_style_sameorigin.html] +[test_require-sri-for_csp_directive.html] +[test_require-sri-for_csp_directive_disabled.html] +[test_bug_1271796.html] +[test_csp_directive_style_imports.html] diff --git a/dom/security/test/sri/rsf_csp_worker.js b/dom/security/test/sri/rsf_csp_worker.js new file mode 100644 index 000000000..553fdf92b --- /dev/null +++ b/dom/security/test/sri/rsf_csp_worker.js @@ -0,0 +1,9 @@ +postMessage("good_worker_could_load"); +try { + importScripts('rsf_imported.js'); +} catch(e) { + postMessage("good_worker_after_importscripts"); +} +finally { + postMessage("finish"); +} diff --git a/dom/security/test/sri/rsf_csp_worker.js^headers^ b/dom/security/test/sri/rsf_csp_worker.js^headers^ new file mode 100644 index 000000000..0a6ccba79 --- /dev/null +++ b/dom/security/test/sri/rsf_csp_worker.js^headers^ @@ -0,0 +1 @@ +content-security-policy: require-sri-for script style diff --git a/dom/security/test/sri/rsf_imported.js b/dom/security/test/sri/rsf_imported.js new file mode 100644 index 000000000..33f54b7a0 --- /dev/null +++ b/dom/security/test/sri/rsf_imported.js @@ -0,0 +1 @@ +postMessage('bad_worker_could_load_via_importScripts'); diff --git a/dom/security/test/sri/rsf_spawn_CSPd_worker.js b/dom/security/test/sri/rsf_spawn_CSPd_worker.js new file mode 100644 index 000000000..652c77100 --- /dev/null +++ b/dom/security/test/sri/rsf_spawn_CSPd_worker.js @@ -0,0 +1,3 @@ +w = new Worker("rsf_csp_worker.js"); +// use the handler function in test_require-sri-for_csp_directive.html +w.onmessage = parent.handler; diff --git a/dom/security/test/sri/rsf_worker.js b/dom/security/test/sri/rsf_worker.js new file mode 100644 index 000000000..553d3deee --- /dev/null +++ b/dom/security/test/sri/rsf_worker.js @@ -0,0 +1,2 @@ +parent.postMessage('bad_worker_could_load', '*'); +importScripts('rsf_imported.js'); diff --git a/dom/security/test/sri/script.js b/dom/security/test/sri/script.js new file mode 100644 index 000000000..8fd8f96b2 --- /dev/null +++ b/dom/security/test/sri/script.js @@ -0,0 +1 @@ +var load=true; diff --git a/dom/security/test/sri/script.js^headers^ b/dom/security/test/sri/script.js^headers^ new file mode 100644 index 000000000..b77232d81 --- /dev/null +++ b/dom/security/test/sri/script.js^headers^ @@ -0,0 +1 @@ +Cache-control: public diff --git a/dom/security/test/sri/script_301.js b/dom/security/test/sri/script_301.js new file mode 100644 index 000000000..9a95de77c --- /dev/null +++ b/dom/security/test/sri/script_301.js @@ -0,0 +1 @@ +var load=false; diff --git a/dom/security/test/sri/script_301.js^headers^ b/dom/security/test/sri/script_301.js^headers^ new file mode 100644 index 000000000..efbfb7334 --- /dev/null +++ b/dom/security/test/sri/script_301.js^headers^ @@ -0,0 +1,2 @@ +HTTP 301 Moved Permanently +Location: http://example.com/tests/dom/security/test/sri/script_crossdomain5.js diff --git a/dom/security/test/sri/script_302.js b/dom/security/test/sri/script_302.js new file mode 100644 index 000000000..9a95de77c --- /dev/null +++ b/dom/security/test/sri/script_302.js @@ -0,0 +1 @@ +var load=false; diff --git a/dom/security/test/sri/script_302.js^headers^ b/dom/security/test/sri/script_302.js^headers^ new file mode 100644 index 000000000..05a545a6a --- /dev/null +++ b/dom/security/test/sri/script_302.js^headers^ @@ -0,0 +1,2 @@ +HTTP 302 Found +Location: /tests/dom/security/test/sri/script.js diff --git a/dom/security/test/sri/script_401.js b/dom/security/test/sri/script_401.js new file mode 100644 index 000000000..8fd8f96b2 --- /dev/null +++ b/dom/security/test/sri/script_401.js @@ -0,0 +1 @@ +var load=true; diff --git a/dom/security/test/sri/script_401.js^headers^ b/dom/security/test/sri/script_401.js^headers^ new file mode 100644 index 000000000..889fbe081 --- /dev/null +++ b/dom/security/test/sri/script_401.js^headers^ @@ -0,0 +1,2 @@ +HTTP 401 Authorization Required +Cache-control: public diff --git a/dom/security/test/sri/script_crossdomain1.js b/dom/security/test/sri/script_crossdomain1.js new file mode 100644 index 000000000..1f17a6db2 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain1.js @@ -0,0 +1,4 @@ +/* + * this file should be loaded, because it has CORS enabled. +*/ +window.hasCORSLoaded = true; diff --git a/dom/security/test/sri/script_crossdomain1.js^headers^ b/dom/security/test/sri/script_crossdomain1.js^headers^ new file mode 100644 index 000000000..3a6a85d89 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain1.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/script_crossdomain2.js b/dom/security/test/sri/script_crossdomain2.js new file mode 100644 index 000000000..4b0208ab3 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain2.js @@ -0,0 +1,5 @@ +/* + * this file should not be loaded, because it does not have CORS + * enabled. + */ +window.hasNonCORSLoaded = true; diff --git a/dom/security/test/sri/script_crossdomain3.js b/dom/security/test/sri/script_crossdomain3.js new file mode 100644 index 000000000..eed05d59b --- /dev/null +++ b/dom/security/test/sri/script_crossdomain3.js @@ -0,0 +1 @@ +// This script intentionally left blank diff --git a/dom/security/test/sri/script_crossdomain3.js^headers^ b/dom/security/test/sri/script_crossdomain3.js^headers^ new file mode 100644 index 000000000..3a6a85d89 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain3.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/script_crossdomain4.js b/dom/security/test/sri/script_crossdomain4.js new file mode 100644 index 000000000..eed05d59b --- /dev/null +++ b/dom/security/test/sri/script_crossdomain4.js @@ -0,0 +1 @@ +// This script intentionally left blank diff --git a/dom/security/test/sri/script_crossdomain4.js^headers^ b/dom/security/test/sri/script_crossdomain4.js^headers^ new file mode 100644 index 000000000..3a6a85d89 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain4.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/script_crossdomain5.js b/dom/security/test/sri/script_crossdomain5.js new file mode 100644 index 000000000..eed05d59b --- /dev/null +++ b/dom/security/test/sri/script_crossdomain5.js @@ -0,0 +1 @@ +// This script intentionally left blank diff --git a/dom/security/test/sri/script_crossdomain5.js^headers^ b/dom/security/test/sri/script_crossdomain5.js^headers^ new file mode 100644 index 000000000..cb762eff8 --- /dev/null +++ b/dom/security/test/sri/script_crossdomain5.js^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: * diff --git a/dom/security/test/sri/style1.css b/dom/security/test/sri/style1.css new file mode 100644 index 000000000..c7ab9ecff --- /dev/null +++ b/dom/security/test/sri/style1.css @@ -0,0 +1,3 @@ +#red-text { + color: red; +} diff --git a/dom/security/test/sri/style1.css^headers^ b/dom/security/test/sri/style1.css^headers^ new file mode 100644 index 000000000..3a6a85d89 --- /dev/null +++ b/dom/security/test/sri/style1.css^headers^ @@ -0,0 +1 @@ +Access-Control-Allow-Origin: http://mochi.test:8888 diff --git a/dom/security/test/sri/style2.css b/dom/security/test/sri/style2.css new file mode 100644 index 000000000..9eece75e5 --- /dev/null +++ b/dom/security/test/sri/style2.css @@ -0,0 +1 @@ +; A valid but somewhat uninteresting stylesheet diff --git a/dom/security/test/sri/style3.css b/dom/security/test/sri/style3.css new file mode 100644 index 000000000..b64fa3b74 --- /dev/null +++ b/dom/security/test/sri/style3.css @@ -0,0 +1,3 @@ +#black-text { + color: green; +} diff --git a/dom/security/test/sri/style4.css b/dom/security/test/sri/style4.css new file mode 100644 index 000000000..eab83656e --- /dev/null +++ b/dom/security/test/sri/style4.css @@ -0,0 +1,4 @@ +/* François was here. */ +#purple-text { + color: purple; +} diff --git a/dom/security/test/sri/style4.css^headers^ b/dom/security/test/sri/style4.css^headers^ new file mode 100644 index 000000000..e13897f15 --- /dev/null +++ b/dom/security/test/sri/style4.css^headers^ @@ -0,0 +1 @@ +Content-Type: text/css; charset=utf-8 diff --git a/dom/security/test/sri/style5.css b/dom/security/test/sri/style5.css new file mode 100644 index 000000000..5d59134cc --- /dev/null +++ b/dom/security/test/sri/style5.css @@ -0,0 +1,4 @@ +/* François was here. */ +#orange-text { + color: orange; +} diff --git a/dom/security/test/sri/style6.css b/dom/security/test/sri/style6.css new file mode 100644 index 000000000..569557694 --- /dev/null +++ b/dom/security/test/sri/style6.css @@ -0,0 +1,4 @@ +/* François was here. */ +#brown-text { + color: brown; +} diff --git a/dom/security/test/sri/style6.css^headers^ b/dom/security/test/sri/style6.css^headers^ new file mode 100644 index 000000000..d866aa522 --- /dev/null +++ b/dom/security/test/sri/style6.css^headers^ @@ -0,0 +1 @@ +Content-Type: text/css; charset=iso-8859-8 diff --git a/dom/security/test/sri/style_301.css b/dom/security/test/sri/style_301.css new file mode 100644 index 000000000..c7ab9ecff --- /dev/null +++ b/dom/security/test/sri/style_301.css @@ -0,0 +1,3 @@ +#red-text { + color: red; +} diff --git a/dom/security/test/sri/style_301.css^headers^ b/dom/security/test/sri/style_301.css^headers^ new file mode 100644 index 000000000..c5b78ee04 --- /dev/null +++ b/dom/security/test/sri/style_301.css^headers^ @@ -0,0 +1,2 @@ +HTTP 301 Moved Permanently +Location: http://example.com/tests/dom/security/test/sri/style1.css diff --git a/dom/security/test/sri/style_imported.css b/dom/security/test/sri/style_imported.css new file mode 100644 index 000000000..4469e8d78 --- /dev/null +++ b/dom/security/test/sri/style_imported.css @@ -0,0 +1,6 @@ +#text-for-import-test { + color: red; +} +#text-for-import-test::before { + content: 'Test failed'; +} diff --git a/dom/security/test/sri/style_importing.css b/dom/security/test/sri/style_importing.css new file mode 100644 index 000000000..985dd3467 --- /dev/null +++ b/dom/security/test/sri/style_importing.css @@ -0,0 +1,4 @@ +/* neither of them should load. trying multiple cases*/ +@import url("style_imported.css"); +@import 'style_imported.css'; +#text-for-import-test { color: blue; } diff --git a/dom/security/test/sri/test_bug_1271796.html b/dom/security/test/sri/test_bug_1271796.html new file mode 100644 index 000000000..1d639c9cb --- /dev/null +++ b/dom/security/test/sri/test_bug_1271796.html @@ -0,0 +1,30 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> + <script type="application/javascript"> + SimpleTest.waitForExplicitFinish(); + + function good_shouldLoadEncodingProblem() { + ok(true, "Problematically encoded file correctly loaded.") + }; + function bad_shouldntEncounterBug1271796() { + ok(false, "Problematically encoded should load!") + } + window.onload = function() { + SimpleTest.finish(); + } + </script> + <link rel="stylesheet" href="file_bug_1271796.css" crossorigin="anonymous" + integrity="sha384-8Xl0mTN4S2QZ5xeliG1sd4Ar9o1xMw6JoJy9RNjyHGQDha7GiLxo8l1llwLVgTNG" + onload="good_shouldLoadEncodingProblem();" + onerror="bad_shouldntEncounterBug1271796();"> +</head> +<body> +<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1271796">Bug 1271796</a><br> +<p>This text is prepended by emdash if css has loaded</p> +</body> +</html> diff --git a/dom/security/test/sri/test_csp_directive_style_imports.html b/dom/security/test/sri/test_csp_directive_style_imports.html new file mode 100644 index 000000000..f293e2412 --- /dev/null +++ b/dom/security/test/sri/test_csp_directive_style_imports.html @@ -0,0 +1,42 @@ +<!-- + Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ +--> +<!DOCTYPE HTML> +<html> +<head> + <title>Test for SRI require-sri-for CSP directive</title> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1265318">Mozilla Bug 1265318</a><br> +<iframe style="width:200px;height:200px;" id="test_frame"></iframe><br> +</body> +<script type="application/javascript"> + var finished = 0; + SpecialPowers.setBoolPref("security.csp.experimentalEnabled", true); + SimpleTest.waitForExplicitFinish(); + function handler(event) { + console.log(event); + switch (event.data) { + case 'finish': + // need finish message from iframe_require-sri-for_main onload event and + // from iframe_require-sri-for_no_csp, which spawns a Worker + var importText = frame.contentDocument.getElementById('text-for-import-test'); + var importColor = frame.contentWindow.getComputedStyle(importText, null).getPropertyValue('color'); + ok(importColor == 'rgb(0, 0, 255)', "The import should not work without integrity. The text is now red, but should not."); + removeEventListener('message', handler); + SimpleTest.finish(); + break; + default: + ok(false, 'Something is wrong here'); + break; + } + } + addEventListener("message", handler); + // This frame has a CSP that requires SRI + var frame = document.getElementById("test_frame"); + frame.src = "iframe_csp_directive_style_imports.html"; +</script> +</html> diff --git a/dom/security/test/sri/test_require-sri-for_csp_directive.html b/dom/security/test/sri/test_require-sri-for_csp_directive.html new file mode 100644 index 000000000..ef1b3603f --- /dev/null +++ b/dom/security/test/sri/test_require-sri-for_csp_directive.html @@ -0,0 +1,76 @@ +<!-- + Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ +--> +<!DOCTYPE HTML> +<html> +<head> + <title>Test for SRI require-sri-for CSP directive</title> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1265318">Mozilla Bug 1265318</a><br> +<iframe style="width:200px;height:200px;" id="test_frame"></iframe><br> +<iframe style="width:200px;height:200px;" id="test_frame_no_csp"></iframe> +</body> +<script type="application/javascript"> + var finished = 0; + SpecialPowers.setBoolPref("security.csp.experimentalEnabled", true); + SimpleTest.waitForExplicitFinish(); + function handler(event) { + switch (event.data) { + case 'good_sriLoaded': + ok(true, "Eligible SRI resources was correctly loaded."); + break; + case 'bad_nonsriLoaded': + ok(false, "Eligible non-SRI resource should be blocked by the CSP!"); + break; + case 'good_nonsriBlocked': + ok(true, "Eligible non-SRI resources was correctly blocked by the CSP."); + break; + case 'bad_svg_nonsriLoaded': + ok(false, 'Eligible non-SRI resource should be blocked by the CSP.'); + break; + case 'good_svg_nonsriBlocked': + ok(true, 'Eligible non-SRI svg script was correctly blocked by the CSP.'); + break; + case 'bad_worker_could_load': + ok(false, 'require-sri-for failed to block loading a Worker with no integrity metadata.'); + break; + case 'good_worker_could_load': + ok(true, "Loaded a worker that has require-sri-for set (but its parent doesnt).") + break; + case 'bad_worker_could_load_via_importScripts': + ok(false, 'require-sri-for failed to block loading importScript in a worker though we require SRI via CSP'); + break; + case 'good_worker_after_importscripts': + ok(true, 'Worker continued after failed importScript due to require-sri-for'); + break; + case 'finish': + finished++; + if (finished > 1) { + // need finish message from iframe_require-sri-for_main onload event and + // from iframe_require-sri-for_no_csp, which spawns a Worker + var blackText = frame.contentDocument.getElementById('black-text'); + var blackTextColor = frame.contentWindow.getComputedStyle(blackText, null).getPropertyValue('color'); + ok(blackTextColor == 'rgb(0, 0, 0)', "The second part should not be black."); + removeEventListener('message', handler); + SimpleTest.finish(); + } + break; + default: + ok(false, 'Something is wrong here'); + break; + } + } + addEventListener("message", handler); + // This frame has a CSP that requires SRI + var frame = document.getElementById("test_frame"); + frame.src = "iframe_require-sri-for_main.html"; + // This frame has no CSP to require SRI. + // Used for testing require-sri-for in a Worker. + var frame_no_csp = document.getElementById("test_frame_no_csp"); + frame_no_csp.src = "iframe_require-sri-for_no_csp.html"; +</script> +</html> diff --git a/dom/security/test/sri/test_require-sri-for_csp_directive_disabled.html b/dom/security/test/sri/test_require-sri-for_csp_directive_disabled.html new file mode 100644 index 000000000..b833fe11c --- /dev/null +++ b/dom/security/test/sri/test_require-sri-for_csp_directive_disabled.html @@ -0,0 +1,46 @@ +<!-- + Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ +--> +<!DOCTYPE HTML> +<html> +<head> + <title>Test for diabled SRI require-sri-for CSP directive</title> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1265318">Mozilla Bug 1265318</a> +<iframe style="width:200px;height:200px;" id="test_frame"></iframe> +</body> +<script type="application/javascript"> + SpecialPowers.setBoolPref("security.csp.experimentalEnabled", false); + SimpleTest.waitForExplicitFinish(); + function handler(event) { + switch (event.data) { + case 'good_sriLoaded': + ok(true, "Eligible SRI resources was correctly loaded."); + break; + case 'bad_nonsriLoaded': + ok(true, "Eligible non-SRI resource should be blocked by the CSP!"); + break; + case 'good_nonsriBlocked': + ok(false, "Eligible non-SRI resources was correctly blocked by the CSP."); + break; + case 'finish': + var blackText = frame.contentDocument.getElementById('black-text'); + var blackTextColor = frame.contentWindow.getComputedStyle(blackText, null).getPropertyValue('color'); + ok(blackTextColor != 'rgb(0, 0, 0)', "The second part should still be black."); + removeEventListener('message', handler); + SimpleTest.finish(); + break; + default: + ok(false, 'Something is wrong here'); + break; + } + } + addEventListener("message", handler); + var frame = document.getElementById("test_frame"); + frame.src = "iframe_require-sri-for_main.html"; +</script> +</html> diff --git a/dom/security/test/sri/test_script_crossdomain.html b/dom/security/test/sri/test_script_crossdomain.html new file mode 100644 index 000000000..327ea4247 --- /dev/null +++ b/dom/security/test/sri/test_script_crossdomain.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Cross-domain script tests for Bug 992096</title> + <script> + SpecialPowers.setBoolPref("security.sri.enable", true); + </script> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a> +<div> + <iframe src="iframe_script_crossdomain.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> diff --git a/dom/security/test/sri/test_script_sameorigin.html b/dom/security/test/sri/test_script_sameorigin.html new file mode 100644 index 000000000..df890d5f9 --- /dev/null +++ b/dom/security/test/sri/test_script_sameorigin.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Same-origin script tests for Bug 992096</title> + <script> + SpecialPowers.setBoolPref("security.sri.enable", true); + </script> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a> +<div> + <iframe src="iframe_script_sameorigin.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> diff --git a/dom/security/test/sri/test_sri_disabled.html b/dom/security/test/sri/test_sri_disabled.html new file mode 100644 index 000000000..4661235b1 --- /dev/null +++ b/dom/security/test/sri/test_sri_disabled.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>security.sri.enable tests for Bug 992096</title> + <script> + SpecialPowers.setBoolPref("security.sri.enable", false); + </script> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a> +<div> + <iframe src="iframe_sri_disabled.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> diff --git a/dom/security/test/sri/test_style_crossdomain.html b/dom/security/test/sri/test_style_crossdomain.html new file mode 100644 index 000000000..6bf4b2de1 --- /dev/null +++ b/dom/security/test/sri/test_style_crossdomain.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Cross-domain stylesheet tests for Bug 1196740</title> + <script> + SpecialPowers.setBoolPref("security.sri.enable", true); + </script> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1196740">Mozilla Bug 1196740</a> +<div> + <iframe src="iframe_style_crossdomain.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> diff --git a/dom/security/test/sri/test_style_sameorigin.html b/dom/security/test/sri/test_style_sameorigin.html new file mode 100644 index 000000000..fb1d3f78d --- /dev/null +++ b/dom/security/test/sri/test_style_sameorigin.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<!-- Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ --> +<html> +<head> + <meta charset="utf-8"> + <title>Same-origin stylesheet tests for Bug 992096</title> + <script> + SpecialPowers.setBoolPref("security.sri.enable", true); + </script> +</head> +<body> +<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a> +<div> + <iframe src="iframe_style_sameorigin.html" height="100%" width="90%" frameborder="0"></iframe> +</div> +</body> +</html> |