gecko-dev/dom/security/test/unit/test_csp_reports.js

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

ChromeUtils.import('resource://gre/modules/NetUtil.jsm');
ChromeUtils.import("resource://gre/modules/Services.jsm");
ChromeUtils.import("resource://testing-common/httpd.js");

var httpServer = new HttpServer();
httpServer.start(-1);
var testsToFinish = 0;

var principal;

const REPORT_SERVER_PORT = httpServer.identity.primaryPort;
const REPORT_SERVER_URI = "http://localhost";
const REPORT_SERVER_PATH = "/report";

/**
 * Construct a callback that listens to a report submission and either passes
 * or fails a test based on what it gets.
 */
function makeReportHandler(testpath, message, expectedJSON) {
  return function(request, response) {
    // we only like "POST" submissions for reports!
    if (request.method !== "POST") {
      do_throw("violation report should be a POST request");
      return;
    }

    // check content-type of report is "application/csp-report"
    var contentType = request.hasHeader("Content-Type")
                    ? request.getHeader("Content-Type") : undefined;
    if (contentType !== "application/csp-report") {
      do_throw("violation report should have the 'application/csp-report' " +
               "content-type, when in fact it is " + contentType.toString())
    }

    // obtain violation report
    var reportObj = JSON.parse(
          NetUtil.readInputStreamToString(
            request.bodyInputStream,
            request.bodyInputStream.available()));

    // dump("GOT REPORT:\n" + JSON.stringify(reportObj) + "\n");
    // dump("TESTPATH:    " + testpath + "\n");
    // dump("EXPECTED:  \n" + JSON.stringify(expectedJSON) + "\n\n");

    for (var i in expectedJSON)
      Assert.equal(expectedJSON[i], reportObj['csp-report'][i]);

    testsToFinish--;
    httpServer.registerPathHandler(testpath, null);
    if (testsToFinish < 1)
      httpServer.stop(do_test_finished);
    else
      do_test_finished();
  };
}

/**
 * Everything created by this assumes it will cause a report.  If you want to
 * add a test here that will *not* cause a report to go out, you're gonna have
 * to make sure the test cleans up after itself.
 */
function makeTest(id, expectedJSON, useReportOnlyPolicy, callback) {
  testsToFinish++;
  do_test_pending();

  // set up a new CSP instance for each test.
  var csp = Cc["@mozilla.org/cspcontext;1"]
              .createInstance(Ci.nsIContentSecurityPolicy);
  var policy = "default-src 'none' 'report-sample'; " +
               "report-uri " + REPORT_SERVER_URI +
                               ":" + REPORT_SERVER_PORT +
                               "/test" + id;
  var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
                               ":" + REPORT_SERVER_PORT +
                               "/foo/self");

  dump("Created test " + id + " : " + policy + "\n\n");

  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
              .getService(Ci.nsIScriptSecurityManager);
  principal = ssm.createCodebasePrincipal(selfuri, {});
  csp.setRequestContext(null, principal);

  // Load up the policy
  // set as report-only if that's the case
  csp.appendPolicy(policy, useReportOnlyPolicy, false);

  // prime the report server
  var handler = makeReportHandler("/test" + id, "Test " + id, expectedJSON);
  httpServer.registerPathHandler("/test" + id, handler);

  //trigger the violation
  callback(csp);
}

function run_test() {
  var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
                               ":" + REPORT_SERVER_PORT +
                               "/foo/self");

  // test that inline script violations cause a report.
  makeTest(0, {"blocked-uri": "inline"}, false,
      function(csp) {
        let inlineOK = true;
        inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
                                       "", // aNonce
                                       false, // aParserCreated
                                       null, // aTriggeringElement
                                       "", // aContentOfPseudoScript
                                       0, // aLineNumber
                                       0); // aColumnNumber

        // this is not a report only policy, so it better block inline scripts
        Assert.ok(!inlineOK);
      });

  // test that eval violations cause a report.
  makeTest(1, {"blocked-uri": "eval",
               // JSON script-sample is UTF8 encoded
               "script-sample" : "\xc2\xa3\xc2\xa5\xc2\xb5\xe5\x8c\x97\xf0\xa0\x9d\xb9",
               "line-number": 1,
               "column-number": 2}, false,
      function(csp) {
        let evalOK = true, oReportViolation = {'value': false};
        evalOK = csp.getAllowsEval(oReportViolation);

        // this is not a report only policy, so it better block eval
        Assert.ok(!evalOK);
        // ... and cause reports to go out
        Assert.ok(oReportViolation.value);

        if (oReportViolation.value) {
          // force the logging, since the getter doesn't.
          csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_EVAL,
                                  null, // aTriggeringElement
                                  selfuri.asciiSpec,
                                  // sending UTF-16 script sample to make sure
                                  // csp report in JSON is not cut-off, please
                                  // note that JSON is UTF8 encoded.
                                  "\u00a3\u00a5\u00b5\u5317\ud841\udf79",
                                  1, // line number
                                  2); // column number
        }
      });

  makeTest(2, {"blocked-uri": "http://blocked.test/foo.js"}, false,
      function(csp) {
        // shouldLoad creates and sends out the report here.
        csp.shouldLoad(Ci.nsIContentPolicy.TYPE_SCRIPT,
                      NetUtil.newURI("http://blocked.test/foo.js"),
                      null, null, null, null, true);
      });

  // test that inline script violations cause a report in report-only policy
  makeTest(3, {"blocked-uri": "inline"}, true,
      function(csp) {
        let inlineOK = true;
        inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
                                       "", // aNonce
                                       false, // aParserCreated
                                       null, // aTriggeringElement
                                       "", // aContentOfPseudoScript
                                       0, // aLineNumber
                                       0); // aColumnNumber

        // this is a report only policy, so it better allow inline scripts
        Assert.ok(inlineOK);
      });

  // test that eval violations cause a report in report-only policy
  makeTest(4, {"blocked-uri": "inline"}, true,
      function(csp) {
        let evalOK = true, oReportViolation = {'value': false};
        evalOK = csp.getAllowsEval(oReportViolation);

        // this is a report only policy, so it better allow eval
        Assert.ok(evalOK);
        // ... but still cause reports to go out
        Assert.ok(oReportViolation.value);

        if (oReportViolation.value) {
          // force the logging, since the getter doesn't.
          csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
                                  null, // aTriggeringElement
                                  selfuri.asciiSpec,
                                  "script sample",
                                  4, // line number
                                  5); // column number
        }
      });

  // test that only the uri's scheme is reported for globally unique identifiers
  makeTest(5, {"blocked-uri": "data"}, false,
    function(csp) {
      var base64data =
        "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
        "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==";
      // shouldLoad creates and sends out the report here.
      csp.shouldLoad(Ci.nsIContentPolicy.TYPE_IMAGE,
                     NetUtil.newURI("data:image/png;base64," + base64data),
                     null, null, null, null, true);
      });

  // test that only the uri's scheme is reported for globally unique identifiers
  makeTest(6, {"blocked-uri": "intent"}, false,
    function(csp) {
      // shouldLoad creates and sends out the report here.
      csp.shouldLoad(Ci.nsIContentPolicy.TYPE_SUBDOCUMENT,
                     NetUtil.newURI("intent://mymaps.com/maps?um=1&ie=UTF-8&fb=1&sll"),
                     null, null, null, null, true);
      });

  // test fragment removal
  var selfSpec = REPORT_SERVER_URI + ":" + REPORT_SERVER_PORT + "/foo/self/foo.js";
  makeTest(7, {"blocked-uri": selfSpec}, false,
    function(csp) {
      var uri = NetUtil
      // shouldLoad creates and sends out the report here.
      csp.shouldLoad(Ci.nsIContentPolicy.TYPE_SCRIPT,
                     NetUtil.newURI(selfSpec + "#bar"),
                     null, null, null, null, true);
      });

  // test scheme of ftp:
  makeTest(8, {"blocked-uri": "ftp://blocked.test/profile.png"}, false,
    function(csp) {
      // shouldLoad creates and sends out the report here.
      csp.shouldLoad(Ci.nsIContentPolicy.TYPE_SCRIPT,
                    NetUtil.newURI("ftp://blocked.test/profile.png"),
                    null, null, null, null, true);
    });
}