Bug 1100181 - CSP: Enforce connect-src when submitting pings. r=arroway
This commit is contained in:
Родитель
b8eb7f0a9e
Коммит
25f6f710d7
@ -163,6 +163,7 @@ CSP_ContentTypeToDirective(nsContentPolicyType aType)
|
|||
case nsIContentPolicy::TYPE_WEBSOCKET:
|
||||
case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
|
||||
case nsIContentPolicy::TYPE_BEACON:
|
||||
case nsIContentPolicy::TYPE_PING:
|
||||
case nsIContentPolicy::TYPE_FETCH:
|
||||
return nsIContentSecurityPolicy::CONNECT_SRC_DIRECTIVE;
|
||||
|
||||
|
@ -171,7 +172,6 @@ CSP_ContentTypeToDirective(nsContentPolicyType aType)
|
|||
return nsIContentSecurityPolicy::OBJECT_SRC_DIRECTIVE;
|
||||
|
||||
case nsIContentPolicy::TYPE_XBL:
|
||||
case nsIContentPolicy::TYPE_PING:
|
||||
case nsIContentPolicy::TYPE_DTD:
|
||||
case nsIContentPolicy::TYPE_OTHER:
|
||||
return nsIContentSecurityPolicy::DEFAULT_SRC_DIRECTIVE;
|
||||
|
|
|
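Review bot: The connect-src case group in the first hunk gains TYPE_PING with no comment recording why hyperlink auditing was moved out of the default-src fallback group, so the next reader has to go to blame to learn it was deliberate; a one-line comment such as `// TYPE_PING: <a ping> requests are governed by connect-src (bug 1100181)` on the new case line would fix that. The second hunk only drops the old default-src mapping and needs nothing further. CSP_ContentTypeToDirective starts before and ends after both hunks.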
@ -0,0 +1,19 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 1100181 - CSP: Enforce connect-src when submitting pings</title>
|
||||
</head>
|
||||
<body>
|
||||
<!-- we are using an image for the test, but can be anything -->
|
||||
<a id="testlink"
|
||||
href="http://mochi.test:8888/tests/image/test/mochitest/blue.png"
|
||||
ping="http://mochi.test:8888/tests/image/test/mochitest/blue.png?send-ping">
|
||||
Send ping
|
||||
</a>
|
||||
|
||||
<script type="text/javascript">
|
||||
var link = document.getElementById("testlink");
|
||||
link.click();
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
|
@ -162,6 +162,7 @@ support-files =
|
|||
file_form_action_server.sjs
|
||||
!/image/test/mochitest/blue.png
|
||||
file_meta_whitespace_skipping.html
|
||||
file_ping.html
|
||||
|
||||
[test_base-uri.html]
|
||||
[test_blob_data_schemes.html]
|
||||
|
@ -248,3 +249,4 @@ tags = mcb
|
|||
tags = mcb
|
||||
[test_form_action_blocks_url.html]
|
||||
[test_meta_whitespace_skipping.html]
|
||||
[test_ping.html]
|
||||
|
|
|
@ -0,0 +1,103 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 1100181 - CSP: Enforce connect-src when submitting pings</title>
|
||||
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<iframe style="width:100%;" id="testframe"></iframe>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
/*
|
||||
* Description of the test:
|
||||
* We load a page with a given CSP and verify that hyperlink auditing
|
||||
* is correctly evaluated through the "connect-src" directive.
|
||||
*/
|
||||
|
||||
// Need to pref hyperlink auditing on since it's disabled by default.
|
||||
SpecialPowers.setBoolPref("browser.send_pings", true);
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
var tests = [
|
||||
{
|
||||
result : "allowed",
|
||||
policy : "connect-src 'self'"
|
||||
},
|
||||
{
|
||||
result : "blocked",
|
||||
policy : "connect-src 'none'"
|
||||
}
|
||||
];
|
||||
|
||||
// initializing to -1 so we start at index 0 when we start the test
|
||||
var counter = -1;
|
||||
|
||||
function checkResult(aResult) {
|
||||
is(aResult, tests[counter].result, "should be " + tests[counter].result + " in test " + counter + "!");
|
||||
loadNextTest();
|
||||
}
|
||||
|
||||
// We use the examiner to identify requests that hit the wire and requests
|
||||
// that are blocked by CSP and bubble up the result to the including iframe
|
||||
// document (parent).
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
observe: function(subject, topic, data) {
|
||||
if (topic === "specialpowers-http-notify-request") {
|
||||
// making sure we do not bubble a result for something
|
||||
// other then the request in question.
|
||||
if (!data.includes("send-ping")) {
|
||||
return;
|
||||
}
|
||||
checkResult("allowed");
|
||||
return;
|
||||
}
|
||||
|
||||
if (topic === "csp-on-violate-policy") {
|
||||
// making sure we do not bubble a result for something
|
||||
// other then the request in question.
|
||||
var asciiSpec = SpecialPowers.getPrivilegedProps(
|
||||
SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
|
||||
if (!asciiSpec.includes("send-ping")) {
|
||||
return;
|
||||
}
|
||||
checkResult("blocked");
|
||||
}
|
||||
},
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
|
||||
}
|
||||
}
|
||||
window.ConnectSrcExaminer = new examiner();
|
||||
|
||||
function loadNextTest() {
|
||||
counter++;
|
||||
if (counter == tests.length) {
|
||||
window.ConnectSrcExaminer.remove();
|
||||
SimpleTest.finish();
|
||||
return;
|
||||
}
|
||||
|
||||
var src = "file_testserver.sjs";
|
||||
// append the file that should be served
|
||||
src += "?file=" + escape("tests/dom/security/test/csp/file_ping.html");
|
||||
// append the CSP that should be used to serve the file
|
||||
src += "&csp=" + escape(tests[counter].policy);
|
||||
|
||||
document.getElementById("testframe").src = src;
|
||||
}
|
||||
|
||||
// start running the tests
|
||||
loadNextTest();
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
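Review bot: `SpecialPowers.setBoolPref("browser.send_pings", true)` near the top of the script sets the pref process-wide and nothing ever restores it, so hyperlink auditing stays enabled for every mochitest that runs after this one in the same session; replacing that line and the trailing `loadNextTest();` with `SpecialPowers.pushPrefEnv({"set": [["browser.send_pings", true]]}, loadNextTest);` scopes the pref to this test and still starts the run once the pref is applied. As a point of style, `escape(...)` in loadNextTest is the deprecated encoder and does not percent-encode `+` or `/`; `encodeURIComponent(...)` is the conventional choice for query values, and `counter == tests.length` would read better as `===`. The observer in the "allowed" branch only checks that some request whose URL contains "send-ping" reached the wire, which is sufficient here but worth a comment so it is not mistaken for a check that the request was a ping rather than a navigation.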