Bug 1825947 - Expand coverage of test_ext_dnr_system_restrictions.js r=rpl

Test-only change to expand coverage:
- Rules without "resourceTypes" do not block main frames by default.
  This was desirable because otherwise we could not be simulating
  fetch() requests from specified origins.
  However, it also meant that we lacked test coverage that verified
  that we wouldn't be blocking the main frame.
  Now we have that: dnr_ignores_css_import_at_restrictedDomains.

- While I am at it, I also added extra test coverage for the case
  where the triggering principal is NOT a restricted domain. While
  the implementation works as desired, there was no explicit test
  case for this scenario.

Differential Revision: https://phabricator.services.mozilla.com/D174503

toolkit/components/extensions/test/xpcshell/test_ext_dnr_system_restrictions.js

@@ -5,6 +5,16 @@ server.registerPathHandler("/", (req, res) => {
   res.setHeader("Access-Control-Allow-Origin", "*");
   res.write("response from server");
 });
+server.registerPathHandler("/style_with_import.css", (req, res) => {
+  res.setHeader("Content-Type", "text/css");
+  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.write("@import url('http://example.com/imported.css');");
+});
+server.registerPathHandler("/imported.css", (req, res) => {
+  res.setHeader("Content-Type", "text/css");
+  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.write("imported_stylesheet_here { }");
+});
 
 add_setup(() => {
   Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);
@@ -21,7 +31,18 @@ async function startDNRExtension() {
   let extension = ExtensionTestUtils.loadExtension({
     async background() {
       await browser.declarativeNetRequest.updateSessionRules({
-        addRules: [{ id: 1, condition: {}, action: { type: "block" } }],
+        addRules: [
+          {
+            id: 1,
+            condition: { resourceTypes: ["xmlhttprequest", "stylesheet"] },
+            action: { type: "block" },
+          },
+          {
+            id: 2,
+            condition: { urlFilter: "blockme", resourceTypes: ["main_frame"] },
+            action: { type: "block" },
+          },
+        ],
       });
       browser.test.sendMessage("dnr_registered");
     },
@@ -64,3 +85,61 @@ add_task(async function dnr_ignores_initiator_from_restrictedDomains() {
   );
   await extension.unload();
 });
+
+add_task(async function dnr_ignores_navigation_to_restrictedDomains() {
+  let extension = await startDNRExtension();
+  let contentPage = await ExtensionTestUtils.loadContentPage(
+    "http://restricted/?blockme"
+  );
+  await contentPage.spawn(null, () => {
+    const { document } = content;
+    Assert.equal(document.URL, "http://restricted/?blockme", "Same URL");
+    Assert.equal(document.body.textContent, "response from server", "body");
+  });
+  await contentPage.close();
+  await extension.unload();
+});
+
+add_task(async function dnr_ignores_css_import_at_restrictedDomains() {
+  // CSS @import have triggeringPrincipal set to the URL of the stylesheet,
+  // and the loadingPrincipal set to the web page. To verify that access is
+  // indeed being restricted as expected, confirm that none of the stylesheet
+  // requests are blocked by the DNR extension.
+  let extension = await startDNRExtension();
+  let contentPage = await ExtensionTestUtils.loadContentPage(
+    "http://restricted/"
+  );
+  await contentPage.spawn(null, async () => {
+    // Use wrappedJSObject so that all operations below are with the principal
+    // of the content instead of the system principal (from this ContentTask).
+    const { document } = content.wrappedJSObject;
+    const style = document.createElement("link");
+    style.rel = "stylesheet";
+    // Note: intentionally not at "http://restricted/" because we want to check
+    // that subresources from a restricted domain are ignored by DNR..
+    style.href = "http://example.com/style_with_import.css";
+    style.crossOrigin = "anonymous";
+    await new Promise(resolve => {
+      info("Waiting for style sheet to load...");
+      style.onload = resolve;
+      document.head.append(style);
+    });
+    const importRule = style.sheet.cssRules[0];
+    Assert.equal(
+      importRule?.cssText,
+      `@import url("http://example.com/imported.css");`,
+      "Not blocked by DNR: Loaded style_with_import.css"
+    );
+    // Waiving Xrays here because we cannot read cssRules despite CORS because
+    // that is not implemented for child stylesheets (loaded via @import):
+    // https://searchfox.org/mozilla-central/rev/55d5c4b9dffe5e59eb6b019c1a930ec9ada47e10/layout/style/Loader.cpp#2052
+    const importedStylesheet = Cu.unwaiveXrays(importRule.styleSheet);
+    Assert.equal(
+      importedStylesheet.cssRules[0]?.cssText,
+      "imported_stylesheet_here { }",
+      "Not blocked by DNR: Loaded import.css"
+    );
+  });
+  await contentPage.close();
+  await extension.unload();
+});