зеркало из https://github.com/mozilla/gecko-dev.git
Backed out changeset d63424e06b3e (bug 916446) for failing on b2g
This commit is contained in:
Родитель
a88fbd9517
Коммит
369eceb552
|
@ -243,8 +243,6 @@ CSPRep.ALLOW_DIRECTIVE = "allow";
|
|||
* while the policy-uri is asynchronously fetched
|
||||
* @param csp (optional)
|
||||
* the CSP object to update once the policy has been fetched
|
||||
* @param reportOnly (optional)
|
||||
* whether or not this CSP is report-only (defaults to false)
|
||||
* @returns
|
||||
* an instance of CSPRep
|
||||
*/
|
||||
|
@ -482,8 +480,7 @@ CSPRep.fromString = function(aStr, self, docRequest, csp, reportOnly) {
|
|||
// directive to be present.
|
||||
if (!aCSPR._directives[SD.DEFAULT_SRC]) {
|
||||
cspWarn(aCSPR, CSPLocalizer.getStr("allowOrDefaultSrcRequired"));
|
||||
return CSPRep.fromString("default-src 'none'", selfUri, docRequest, csp,
|
||||
reportOnly);
|
||||
return CSPRep.fromString("default-src 'none'", selfUri);
|
||||
}
|
||||
return aCSPR;
|
||||
};
|
||||
|
@ -501,8 +498,6 @@ CSPRep.fromString = function(aStr, self, docRequest, csp, reportOnly) {
|
|||
* while the policy-uri is asynchronously fetched
|
||||
* @param csp (optional)
|
||||
* the CSP object to update once the policy has been fetched
|
||||
* @param reportOnly (optional)
|
||||
* whether or not this CSP is report-only (defaults to false)
|
||||
* @returns
|
||||
* an instance of CSPRep
|
||||
*/
|
||||
|
|
|
@ -97,9 +97,6 @@ MOCHITEST_FILES := \
|
|||
file_bug836922_npolicies.html^headers^ \
|
||||
file_bug836922_npolicies_violation.sjs \
|
||||
file_bug836922_npolicies_ro_violation.sjs \
|
||||
test_CSP_bug916446.html \
|
||||
file_CSP_bug916446.html \
|
||||
file_CSP_bug916446.html^headers^ \
|
||||
$(NULL)
|
||||
|
||||
MOCHITEST_CHROME_FILES := \
|
||||
|
|
|
@ -1,16 +0,0 @@
|
|||
<!doctype html>
|
||||
<html>
|
||||
<body>
|
||||
<ol>
|
||||
<li id="inline-script">Inline script (green if allowed, black if blocked)</li>
|
||||
</ol>
|
||||
|
||||
<script>
|
||||
// Use inline script to set a style attribute
|
||||
document.getElementById("inline-script").style.color = "rgb(0, 128, 0)";
|
||||
</script>
|
||||
|
||||
<img src="file_CSP.sjs?testid=img_bad&type=img/png"></img>
|
||||
|
||||
</body>
|
||||
</html>
|
|
@ -1 +0,0 @@
|
|||
x-content-security-policy-report-only: options eval-script; script-src 'self' ; report-uri /csp_report
|
|
@ -1,118 +0,0 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test for Bug 916446</title>
|
||||
<!--
|
||||
test that an invalid report-only policy (a stripped down version of what
|
||||
web.tweetdeck.com was serving) defaults to "default-src 'none'" but only
|
||||
sends reports and is not accidentally enforced
|
||||
-->
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<iframe style="width:200px;height:200px;" id='testframe'></iframe>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
function examiner() {
|
||||
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
|
||||
SpecialPowers.addObserver(this, "http-on-modify-request", false);
|
||||
}
|
||||
examiner.prototype = {
|
||||
completedTests: 0,
|
||||
totalTests: 4,
|
||||
|
||||
observe: function(subject, topic, data) {
|
||||
// subject should be an nsURI, and should be either allowed or blocked.
|
||||
if (!SpecialPowers.can_QI(subject))
|
||||
return;
|
||||
|
||||
var testpat = new RegExp("testid=([a-z0-9_]+)");
|
||||
|
||||
if (topic === "http-on-modify-request") {
|
||||
//these things were allowed by CSP
|
||||
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
|
||||
if (!testpat.test(asciiSpec)) return;
|
||||
var testid = testpat.exec(asciiSpec)[1];
|
||||
if (testid === "img_bad") {
|
||||
// img_bad should be *allowed* because the policy is report-only
|
||||
ok(true, "Inline scripts should execute (because the policy is report-only)");
|
||||
this.completedTests++;
|
||||
}
|
||||
}
|
||||
|
||||
if(topic === "csp-on-violate-policy") {
|
||||
// these were blocked
|
||||
try {
|
||||
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
|
||||
if (!testpat.test(asciiSpec)) return;
|
||||
var testid = testpat.exec(asciiSpec)[1];
|
||||
if (testid === "img_bad") {
|
||||
ok(true, "External loads should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
|
||||
this.completedTests++;
|
||||
}
|
||||
} catch (e) {
|
||||
// if that fails, the subject is probably a string
|
||||
violation_msg = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
|
||||
if (/Inline Scripts will not execute/.test(violation_msg)) {
|
||||
ok(true, "Inline scripts should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
|
||||
this.completedTests++;
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
// must eventually call this to remove the listener,
|
||||
// or mochitests might get borked.
|
||||
remove: function() {
|
||||
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
|
||||
SpecialPowers.removeObserver(this, "http-on-modify-request");
|
||||
}
|
||||
}
|
||||
|
||||
window.examiner = new examiner();
|
||||
|
||||
function checkInlineScriptExecuted() {
|
||||
var green = 'rgb(0, 128, 0)';
|
||||
var black = 'rgb(0, 0, 0)';
|
||||
var that = this;
|
||||
function getElementColorById(id) {
|
||||
return window.getComputedStyle(that.contentDocument.getElementById(id)).color;
|
||||
}
|
||||
if (getElementColorById('inline-script') === green) {
|
||||
ok(true, "Inline scripts should execute (because the policy is report-only)");
|
||||
window.examiner.completedTests++;
|
||||
}
|
||||
|
||||
waitToFinish();
|
||||
}
|
||||
|
||||
function waitToFinish() {
|
||||
setTimeout(function wait() {
|
||||
if (window.examiner.completedTests < window.examiner.totalTests) {
|
||||
waitToFinish();
|
||||
} else {
|
||||
// Cleanup
|
||||
window.examiner.remove();
|
||||
SimpleTest.finish();
|
||||
}
|
||||
}, 10);
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", false]]},
|
||||
function() {
|
||||
var testframe = document.getElementById('testframe');
|
||||
testframe.src = 'file_CSP_bug916446.html';
|
||||
testframe.addEventListener('load', checkInlineScriptExecuted);
|
||||
}
|
||||
);
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
Загрузка…
Ссылка в новой задаче