Bug 911547 - Test CSP enforcement in session-restored documents. r=ttaubert

--HG--
extra : rebase_source : a794cee6cc797f5acc67989bd17f755bae5ce0c3

browser/components/sessionstore/test/browser.ini

@@ -41,6 +41,8 @@ support-files =
   browser_597315_c2.html
   browser_662743_sample.html
   browser_739531_sample.html
+  browser_911547_sample.html
+  browser_911547_sample.html^headers^
 
 #NB: the following are disabled
 #  browser_464620_a.html
@@ -184,3 +186,4 @@ skip-if = os == "mac"
 [browser_625016.js]
 skip-if = os == "mac"
 
+[browser_911547.js]

browser/components/sessionstore/test/browser_911547.js

@@ -0,0 +1,70 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// This tests that session restore component does restore the right content
+// security policy with the document.
+// The policy being tested disallows inline scripts
+
+function test() {
+  TestRunner.run();
+}
+
+function runTests() {
+  // create a tab that has a CSP
+  let testURL = "http://mochi.test:8888/browser/browser/components/sessionstore/test/browser_911547_sample.html";
+  let tab = gBrowser.selectedTab = gBrowser.addTab(testURL);
+  gBrowser.selectedTab = tab;
+
+  let browser = tab.linkedBrowser;
+  yield waitForLoad(browser);
+
+  // this is a baseline to ensure CSP is active
+  // attempt to inject and run a script via inline (pre-restore, allowed)
+  injectInlineScript(browser,'document.getElementById("test_id").value = "fail";');
+  is(browser.contentDocument.getElementById("test_id").value, "ok",
+     "CSP should block the inline script that modifies test_id");
+
+  // attempt to click a link to a data: URI (will inherit the CSP of the
+  // origin document) and navigate to the data URI in the link.
+  browser.contentDocument.getElementById("test_data_link").click();
+  yield waitForLoad(browser);
+
+  is(browser.contentDocument.getElementById("test_id2").value, "ok",
+     "CSP should block the script loaded by the clicked data URI");
+
+  // close the tab
+  gBrowser.removeTab(tab);
+
+  // open new tab and recover the state
+  tab = ss.undoCloseTab(window, 0);
+  yield waitForTabRestored(tab);
+  browser = tab.linkedBrowser;
+
+  is(browser.contentDocument.getElementById("test_id2").value, "ok",
+     "CSP should block the script loaded by the clicked data URI after restore");
+
+  // clean up
+  gBrowser.removeTab(tab);
+}
+
+function waitForLoad(aElement) {
+  aElement.addEventListener("load", function onLoad() {
+    aElement.removeEventListener("load", onLoad, true);
+    executeSoon(next);
+  }, true);
+}
+
+function waitForTabRestored(aElement) {
+  aElement.addEventListener("SSTabRestored", function tabRestored(e) {
+    aElement.removeEventListener("SSTabRestored", tabRestored, true);
+    executeSoon(next);
+  }, true);
+}
+
+// injects an inline script element (with a text body)
+function injectInlineScript(browser, scriptText) {
+  let scriptElt = browser.contentDocument.createElement("script");
+  scriptElt.type = 'text/javascript';
+  scriptElt.text = scriptText;
+  browser.contentDocument.body.appendChild(scriptElt);
+}

browser/components/sessionstore/test/browser_911547_sample.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Test 911547</title>
+  </head>
+<body>
+
+  <!--
+   this element gets modified by an injected script;
+   that script should be blocked by CSP.
+   Inline scripts can modify it, but not data uris.
+  -->
+  <input type="text" id="test_id" value="ok">
+
+  <a id="test_data_link" href="data:text/html,<input type='text' id='test_id2' value='ok'/> <script>document.getElementById('test_id2').value = 'fail';</script>">Test Link</a>
+
+</body>
+</html>

browser/components/sessionstore/test/browser_911547_sample.html^headers^

@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self'