Bug 1048048 - add preload content policy types - tests (r=dveditz)

CLOSED TREE

--HG--
extra : source : 02c6d6aef163530bafee0d39761f18ca3aa1f40c
extra : amend_source : bff4f1c8ed0fe42addb24774b8c6dd89fe2c7905

dom/security/test/csp/file_report_for_import.css

@@ -0,0 +1 @@
+@import url("http://example.com/tests/dom/security/test/csp/file_report_for_import_server.sjs?stylesheet");

dom/security/test/csp/file_report_for_import.html

@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Bug 1048048 - Test sending csp-report when using import in css</title>
+    <link rel="stylesheet" type="text/css" href="file_report_for_import.css">
+  </head>
+  <body>
+  empty body, just testing @import in the included css for bug 1048048
+</body>
+</html>

dom/security/test/csp/file_report_for_import_server.sjs

@@ -0,0 +1,49 @@
+// Custom *.sjs file specifically for the needs of Bug:
+// Bug 1048048 - CSP violation report not sent for @import
+
+const CC = Components.Constructor;
+const BinaryInputStream = CC("@mozilla.org/binaryinputstream;1",
+                             "nsIBinaryInputStream",
+                             "setInputStream");
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+  var queryString = request.queryString;
+
+  // (1) lets process the queryresult request async and
+  // wait till we have received the image request.
+  if (queryString === "queryresult") {
+    response.processAsync();
+    setObjectState("queryResult", response);
+    return;
+  }
+
+  // (2) handle the csp-report and return the JSON back to
+  // the testfile using the afore stored xml request in (1).
+  if (queryString === "report") {
+    getObjectState("queryResult", function(queryResponse) {
+      if (!queryResponse) {
+        return;
+      }
+
+      // send the report back to the XML request for verification
+      var report = new BinaryInputStream(request.bodyInputStream);
+      var avail;
+      var bytes = [];
+      while ((avail = report.available()) > 0) {
+        Array.prototype.push.apply(bytes, report.readByteArray(avail));
+      }
+      var data = String.fromCharCode.apply(null, bytes);
+      queryResponse.bodyOutputStream.write(data, data.length);
+      queryResponse.finish();
+    });
+    return;
+  }
+
+  // we should not get here ever, but just in case return
+  // something unexpected.
+  response.write("doh!");
+}

dom/security/test/csp/mochitest.ini

@@ -127,6 +127,9 @@ support-files =
   file_upgrade_insecure_referrer_server.sjs
   file_upgrade_insecure_cors.html
   file_upgrade_insecure_cors_server.sjs
+  file_report_for_import.css
+  file_report_for_import.html
+  file_report_for_import_server.sjs
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -191,5 +194,6 @@ skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolk
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
 [test_upgrade_insecure_cors.html]
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
+[test_report_for_import.html]
 [test_blocked_uri_in_reports.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)

dom/security/test/csp/test_report_for_import.html

@@ -0,0 +1,112 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=548193
+-->
+<head>
+  <title>Test for Bug 548193</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<script class="testbody" type="text/javascript">
+
+/*
+ * Description of the test:
+ * We are loading a stylesheet using a csp policy that only allows styles from 'self'
+ * to be loaded. In other words, the *.css file itself should be allowed to load, but
+ * the @import file within the CSS should get blocked. We verify that the generated
+ * csp-report is sent and contains all the expected values.
+ * In detail, the test starts by sending an XHR request to the report-server
+ * which waits on the server side till the report was received and hands the
+ * report in JSON format back to the testfile which then verifies accuracy
+ * of all the different report fields in the CSP report.
+ */
+
+const TEST_FILE = "tests/dom/security/test/csp/file_report_for_import.html";
+const REPORT_URI =
+  "http://mochi.test:8888/tests/dom/security/test/csp/file_report_for_import_server.sjs?report";
+const POLICY = "style-src 'self'; report-uri " + REPORT_URI;
+
+const DOC_URI =
+  "http://mochi.test:8888/tests/dom/security/test/csp/file_testserver.sjs?" +
+  "file=tests/dom/security/test/csp/file_report_for_import.html&" +
+  "csp=style-src%20%27self%27%3B%20" +
+  "report-uri%20http%3A//mochi.test%3A8888/tests/dom/security/test/csp/" +
+  "file_report_for_import_server.sjs%3Freport";
+
+function checkResults(reportStr) {
+  try {
+    var reportObj = JSON.parse(reportStr);
+    var cspReport = reportObj["csp-report"];
+
+    is(cspReport["document-uri"], DOC_URI, "Incorrect document-uri");
+    is(cspReport["referrer"],
+       "http://mochi.test:8888/tests/dom/security/test/csp/test_report_for_import.html",
+       "Incorrect referrer");
+    is(cspReport["violated-directive"],
+       "style-src http://mochi.test:8888",
+       "Incorrect violated-directive");
+    is(cspReport["original-policy"],
+       "style-src http://mochi.test:8888; report-uri " +
+       "http://mochi.test:8888/tests/dom/security/test/csp/file_report_for_import_server.sjs?report",
+       "Incorrect original-policy");
+    is(cspReport["blocked-uri"],
+       "http://example.com/tests/dom/security/test/csp/file_report_for_import_server.sjs?stylesheet",
+       "Incorrect blocked-uri");
+
+    // we do not always set the following fields
+    is(cspReport["source-file"], undefined, "Incorrect source-file");
+    is(cspReport["script-sample"], undefined, "Incorrect script-sample");
+    is(cspReport["line-number"], undefined, "Incorrect line-number");
+  }
+  catch (e) {
+    ok(false, "Could not parse JSON (exception: " + e + ")");
+  }
+}
+
+function loadTestPageIntoFrame() {
+  // load the resource which will generate a CSP violation report
+  // save this for last so that our listeners are registered.
+  var src = "file_testserver.sjs";
+  // append the file that should be served
+  src += "?file=" + escape(TEST_FILE);
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(POLICY);
+  // appending a fragment so we can test that it's correctly stripped
+  // for document-uri and source-file.
+  src += "#foo";
+  document.getElementById("cspframe").src = src;
+}
+
+function runTest() {
+  // send an xhr request to the server which is processed async, which only
+  // returns after the server has received the csp report.
+  var myXHR = new XMLHttpRequest();
+  myXHR.open("GET", "file_report_for_import_server.sjs?queryresult");
+  myXHR.onload = function(e) {
+    checkResults(myXHR.responseText);
+    SimpleTest.finish();
+  }
+  myXHR.onerror = function(e) {
+    ok(false, "could not query results from server (" + e.message + ")");
+    SimpleTest.finish();
+  }
+  myXHR.send();
+
+  // give it some time and run the testpage
+  SimpleTest.executeSoon(loadTestPageIntoFrame);
+}
+
+SimpleTest.waitForExplicitFinish();
+runTest();
+
+</script>
+</pre>
+</body>
+</html>