зеркало из https://github.com/mozilla/gecko-dev.git
Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected (r=sstamm)
This commit is contained in:
Christoph Kerschbaumer
Родитель
28c2c8db86
Коммит
a7a59cdd3d
|
|
@ -0,0 +1,9 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected</title>
|
||||
</head>
|
||||
<body>
|
||||
<script src="file_worker_redirect.sjs?stage_0_script_loads_worker"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
// testserver customized for the needs of:
|
||||
// Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected
|
||||
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
response.setHeader("Content-Type", "text/html", false);
|
||||
|
||||
var query = request.queryString;
|
||||
|
||||
if (query === "stage_0_script_loads_worker") {
|
||||
var newWorker =
|
||||
"var myWorker = new Worker(\"file_worker_redirect.sjs?stage_1_worker_import_scripts\");" +
|
||||
"myWorker.onmessage = function (event) { parent.checkResult(\"allowed\"); };" +
|
||||
"myWorker.onerror = function (event) { parent.checkResult(\"blocked\"); };";
|
||||
response.write(newWorker);
|
||||
return;
|
||||
}
|
||||
|
||||
if (query === "stage_1_worker_import_scripts") {
|
||||
response.write("importScripts(\"file_worker_redirect.sjs?stage_2_redirect_imported_script\");");
|
||||
return;
|
||||
}
|
||||
|
||||
if (query === "stage_2_redirect_imported_script") {
|
||||
var newLocation =
|
||||
"http://test1.example.com/tests/dom/base/test/csp/file_worker_redirect.sjs?stage_3_target_script";
|
||||
response.setStatusLine("1.1", 302, "Found");
|
||||
response.setHeader("Location", newLocation, false);
|
||||
return;
|
||||
}
|
||||
|
||||
if (query === "stage_3_target_script") {
|
||||
response.write("postMessage(\"imported script loaded\");");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
|
@ -101,6 +101,8 @@ support-files =
|
|||
file_multi_policy_injection_bypass_2.html
|
||||
file_multi_policy_injection_bypass_2.html^headers^
|
||||
file_form-action.html
|
||||
file_worker_redirect.html
|
||||
file_worker_redirect.sjs
|
||||
|
||||
[test_base-uri.html]
|
||||
[test_connect-src.html]
|
||||
|
|
@ -147,3 +149,4 @@ skip-if = buildapp == 'b2g' # intermittent orange (bug 1028490)
|
|||
[test_subframe_run_js_if_allowed.html]
|
||||
[test_leading_wildcard.html]
|
||||
[test_multi_policy_injection_bypass.html]
|
||||
[test_worker_redirect.html]
|
||||
|
|
|
|||
|
|
@ -0,0 +1,76 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 949706 - CSP: Correct handling of web workers importing scripts that get redirected</title>
|
||||
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<div id="content" style="visibility: hidden">
|
||||
<iframe style="width:100%;" id="testframe"></iframe>
|
||||
</div>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
/* Description of the test:
|
||||
* We load a page that loads a script which then instantiates a web worker,
|
||||
* where that web worker then imports a script which gets redirected.
|
||||
* We verify that the CSP applies correctly after the imported script of
|
||||
* the worker gets redirected. More specifically, the test works as follows:
|
||||
*
|
||||
* test_worker_redirect.html
|
||||
* -> loads file_worker_redirect.html file into iframe
|
||||
* -> loads worker file_worker_redirect.sjs?stage_0_script_loads_worker
|
||||
* -> creates script file_worker_redirect.sjs?stage_1_worker_import_scripts
|
||||
* -> redirects script file_worker_redirect.sjs?stage_2_redirect_imported_script
|
||||
* -> loads target script file_worker_redirect.sjs?stage_3_target_script
|
||||
*
|
||||
* Please note that we have to use 'unsafe-eval' in the policy
|
||||
* so that workers are actually permitted by the CSP.
|
||||
*
|
||||
* The main test is loaded using:
|
||||
* http://mochi.test:8888
|
||||
* where the imported script gets redirected to:
|
||||
* http://test1.example.com
|
||||
*/
|
||||
|
||||
var tests = [
|
||||
{
|
||||
policy: "default-src 'self'; script-src 'self' 'unsafe-eval' http://test1.example.com;",
|
||||
expected: "allowed"
|
||||
},
|
||||
{
|
||||
policy: "default-src 'self'; script-src 'self' 'unsafe-eval';",
|
||||
expected: "blocked",
|
||||
},
|
||||
];
|
||||
|
||||
var counter = 0;
|
||||
var curTest;
|
||||
|
||||
function checkResult(aResult) {
|
||||
is(aResult, curTest.expected, "Should be (" + curTest.expected + ") in Test " + counter + "!");
|
||||
loadNextTest();
|
||||
}
|
||||
|
||||
function loadNextTest() {
|
||||
if (counter == tests.length) {
|
||||
SimpleTest.finish();
|
||||
return;
|
||||
}
|
||||
curTest = tests[counter++];
|
||||
var src = "file_csp_testserver.sjs";
|
||||
// append the file that should be served
|
||||
src += "?file=" + escape("tests/dom/base/test/csp/file_worker_redirect.html");
|
||||
// append the CSP that should be used to serve the file
|
||||
src += "&csp=" + escape(curTest.policy);
|
||||
document.getElementById("testframe").src = src;
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
loadNextTest();
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
Загрузка…
Ссылка в новой задаче