зеркало из https://github.com/mozilla/gecko-dev.git
Bug 988616 - Split CSP tests for CSP (1.0) and X-CSP, and update build system files r=sstamm r=ckerschb
This commit is contained in:
Родитель
39d6efd63d
Коммит
d9291168cd
|
@ -11,16 +11,7 @@ var thisSite = "http://mochi.test:8888";
|
|||
var otherSite = "http://example.com";
|
||||
var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
|
||||
|
||||
var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
|
||||
"frame-src": thisSite+page+"?testid=frame-src&csp=1",
|
||||
"img-src": thisSite+page+"?testid=img-src&csp=1",
|
||||
"media-src": thisSite+page+"?testid=media-src&csp=1",
|
||||
"object-src": thisSite+page+"?testid=object-src&csp=1",
|
||||
"script-src": thisSite+page+"?testid=script-src&csp=1",
|
||||
"style-src": thisSite+page+"?testid=style-src&csp=1",
|
||||
"worker": thisSite+page+"?testid=worker&csp=1",
|
||||
"xhr-src": thisSite+page+"?testid=xhr-src&csp=1",
|
||||
"font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
|
||||
var tests = { "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
|
||||
"frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
|
||||
"img-src-spec-compliant": thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
|
||||
"media-src-spec-compliant": thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
|
||||
|
|
|
@ -14,8 +14,8 @@ function handleRequest(request, response)
|
|||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
// set CSP header
|
||||
response.setHeader("X-Content-Security-Policy",
|
||||
"allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
|
||||
response.setHeader("Content-Security-Policy",
|
||||
"default-src 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
|
||||
false);
|
||||
|
||||
// content which will trigger a violation report
|
||||
|
|
|
@ -1 +1 @@
|
|||
X-Content-Security-Policy: default-src 'self', allow *
|
||||
Content-Security-Policy: default-src 'self', default-src *
|
||||
|
|
|
@ -1 +1 @@
|
|||
X-Content-Security-Policy: default-src 'self' , allow *
|
||||
X-Content-Security-Policy: default-src 'self' , default-src *
|
||||
|
|
|
@ -25,7 +25,7 @@ function handleRequest(request, response) {
|
|||
|
||||
var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
|
||||
|
||||
response.setHeader("X-Content-Security-Policy", csp, false);
|
||||
response.setHeader("Content-Security-Policy", csp, false);
|
||||
|
||||
// the actual file content.
|
||||
// this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
|
||||
|
|
|
@ -1 +1 @@
|
|||
X-Content-Security-Policy: default-src *; options inline-script
|
||||
Content-Security-Policy: default-src *; script-src 'unsafe-inline'
|
||||
|
|
|
@ -17,15 +17,9 @@ support-files =
|
|||
file_CSP_bug885433_blocks.html^headers^
|
||||
file_CSP_bug888172.html
|
||||
file_CSP_bug888172.sjs
|
||||
file_CSP_bug916446.html
|
||||
file_CSP_bug916446.html^headers^
|
||||
file_CSP_evalscript_main.html
|
||||
file_CSP_evalscript_main.html^headers^
|
||||
file_CSP_evalscript_main.js
|
||||
file_CSP_evalscript_main_allowed.js
|
||||
file_CSP_evalscript_main_allowed_getCRMFRequest.js
|
||||
file_CSP_evalscript_main_getCRMFRequest.html
|
||||
file_CSP_evalscript_main_getCRMFRequest.html^headers^
|
||||
file_CSP_evalscript_main_getCRMFRequest.js
|
||||
file_CSP_evalscript_main_spec_compliant.html
|
||||
file_CSP_evalscript_main_spec_compliant.html^headers^
|
||||
|
@ -38,32 +32,20 @@ support-files =
|
|||
file_CSP_evalscript_no_CSP_at_all.html
|
||||
file_CSP_evalscript_no_CSP_at_all.html^headers^
|
||||
file_CSP_evalscript_no_CSP_at_all.js
|
||||
file_CSP_frameancestors.sjs
|
||||
file_CSP_frameancestors_main.html
|
||||
file_CSP_frameancestors_main.js
|
||||
file_CSP_frameancestors_main_spec_compliant.html
|
||||
file_CSP_frameancestors_main_spec_compliant.js
|
||||
file_CSP_frameancestors_spec_compliant.sjs
|
||||
file_CSP_inlinescript_main.html
|
||||
file_CSP_inlinescript_main.html^headers^
|
||||
file_CSP_inlinescript_main_spec_compliant.html
|
||||
file_CSP_inlinescript_main_spec_compliant.html^headers^
|
||||
file_CSP_inlinescript_main_spec_compliant_allowed.html
|
||||
file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_inlinestyle_main.html
|
||||
file_CSP_inlinestyle_main.html^headers^
|
||||
file_CSP_inlinestyle_main_spec_compliant.html
|
||||
file_CSP_inlinestyle_main_spec_compliant.html^headers^
|
||||
file_CSP_inlinestyle_main_spec_compliant_allowed.html
|
||||
file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_main.html
|
||||
file_CSP_main.html^headers^
|
||||
file_CSP_main.js
|
||||
file_CSP_main_spec_compliant.html
|
||||
file_CSP_main_spec_compliant.html^headers^
|
||||
file_CSP_main_spec_compliant.js
|
||||
file_bothCSPheaders.html
|
||||
file_bothCSPheaders.html^headers^
|
||||
file_bug836922_npolicies.html
|
||||
file_bug836922_npolicies.html^headers^
|
||||
file_bug836922_npolicies_ro_violation.sjs
|
||||
|
@ -104,8 +86,6 @@ support-files =
|
|||
file_CSP_bug941404_xhr.html^headers^
|
||||
file_hash_source.html
|
||||
file_hash_source.html^headers^
|
||||
file_dual_headers_warning.html
|
||||
file_dual_headers_warning.html^headers^
|
||||
file_self_none_as_hostname_confusion.html
|
||||
file_self_none_as_hostname_confusion.html^headers^
|
||||
file_csp_testserver.sjs
|
||||
|
@ -114,8 +94,6 @@ support-files =
|
|||
file_report_uri_missing_in_report_only_header.html
|
||||
file_report_uri_missing_in_report_only_header.html^headers^
|
||||
file_csp_report.sjs
|
||||
file_policyuri_async_fetch.html
|
||||
file_policyuri_async_fetch.html^headers^
|
||||
file_redirect_content.sjs
|
||||
file_redirect_report.sjs
|
||||
file_subframe_run_js_if_allowed.html
|
||||
|
@ -130,7 +108,6 @@ support-files =
|
|||
[test_CSP_bug802872.html]
|
||||
[test_CSP_bug885433.html]
|
||||
[test_CSP_bug888172.html]
|
||||
[test_CSP_bug916446.html]
|
||||
[test_CSP_evalscript.html]
|
||||
[test_CSP_evalscript_getCRMFRequest.html]
|
||||
skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
|
||||
|
@ -138,7 +115,6 @@ skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) wi
|
|||
skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
|
||||
[test_CSP_inlinescript.html]
|
||||
[test_CSP_inlinestyle.html]
|
||||
[test_bothCSPheaders.html]
|
||||
[test_bug836922_npolicies.html]
|
||||
[test_bug886164.html]
|
||||
[test_csp_redirects.html]
|
||||
|
@ -149,14 +125,12 @@ skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'and
|
|||
[test_CSP_bug941404.html]
|
||||
[test_hash_source.html]
|
||||
skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
|
||||
[test_dual_headers_warning.html]
|
||||
[test_self_none_as_hostname_confusion.html]
|
||||
[test_bug949549.html]
|
||||
[test_csp_regexp_parsing.html]
|
||||
[test_report_uri_missing_in_report_only_header.html]
|
||||
[test_csp_report.html]
|
||||
skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
|
||||
[test_policyuri_async_fetch.html]
|
||||
[test_301_redirect.html]
|
||||
[test_302_redirect.html]
|
||||
[test_303_redirect.html]
|
||||
|
|
|
@ -10,30 +10,11 @@
|
|||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
|
||||
<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
// These are test results: -1 means it hasn't run,
|
||||
// true/false is the pass/fail result.
|
||||
window.tests = {
|
||||
img_good: -1,
|
||||
img_bad: -1,
|
||||
style_good: -1,
|
||||
style_bad: -1,
|
||||
frame_good: -1,
|
||||
frame_bad: -1,
|
||||
script_good: -1,
|
||||
script_bad: -1,
|
||||
xhr_good: -1,
|
||||
xhr_bad: -1,
|
||||
media_good: -1,
|
||||
media_bad: -1,
|
||||
font_good: -1,
|
||||
font_bad: -1,
|
||||
object_good: -1,
|
||||
object_bad: -1,
|
||||
img_spec_compliant_good: -1,
|
||||
img_spec_compliant_bad: -1,
|
||||
style_spec_compliant_good: -1,
|
||||
|
@ -130,8 +111,7 @@ SpecialPowers.pushPrefEnv(
|
|||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
|
||||
document.getElementById('cspframe').src = 'file_CSP_main_spec_compliant.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -11,14 +11,11 @@
|
|||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var evalScriptsThatRan = 0;
|
||||
var evalScriptsBlocked = 0;
|
||||
var evalScriptsTotal = 24;
|
||||
var evalScriptsTotal = 16;
|
||||
|
||||
// called by scripts that run
|
||||
var scriptRan = function(shouldrun, testname, data) {
|
||||
|
@ -54,10 +51,8 @@ SpecialPowers.pushPrefEnv(
|
|||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
|
||||
// document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -12,14 +12,13 @@
|
|||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var evalScriptsThatRan = 0;
|
||||
var evalScriptsBlocked = 0;
|
||||
var evalScriptsTotal = 4;
|
||||
var evalScriptsTotal = 3;
|
||||
|
||||
// called by scripts that run
|
||||
var scriptRan = function(shouldrun, testname, data) {
|
||||
|
@ -54,10 +53,9 @@ SpecialPowers.pushPrefEnv(
|
|||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
|
||||
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
|
||||
document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
|
||||
document.getElementById('cspframe3').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -10,24 +10,11 @@
|
|||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
// These are test results: -1 means it hasn't run,
|
||||
// true/false is the pass/fail result.
|
||||
var framesThatShouldLoad = {
|
||||
aa_allow: -1, /* innermost frame allows a */
|
||||
//aa_block: -1, /* innermost frame denies a */
|
||||
ab_allow: -1, /* innermost frame allows a */
|
||||
//ab_block: -1, /* innermost frame denies a */
|
||||
aba_allow: -1, /* innermost frame allows b,a */
|
||||
//aba_block: -1, /* innermost frame denies b */
|
||||
//aba2_block: -1, /* innermost frame denies a */
|
||||
abb_allow: -1, /* innermost frame allows b,a */
|
||||
//abb_block: -1, /* innermost frame denies b */
|
||||
//abb2_block: -1, /* innermost frame denies a */
|
||||
aa_allow_spec_compliant: -1, /* innermost frame allows a *
|
||||
//aa_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
ab_allow_spec_compliant: -1, /* innermost frame allows a */
|
||||
|
@ -40,7 +27,7 @@ var framesThatShouldLoad = {
|
|||
//abb2_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
};
|
||||
|
||||
var expectedViolationsLeft = 12;
|
||||
var expectedViolationsLeft = 6;
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
|
@ -126,8 +113,7 @@ SpecialPowers.pushPrefEnv(
|
|||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
|
||||
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main_spec_compliant.html';
|
||||
});
|
||||
|
||||
</script>
|
||||
|
|
|
@ -11,16 +11,13 @@
|
|||
<div id="content" style="display: none">
|
||||
</div>
|
||||
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var inlineScriptsThatRan = 0;
|
||||
var inlineScriptsBlocked = 0;
|
||||
var inlineScriptsTotal = 12;
|
||||
var inlineScriptsTotal = 8;
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
|
@ -79,8 +76,8 @@ var checkTestResults = function() {
|
|||
// The four scripts in the page with 'unsafe-inline' should run.
|
||||
is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
|
||||
|
||||
// The other eight scripts in the other two pages should be blocked.
|
||||
is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
|
||||
// The four scripts in the other page should be blocked.
|
||||
is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
|
||||
|
||||
// ... otherwise, finish
|
||||
window.examiner.remove();
|
||||
|
@ -92,10 +89,10 @@ var checkTestResults = function() {
|
|||
window.examiner = new examiner();
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
function clickit() {
|
||||
var cspframe = document.getElementById('cspframe');
|
||||
var a = cspframe.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
|
||||
function clickit1() {
|
||||
var cspframe1 = document.getElementById('cspframe1');
|
||||
var a = cspframe1.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe1.contentWindow);
|
||||
}
|
||||
|
||||
function clickit2() {
|
||||
|
@ -104,23 +101,15 @@ function clickit2() {
|
|||
sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
|
||||
}
|
||||
|
||||
function clickit3() {
|
||||
var cspframe3 = document.getElementById('cspframe3');
|
||||
var a = cspframe3.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
|
||||
}
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true]]},
|
||||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
|
||||
document.getElementById('cspframe').addEventListener('load', clickit, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe1').src = 'file_CSP_inlinescript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe1').addEventListener('load', clickit1, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe2').addEventListener('load', clickit2, false);
|
||||
document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe3').addEventListener('load', clickit3, false);
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -10,33 +10,68 @@
|
|||
<div id="content" style="display: none">
|
||||
</div>
|
||||
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// set up and go
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
var done = 0;
|
||||
|
||||
// Our original CSP implementation does not block inline styles.
|
||||
function checkStyles(evt) {
|
||||
var cspframe = document.getElementById('cspframe');
|
||||
// When a CSP 1.0 compliant policy is specified we should block inline
|
||||
// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
|
||||
// (when it's not explicitly allowed.)
|
||||
function checkStylesSpecCompliant(evt) {
|
||||
var cspframe = document.getElementById('cspframe1');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
//expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
|
||||
ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
|
||||
ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
|
||||
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
// When a CSP 1.0 compliant policy is specified we should allow inline
|
||||
// styles when it is explicitly allowed.
|
||||
function checkStylesSpecCompliantAllowed(evt) {
|
||||
var cspframe = document.getElementById('cspframe2');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
// expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
|
||||
// Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
|
||||
// since it relies on executing script to set .cssText
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
|
@ -46,72 +81,8 @@ function checkStyles(evt) {
|
|||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
// When a CSP 1.0 compliant policy is specified we should block inline
|
||||
// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
|
||||
// (when it's not explicitly allowed.)
|
||||
function checkStylesSpecCompliant(evt) {
|
||||
var cspframe = document.getElementById('cspframe2');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
//expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
|
||||
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
// When a CSP 1.0 compliant policy is specified we should allow inline
|
||||
// styles when it is explicitly allowed.
|
||||
function checkStylesSpecCompliantAllowed(evt) {
|
||||
var cspframe = document.getElementById('cspframe3');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
// expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
|
||||
// Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
|
||||
// since it relies on executing script to set .cssText
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
|
||||
|
||||
checkIfDone();
|
||||
|
@ -119,7 +90,7 @@ function checkStylesSpecCompliantAllowed(evt) {
|
|||
|
||||
function checkIfDone() {
|
||||
done++;
|
||||
if (done == 3)
|
||||
if (done == 2)
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
|
@ -128,12 +99,10 @@ SpecialPowers.pushPrefEnv(
|
|||
function() {
|
||||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
|
||||
document.getElementById('cspframe').addEventListener('load', checkStyles, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
|
||||
document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
|
||||
document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
|
||||
document.getElementById('cspframe1').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
|
||||
document.getElementById('cspframe1').addEventListener('load', checkStylesSpecCompliant, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliantAllowed, false);
|
||||
}
|
||||
);
|
||||
</script>
|
||||
|
|
|
@ -213,7 +213,8 @@ SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
|
|||
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
|
||||
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
|
||||
["security.mixed_content.block_active_content", false],
|
||||
["security.mixed_content.block_display_content", false]]},
|
||||
["security.mixed_content.block_display_content", false],
|
||||
["security.csp.speccompliant", true]]},
|
||||
function() { gTestRunner.next(); });
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=773891
|
||||
-->
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
|
@ -218,7 +218,8 @@ SpecialPowers.addPermission("browser", true, "https://example.com");
|
|||
|
||||
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
|
||||
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
|
||||
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
|
||||
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
|
||||
["security.csp.speccompliant", true]]},
|
||||
function() { gTestRunner.next(); });
|
||||
|
||||
|
||||
|
|
|
@ -68,25 +68,7 @@ examiner.prototype = {
|
|||
window.examiner = new examiner();
|
||||
|
||||
// contains { test_frame_id : expected_result }
|
||||
var testExpectedResults = { "font-src": true,
|
||||
"font-src-redir": false,
|
||||
"frame-src": true,
|
||||
"frame-src-redir": false,
|
||||
"img-src": true,
|
||||
"img-src-redir": false,
|
||||
"media-src": true,
|
||||
"media-src-redir": false,
|
||||
"object-src": true,
|
||||
"object-src-redir": false,
|
||||
"script-src": true,
|
||||
"script-src-redir": false,
|
||||
"style-src": true,
|
||||
"style-src-redir": false,
|
||||
"worker": true,
|
||||
"worker-redir": false,
|
||||
"xhr-src": true,
|
||||
"xhr-src-redir": false,
|
||||
"font-src-spec-compliant": true,
|
||||
var testExpectedResults = { "font-src-spec-compliant": true,
|
||||
"font-src-redir-spec-compliant": false,
|
||||
"frame-src-spec-compliant": true,
|
||||
"frame-src-redir-spec-compliant": false,
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
TEST_TOOL_DIRS += [
|
||||
'csp',
|
||||
'xcsp',
|
||||
'websocket_hybi',
|
||||
]
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
}
|
||||
@font-face {
|
||||
font-family: "arbitrary_bad";
|
||||
src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
|
||||
src: url('http://example.org/tests/content/base/test/xcsp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
|
||||
}
|
||||
|
||||
.div_arbitrary_good { font-family: "arbitrary_good"; }
|
||||
|
|
|
@ -4,9 +4,9 @@ function setupFrames() {
|
|||
|
||||
var $ = function(v) { return document.getElementById(v); }
|
||||
var base = {
|
||||
self: '/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
|
||||
a: 'http://mochi.test:8888/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
|
||||
b: 'http://example.com/tests/content/base/test/csp/file_CSP_frameancestors.sjs'
|
||||
self: '/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
|
||||
a: 'http://mochi.test:8888/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
|
||||
b: 'http://example.com/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs'
|
||||
};
|
||||
|
||||
var host = { a: 'http://mochi.test:8888', b: 'http://example.com:80' };
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
<script>
|
||||
var thisSite = "http://mochi.test:8888";
|
||||
var otherSite = "http://example.com";
|
||||
var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
|
||||
var page = "/tests/content/base/test/xcsp/file_csp_redirects_page.sjs";
|
||||
|
||||
var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
|
||||
"frame-src": thisSite+page+"?testid=frame-src&csp=1",
|
||||
|
@ -20,15 +20,6 @@ var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
|
|||
"style-src": thisSite+page+"?testid=style-src&csp=1",
|
||||
"worker": thisSite+page+"?testid=worker&csp=1",
|
||||
"xhr-src": thisSite+page+"?testid=xhr-src&csp=1",
|
||||
"font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
|
||||
"frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
|
||||
"img-src-spec-compliant": thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
|
||||
"media-src-spec-compliant": thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
|
||||
"object-src-spec-compliant": thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
|
||||
"script-src-spec-compliant": thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
|
||||
"style-src-spec-compliant": thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
|
||||
"worker-spec-compliant": thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
|
||||
"xhr-src-spec-compliant": thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
|
||||
};
|
||||
|
||||
var container = document.getElementById("container");
|
||||
|
|
|
@ -2,84 +2,29 @@
|
|||
support-files =
|
||||
file_CSP.css
|
||||
file_CSP.sjs
|
||||
file_CSP_bug663567.xsl
|
||||
file_CSP_bug663567_allows.xml
|
||||
file_CSP_bug663567_allows.xml^headers^
|
||||
file_CSP_bug663567_blocks.xml
|
||||
file_CSP_bug663567_blocks.xml^headers^
|
||||
file_CSP_bug802872.html
|
||||
file_CSP_bug802872.html^headers^
|
||||
file_CSP_bug802872.js
|
||||
file_CSP_bug802872.sjs
|
||||
file_CSP_bug885433_allows.html
|
||||
file_CSP_bug885433_allows.html^headers^
|
||||
file_CSP_bug885433_blocks.html
|
||||
file_CSP_bug885433_blocks.html^headers^
|
||||
file_CSP_bug888172.html
|
||||
file_CSP_bug888172.sjs
|
||||
file_CSP_bug916446.html
|
||||
file_CSP_bug916446.html^headers^
|
||||
file_CSP_evalscript_main.html
|
||||
file_CSP_evalscript_main.html^headers^
|
||||
file_CSP_evalscript_main.js
|
||||
file_CSP_evalscript_main_allowed.js
|
||||
file_CSP_evalscript_main_allowed_getCRMFRequest.js
|
||||
file_CSP_evalscript_main_getCRMFRequest.html
|
||||
file_CSP_evalscript_main_getCRMFRequest.html^headers^
|
||||
file_CSP_evalscript_main_getCRMFRequest.js
|
||||
file_CSP_evalscript_main_spec_compliant.html
|
||||
file_CSP_evalscript_main_spec_compliant.html^headers^
|
||||
file_CSP_evalscript_main_spec_compliant_allowed.html
|
||||
file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
|
||||
file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
|
||||
file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
|
||||
file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
|
||||
file_CSP_evalscript_no_CSP_at_all.html
|
||||
file_CSP_evalscript_no_CSP_at_all.html^headers^
|
||||
file_CSP_evalscript_no_CSP_at_all.js
|
||||
file_CSP_frameancestors.sjs
|
||||
file_CSP_frameancestors_main.html
|
||||
file_CSP_frameancestors_main.js
|
||||
file_CSP_frameancestors_main_spec_compliant.html
|
||||
file_CSP_frameancestors_main_spec_compliant.js
|
||||
file_CSP_frameancestors_spec_compliant.sjs
|
||||
file_CSP_inlinescript_main.html
|
||||
file_CSP_inlinescript_main.html^headers^
|
||||
file_CSP_inlinescript_main_spec_compliant.html
|
||||
file_CSP_inlinescript_main_spec_compliant.html^headers^
|
||||
file_CSP_inlinescript_main_spec_compliant_allowed.html
|
||||
file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_inlinestyle_main.html
|
||||
file_CSP_inlinestyle_main.html^headers^
|
||||
file_CSP_inlinestyle_main_spec_compliant.html
|
||||
file_CSP_inlinestyle_main_spec_compliant.html^headers^
|
||||
file_CSP_inlinestyle_main_spec_compliant_allowed.html
|
||||
file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
|
||||
file_CSP_main.html
|
||||
file_CSP_main.html^headers^
|
||||
file_CSP_main.js
|
||||
file_CSP_main_spec_compliant.html
|
||||
file_CSP_main_spec_compliant.html^headers^
|
||||
file_CSP_main_spec_compliant.js
|
||||
file_bothCSPheaders.html
|
||||
file_bothCSPheaders.html^headers^
|
||||
file_bug836922_npolicies.html
|
||||
file_bug836922_npolicies.html^headers^
|
||||
file_bug836922_npolicies_ro_violation.sjs
|
||||
file_bug836922_npolicies_violation.sjs
|
||||
file_bug886164.html
|
||||
file_bug886164.html^headers^
|
||||
file_bug886164_2.html
|
||||
file_bug886164_2.html^headers^
|
||||
file_bug886164_3.html
|
||||
file_bug886164_3.html^headers^
|
||||
file_bug886164_4.html
|
||||
file_bug886164_4.html^headers^
|
||||
file_bug886164_5.html
|
||||
file_bug886164_5.html^headers^
|
||||
file_bug886164_6.html
|
||||
file_bug886164_6.html^headers^
|
||||
file_csp_bug768029.html
|
||||
file_csp_bug768029.sjs
|
||||
file_csp_bug773891.html
|
||||
|
@ -87,32 +32,8 @@ support-files =
|
|||
file_csp_redirects_main.html
|
||||
file_csp_redirects_page.sjs
|
||||
file_csp_redirects_resource.sjs
|
||||
file_CSP_bug910139.sjs
|
||||
file_CSP_bug910139.xml
|
||||
file_CSP_bug910139.xsl
|
||||
file_CSP_bug909029_star.html
|
||||
file_CSP_bug909029_star.html^headers^
|
||||
file_CSP_bug909029_none.html
|
||||
file_CSP_bug909029_none.html^headers^
|
||||
file_policyuri_regression_from_multipolicy.html
|
||||
file_policyuri_regression_from_multipolicy.html^headers^
|
||||
file_policyuri_regression_from_multipolicy_policy
|
||||
file_nonce_source.html
|
||||
file_nonce_source.html^headers^
|
||||
file_CSP_bug941404.html
|
||||
file_CSP_bug941404_xhr.html
|
||||
file_CSP_bug941404_xhr.html^headers^
|
||||
file_hash_source.html
|
||||
file_hash_source.html^headers^
|
||||
file_dual_headers_warning.html
|
||||
file_dual_headers_warning.html^headers^
|
||||
file_self_none_as_hostname_confusion.html
|
||||
file_self_none_as_hostname_confusion.html^headers^
|
||||
file_csp_testserver.sjs
|
||||
file_csp_regexp_parsing.html
|
||||
file_csp_regexp_parsing.js
|
||||
file_report_uri_missing_in_report_only_header.html
|
||||
file_report_uri_missing_in_report_only_header.html^headers^
|
||||
file_csp_report.sjs
|
||||
file_policyuri_async_fetch.html
|
||||
file_policyuri_async_fetch.html^headers^
|
||||
|
@ -126,10 +47,6 @@ support-files =
|
|||
file_multi_policy_injection_bypass_2.html^headers^
|
||||
|
||||
[test_CSP.html]
|
||||
[test_CSP_bug663567.html]
|
||||
[test_CSP_bug802872.html]
|
||||
[test_CSP_bug885433.html]
|
||||
[test_CSP_bug888172.html]
|
||||
[test_CSP_bug916446.html]
|
||||
[test_CSP_evalscript.html]
|
||||
[test_CSP_evalscript_getCRMFRequest.html]
|
||||
|
@ -139,21 +56,8 @@ skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'and
|
|||
[test_CSP_inlinescript.html]
|
||||
[test_CSP_inlinestyle.html]
|
||||
[test_bothCSPheaders.html]
|
||||
[test_bug836922_npolicies.html]
|
||||
[test_bug886164.html]
|
||||
[test_csp_redirects.html]
|
||||
[test_CSP_bug910139.html]
|
||||
[test_CSP_bug909029.html]
|
||||
[test_policyuri_regression_from_multipolicy.html]
|
||||
[test_nonce_source.html]
|
||||
[test_CSP_bug941404.html]
|
||||
[test_hash_source.html]
|
||||
skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
|
||||
[test_dual_headers_warning.html]
|
||||
[test_self_none_as_hostname_confusion.html]
|
||||
[test_bug949549.html]
|
||||
[test_csp_regexp_parsing.html]
|
||||
[test_report_uri_missing_in_report_only_header.html]
|
||||
[test_csp_report.html]
|
||||
skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
|
||||
[test_policyuri_async_fetch.html]
|
||||
|
|
|
@ -10,11 +10,8 @@
|
|||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
|
||||
<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
// These are test results: -1 means it hasn't run,
|
||||
// true/false is the pass/fail result.
|
||||
window.tests = {
|
||||
|
@ -34,22 +31,6 @@ window.tests = {
|
|||
font_bad: -1,
|
||||
object_good: -1,
|
||||
object_bad: -1,
|
||||
img_spec_compliant_good: -1,
|
||||
img_spec_compliant_bad: -1,
|
||||
style_spec_compliant_good: -1,
|
||||
style_spec_compliant_bad: -1,
|
||||
frame_spec_compliant_good: -1,
|
||||
frame_spec_compliant_bad: -1,
|
||||
script_spec_compliant_good: -1,
|
||||
script_spec_compliant_bad: -1,
|
||||
xhr_spec_compliant_good: -1,
|
||||
xhr_spec_compliant_bad: -1,
|
||||
media_spec_compliant_good: -1,
|
||||
media_spec_compliant_bad: -1,
|
||||
font_spec_compliant_good: -1,
|
||||
font_spec_compliant_bad: -1,
|
||||
object_spec_compliant_good: -1,
|
||||
object_spec_compliant_bad: -1,
|
||||
};
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
|
@ -131,7 +112,6 @@ SpecialPowers.pushPrefEnv(
|
|||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -10,15 +10,11 @@
|
|||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var evalScriptsThatRan = 0;
|
||||
var evalScriptsBlocked = 0;
|
||||
var evalScriptsTotal = 24;
|
||||
var evalScriptsTotal = 8;
|
||||
|
||||
// called by scripts that run
|
||||
var scriptRan = function(shouldrun, testname, data) {
|
||||
|
@ -55,9 +51,6 @@ SpecialPowers.pushPrefEnv(
|
|||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
|
||||
// document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -11,15 +11,13 @@
|
|||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var evalScriptsThatRan = 0;
|
||||
var evalScriptsBlocked = 0;
|
||||
var evalScriptsTotal = 4;
|
||||
var evalScriptsTotal = 2;
|
||||
|
||||
// called by scripts that run
|
||||
var scriptRan = function(shouldrun, testname, data) {
|
||||
|
@ -55,9 +53,7 @@ SpecialPowers.pushPrefEnv(
|
|||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
|
||||
document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
|
||||
document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_evalscript_no_CSP_at_all.html';
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -10,11 +10,8 @@
|
|||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
// These are test results: -1 means it hasn't run,
|
||||
// true/false is the pass/fail result.
|
||||
var framesThatShouldLoad = {
|
||||
|
@ -28,19 +25,9 @@ var framesThatShouldLoad = {
|
|||
abb_allow: -1, /* innermost frame allows b,a */
|
||||
//abb_block: -1, /* innermost frame denies b */
|
||||
//abb2_block: -1, /* innermost frame denies a */
|
||||
aa_allow_spec_compliant: -1, /* innermost frame allows a *
|
||||
//aa_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
ab_allow_spec_compliant: -1, /* innermost frame allows a */
|
||||
//ab_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
aba_allow_spec_compliant: -1, /* innermost frame allows b,a */
|
||||
//aba_block_spec_compliant: -1, /* innermost frame denies b */
|
||||
//aba2_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
abb_allow_spec_compliant: -1, /* innermost frame allows b,a */
|
||||
//abb_block_spec_compliant: -1, /* innermost frame denies b */
|
||||
//abb2_block_spec_compliant: -1, /* innermost frame denies a */
|
||||
};
|
||||
|
||||
var expectedViolationsLeft = 12;
|
||||
var expectedViolationsLeft = 6;
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
|
@ -127,7 +114,6 @@ SpecialPowers.pushPrefEnv(
|
|||
// save this for last so that our listeners are registered.
|
||||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
|
||||
document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
|
||||
});
|
||||
|
||||
</script>
|
||||
|
|
|
@ -12,15 +12,10 @@
|
|||
</div>
|
||||
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
var inlineScriptsThatRan = 0;
|
||||
var inlineScriptsBlocked = 0;
|
||||
var inlineScriptsTotal = 12;
|
||||
var inlineScriptsTotal = 4;
|
||||
|
||||
// This is used to watch the blocked data bounce off CSP and allowed data
|
||||
// get sent out to the wire.
|
||||
|
@ -53,14 +48,6 @@ examiner.prototype = {
|
|||
}
|
||||
}
|
||||
|
||||
// called by scripts that run
|
||||
// the first argument is whether the script expects to be allowed or not.
|
||||
var scriptRan = function(result, testname, data) {
|
||||
inlineScriptsThatRan++;
|
||||
ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
|
||||
checkTestResults();
|
||||
}
|
||||
|
||||
// called when a script is blocked
|
||||
// -- we can't determine *which* frame was blocked, but at least we can count them
|
||||
var scriptBlocked = function(testname, data) {
|
||||
|
@ -69,18 +56,14 @@ var scriptBlocked = function(testname, data) {
|
|||
checkTestResults();
|
||||
}
|
||||
|
||||
|
||||
// Check to see if all the tests have run
|
||||
var checkTestResults = function() {
|
||||
// if any test is incomplete, keep waiting
|
||||
if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
|
||||
if (inlineScriptsBlocked < inlineScriptsTotal)
|
||||
return;
|
||||
|
||||
// The four scripts in the page with 'unsafe-inline' should run.
|
||||
is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
|
||||
|
||||
// The other eight scripts in the other two pages should be blocked.
|
||||
is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
|
||||
// The other four scripts in the other two pages should be blocked.
|
||||
is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
|
||||
|
||||
// ... otherwise, finish
|
||||
window.examiner.remove();
|
||||
|
@ -98,18 +81,6 @@ function clickit() {
|
|||
sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
|
||||
}
|
||||
|
||||
function clickit2() {
|
||||
var cspframe2 = document.getElementById('cspframe2');
|
||||
var a = cspframe2.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
|
||||
}
|
||||
|
||||
function clickit3() {
|
||||
var cspframe3 = document.getElementById('cspframe3');
|
||||
var a = cspframe3.contentDocument.getElementById('anchortoclick');
|
||||
sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
|
||||
}
|
||||
|
||||
SpecialPowers.pushPrefEnv(
|
||||
{'set':[["security.csp.speccompliant", true]]},
|
||||
function() {
|
||||
|
@ -117,10 +88,6 @@ SpecialPowers.pushPrefEnv(
|
|||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
|
||||
document.getElementById('cspframe').addEventListener('load', clickit, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
|
||||
document.getElementById('cspframe2').addEventListener('load', clickit2, false);
|
||||
document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe3').addEventListener('load', clickit3, false);
|
||||
});
|
||||
</script>
|
||||
</pre>
|
||||
|
|
|
@ -11,13 +11,8 @@
|
|||
</div>
|
||||
|
||||
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
|
||||
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
var path = "/tests/content/base/test/csp/";
|
||||
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// set up and go
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
@ -49,77 +44,9 @@ function checkStyles(evt) {
|
|||
checkIfDone();
|
||||
}
|
||||
|
||||
// When a CSP 1.0 compliant policy is specified we should block inline
|
||||
// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
|
||||
// (when it's not explicitly allowed.)
|
||||
function checkStylesSpecCompliant(evt) {
|
||||
var cspframe = document.getElementById('cspframe2');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
//expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
|
||||
color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
|
||||
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
// When a CSP 1.0 compliant policy is specified we should allow inline
|
||||
// styles when it is explicitly allowed.
|
||||
function checkStylesSpecCompliantAllowed(evt) {
|
||||
var cspframe = document.getElementById('cspframe3');
|
||||
var color;
|
||||
|
||||
// black means the style wasn't applied. green colors are used for styles
|
||||
// expected to be applied. A color is red if a style is erroneously applied
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
|
||||
// Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
|
||||
// since it relies on executing script to set .cssText
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
|
||||
// SMIL tests
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
|
||||
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
|
||||
|
||||
color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
|
||||
ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
|
||||
|
||||
checkIfDone();
|
||||
}
|
||||
|
||||
function checkIfDone() {
|
||||
done++;
|
||||
if (done == 3)
|
||||
if (done == 1)
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
|
@ -130,10 +57,6 @@ SpecialPowers.pushPrefEnv(
|
|||
// ... this loads the testbed of good and bad requests.
|
||||
document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
|
||||
document.getElementById('cspframe').addEventListener('load', checkStyles, false);
|
||||
document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
|
||||
document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
|
||||
document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
|
||||
document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
|
||||
}
|
||||
);
|
||||
</script>
|
||||
|
|
|
@ -86,24 +86,6 @@ var testExpectedResults = { "font-src": true,
|
|||
"worker-redir": false,
|
||||
"xhr-src": true,
|
||||
"xhr-src-redir": false,
|
||||
"font-src-spec-compliant": true,
|
||||
"font-src-redir-spec-compliant": false,
|
||||
"frame-src-spec-compliant": true,
|
||||
"frame-src-redir-spec-compliant": false,
|
||||
"img-src-spec-compliant": true,
|
||||
"img-src-redir-spec-compliant": false,
|
||||
"media-src-spec-compliant": true,
|
||||
"media-src-redir-spec-compliant": false,
|
||||
"object-src-spec-compliant": true,
|
||||
"object-src-redir-spec-compliant": false,
|
||||
"script-src-spec-compliant": true,
|
||||
"script-src-redir-spec-compliant": false,
|
||||
"style-src-spec-compliant": true,
|
||||
"style-src-redir-spec-compliant": false,
|
||||
"worker-spec-compliant": true,
|
||||
"worker-redir-spec-compliant": false,
|
||||
"xhr-src-spec-compliant": true,
|
||||
"xhr-src-redir-spec-compliant": false,
|
||||
};
|
||||
|
||||
// takes the name of the test, the URL that was tested, and whether the
|
||||
|
|
|
@ -82,7 +82,7 @@ window.checkResults = function(reportObj) {
|
|||
var cspReport = reportObj["csp-report"];
|
||||
// correct violating request
|
||||
is(cspReport["document-uri"],
|
||||
"http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
|
||||
"http://mochi.test:8888/tests/content/base/test/xcsp/" + testFile,
|
||||
"Incorrect violating request");
|
||||
// correct blocked-uri
|
||||
is(cspReport["blocked-uri"],
|
||||
|
|
Загрузка…
Ссылка в новой задаче