Bug 1548385: Test CSP blocks scripts correctly within template. r=jkt

Differential Revision: https://phabricator.services.mozilla.com/D30480

--HG--
extra : moz-landing-system : lando

dom/security/test/csp/file_script_template.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">
+<template id="a">
+  <script src="file_script_template.js"></script>
+</template>
+</head>
+<body>
+<script>
+  var temp = document.getElementsByTagName("template")[0];
+  var clon = temp.content.cloneNode(true);
+  document.body.appendChild(clon);
+</script>
+</body>
+</html>

dom/security/test/csp/file_script_template.js

@@ -0,0 +1 @@
+// dummy *.js file

dom/security/test/csp/mochitest.ini

@@ -375,3 +375,7 @@ support-files =
   file_windowwatcher_subframeC.html
   file_windowwatcher_subframeD.html
   file_windowwatcher_win_open.html
+[test_script_template.html]
+support-files =
+  file_script_template.html
+  file_script_template.js

dom/security/test/csp/test_script_template.html

@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1548385 - CSP: Test script template</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/**
+ * Description of the test:
+ * We load a document using a CSP of "default-src 'unsafe-inline'"
+ * and make sure that an external script within a template gets
+ * blocked correctly.
+ */
+
+const CSP_BLOCKED_SUBJECT = "csp-on-violate-policy";
+const CSP_ALLOWED_SUBJECT = "specialpowers-http-notify-request";
+
+SimpleTest.waitForExplicitFinish();
+
+function examiner() {
+  SpecialPowers.addObserver(this, CSP_BLOCKED_SUBJECT);
+  SpecialPowers.addObserver(this, CSP_ALLOWED_SUBJECT);
+}
+
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    if (topic == CSP_BLOCKED_SUBJECT) {
+      let jsFileName = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      if (jsFileName.endsWith("file_script_template.js")) {
+        ok(true, "js file blocked by CSP");
+        this.removeAndFinish();
+      }
+    }
+
+    if (topic == CSP_ALLOWED_SUBJECT) {
+      if (data.endsWith("file_script_template.js")) {
+        ok(false, "js file allowed by CSP");
+        this.removeAndFinish();
+      }
+    }
+  },
+
+  removeAndFinish: function() {
+    SpecialPowers.removeObserver(this, CSP_BLOCKED_SUBJECT);
+    SpecialPowers.removeObserver(this, CSP_ALLOWED_SUBJECT);
+    SimpleTest.finish();
+  }
+}
+
+window.examiner = new examiner();
+document.getElementById("testframe").src = "file_script_template.html";
+
+</script>
+</body>
+</html>