<!DOCTYPE HTML>
<html>
<head>
  <title>Tests for policies provided both in the header and by a meta tag</title>
  <script src="/common/get-host-info.sub.js"></script>
  <script src='/resources/testharness.js'></script>
  <script src='/resources/testharnessreport.js'></script>
  <script src='support/util.js'></script>
</head>
<body>
  <script nonce="abc">
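    const { ORIGIN, REMOTE_ORIGIN } = get_host_info();
    const scriptUrl = new URL("./support/externalScript.js", document.location).toString();

    // Some of these tests set CSP in both the header and the meta tag, others
    // set multiple policies in multiple meta tags.
    //
    // Each test loads a support page in an iframe and waits for it to report
    // either 'SCRIPT_RAN' (externalScript.js executed) or 'CSP_VIOLATION' via
    // postMessage. The expected outcomes encode the CSP rule that every
    // delivered policy is enforced independently: a resource must be allowed by
    // *all* of them, so a second policy (header + meta, or meta + meta) can
    // only restrict, never relax. In particular a 'url-sha256-...' source added
    // through <meta> must not grant what the header policy withholds.

    // Loads `src` in a fresh iframe and resolves with the first message posted
    // by that frame's window. Messages from any other window are ignored so a
    // late report from a frame created by an earlier test cannot satisfy the
    // wrong assertion; the listener and the frame are torn down when `t` ends.
    // NOTE(review): assumes the support page posts from its own window rather
    // than a nested frame — confirm against support/iframe_meta*.html.
    function loadFrameAndAwaitReport(t, src) {
      const frame = document.createElement('iframe');
      t.add_cleanup(() => frame.remove());
      const report = new Promise(resolve => {
        const onMessage = e => {
          if (e.source !== frame.contentWindow) return;
          window.removeEventListener('message', onMessage);
          resolve(e.data);
        };
        // Register before the frame is attached so no report can be missed.
        window.addEventListener('message', onMessage);
        t.add_cleanup(() => window.removeEventListener('message', onMessage));
      });
      frame.src = src;
      document.body.appendChild(frame);
      return report;
    }

    // URL of the support page that receives one policy via the response header
    // (wptserve `pipe=header(...)`) and one via its <meta http-equiv> tag
    // (the `policy` query parameter).
    // NOTE(review): the policies, including the hash, are interpolated into the
    // query string unencoded, exactly as before; this relies on the hash
    // containing no characters the server would reinterpret (e.g. '+', '&', ',').
    function headerAndMetaUrl(headerPolicy, metaPolicy) {
      return `support/iframe_meta.sub.html?pipe=header(Content-Security-Policy,${headerPolicy})&policy=${metaPolicy}&script_url=externalScript.js`;
    }

    // URL of the support page that declares two <meta http-equiv> policies.
    function twoMetaUrl(metaPolicy1, metaPolicy2) {
      return `support/iframe_meta_multiple.html?pipe=sub&policy1=${metaPolicy1}&policy2=${metaPolicy2}`;
    }

    promise_test(async t => {
      const scriptUrlHash = await sha256ofURL(scriptUrl);
      const headerPolicy = `script-src 'nonce-forinlinescript'`;
      const metaPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;

      // The header policy does not allow the script; the meta policy's extra
      // url-hash must not override that.
      const report = await loadFrameAndAwaitReport(t, headerAndMetaUrl(headerPolicy, metaPolicy));
      assert_equals(report, 'CSP_VIOLATION');
    }, "url-hash in meta tag should not relax policy set by header");

    promise_test(async t => {
      const scriptUrlHash = await sha256ofURL(scriptUrl);
      const headerPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
      const metaPolicy = `script-src 'nonce-forinlinescript'`;

      // The header allows the script but the stricter meta policy does not.
      const report = await loadFrameAndAwaitReport(t, headerAndMetaUrl(headerPolicy, metaPolicy));
      assert_equals(report, 'CSP_VIOLATION');
    }, "meta tag can restrict policy set by header");

    promise_test(async t => {
      const scriptUrlHash = await sha256ofURL(scriptUrl);
      const headerPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
      const metaPolicy = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}' 'url-sha256-abc'`;

      // Both policies contain the matching hash; the unrelated
      // 'url-sha256-abc' entry in the meta policy changes nothing.
      const report = await loadFrameAndAwaitReport(t, headerAndMetaUrl(headerPolicy, metaPolicy));
      assert_equals(report, 'SCRIPT_RAN');
    }, "more lax meta tag should still allow script");

    promise_test(async t => {
      const scriptUrlHash = await sha256ofURL(scriptUrl);
      const metaPolicy1 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;
      const metaPolicy2 = `script-src 'nonce-forinlinescript'`;

      // Second meta policy lacks the hash, so the script is blocked regardless
      // of the first one allowing it.
      const report = await loadFrameAndAwaitReport(t, twoMetaUrl(metaPolicy1, metaPolicy2));
      assert_equals(report, 'CSP_VIOLATION');
    }, "multiple meta tags should apply most strict policy - lax first");

    promise_test(async t => {
      const scriptUrlHash = await sha256ofURL(scriptUrl);
      const metaPolicy1 = `script-src 'nonce-forinlinescript'`;
      const metaPolicy2 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}'`;

      // Same as above with the order swapped: ordering must not matter.
      const report = await loadFrameAndAwaitReport(t, twoMetaUrl(metaPolicy1, metaPolicy2));
      assert_equals(report, 'CSP_VIOLATION');
    }, "multiple meta tags should apply most strict policy - strict first");

    promise_test(async t => {
      const scriptUrlHash = await sha256ofURL(scriptUrl);
      const metaPolicy1 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}' 'url-sha256-abc'`;
      const metaPolicy2 = `script-src 'nonce-forinlinescript' 'url-sha256-${scriptUrlHash}' 'url-sha256-def'`;

      // Every policy contains the matching hash, so the script runs.
      const report = await loadFrameAndAwaitReport(t, twoMetaUrl(metaPolicy1, metaPolicy2));
      assert_equals(report, 'SCRIPT_RAN');
    }, "multiple meta tags should apply most strict policy - both lax");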

  </script>

</body>
</html>