<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy inline script blocking ('unsafe-inline')</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
<pre id="test">
<script class="testbody" type="text/javascript">
// Shared test state. The frame documents report back through scriptRan()
// and the CSP violation observer reports through scriptBlocked(); both bump
// one of these counters and checkTestResults() compares them to the total.
var inlineScriptsTotal = 12;    // 4 expected to run + 8 expected to be blocked
var inlineScriptsThatRan = 0;
var inlineScriptsBlocked = 0;
var path = "/tests/content/base/test/";
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
// Registers this object as an observer of "csp-on-violate-policy" so the
// test can see every load CSP refuses. The notification is browser-wide,
// so the handler cannot tell which frame triggered it; it only counts.
function examiner() {
  // Chrome privileges are needed to reach Components / the observer service
  // from a content test page.
  netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
  var observerService = Components.classes['@mozilla.org/observer-service;1']
                                  .getService(Components.interfaces.nsIObserverService);
  this.obsvc = observerService;
  observerService.addObserver(this, "csp-on-violate-policy", false);
}
examiner.prototype = {
  // nsIObserver callback. For each CSP violation notification, derive a
  // printable description of what was blocked and forward it to
  // window.scriptBlocked(), which tallies it.
  // @param subject  nsIURI of the blocked load, or (presumably for inline
  //                 violations) an nsISupportsCString
  // @param topic    observer topic; only "csp-on-violate-policy" is handled
  // @param data     opaque string passed through to scriptBlocked()
  observe: function(subject, topic, data) {
    netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
    // Not an XPCOM object we can inspect: ignore it.
    if (!subject.QueryInterface) {
      return;
    }
    if (topic !== "csp-on-violate-policy") {
      return;
    }
    var blocked = null;
    try {
      // Usual case: the subject is the URI CSP refused to load.
      blocked = subject.QueryInterface(Components.interfaces.nsIURI).asciiSpec;
    } catch (e) {
      // Otherwise assume it is a string wrapped in nsISupportsCString.
      blocked = subject.QueryInterface(Components.interfaces.nsISupportsCString).data;
    }
    window.scriptBlocked(blocked, data);
  },
  // Unregisters the observer. Must be called before the test finishes,
  // otherwise the listener leaks into later mochitests.
  remove: function() {
    netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
    this.obsvc.removeObserver(this, "csp-on-violate-policy");
  }
}
// called by scripts that run
// the first argument is whether the script expects to be allowed or not.
// Called by an inline script in one of the frames that actually executed.
// @param {boolean} result   whether that script was expected to run; a
//                           script that ran but should not have fails here
// @param {string}  testname label identifying the script
// @param {*}       data     extra detail echoed into the assertion message
var scriptRan = function(result, testname, data) {
  inlineScriptsThatRan += 1;
  var message = 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')';
  ok(result, message);
  checkTestResults();
};
// called when a script is blocked
// -- we can't determine *which* frame was blocked, but at least we can count them
// Called from the violation observer whenever CSP blocks something.
// The observer cannot attribute the violation to a frame, so this only
// counts; the pass/fail decision is the total in checkTestResults().
// @param {string} testname description of the blocked resource (URI or string)
// @param {*}      data     observer data, echoed into the log message
var scriptBlocked = function(testname, data) {
  inlineScriptsBlocked += 1;
  var message = 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')';
  ok(true, message);
  checkTestResults();
};
// Check to see if all the tests have run
// Called after every ran/blocked event. Does nothing until all
// inlineScriptsTotal scripts have reported; then asserts the expected
// split (4 ran, 8 blocked), tears down the observer and ends the test.
var checkTestResults = function() {
  dump("**** checkTestResults - ran : " + inlineScriptsThatRan + " blocked : " + inlineScriptsBlocked + " total: " + inlineScriptsTotal + "\n");
  var reported = inlineScriptsThatRan + inlineScriptsBlocked;
  // Still waiting for outstanding scripts: nothing to assert yet.
  if (reported < inlineScriptsTotal) {
    return;
  }
  // Only the page whose policy carries 'unsafe-inline' may run its scripts.
  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
  // Every inline script in the other two pages must have been blocked.
  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
  // Drop the global observer before finishing so it cannot outlive the test.
  window.examiner.remove();
  SimpleTest.finish();
};
//////////////////////////////////////////////////////////////////////
// set up and go
// Tell the harness we finish explicitly (checkTestResults calls
// SimpleTest.finish) and install the violation observer before anything
// is loaded, so no early violation is missed.
SimpleTest.waitForExplicitFinish();
window.examiner = new examiner();
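// Dispatch a synthetic click on the element with id 'anchortoclick' inside
// the document of the iframe with the given id. The three frame documents
// each expose such an anchor; the 'load' handlers below click it.
// @param {string} frameId id of the <iframe> whose contentDocument holds the anchor
function clickAnchorInFrame(frameId) {
  // Chrome privileges are needed to reach into the frame's document.
  netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
  var frame = document.getElementById(frameId);
  var doc = frame.contentDocument;
  var anchor = doc.getElementById('anchortoclick');
  var evt = doc.createEvent("MouseEvents");
  evt.initMouseEvent("click", true, true, frame.contentWindow,
                     0, 0, 0, 0, 0, false, false, false, false, 0, null);
  anchor.dispatchEvent(evt);
}

// 'load' handlers for the three test frames (registered in pushPrefEnv
// below). They ignore the event argument and just click the anchor.
function clickit() {
  clickAnchorInFrame('cspframe');
}
function clickit2() {
  clickAnchorInFrame('cspframe2');
}
function clickit3() {
  clickAnchorInFrame('cspframe3');
}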
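// Switch CSP into spec-compliant mode, then load the three test documents.
// This runs last so that the violation observer is already registered when
// the frames start loading; otherwise early violations would be lost.
SpecialPowers.pushPrefEnv(
  {'set':[["security.csp.speccompliant", true]]},
  function() {
    // [iframe id, document to load, 'load' handler]
    var frames = [
      ['cspframe',  'file_CSP_inlinescript_main.html',                       clickit],
      ['cspframe2', 'file_CSP_inlinescript_main_spec_compliant.html',         clickit2],
      ['cspframe3', 'file_CSP_inlinescript_main_spec_compliant_allowed.html', clickit3]
    ];
    for (var i = 0; i < frames.length; i++) {
      var frame = document.getElementById(frames[i][0]);
      // Attach the handler before starting the navigation so it cannot
      // miss the load event regardless of how quickly the load completes.
      frame.addEventListener('load', frames[i][2], false);
      frame.src = frames[i][1];
    }
  });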
</script>
</pre>
</body>
</html>