1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
const Cc = Components.classes;
const Ci = Components.interfaces;
const Cu = Components.utils;
const Cr = Components.results;
Cu.import('resource://gre/modules/CSPUtils.jsm');
Cu.import('resource://gre/modules/NetUtil.jsm');
// load the HTTP server
Cu.import("resource://testing-common/httpd.js");
const REPORT_SERVER_PORT = 9000;
const REPORT_SERVER_URI = "http://localhost";
const REPORT_SERVER_PATH = "/report";
var httpServer = null;
var testsToFinish = 0;
/**
* Construct a callback that listens to a report submission and either passes
* or fails a test based on what it gets.
*/
function makeReportHandler(testpath, message, expectedJSON) {
return function(request, response) {
// we only like "POST" submissions for reports!
if (request.method !== "POST") {
do_throw("violation report should be a POST request");
return;
}
// obtain violation report
var reportObj = JSON.parse(
NetUtil.readInputStreamToString(
request.bodyInputStream,
request.bodyInputStream.available()));
dump("GOT REPORT:\n" + JSON.stringify(reportObj) + "\n");
dump("TESTPATH: " + testpath + "\n");
dump("EXPECTED: \n" + JSON.stringify(expectedJSON) + "\n\n");
for (var i in expectedJSON)
do_check_eq(expectedJSON[i], reportObj['csp-report'][i]);
// self-destroy
testsToFinish--;
httpServer.registerPathHandler(testpath, null);
if (testsToFinish < 1)
httpServer.stop(do_test_finished);
else
do_test_finished();
};
}
function makeTest(id, expectedJSON, callback) {
testsToFinish++;
do_test_pending();
// set up a new CSP instance for each test.
var csp = Cc["@mozilla.org/contentsecuritypolicy;1"]
.createInstance(Ci.nsIContentSecurityPolicy);
var policy = "allow 'none'; " +
"report-uri " + REPORT_SERVER_URI +
":" + REPORT_SERVER_PORT +
"/test" + id;
var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
":" + REPORT_SERVER_PORT +
"/foo/self");
var selfchan = NetUtil.newChannel(selfuri);
dump("Created test " + id + " : " + policy + "\n\n");
// make the reports seem authentic by "binding" them to a channel.
csp.scanRequestData(selfchan);
// Load up the policy
csp.refinePolicy(policy, selfuri, false);
// prime the report server
var handler = makeReportHandler("/test" + id, "Test " + id, expectedJSON);
httpServer.registerPathHandler("/test" + id, handler);
//trigger the violation
callback(csp);
}
function run_test() {
var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
":" + REPORT_SERVER_PORT +
"/foo/self");
httpServer = new HttpServer();
httpServer.start(REPORT_SERVER_PORT);
// test that inline script violations cause a report.
makeTest(0, {"blocked-uri": "self"},
function(csp) {
if(!csp.allowsInlineScript) {
// force the logging, since the getter doesn't.
csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
selfuri.asciiSpec,
"script sample",
0);
}
});
makeTest(1, {"blocked-uri": "self"},
function(csp) {
if(!csp.allowsEval) {
// force the logging, since the getter doesn't.
csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
selfuri.asciiSpec,
"script sample",
1);
}
});
makeTest(2, {"blocked-uri": "http://blocked.test/foo.js"},
function(csp) {
csp.shouldLoad(Ci.nsIContentPolicy.TYPE_SCRIPT,
NetUtil.newURI("http://blocked.test/foo.js"),
null, null, null, null);
});
}
|
