
      1 /* Any copyright is dedicated to the Public Domain.
      2 * http://creativecommons.org/publicdomain/zero/1.0/ */
      3 
      4 // Tests that the Web Console CSP messages for two META policies
      5 // are correctly displayed. See Bug 1247459.
      6 
      7 "use strict";
      8 
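add_task(async function () {
  const bundle = Services.strings.createBundle(
    "chrome://global/locale/security/csp.properties"
  );

  // All fixture pages live in the same directory; build their URLs from one
  // prefix instead of repeating it in every sub-test.
  const TEST_DIR =
    "https://example.com/browser/devtools/client/webconsole/test/browser/";
  const fixtureUrl = file => `${TEST_DIR}${file}`;

  // Compares the rendered ".message-location" of a console message node with
  // the expected "file:line:col" text. The EXPECT/GOT line goes to the test
  // log first so a mismatch is readable even before Assert.equal reports it.
  const checkLocation = (messageNode, expected, description) => {
    const locationNode = messageNode.querySelector(".message-location");
    info(`EXPECT ${expected} GOT: ${locationNode.textContent}`);
    Assert.equal(locationNode.textContent, expected, description);
  };

  const TEST_URI =
    "data:text/html;charset=utf8,<!DOCTYPE html>Web Console CSP violation test";
  const hud = await openNewTabAndConsole(TEST_URI);
  await clearOutput(hud);

  // Generic img-src violation under two META policies: the same message is
  // expected twice (presumably once per policy), so wait for the repeat
  // rather than for the first occurrence.
  {
    const CSP_VIOLATION_MSG = bundle.formatStringFromName(
      "CSPGenericViolation",
      [
        "img-src https://example.com",
        "http://some.example.com/test.png",
        "img-src",
      ]
    );
    const onRepeatedMessage = waitForRepeatedMessageByType(
      hud,
      CSP_VIOLATION_MSG,
      ".error",
      2
    );
    await navigateTo(fixtureUrl("test-csp-violation.html"));
    await onRepeatedMessage;
    ok(true, "Received expected messages");
  }

  await clearOutput(hud);
  // Inline style violations. The third placeholder is the base64 digest of
  // the blocked inline content that the message quotes (presumably the
  // sha256 hash-source a policy would need to allow it — confirm against
  // csp.properties).
  {
    const CSP_VIOLATION_HTML = bundle.formatStringFromName(
      "CSPInlineStyleViolation2",
      [
        "style-src 'self'",
        "style-src-elem",
        "2YwGc88jHsmwFRHOYQiYrTWXjjokG0k/LG89vhXpsCc=",
      ]
    );
    const CSP_VIOLATION_JS = bundle.formatStringFromName(
      "CSPInlineStyleViolation2",
      [
        "style-src 'self'",
        "style-src-elem",
        "rAXgW7xeVBDlyedTG70gxFgD1Hm7EOWm6dPGHUDj6BE=",
      ]
    );
    await navigateTo(fixtureUrl("test-csp-violation-inline.html"));
    // Violation raised by the page's own markup while it loads.
    let msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION_HTML));
    checkLocation(
      msg,
      "test-csp-violation-inline.html:18:1",
      "Printed the CSP Violation with HTML Context"
    );
    // Violation raised from script: the location must point at the JS line
    // that injected the style, not at the markup.
    await clearOutput(hud);
    msg = await executeAndWaitForErrorMessage(
      hud,
      "window.violate()",
      CSP_VIOLATION_JS
    );
    // executeAndWaitForErrorMessage resolves to a wrapper; the DOM node is
    // its .node property.
    checkLocation(
      msg.node,
      "test-csp-violation-inline.html:14:25",
      "Printed the CSP Violation with JS Context"
    );
  }

  await clearOutput(hud);
  // base-uri: the markup-triggered violation only needs to show up; the
  // script-triggered one must also be attributed to the responsible JS line.
  {
    const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [
      "base-uri 'self'",
      "https://evil.com/",
      "base-uri",
    ]);
    await navigateTo(fixtureUrl("test-csp-violation-base-uri.html"));
    let msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION));
    ok(msg, "Base-URI validation was Printed");
    await clearOutput(hud);
    msg = await executeAndWaitForErrorMessage(
      hud,
      "window.violate()",
      CSP_VIOLATION
    );
    // Logged via info() like the other location checks so it lands in the
    // test log rather than on stdout.
    checkLocation(
      msg.node,
      "test-csp-violation-base-uri.html:15:25",
      "Base-URI validation was Printed with the Responsible JS Line"
    );
  }

  await clearOutput(hud);
  // form-action: the blocked submission target is reported together with the
  // JS line that triggered the submit.
  {
    const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [
      "form-action 'self'",
      "https://evil.com/evil.com",
      "form-action",
    ]);
    await navigateTo(fixtureUrl("test-csp-violation-form-action.html"));
    const msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION));
    checkLocation(
      msg,
      "test-csp-violation-form-action.html:14:40",
      "JS Line which Triggered the CSP-Form Action Violation was Printed"
    );
  }

  await clearOutput(hud);
  // frame-ancestors: the blocked URI in the message is the parent page
  // itself, so the fixture URL is needed both for navigation and for the
  // expected message text.
  {
    const TEST_VIOLATION = fixtureUrl(
      "test-csp-violation-frame-ancestor-parent.html"
    );
    const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [
      "frame-ancestors 'none'",
      TEST_VIOLATION,
      "frame-ancestors",
    ]);
    await navigateTo(TEST_VIOLATION);
    const msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION));
    ok(msg, "Frame-Ancestors violation by html was printed");
  }

  await clearOutput(hud);
  // Inline event handler violation. The message carries a "Source:" excerpt
  // of the blocked handler, truncated with an ellipsis, so it is appended to
  // the formatted string here.
  {
    const CSP_VIOLATION =
      bundle.formatStringFromName("CSPEventHandlerScriptViolation2", [
        "script-src 'self'",
        "script-src-attr",
        "iQunOC0AqvwRlqLYRHadzdj8cEGCEZ48o1eX4M5ORzg=",
      ]) + `\nSource: document.body.textContent = 'JavaScript …`;
    // Future-Todo: Include line and column number.
    await navigateTo(fixtureUrl("test-csp-violation-event-handler.html"));
    const msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION));
    checkLocation(
      msg,
      "test-csp-violation-event-handler.html",
      "Inline event handler location doesn't yet include the line/column"
    );
  }
});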