test_blocked_uri_in_reports.html (2772B)
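<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Bug 1069762 - Check blocked-uri in csp-reports after redirect</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
</head>
<body>

<iframe style="width:200px;height:200px;" id="cspframe" title="CSP redirect test frame"></iframe>
<script class="testbody" type="text/javascript">

SimpleTest.waitForExplicitFinish();

/* Description of the test:
 * We try to load a script from:
 *   http://example.com/tests/dom/security/test/csp/file_path_matching_redirect_server.sjs
 * which gets redirected to:
 *   http://test1.example.com/tests/dom/security/test/csp/file_path_matching.js
 *
 * The blocked-uri in the csp-report should be the original (pre-redirect) URI:
 *   http://example.com/tests/dom/security/test/csp/file_path_matching_redirect_server.sjs
 * instead of the redirected URI:
 *   http://test1.example.com/tests/dom/security/test/csp/file_path_matching.js
 *
 * Reporting the pre-redirect URI matters because the redirect target lives on a
 * different origin; echoing it in the report would disclose cross-origin
 * redirect destinations to the page that set the policy.
 *
 * see also: http://www.w3.org/TR/CSP/#violation-reports
 *
 * Note, that we reuse the test-setup from
 * test_path_matching_redirect.html
 */

// Where the CSP violation report is POSTed; file_report_chromescript.js
// hands the received report body back to us via the message listener below.
const reportURI = "http://mochi.test:8888/foo.sjs";
// Only example.com may supply scripts, so the redirect to test1.example.com is blocked.
const policy = "script-src http://example.com; report-uri " + reportURI;
const testfile = "tests/dom/security/test/csp/file_path_matching_redirect.html";

// The URI the report is expected to name: the request as issued, not the
// cross-origin location it was redirected to.
const expectedBlockedURI =
  "http://example.com/tests/dom/security/test/csp/file_path_matching_redirect_server.sjs";

var chromeScriptUrl = SimpleTest.getTestFileURL("file_report_chromescript.js");
var script = SpecialPowers.loadChromeScript(chromeScriptUrl);

// Tear down the chrome-side observer and end the test. Called exactly once
// per report message, on both the success and the failure paths.
function finishTest() {
  script.removeMessageListener("opening-request-completed", onReportReceived);
  script.sendAsyncMessage("finish");
  SimpleTest.finish();
}

// Handles the single report message from the chrome script.
// msg.error: set when the chrome script could not read the report request.
// msg.report: the raw JSON body of the violation report.
function onReportReceived(msg) {
  if (msg.error) {
    ok(false, "Could not query report (exception: " + msg.error + ")");
    finishTest();
    return;
  }

  var reportObj;
  try {
    reportObj = JSON.parse(msg.report);
  } catch (e) {
    // Stop here: without a parsed object the lookup below would only add a
    // second, misleading "Could not query report" failure for the same cause.
    ok(false, "Could not parse JSON (exception: " + e + ")");
    finishTest();
    return;
  }

  try {
    var cspReport = reportObj["csp-report"];
    // blocked-uri must be the original request URI, never the redirect target.
    is(cspReport["blocked-uri"], expectedBlockedURI, "Incorrect blocked-uri");
  } catch (e) {
    // Reached when the report has no "csp-report" member (or parsed to null).
    ok(false, "Could not query report (exception: " + e + ")");
  }

  finishTest();
}

script.addMessageListener("opening-request-completed", onReportReceived);

// Points the frame at file_testserver.sjs, which serves `testfile` under `policy`.
function runTest() {
  var src = "file_testserver.sjs";
  // append the file that should be served
  src += "?file=" + escape(testfile);
  // append the CSP that should be used to serve the file
  src += "&csp=" + escape(policy);
  // NOTE(review): escape() is deprecated; kept because file_testserver.sjs is
  // presumably decoding with unescape() — confirm before switching to
  // encodeURIComponent(), which encodes "/" differently.

  document.getElementById("cspframe").src = src;
}

runTest();

</script>
</body>
</html>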