tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_bug1764343.html (4020B)

      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <meta charset="utf-8">
      5  <title>Bug 1764343 - CSP inheritance for same-origin iframes</title>
      6  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      7 
      8  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      9 
     10  <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'nonce-parent' 'nonce-a' 'nonce-b' 'nonce-c'; img-src 'self' data:">
     11 </head>
     12 <body>
     13  <iframe id="sameOriginMetaFrame"></iframe>
     14  <iframe id="aboutBlankMetaFrame"></iframe>
     15 <script nonce='parent'>
     16 SimpleTest.waitForExplicitFinish();
     17 
     18 const NEW_HTML =`
     19  <head>
     20    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-a' 'nonce-c' 'nonce-d';">
     21  </head>
     22  <body>
     23    <style>
     24      body { background-color: rgb(255, 0, 0); }
     25    </style>
     26    <script nonce="a">
     27      document.a = true;
     28    <\/script>
     29    <script nonce="b">
     30      document.b = true;
     31    <\/script>
     32    <script nonce="c">
     33      document.c = true;
     34    <\/script>
     35    <script nonce="d">
     36      document.d = true;
     37    <\/script>
     38    <img id="testInlineImage"></img>
     39  </body>
     40  `;
     41 
     42 // test file's CSP meta tags shouldn't overwrite same-origin iframe's CSP meta tags
     43 async function testBlocked() {
     44  info("testBlocked");
     45 
     46  let sameOriginMetaFrame = document.getElementById("sameOriginMetaFrame");
     47  let onFrameLoad = new Promise(resolve => {
     48    sameOriginMetaFrame.addEventListener('load', resolve, {once: true});
     49  });
     50  sameOriginMetaFrame.src = 'file_bug1764343.html';
     51  await onFrameLoad;
     52 
     53  let doc = sameOriginMetaFrame.contentDocument;
     54  doc.open();
     55  doc.write(NEW_HTML);
     56 
     57  let bgcolor = window.getComputedStyle(doc.body).getPropertyValue("background-color");
     58  is(bgcolor, "rgba(0, 0, 0, 0)", "inital background value in FF should be 'transparent'");
     59 
     60  let img = doc.getElementById("testInlineImage");
     61  let onImgError = new Promise(resolve => {
     62    img.addEventListener('error', resolve, {once: true});
     63  });
     64  img.src = "//mochi.test:8888/tests/image/test/mochitest/blue.png";
     65  await onImgError;
     66  is(img.complete, false, "image should not be loaded");
     67 
     68  // Make sure that CSP policy can further restrict (no 'nonce-b'), but not weak (adding 'nonce-c' or 'nonce-d')
     69  is(doc.a, true, "doc.a should be true (script 'nonce-a' allowed)");
     70  is(doc.b, undefined, "doc.b should be undefined (script 'nonce-b' blocked)");
     71  is(doc.c, undefined, "doc.c should be undefined (script 'nonce-c' blocked)");
     72  is(doc.d, undefined, "doc.d should be undefined (script 'nonce-d' blocked)");
     73 }
     74 
     75  // test file's CSP meta tags should apply to about blank iframe's CSP meta tags
     76 async function testNotBlocked() {
     77  info("testNotBlocked");
     78 
     79  let aboutBlankMetaFrame = document.getElementById("aboutBlankMetaFrame");
     80  let onFrameLoad = new Promise(resolve => {
     81    aboutBlankMetaFrame.addEventListener('load', resolve, {once: true});
     82  });
     83  aboutBlankMetaFrame.src = 'about:blank';
     84  await onFrameLoad;
     85 
     86  let doc = aboutBlankMetaFrame.contentDocument;
     87  doc.open();
     88  doc.write(NEW_HTML);
     89 
     90  let bgcolor = window.getComputedStyle(doc.body).getPropertyValue("background-color");
     91  is(bgcolor, "rgb(255, 0, 0)", "background value should be updated to red");
     92 
     93  let img = doc.getElementById("testInlineImage");
     94  let onImgLoad = new Promise(resolve => {
     95    img.addEventListener('load', resolve, {once: true});
     96  });
     97  img.src = "//mochi.test:8888/tests/image/test/mochitest/blue.png";
     98  await onImgLoad;
     99  is(img.complete, true, "image should be loaded");
    100 
    101  // New HTML contains 'nonce-a/c/d' and no CSP in about:blank.
    102  // (Can not weaken parent with 'nonce-d')
    103  is(doc.a, true, "doc.a should be true (script 'nonce-a' allowed)");
    104  is(doc.b, undefined, "doc.b should be undefined (script 'nonce-b' blocked)");
    105  is(doc.c, true, "doc.c should be true (script 'nonce-c' allowed)");
    106  is(doc.d, undefined, "doc.d should be true (script 'nonce-d' blocked)");
    107 }
    108 
    109 (async function () {
    110  await testBlocked();
    111  await testNotBlocked();
    112  SimpleTest.finish();
    113 })();
    114 </script>
    115 </body>
    116 </html>