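<!DOCTYPE HTML>
<html>
<head>
  <title>Test for Userpass in Frame Ancestors directive</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">

// What this page checks: whether a framed document is loaded or blocked by
// the CSP frame-ancestors directive, neither the fetched URI nor the
// reported policy string may carry userinfo (the "user:pass@" part of a
// URL).  Every result below reduces to "does the string contain '@'".

// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
// Kept as `var` on purpose: the helpers below read this through
// `window.framesThatShouldLoad`, so it must be a global property, which a
// `let`/`const` binding would not create.
var framesThatShouldLoad = {
  frame_a: -1, /* frame a allowed */
  frame_b: -1, /* frame b allowed */
};

// Number of CSP violation reports this file still expects.  frameBlocked()
// counts it down; checkTestResults() will not finish the test while it is
// positive.  (Also read through `window.*`, hence `var`.)
var expectedViolationsLeft = 1;

// CSP frame-ancestor checks happen in the parent, hence we have to
// proxy the csp violation notifications.
SpecialPowers.registerObservers("csp-on-violate-policy");

// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.  Constructing one registers it as an observer;
// remove() must be called before the test finishes.
function examiner() {
  SpecialPowers.addObserver(this, "specialpowers-csp-on-violate-policy");
}
examiner.prototype = {
  // Observer callback: `subject` is the URI the violation was recorded for
  // (may be null, see below), `data` is the policy string.  Forwards
  // blocked frames to window.frameBlocked().
  observe(subject, topic, data) {
    // subject should be an nsURI... though could be null since CSP
    // prohibits cross-origin URI reporting during frame ancestors checks.
    if (subject && !SpecialPowers.can_QI(subject)) {
      return;
    }

    let asciiSpec = subject;

    try {
      asciiSpec = SpecialPowers.getPrivilegedProps(
        SpecialPowers.do_QueryInterface(subject, "nsIURI"),
        "asciiSpec");

      // skip checks on the test harness -- can't do this skipping for
      // cross-origin blocking since the observer doesn't get the URI. This
      // can cause this test to over-succeed (but only in specific cases).
      if (asciiSpec.includes("test_frameancestors_userpass.html")) {
        return;
      }
    } catch (ex) {
      // was not an nsIURI, so it was probably a cross-origin report;
      // asciiSpec keeps whatever `subject` was (possibly null).
    }

    if (topic === "specialpowers-csp-on-violate-policy") {
      // these were blocked... record that they were blocked
      window.frameBlocked(asciiSpec, data);
    }
  },

  // must eventually call this to remove the listener,
  // or mochitests might get borked.
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-csp-on-violate-policy");
  }
};

// called when a frame is loaded
// -- if it's not enumerated above, it should not load!
//
// `testname` is the key posted by the framed page, `uri` the URI it says it
// was fetched from.  Records true/false in framesThatShouldLoad and then
// re-checks whether the whole test can finish.
var frameLoaded = function(testname, uri) {
  const state = window.framesThatShouldLoad[testname];

  if (typeof state === 'undefined') {
    // uh-oh, we're not expecting this frame to load!
    // This has to be tested *before* the "already complete" guard: an
    // unknown key reads as undefined, and the former `!= -1` check returned
    // early on it, so unexpected frames were never reported.
    ok(false, testname + ' framed site should not have loaded: ' + uri);
  } else if (state !== -1) {
    // test already complete.... forget it... remember the first result.
    return;
  } else if (uri.includes('@')) {
    // Check if @ symbol is there in URI.  Record the failure so that
    // checkTestResults() can still finish instead of waiting forever.
    framesThatShouldLoad[testname] = false;
    ok(false, ' URI contains userpass. Fetched URI is ' + uri);
  } else {
    framesThatShouldLoad[testname] = true;
    ok(true, ' URI doesn\'t contain userpass. Fetched URI is ' + uri);
  }
  checkTestResults();
};

// called when a frame is blocked
// -- we can't determine *which* frame was blocked, but at least we can count them
//
// `uri` may be a string, null, or the raw observer subject (see
// examiner.observe); `policy` is the CSP policy string that fired.
var frameBlocked = function(uri, policy) {
  // Check if @ symbol is there in URI or in csp policy.
  // Bug 1557712: Intermittent failure -> not sure why the 'uri' might ever
  // be non existing at this point, however if there is no uri, there can
  // also be no userpass!
  const leaksUserpass =
    policy.includes('@') ||
    (typeof uri === 'string' && uri.includes('@'));

  if (leaksUserpass) {
    ok(false, ' a CSP policy blocked frame from being loaded. But contains' +
              ' userpass. Policy is: ' + policy + ';URI is: ' + uri );
  } else {
    ok(true, ' a CSP policy blocked frame from being loaded. Doesn\'t contain'+
             ' userpass. Policy is: ' + policy + ';URI is: ' + uri );
  }
  expectedViolationsLeft--;
  checkTestResults();
};


// Check to see if all the tests have run
var checkTestResults = function() {
  // if any test is incomplete, keep waiting
  for (const v in framesThatShouldLoad) {
    if (window.framesThatShouldLoad[v] === -1) {
      return;
    }
  }

  if (window.expectedViolationsLeft > 0) {
    return;
  }

  // ... otherwise, finish
  window.examiner.remove();
  SimpleTest.finish();
};

window.addEventListener("message", receiveMessage);

// Framed documents report back via postMessage; only `frameLoaded` calls
// are handled.  A message whose `data` is not an object is ignored rather
// than thrown on.
// NOTE(review): event.origin is not checked, so any frame in the testbed,
// whatever its origin, may post a frameLoaded report — confirm that is
// intended for this harness.
function receiveMessage(event) {
  if (event.data && event.data.call === 'frameLoaded') {
    frameLoaded(event.data.testname, event.data.uri);
  }
}

//////////////////////////////////////////////////////////////////////
// set up and go
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();

// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_frameancestors_userpass.html';

</script>
</body>
</html>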