
test_iframe_srcdoc.html (4863B)


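      <!DOCTYPE HTML>
      <html>
      <head>
       <title>Bug 1073952 - Test CSP enforcement within iframe srcdoc</title>
       <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
       <script src="/tests/SimpleTest/SimpleTest.js"></script>
       <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      </head>
      <body>
      <iframe style="width:100%;" id="testframe"></iframe>

      <script class="testbody" type="text/javascript">

      /*
       * Description of the test:
       * (1) We serve a site which makes use of a script-allowed sandboxed iframe
       *     srcdoc and make sure that CSP applies to the nested browsing context
       *     within the iframe.
       *     [PAGE WITH CSP [IFRAME SANDBOX SRCDOC [SCRIPT]]]
       *
       * (2) We serve a site which nests script within a script-allowed sandboxed
       *     iframe srcdoc within another script-allowed sandboxed iframe srcdoc and
       *     make sure that CSP applies to the nested browsing context
       *     within the iframe*s*.
       *     [PAGE WITH CSP [IFRAME SANDBOX SRCDOC [IFRAME SANDBOX SRCDOC [SCRIPT]]]]
       *
       * Every scenario is also loaded once with an empty CSP and an expected result
       * of "allowed". These control cases show that the script runs when no policy
       * is sent, so a "blocked" outcome in the paired case is not vacuous.
       *
       * Please note that the test relies on the "csp-on-violate-policy" observer.
       * Whenever the script within the iframe is blocked, observers are notified and
       * the observer itself reports "blocked" for the current test. If the script
       * executes instead, the frame's postMessage reaches receiveMessage() (the
       * frame is expected to report 'allowed') and a test expecting "blocked" fails.
       */

      SimpleTest.waitForExplicitFinish();

      // Each entry is one load of file_iframe_srcdoc.sjs:
      //   csp    - policy string passed to the server script ("" = no policy)
      //   result - outcome the test expects ("allowed" or "blocked")
      //   query  - value of the "action" parameter selecting the frame layout
      //   desc   - message reported with the assertion
      var tests = [
       // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [SCRIPT]]]
       { csp: "",
         result: "allowed",
         query: "simple_iframe_srcdoc",
         desc: "No CSP should run script within script-allowed sandboxed iframe srcdoc"
       },
       // [PAGE WITH CSP [IFRAME SRCDOC [SCRIPT]]]
       { csp: "script-src https://test1.com",
         result: "blocked",
         query: "simple_iframe_srcdoc",
         desc: "CSP should block script within script-allowed sandboxediframe srcdoc"
       },
       // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [IFRAME SRCDOC [SCRIPT]]]]
       { csp: "",
         result: "allowed",
         query: "nested_iframe_srcdoc",
         desc: "No CSP should run script within script-allowed sandboxed iframe srcdoc nested within another script-allowed sandboxed iframe srcdoc"
       },
       // [PAGE WITH CSP [IFRAME SRCDOC [IFRAME SRCDOC [SCRIPT]]]]
       { csp: "script-src https://test2.com",
         result: "blocked",
         query: "nested_iframe_srcdoc",
         desc: "CSP should block script within script-allowed sandboxed iframe srcdoc nested within another script-allowed sandboxed iframe srcdoc"
       },
       // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [IFRAME SRC=data: URL [SCRIPT]]]]
       { csp: "",
         result: "allowed",
         query: "nested_iframe_srcdoc_datauri",
         desc: "No CSP, should run script within script-allowed sandboxed iframe src with data URL nested within another script-allowed sandboxed iframe srcdoc"
       },
       // [PAGE WITH CSP [IFRAME SRCDOC [IFRAME SRC=data: URL [SCRIPT]]]]
       { csp: "script-src https://test3.com",
         result: "blocked",
         query: "nested_iframe_srcdoc_datauri",
         desc: "CSP should block script within script-allowed sandboxed iframe src with data URL nested within another script-allowed sandboxed iframe srcdoc"
       },
      ];

      // initializing to -1 so we start at index 0 when we start the test
      var counter = -1;

      /**
       * Tears the test down: stops listening for frame messages, unregisters the
       * CSP violation observer and tells SimpleTest the run is over.
       */
      function finishTest() {
       window.removeEventListener("message", receiveMessage);
       window.examiner.remove();
       SimpleTest.finish();
      }

      window.addEventListener("message", receiveMessage);

      /**
       * Handles a postMessage from the test frame and compares the reported result
       * with the expectation of the current test.
       *
       * NOTE(review): neither event.origin nor event.source is checked here. That is
       * tolerable in a test page that only ever loads file_iframe_srcdoc.sjs, but a
       * message handler outside a test harness should validate the sender.
       *
       * @param {MessageEvent} event - message whose data carries a `result` field.
       */
      function receiveMessage(event) {
       const result = event.data.result;
       testComplete(result, tests[counter].result, tests[counter].desc);
      }

      /**
       * Observer for "csp-on-violate-policy" notifications; registers itself on
       * construction.
       */
      function examiner() {
       SpecialPowers.addObserver(this, "csp-on-violate-policy");
      }

      examiner.prototype = {
       /**
        * Reports "blocked" for the current test when an inline-script CSP violation
        * is observed; every other violation is ignored.
        */
       observe(subject, topic, data) {
         if (topic === "csp-on-violate-policy") {
           const violationString = SpecialPowers.getPrivilegedProps(
             SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
           // the violation subject for inline script violations is unfortunately vague,
           // all we can do is match the string.
           if (!violationString.includes("Inline Script")) {
             return;
           }
           testComplete("blocked", tests[counter].result, tests[counter].desc);
         }
       },
       /** Unregisters this observer from "csp-on-violate-policy". */
       remove() {
         SpecialPowers.removeObserver(this, "csp-on-violate-policy");
       }
      };

      /**
       * Asserts one outcome and advances to the next test.
       *
       * @param {string} result   - outcome that was observed.
       * @param {string} expected - outcome the current test expects.
       * @param {string} desc     - assertion message.
       */
      function testComplete(result, expected, desc) {
       is(result, expected, desc);
       // ignore cases when we get csp violations and postMessage from the same frame:
       // only advance while the frame URL still carries the current counter.
       const frameURL = new URL(document.getElementById("testframe").src);
       const params = new URLSearchParams(frameURL.search);
       const counterInFrame = params.get("counter");
       // params.get() returns a string (or null), so compare against the string form.
       if (counterInFrame === String(counter)) {
         loadNextTest();
       }
      }

      /**
       * Loads the next entry of tests[] into the test frame, or finishes the run
       * once every entry has been loaded.
       */
      function loadNextTest() {
       counter++;
       if (counter === tests.length) {
         finishTest();
         return;
       }
       // encodeURIComponent replaces the deprecated escape(): it also encodes "/"
       // and "+", so the policy string cannot be mistaken for query syntax.
       let src = "file_iframe_srcdoc.sjs";
       src += "?csp=" + encodeURIComponent(tests[counter].csp);
       src += "&action=" + encodeURIComponent(tests[counter].query);
       src += "&counter=" + counter;
       document.getElementById("testframe").src = src;
      }

      // start running the tests
      // (this assignment replaces the global constructor function `examiner` with
      // its single instance, which finishTest() later uses to unregister)
      window.examiner = new examiner();
      loadNextTest();

      </script>
      </body>
      </html>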