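<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Bug 1032303 - CSP - Keep FULL STOP when matching *.foo.com to disallow loads from foo.com</title>
  <!-- SimpleTest.js provides waitForExplicitFinish(), finish() and ok() used below. -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
</head>
<body>
<p id="display"></p>
<div id="content" style="visibility: hidden">
  <iframe style="width:100%;" id="testframe"></iframe>
</div>

<script class="testbody">

/*
 * Description of the test:
 * We load a page with a CSP that allows scripts to be loaded from *.example.com.
 * On that page we try to load two scripts:
 *   a) [allowed] leading_wildcard_allowed.js which is served from test1.example.com
 *   b) [blocked] leading_wildcard_blocked.js which is served from example.com
 *
 * We verify that only the allowed script executes by registering observers which listen
 * to CSP violations and http-notifications. Please note that both scripts do *not* exist
 * in the file system. The test just verifies that CSP blocks correctly.
 *
 * The test ends only after both scripts have produced an observation (one each);
 * if fewer than two arrive, SimpleTest.finish() is never called from this file
 * and the harness timeout reports the failure.
 */

SimpleTest.waitForExplicitFinish();

// CSP served with the framed page. CSP directives are ';'-separated; the
// earlier form of this string had no separator between "default-src 'none'"
// and "script-src", which a lenient parser may read as a single default-src
// source list instead of two directives. The script-src value under test is
// unchanged.
const policy = "default-src 'none'; script-src *.example.com";

// Number of per-script observations (allowed or blocked) seen so far.
let testsExecuted = 0;

// Called once per observed script request; finishes the test after the
// second one and unregisters the observers so they do not outlive the test.
function finishTest() {
  testsExecuted += 1;
  if (testsExecuted < 2) {
    return;
  }
  window.wildCardExaminer.remove();
  SimpleTest.finish();
}

// The examiner identifies requests that hit the wire
// ("specialpowers-http-notify-request") and requests that are blocked by
// CSP ("csp-on-violate-policy"). It is registered for both topics on
// construction and must be removed via remove().
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}

examiner.prototype = {
  // nsIObserver callback. `data` is the request spec for the http-notify
  // topic; for the CSP topic the blocked URI is read from `subject`.
  observe(subject, topic, data) {
    // Requests that reached the network: only the allowed script may appear here.
    if (topic === "specialpowers-http-notify-request") {
      if (data.includes("leading_wildcard_allowed.js")) {
        ok(true, "CSP should allow file_leading_wildcard_allowed.js!");
        finishTest();
      }
      if (data.includes("leading_wildcard_blocked.js")) {
        ok(false, "CSP should not allow file_leading_wildcard_blocked.js!");
        finishTest();
      }
      return;
    }

    // Requests blocked by CSP: only the blocked script may appear here.
    if (topic === "csp-on-violate-policy") {
      const asciiSpec = SpecialPowers.getPrivilegedProps(
        SpecialPowers.do_QueryInterface(subject, "nsIURI"),
        "asciiSpec");

      if (asciiSpec.includes("leading_wildcard_allowed.js")) {
        ok(false, "CSP should not block file_leading_wildcard_allowed.js!");
        finishTest();
      }
      if (asciiSpec.includes("leading_wildcard_blocked.js")) {
        ok(true, "CSP should block file_leading_wildcard_blocked.js!");
        finishTest();
      }
    }
  },

  // Unregisters both observers; counterpart of the constructor.
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  },
};

window.wildCardExaminer = new examiner();

// Points the test iframe at file_testserver.sjs, which serves the requested
// file with the requested CSP header (the sjs itself is not part of this file).
function runTest() {
  // encodeURIComponent replaces the legacy escape(): it encodes every
  // URL-significant character ('/', '&', '=', ' ') and does not emit the
  // non-standard %uXXXX form for non-ASCII input.
  // NOTE(review): assumes the sjs decodes percent-escapes in the query
  // (unescape/decodeURIComponent both do) — confirm against file_testserver.sjs.
  const file = encodeURIComponent("tests/dom/security/test/csp/file_leading_wildcard.html");
  const csp = encodeURIComponent(policy);
  document.getElementById("testframe").src =
    "file_testserver.sjs?file=" + file + "&csp=" + csp;
}

// start running the tests
runTest();

</script>
</body>
</html>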