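<!DOCTYPE HTML>
<html lang="en">
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=717511
-->
<head>
  <meta charset="utf-8">
  <title>Test for Bug 717511</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>

<!-- Each frame loads a test page that issues a mix of "good" (must be
     allowed) and "bad" (must be blocked) sub-requests under its own CSP
     headers. The src is assigned at the end of the script, after the
     observers below are registered, so no outcome is missed. -->
<iframe style="width:200px;height:200px;" id="cspframe" title="CSP multi-policy test page 1"></iframe>
<iframe style="width:200px;height:200px;" id="cspframe2" title="CSP multi-policy test page 2"></iframe>
<script class="testbody">

// Kept as a page global: the framed test pages may read it via parent — confirm before removing.
var path = "/tests/dom/security/test/csp/";

// Per-test results: -1 means the test has not reported yet, afterwards
// true/false is the pass/fail result. Only the first report per test id is
// recorded (see testResult). A test id that never reports leaves its entry
// at -1, so the harness times out instead of passing by accident.
// This is not exhaustive, just double-checking the 'self' vs * policy
// conflict in the two HTTP headers: a second, more permissive policy must
// not bypass the stricter one, since CSP requires every delivered policy to
// allow a request.
window.tests = {
  img_good: -1,
  img_bad: -1,
  script_good: -1,
  script_bad: -1,
  img2_good: -1,
  img2_bad: -1,
  script2_good: -1,
  script2_bad: -1,
};

// Watches requests that CSP blocked (csp-on-violate-policy) and requests
// that were allowed and sent to the wire (specialpowers-http-notify-request),
// and reports each outcome to testResult keyed by the "testid=..." query
// parameter carried in the request URL.
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}
examiner.prototype = {
  // Observer callback. subject/data depend on the topic: for
  // specialpowers-http-notify-request, data is the request URL spec; for
  // csp-on-violate-policy, subject is the blocked nsIURI and data names the
  // policy that blocked it.
  observe(subject, topic, data) {
    const testpat = /testid=([a-z0-9_]+)/;

    // Naming convention: ids containing "_good" must be allowed,
    // ids containing "_bad" must be blocked.

    if (topic === "specialpowers-http-notify-request") {
      // CSP let this request through.
      const asciiSpec = data;
      const match = testpat.exec(asciiSpec);
      if (!match) return; // not one of our instrumented requests
      const testid = match[1];
      window.testResult(testid,
                        /_good/.test(testid),
                        asciiSpec + " allowed by csp");
    }

    if (topic === "csp-on-violate-policy") {
      // subject should be an nsIURI for csp-on-violate-policy
      if (!SpecialPowers.can_QI(subject)) {
        return;
      }

      // CSP blocked this request; record that it was blocked.
      const asciiSpec = SpecialPowers.getPrivilegedProps(
        SpecialPowers.do_QueryInterface(subject, "nsIURI"),
        "asciiSpec");
      const match = testpat.exec(asciiSpec);
      if (!match) return; // not one of our instrumented requests
      const testid = match[1];
      window.testResult(testid,
                        /_bad/.test(testid),
                        asciiSpec + " blocked by \"" + data + "\"");
    }
  },

  // Must eventually be called to remove the observers, otherwise they
  // outlive this test and can interfere with later mochitests.
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
};

window.examiner = new examiner();

// Records the outcome for one test id and finishes the mochitest once every
// entry in window.tests has reported.
//   testname: test id parsed from the request URL
//   result:   true when the observed outcome matched the expectation
//   msg:      human-readable description logged with the assertion
// Ids that are not keys of window.tests (and repeat reports for an id that
// already has a result) are ignored.
window.testResult = function(testname, result, msg) {
  // Only the first result for a test id counts.
  if (window.tests[testname] != -1) {
    return;
  }

  window.tests[testname] = result;
  is(result, true, testname + ' test: ' + msg);

  // Keep waiting while any test is still pending.
  for (const name in window.tests) {
    if (window.tests[name] == -1) {
      return;
    }
  }

  // Everything has reported: detach the observers and end the test.
  window.examiner.remove();
  SimpleTest.finish();
};

SimpleTest.waitForExplicitFinish();

// Load the test pages last so that the observers above are already
// registered when their good and bad requests are issued.
document.getElementById('cspframe').src = 'file_multi_policy_injection_bypass.html';
document.getElementById('cspframe2').src = 'file_multi_policy_injection_bypass_2.html';
</script>
</body>
</html>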