test_nonce_source.html (4431B)
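<!DOCTYPE HTML>
<html>
<head>
  <title>Test CSP 1.1 nonce-source for scripts and styles</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <script src="/tests/SimpleTest/EventUtils.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="visibility:hidden">
  <iframe style="width:100%;" id='cspframe'></iframe>
</div>
<pre id="test">
<script class="testbody" type="text/javascript">

// Verifies CSP nonce-source for inline content: an inline <script>/<style>
// may only run when its nonce matches the one the policy lists for *that*
// directive.  A nonce that is valid for script-src must not authorize an
// inline style and vice versa, and an element without a nonce stays blocked.
// External loads triggered by the framed testbed carry a
// testid=<name>_good|_bad query parameter; the examiner below checks that
// every _good request is actually issued and every _bad request is blocked.

// Number of observations expected before the test may finish.  The 8 inline
// checks come from checkInlineScriptsAndStyles(); the remaining 12 are
// expected to come from the loads made by file_nonce_source.html — keep this
// in sync with that file.
let testsRun = 0;
const totalTests = 20;
// Set once cleanup() has run so a late notification cannot finish twice.
let finished = false;

// Matches the testid query parameter on a request or blocked-resource URI.
// No /g flag, so reusing the literal carries no lastIndex state.
const TESTID_RE = /testid=([a-z0-9_]+)/;

// Returns the testid embedded in `uri`, or null when there is none.
function extractTestId(uri) {
  const match = TESTID_RE.exec(uri);
  return match ? match[1] : null;
}

// Observes outgoing HTTP requests and CSP violations so the test can assert
// that allowed and blocked loads line up with their _good/_bad testids.
function examiner() {
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
}

examiner.prototype = {
  observe(subject, topic, data) {
    if (topic === "specialpowers-http-notify-request") {
      // `data` is the request URI; a request without a testid is not ours.
      const testid = extractTestId(data);
      if (testid === null) return;
      ok(/_good/.test(testid), "should allow URI with good testid " + testid);
      ranTests(1);
      return;
    }

    if (topic === "csp-on-violate-policy") {
      let blockedUri;
      try {
        // For a blocked external load the subject is the nsIURI of the resource.
        blockedUri = SpecialPowers.getPrivilegedProps(
          SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
      } catch (e) {
        // For a blocked inline script/style the subject is not a URI and
        // `data` is only a violation message.  Those cannot be attributed to
        // a particular element here, so they are deliberately ignored; the
        // inline cases are verified by checkInlineScriptsAndStyles() instead.
        return;
      }
      const testid = extractTestId(blockedUri);
      if (testid === null) return;
      ok(/_bad/.test(testid), "should block URI with bad testid " + testid);
      ranTests(1);
    }
  },

  // Must be called before the test finishes; leaked observers can break
  // later mochitests in the same run.
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
  },
};

function cleanup() {
  // Unregister the observers first so a late notification cannot re-enter.
  window.examiner.remove();
  SimpleTest.finish();
}

// Records `num` completed checks and finishes once totalTests is reached.
// cleanup() runs exactly once even if more notifications than expected
// arrive (a second SimpleTest.finish() would itself fail the test).
function ranTests(num) {
  testsRun += num;
  if (testsRun < totalTests || finished) {
    return;
  }
  finished = true;
  cleanup();
}

// Each inline script/style in the framed testbed tries to turn its target
// element green.  If CSP blocks it, the element keeps the default black, so
// the computed colour tells us whether the inline content was executed.
function checkInlineScriptsAndStyles() {
  const cspframe = document.getElementById('cspframe');
  const getElementColorById = (id) =>
    window.getComputedStyle(cspframe.contentDocument.getElementById(id)).color;
  const green = "rgb(0, 128, 0)";
  const black = "rgb(0, 0, 0)";

  // inline script tests: only the script-src nonce may authorize a script
  is(getElementColorById('inline-script-correct-nonce'), green,
     "Inline script with correct nonce should execute");
  is(getElementColorById('inline-script-incorrect-nonce'), black,
     "Inline script with incorrect nonce should not execute");
  is(getElementColorById('inline-script-correct-style-nonce'), black,
     "Inline script with correct nonce for styles (but not for scripts) should not execute");
  is(getElementColorById('inline-script-no-nonce'), black,
     "Inline script with no nonce should not execute");

  // inline style tests: only the style-src nonce may authorize a style
  is(getElementColorById('inline-style-correct-nonce'), green,
     "Inline style with correct nonce should be allowed");
  is(getElementColorById('inline-style-incorrect-nonce'), black,
     "Inline style with incorrect nonce should be blocked");
  is(getElementColorById('inline-style-correct-script-nonce'), black,
     "Inline style with correct nonce for scripts (but incorrect nonce for styles) should be blocked");
  is(getElementColorById('inline-style-no-nonce'), black,
     "Inline style with no nonce should be blocked");

  ranTests(8);
}

//////////////////////////////////////////////////////////////////////
// set up and go
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();

// Register the load handler and set src last so the observers above are in
// place before the testbed of good and bad requests starts loading.
document.getElementById('cspframe').addEventListener('load', checkInlineScriptsAndStyles);
document.getElementById('cspframe').src = 'file_nonce_source.html';
</script>
</pre>
</body>
</html>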