tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_report.html (4145B)

      1 <!DOCTYPE HTML>
      2 <html>
      3 <!--
      4 https://bugzilla.mozilla.org/show_bug.cgi?id=548193
      5 -->
      6 <head>
      7  <title>Test for Bug 548193</title>
      8  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      9  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
     10 </head>
     11 <body>
     12 <p id="display"></p>
     13 <div id="content" style="display: none">
     14 </div>
     15 
     16 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
     17 <script class="testbody" type="text/javascript">
     18 
     19 /*
     20 * Description of the test:
     21 * We try to load an inline-src using a policy that constrains
     22 * all scripts from running (default-src 'none'). We verify that
     23 * the generated csp-report contains the expceted values. If any
     24 * of the JSON is not formatted properly (e.g. not properly escaped)
     25 * then JSON.parse will fail, which allows to pinpoint such errors
     26 * in the catch block, and the test will fail. Since we use an
     27 * observer, we can set the actual report-uri to a foo value.
     28 */
     29 
     30 const testfile = "tests/dom/security/test/csp/file_report.html";
     31 const reportURI = "http://mochi.test:8888/foo.sjs";
     32 const policy = "default-src 'none' 'report-sample'; report-uri " + reportURI;
     33 const docUri = "http://mochi.test:8888/tests/dom/security/test/csp/file_testserver.sjs" +
     34               "?file=tests/dom/security/test/csp/file_report.html" +
     35               "&csp=default-src%20%27none%27%20%27report-sample%27%3B%20report-uri%20http%3A//mochi.test%3A8888/foo.sjs";
     36 
     37 window.checkResults = function(reportObj) {
     38  var cspReport = reportObj["csp-report"];
     39 
     40  // The following uris' fragments should be stripped before reporting:
     41  //    * document-uri
     42  //    * blocked-uri
     43  //    * source-file
     44  // see http://www.w3.org/TR/CSP11/#violation-reports
     45  is(cspReport["document-uri"], docUri, "Incorrect document-uri");
     46 
     47  // we can not test for the whole referrer since it includes platform specific information
     48  ok(cspReport.referrer.startsWith("http://mochi.test:8888/tests/dom/security/test/csp/test_report.html"),
     49     "Incorrect referrer");
     50 
     51  is(cspReport["blocked-uri"], "inline", "Incorrect blocked-uri");
     52 
     53  is(cspReport["effective-directive"], "script-src-elem", "Incorrect effective-directive");
     54  is(cspReport["violated-directive"], "script-src-elem", "Incorrect violated-directive");
     55 
     56  is(cspReport["original-policy"], "default-src 'none' 'report-sample'; report-uri http://mochi.test:8888/foo.sjs",
     57     "Incorrect original-policy");
     58 
     59  is(cspReport.disposition, "enforce", "Incorrect disposition");
     60 
     61  is(cspReport["status-code"], 200, "Incorrect status-code");
     62 
     63  is(cspReport["source-file"], docUri, "Incorrect source-file");
     64 
     65  is(cspReport["script-sample"], "\n    var foo = \"propEscFoo\";\n    var bar…",
     66     "Incorrect script-sample");
     67 
     68  is(cspReport["line-number"], 7, "Incorrect line-number");
     69 }
     70 
     71 var chromeScriptUrl = SimpleTest.getTestFileURL("file_report_chromescript.js");
     72 var script = SpecialPowers.loadChromeScript(chromeScriptUrl);
     73 
     74 script.addMessageListener('opening-request-completed', function ml(msg) {
     75  if (msg.error) {
     76    ok(false, "Could not query report (exception: " + msg.error + ")");
     77  } else {
     78    try {
     79      var reportObj = JSON.parse(msg.report);
     80    } catch (e) {
     81      ok(false, "Could not parse JSON (exception: " + e + ")");
     82    }
     83    try {
     84      // test for the proper values in the report object
     85      window.checkResults(reportObj);
     86    } catch (e) {
     87      ok(false, "Could not query report (exception: " + e + ")");
     88    }
     89  }
     90 
     91  script.removeMessageListener('opening-request-completed', ml);
     92  script.sendAsyncMessage("finish");
     93  SimpleTest.finish();
     94 });
     95 
     96 SimpleTest.waitForExplicitFinish();
     97 
     98 // load the resource which will generate a CSP violation report
     99 // save this for last so that our listeners are registered.
    100 var src = "file_testserver.sjs";
    101 // append the file that should be served
    102 src += "?file=" + escape(testfile);
    103 // append the CSP that should be used to serve the file
    104 src += "&csp=" + escape(policy);
    105 // appending a fragment so we can test that it's correctly stripped
    106 // for document-uri and source-file.
    107 src += "#foo";
    108 document.getElementById("cspframe").src = src;
    109 
    110 </script>
    111 </pre>
    112 </body>
    113 </html>