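<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1299483 - CSP: Implement 'strict-dynamic'</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
  <!-- Every fixture is loaded into this frame; test() reads the verdict the
       fixture writes into its #testdiv, which requires the frame to stay
       same-origin with this page. -->
  <iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

SimpleTest.waitForExplicitFinish();

/* Description of the test:
 * We load scripts with a CSP of 'strict-dynamic' with valid
 * and invalid nonces and make sure scripts are allowed/blocked
 * accordingly. Different tests load inline and external scripts
 * also using a CSP including http: and https: making sure
 * other srcs are invalidated by 'strict-dynamic'.
 *
 * Each entry below is served through file_testserver.sjs with the CSP in
 * 'policy'. The fixture (not shown in this file) is expected to write the
 * literal string "allowed" or "blocked" into an element with id 'testdiv';
 * test() compares that string with 'result'. Descriptions are kept unique
 * so a failing is() can be traced to one fixture/policy pair in the log.
 */

var tests = [
  // external scripts
  {
    desc: "strict-dynamic with valid nonce should be allowed (external script)",
    result: "allowed",
    file: "file_strict_dynamic_script_extern.html",
    // https:, 'none' and 'self' are present only to show they neither help
    // nor hurt once 'strict-dynamic' is in the policy; the nonce decides.
    policy: "script-src 'strict-dynamic' 'nonce-foo' https: 'none' 'self'"
  },
  {
    desc: "strict-dynamic with invalid nonce should be blocked (external script)",
    result: "blocked",
    file: "file_strict_dynamic_script_extern.html",
    // the scheme/host allowlist must not rescue a script carrying the wrong nonce
    policy: "script-src 'strict-dynamic' 'nonce-bar' http: http://example.com"
  },
  {
    desc: "strict-dynamic, allowlist and invalid nonce should be blocked (external script)",
    result: "blocked",
    file: "file_strict_dynamic_script_extern.html",
    // same as above plus 'unsafe-inline', which must be ignored as well
    policy: "script-src 'strict-dynamic' 'nonce-bar' 'unsafe-inline' http: http://example.com"
  },
  {
    desc: "strict-dynamic with no 'nonce-' should be blocked (external script)",
    result: "blocked",
    file: "file_strict_dynamic_script_extern.html",
    // 'strict-dynamic' alone grants nothing: there is no trusted root script
    policy: "script-src 'strict-dynamic'"
  },
  // inline scripts
  {
    desc: "strict-dynamic with valid nonce should be allowed (inline script)",
    result: "allowed",
    file: "file_strict_dynamic_script_inline.html",
    policy: "script-src 'strict-dynamic' 'nonce-foo' https: 'none' 'self'"
  },
  {
    desc: "strict-dynamic with invalid nonce should be blocked (inline script)",
    result: "blocked",
    file: "file_strict_dynamic_script_inline.html",
    policy: "script-src 'strict-dynamic' 'nonce-bar' http: http://example.com"
  },
  {
    desc: "strict-dynamic, unsafe-inline and invalid nonce should be blocked (inline script)",
    result: "blocked",
    file: "file_strict_dynamic_script_inline.html",
    policy: "script-src 'strict-dynamic' 'nonce-bar' 'unsafe-inline' http: http://example.com"
  },
  {
    desc: "strict-dynamic with no 'nonce-' should be blocked (inline script)",
    result: "blocked",
    file: "file_strict_dynamic_script_inline.html",
    policy: "script-src 'strict-dynamic'"
  },
  // non-parser-inserted script vectors: a nonce on a <script> must not
  // carry over to event handler attributes or javascript: URLs
  {
    desc: "strict-dynamic with DOM events should be blocked",
    result: "blocked",
    file: "file_strict_dynamic_script_events.html",
    policy: "script-src 'strict-dynamic' 'nonce-foo'"
  },
  {
    // marquee is a special snowflake
    desc: "strict-dynamic with DOM events should be blocked (marquee)",
    result: "blocked",
    file: "file_strict_dynamic_script_events_marquee.html",
    policy: "script-src 'strict-dynamic' 'nonce-foo'"
  },
  {
    desc: "strict-dynamic with JS URLs should be blocked",
    result: "blocked",
    file: "file_strict_dynamic_js_url.html",
    policy: "script-src 'strict-dynamic' 'nonce-foo'"
  },
];

var counter = 0;
var curTest;

/**
 * Serve the next fixture from `tests` with its CSP, or finish the test
 * run once every entry has been consumed.
 * Side effects: advances `counter`, sets `curTest`, attaches a one-shot
 * load listener (detached again in test()) and navigates #testframe.
 */
function loadNextTest() {
  if (counter == tests.length) {
    SimpleTest.finish();
    return;
  }

  curTest = tests[counter++];
  var src = "file_testserver.sjs?file=";
  // append the file that should be served. encodeURIComponent replaces the
  // legacy escape(): escape() is deprecated, leaves '+' and '/' unencoded
  // and emits non-UTF-8 %uXXXX sequences, so it is not a correct encoder
  // for a query-string component.
  src += encodeURIComponent("tests/dom/security/test/csp/" + curTest.file);
  // append the CSP that should be used to serve the file
  src += "&csp=" + encodeURIComponent(curTest.policy);

  document.getElementById("testframe").addEventListener("load", test);
  document.getElementById("testframe").src = src;
}

/**
 * Load handler for #testframe: compare the fixture's verdict in #testdiv
 * with curTest.result, report via is()/ok(), then schedule the next test.
 * Any exception while reaching into the frame (missing #testdiv, or a
 * frame that is not same-origin) is reported as a failure for curTest.
 */
function test() {
  // Detach first so that an exception below cannot leave the listener in
  // place and have the next fixture load run this handler twice.
  document.getElementById("testframe").removeEventListener("load", test);
  try {
    var testframe = document.getElementById("testframe");
    var divcontent = testframe.contentWindow.document.getElementById("testdiv").innerHTML;
    is(divcontent, curTest.result, curTest.desc);
  }
  catch (e) {
    ok(false, "ERROR: could not access content for test: '" + curTest.desc + "'");
  }
  loadNextTest();
}

// start running the tests
loadNextTest();

</script>
</body>
</html>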