test_sandbox_csp.js (4007B)
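"use strict";

// xpcshell tests for the `sandboxContentSecurityPolicy` option of Cu.Sandbox.
// They pin two things: which policy strings cause eval() to be blocked inside
// the sandbox, and which principal kinds accept the option at all.

/**
 * Reports whether eval() can run inside the given sandbox.
 *
 * @param {object} sandbox - A sandbox created with Cu.Sandbox.
 * @returns {boolean} true when the eval completed, false when it threw the
 *   CSP "blocked" error.
 */
function isEvalAllowed(sandbox) {
  try {
    Cu.evalInSandbox("eval('1234')", sandbox);
    return true;
  } catch (e) {
    // Only the CSP block counts as "not allowed": an exception with any other
    // message fails this assertion instead of being reported as a CSP block.
    Assert.equal(e.message, "call to eval() blocked by CSP", "Eval error msg");
    return false;
  }
}

add_task(function test_empty_csp() {
  const sand = Cu.Sandbox(["http://example.com/"], {
    sandboxContentSecurityPolicy: "",
  });
  Assert.ok(isEvalAllowed(sand), "eval() not blocked with empty CSP string");
});

add_task(function test_undefined_csp() {
  const sand = Cu.Sandbox(["http://example.com/"], {
    sandboxContentSecurityPolicy: undefined,
  });
  Assert.ok(isEvalAllowed(sand), "eval() not blocked with undefined CSP");
});

add_task(function test_malformed_csp() {
  // NOTE(review): this pins fail-open behavior. A string that is not a valid
  // policy does not make Cu.Sandbox throw and does not block eval(), so a
  // mistyped policy restricts nothing. Callers that rely on this option for
  // hardening should verify that the policy they pass is actually enforced.
  const sand = Cu.Sandbox(["http://example.com/"], {
    sandboxContentSecurityPolicy: "This is not a valid CSP value",
  });
  Assert.ok(isEvalAllowed(sand), "eval() not blocked with malformed CSP");
});

add_task(function test_allowed_by_sandboxContentSecurityPolicy() {
  const sand = Cu.Sandbox(["http://example.com/"], {
    sandboxContentSecurityPolicy: "script-src 'unsafe-eval';",
  });
  Assert.ok(isEvalAllowed(sand), "eval() allowed by 'unsafe-eval' CSP");
});

add_task(function test_blocked_by_sandboxContentSecurityPolicy() {
  const sand = Cu.Sandbox(["http://example.com/"], {
    sandboxContentSecurityPolicy: "script-src 'none';",
  });

  // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
  // Checking the principal first documents why the sandbox above is created
  // from an array of origins rather than a single origin string.
  Assert.ok(Cu.getObjectPrincipal(sand).isExpandedPrincipal, "Exp principal");

  Assert.ok(!isEvalAllowed(sand), "eval() should be blocked by CSP");
  // sandbox.eval is also blocked: callers should use Cu.evalInSandbox instead.
  Assert.throws(
    () => sand.eval("123"),
    /EvalError: call to eval\(\) blocked by CSP/,
    "sandbox.eval() is also blocked by CSP"
  );
});

// The remaining tasks check that the option is rejected at sandbox creation
// for every principal kind other than an ExpandedPrincipal, so a caller gets
// an error rather than a sandbox whose policy is not applied.

add_task(function test_sandboxContentSecurityPolicy_on_content_principal() {
  Assert.throws(
    () => {
      Cu.Sandbox("http://example.com", {
        sandboxContentSecurityPolicy: "script-src 'none';",
      });
    },
    /Error: sandboxContentSecurityPolicy is currently only supported with ExpandedPrincipals/,
    // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
    "sandboxContentSecurityPolicy does not work with content principal"
  );
});

add_task(function test_sandboxContentSecurityPolicy_on_null_principal() {
  Assert.throws(
    () => {
      Cu.Sandbox(null, { sandboxContentSecurityPolicy: "script-src 'none';" });
    },
    /Error: sandboxContentSecurityPolicy is currently only supported with ExpandedPrincipals/,
    // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
    "sandboxContentSecurityPolicy does not work with null principal"
  );
});

add_task(function test_sandboxContentSecurityPolicy_on_system_principal() {
  const systemPrincipal = Services.scriptSecurityManager.getSystemPrincipal();
  // Note: if we ever introduce support for CSP in non-Expanded principals,
  // then the test should set security.allow_eval_with_system_principal=true
  // to make sure that eval() is blocked because of CSP and not another reason.
  Assert.throws(
    () => {
      Cu.Sandbox(systemPrincipal, {
        sandboxContentSecurityPolicy: "script-src 'none';",
      });
    },
    /Error: sandboxContentSecurityPolicy is currently only supported with ExpandedPrincipals/,
    // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
    "sandboxContentSecurityPolicy does not work with system principal"
  );
});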