Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: verify OR http3 OR http2
- Manifest: dom/security/test/csp/mochitest.toml
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy multiple policy support (regular and Report-Only mode)</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/dom/security/test/csp/";
// These are test results: verified indicates whether or not the test has run.
// true/false is the pass/fail result.
window.loads = {
css_self: {expected: true, verified: false},
img_self: {expected: false, verified: false},
script_self: {expected: true, verified: false},
};
window.violation_reports = {
css_self:
{expected: 0, expected_ro: 0}, /* totally fine */
img_self:
{expected: 1, expected_ro: 0}, /* violates enforced CSP */
script_self:
{expected: 0, expected_ro: 1}, /* violates report-only */
};
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire. This also watches for violation reports to go out.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy");
SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}
examiner.prototype = {
observe(subject, topic, data) {
var testpat = new RegExp("testid=([a-z0-9_]+)");
if (topic === "specialpowers-http-notify-request") {
var uri = data;
if (!testpat.test(uri)) return;
var testid = testpat.exec(uri)[1];
// violation reports don't come through here, but the requested resources do
// if the test has already finished, move on. Some things throw multiple
// requests (preloads and such)
try {
if (window.loads[testid].verified) return;
} catch(e) { return; }
// these are requests that were allowed by CSP
var testid = testpat.exec(uri)[1];
window.testResult(testid, 'allowed', uri + " allowed by csp");
}
if(topic === "csp-on-violate-policy") {
// if the violated policy was report-only, the resource will still be
// loaded even if this topic is notified.
var asciiSpec = SpecialPowers.getPrivilegedProps(
SpecialPowers.do_QueryInterface(subject, "nsIURI"),
"asciiSpec");
if (!testpat.test(asciiSpec)) return;
var testid = testpat.exec(asciiSpec)[1];
// if the test has already finished, move on.
try {
if (window.loads[testid].verified) return;
} catch(e) { return; }
// record the ones that were supposed to be blocked, but don't use this
// as an indicator for tests that are not blocked but do generate reports.
// We skip recording the result if the load is expected since a
// report-only policy will generate a request *and* a violation note.
if (!window.loads[testid].expected) {
window.testResult(testid,
'blocked',
asciiSpec + " blocked by \"" + data + "\"");
}
}
// if any test is unverified, keep waiting
for (var v in window.loads) {
if(!window.loads[v].verified) {
return;
}
}
window.bug836922examiner.remove();
window.resultPoller.pollForFinish();
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.bug836922examiner = new examiner();
// Poll for results and see if enough reports came in. Keep trying
// for a few seconds before failing with lack of reports.
// Have to do this because there's a race between the async reporting
// and this test finishing, and we don't want to win the race.
window.resultPoller = {
POLL_ATTEMPTS_LEFT: 14,
pollForFinish() {
var vr = resultPoller.tallyReceivedReports();
if (resultPoller.verifyReports(vr, resultPoller.POLL_ATTEMPTS_LEFT < 1)) {
// report success condition.
resultPoller.resetReportServer();
SimpleTest.finish();
} else {
resultPoller.POLL_ATTEMPTS_LEFT--;
// try again unless we reached the threshold.
setTimeout(resultPoller.pollForFinish, 100);
}
},
resetReportServer() {
var xhr = new XMLHttpRequest();
var xhr_ro = new XMLHttpRequest();
xhr.open("GET", "file_bug836922_npolicies_violation.sjs?reset", false);
xhr_ro.open("GET", "file_bug836922_npolicies_ro_violation.sjs?reset", false);
xhr.send(null);
xhr_ro.send(null);
},
tallyReceivedReports() {
var xhr = new XMLHttpRequest();
var xhr_ro = new XMLHttpRequest();
xhr.open("GET", "file_bug836922_npolicies_violation.sjs?results", false);
xhr_ro.open("GET", "file_bug836922_npolicies_ro_violation.sjs?results", false);
xhr.send(null);
xhr_ro.send(null);
var received = JSON.parse(xhr.responseText);
var received_ro = JSON.parse(xhr_ro.responseText);
var results = {enforced: {}, reportonly: {}};
for (var r in window.violation_reports) {
results.enforced[r] = 0;
results.reportonly[r] = 0;
}
for (var r in received) {
results.enforced[r] += received[r];
}
for (var r in received_ro) {
results.reportonly[r] += received_ro[r];
}
return results;
},
verifyReports(receivedCounts, lastAttempt) {
for (var r in window.violation_reports) {
var exp = window.violation_reports[r].expected;
var exp_ro = window.violation_reports[r].expected_ro;
var rec = receivedCounts.enforced[r];
var rec_ro = receivedCounts.reportonly[r];
// if this test breaks, these are helpful dumps:
//dump(">>> Verifying " + r + "\n");
//dump(" > Expected: " + exp + " / " + exp_ro + " (ro)\n");
//dump(" > Received: " + rec + " / " + rec_ro + " (ro) \n");
// in all cases, we're looking for *at least* the expected number of
// reports of each type (there could be more in some edge cases).
// If there are not enough, we keep waiting and poll the server again
// later. If there are enough, we can successfully finish.
if (exp == 0)
is(rec, 0,
"Expected zero enforced-policy violation " +
"reports for " + r + ", got " + rec);
else if (lastAttempt)
ok(rec >= exp,
"Received (" + rec + "/" + exp + ") " +
"enforced-policy reports for " + r);
else if (rec < exp)
return false; // continue waiting for more
if(exp_ro == 0)
is(rec_ro, 0,
"Expected zero report-only-policy violation " +
"reports for " + r + ", got " + rec_ro);
else if (lastAttempt)
ok(rec_ro >= exp_ro,
"Received (" + rec_ro + "/" + exp_ro + ") " +
"report-only-policy reports for " + r);
else if (rec_ro < exp_ro)
return false; // continue waiting for more
}
// if we complete the loop, we've found all of the violation
// reports we expect.
if (lastAttempt) return true;
// Repeat successful tests once more to record successes via ok()
return resultPoller.verifyReports(receivedCounts, true);
}
};
window.testResult = function(testname, result, msg) {
// otherwise, make sure the allowed ones are expected and blocked ones are not.
if (window.loads[testname].expected) {
is(result, 'allowed', ">> " + msg);
} else {
is(result, 'blocked', ">> " + msg);
}
window.loads[testname].verified = true;
}
SimpleTest.waitForExplicitFinish();
SimpleTest.requestFlakyTimeout("untriaged");
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'http://mochi.test:8888' + path + 'file_bug836922_npolicies.html';
</script>
</pre>
</body>
</html>