4 https://bugzilla.mozilla.org/show_bug.cgi?id=671389
5 Bug 671389 - Implement CSP sandbox directive
9 <title>Tests for Bug
671389</title>
10 <script src=
"/tests/SimpleTest/SimpleTest.js"></script>
11 <link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css"/>
13 <script type=
"application/javascript">
15 SimpleTest.waitForExplicitFinish();
17 // Check if two sandbox flags are the same, ignoring case-sensitivity.
18 // getSandboxFlags returns a list of sandbox flags (if any) or
19 // null if the flag is not set.
20 // This function checks if two flags are the same, i.e., they're
21 // either not set or have the same flags.
22 function eqFlags(a, b) {
23 if (a === null && b === null) { return true; }
24 if (a === null || b === null) { return false; }
25 if (a.length !== b.length) { return false; }
26 var a_sorted = a.map(function(e) { return e.toLowerCase(); }).sort();
27 var b_sorted = b.map(function(e) { return e.toLowerCase(); }).sort();
28 for (var i in a_sorted) {
29 if (a_sorted[i] !== b_sorted[i]) {
36 // Get the sandbox flags of document doc.
37 // If the flag is not set sandboxFlagsAsString returns null,
38 // this function also returns null.
39 // If the flag is set it may have some flags; in this case
40 // this function returns the (potentially empty) list of flags.
41 function getSandboxFlags(doc) {
42 var flags = doc.sandboxFlagsAsString;
43 if (flags === null) { return null; }
44 return flags? flags.split(
" "):[];
47 // Constructor for a CSP sandbox flags test. The constructor
48 // expectes a description 'desc' and set of options 'opts':
49 // - sandboxAttribute: [null] or string corresponding to the iframe sandbox attributes
50 // - csp: [null] or string corresponding to the CSP sandbox flags
51 // - cspReportOnly: [null] or string corresponding to the CSP report-only sandbox flags
52 // - file: [null] or string corresponding to file the server should serve
53 // Above, we use [brackets] to denote default values.
54 function CSPFlagsTest(desc, opts) {
55 function ifundef(x, v) {
56 return (x !== undefined) ? x : v;
59 function intersect(as, bs) { // Intersect two csp attributes:
60 as = as === null ? null
61 : as.split(' ').filter(function(x) { return !!x; });
62 bs = bs === null ? null
63 : bs.split(' ').filter(function(x) { return !!x; });
65 if (as === null) { return bs; }
66 if (bs === null) { return as; }
69 as.forEach(function(a) {
70 if (a && bs.includes(a))
76 this.desc = desc ||
"Untitled test";
77 this.attr = ifundef(opts.sandboxAttribute, null);
78 this.csp = ifundef(opts.csp, null);
79 this.cspRO = ifundef(opts.cspReportOnly, null);
80 this.file = ifundef(opts.file, null);
81 this.expected = intersect(this.attr, this.csp);
84 // Return function that checks that the actual flags are the same as the
86 CSPFlagsTest.prototype.checkFlags = function(iframe) {
90 var actual = getSandboxFlags(SpecialPowers.wrap(iframe).contentDocument);
91 ok(eqFlags(actual, this_.expected),
92 this_.desc + ' - expected:
"' + this_.expected + '", got:
"' + actual + '"');
95 this_.desc + ' - expected:
"' + this_.expected + '", failed with:
"' + e + '"');
101 // Set the iframe src and sandbox attribute
102 CSPFlagsTest.prototype.runTest = function () {
103 var iframe = document.createElement('iframe');
104 document.getElementById(
"content").appendChild(iframe);
105 iframe.onload = this.checkFlags(iframe);
107 // set sandbox attribute
108 if (this.attr === null) {
109 iframe.removeAttribute('sandbox');
111 iframe.sandbox = this.attr;
115 var src = 'http://mochi.test:
8888/tests/dom/security/test/csp/file_testserver.sjs';
119 if (this.csp !== null) {
120 src += delim + 'csp=' + escape('sandbox ' + this.csp);
124 if (this.cspRO !== null) {
125 src += delim + 'cspRO=' + escape('sandbox ' + this.cspRO);
129 if (this.file !== null) {
130 src += delim + 'file=' + escape(this.file);
135 iframe.width = iframe.height =
10;
141 desc:
"Test 1: Header should not override attribute",
142 sandboxAttribute:
"",
143 csp:
"allow-forms aLLOw-POinter-lock alLOW-popups aLLOW-SAME-ORIGin ALLOW-SCRIPTS allow-top-navigation"
146 desc:
"Test 2: Attribute should not override header",
147 sandboxAttribute:
"sandbox allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation",
151 desc:
"Test 3: Header and attribute intersect",
152 sandboxAttribute:
"allow-same-origin allow-scripts",
153 csp:
"allow-forms allow-same-origin allow-scripts"
156 desc:
"Test 4: CSP sandbox sets the right flags (pt 1)",
157 csp:
"alLOW-FORms ALLOW-pointer-lock allow-popups allow-same-origin allow-scripts ALLOW-TOP-NAVIGation"
160 desc:
"Test 5: CSP sandbox sets the right flags (pt 2)",
161 csp:
"allow-same-origin allow-TOP-navigation"
164 desc:
"Test 6: CSP sandbox sets the right flags (pt 3)",
165 csp:
"allow-FORMS ALLOW-scripts"
168 desc:
"Test 7: CSP sandbox sets the right flags (pt 4)",
172 desc:
"Test 8: CSP sandbox sets the right flags (pt 5)",
176 desc:
"Test 9: Read-only header should not override attribute",
177 sandboxAttribute:
"",
178 cspReportOnly:
"allow-forms ALLOW-pointer-lock allow-POPUPS allow-same-origin ALLOW-scripts allow-top-NAVIGATION"
181 desc:
"Test 10: Read-only header should not override CSP header",
182 csp:
"allow-forms allow-scripts",
183 cspReportOnly:
"allow-forms aLlOw-PoInTeR-lOcK aLLow-pOPupS aLLoW-SaME-oRIgIN alLow-scripts allow-tOp-navigation"
186 desc:
"Test 11: Read-only header should not override attribute or CSP header",
187 sandboxAttribute:
"allow-same-origin allow-scripts",
188 csp:
"allow-forms allow-same-origin allow-scripts",
189 cspReportOnly:
"allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation"
192 desc:
"Test 12: CSP sandbox not affected by document.write()",
193 csp:
"allow-scripts",
194 file: 'tests/dom/security/test/csp/file_iframe_sandbox_document_write.html'
196 ].map(function(t) { return (new CSPFlagsTest(t.desc,t)); });
199 var testCaseIndex =
0;
201 // Track ok messages from iframes
202 var childMessages =
0;
203 var totalChildMessages =
1;
206 // Check to see if we ran all the tests and received all messges
207 // from child iframes. If so, finish.
208 function tryFinish() {
209 if (testCaseIndex === testCases.length && childMessages === totalChildMessages){
214 function runNextTest() {
218 if (testCaseIndex < testCases.length) {
219 testCases[testCaseIndex].runTest();
224 function receiveMessage(event) {
225 ok(event.data.ok, event.data.desc);
230 window.addEventListener(
"message", receiveMessage);
232 addLoadEvent(runNextTest);
235 <a target=
"_blank" href=
"https://bugzilla.mozilla.org/show_bug.cgi?id=671389">Mozilla Bug
671389</a> - Implement CSP sandbox directive