This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch geckoview-102.3.0esr-12.0-1 in repository tor-browser.
commit 302870fce229a5556c0f8f94b424bd79761233c4 Author: Paul Zuehlcke pbz@mozilla.com AuthorDate: Mon Aug 15 11:45:20 2022 +0000
Bug 1772290 - tests, r=smaug a=test-only
Depends on D146914
Differential Revision: https://phabricator.services.mozilla.com/D146915 --- docshell/test/browser/browser.ini | 4 ++ .../browser_csp_sandbox_no_script_js_uri.js | 55 ++++++++++++++++++++++ .../browser/file_csp_sandbox_no_script_js_uri.html | 11 +++++ ...file_csp_sandbox_no_script_js_uri.html^headers^ | 1 + 4 files changed, 71 insertions(+)
diff --git a/docshell/test/browser/browser.ini b/docshell/test/browser/browser.ini
index cbedf66c17f71..6f38846db04fd 100644
--- a/docshell/test/browser/browser.ini
+++ b/docshell/test/browser/browser.ini
@@ -141,6 +141,10 @@ skip-if = verify
 [browser_bug852909.js]
 skip-if = (verify && debug && (os == 'win'))
 [browser_bug92473.js]
+[browser_csp_sandbox_no_script_js_uri.js]
+support-files =
+ file_csp_sandbox_no_script_js_uri.html
+ file_csp_sandbox_no_script_js_uri.html^headers^
 [browser_data_load_inherit_csp.js]
 [browser_dataURI_unique_opaque_origin.js]
 [browser_fission_maxOrigins.js]
diff --git a/docshell/test/browser/browser_csp_sandbox_no_script_js_uri.js b/docshell/test/browser/browser_csp_sandbox_no_script_js_uri.js
new file mode 100644
index 0000000000000..d0b92084ec4c3
--- /dev/null
+++ b/docshell/test/browser/browser_csp_sandbox_no_script_js_uri.js
@@ -0,0 +1,55 @@
+/* Any copyright is dedicated to the Public Domain.
+ http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const TEST_PATH = getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+);
+
+/**
+ * Test that javascript URIs in CSP-sandboxed contexts can't be used to bypass
+ * script restrictions.
+ */
+add_task(async function test_csp_sandbox_no_script_js_uri() {
+ await BrowserTestUtils.withNewTab(
+ TEST_PATH + "dummy_page.html",
+ async browser => {
+ info("Register observer and wait for javascript-uri-blocked message.");
+ let observerPromise = SpecialPowers.spawn(browser, [], () => {
+ return new Promise(resolve => {
+ SpecialPowers.addObserver(function obs(subject) {
+ ok(
+ subject == content,
+ "Should block script spawned via javascript uri"
+ );
+ SpecialPowers.removeObserver(
+ obs,
+ "javascript-uri-blocked-by-sandbox"
+ );
+ resolve();
+ }, "javascript-uri-blocked-by-sandbox");
+ });
+ });
+
+ info("Spawn csp-sandboxed iframe with javascript URI");
+ let frameBC = await SpecialPowers.spawn(
+ browser,
+ [TEST_PATH + "file_csp_sandbox_no_script_js_uri.html"],
+ async url => {
+ let frame = content.document.createElement("iframe");
+ let loadPromise = ContentTaskUtils.waitForEvent(frame, "load", true);
+ frame.src = url;
+ content.document.body.appendChild(frame);
+ await loadPromise;
+ return frame.browsingContext;
+ }
+ );
+
+ info("Click javascript URI link in iframe");
+ BrowserTestUtils.synthesizeMouseAtCenter("a", {}, frameBC);
+ await observerPromise;
+ }
+ );
+});
diff --git a/docshell/test/browser/file_csp_sandbox_no_script_js_uri.html b/docshell/test/browser/file_csp_sandbox_no_script_js_uri.html
new file mode 100644
index 0000000000000..49341f7481f57
--- /dev/null
+++ b/docshell/test/browser/file_csp_sandbox_no_script_js_uri.html
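Review bot: The `ok(subject == content, …)` assertion inside the observer callback uses loose equality; it is comparing two window references, so `subject === content` expresses the intent and matches the strict style of the rest of the file. The reason the top-level window is the expected subject is also not stated anywhere in the test and can only be recovered by reading the HTML fixture, where the link carries `target="_parent"`; a comment above the assertion would save the next reader that trip, e.g. `// The fixture link targets _parent, so a javascript: URI that slipped through would run in the tab's top-level window, not the sandboxed frame.` The test currently proves that the "javascript-uri-blocked-by-sandbox" notification fires, which is the right signal for the block, but it does not document that the sandboxed fixture deliberately omits allow-scripts while granting allow-top-navigation; a one-line comment next to the `info("Spawn csp-sandboxed iframe …")` call naming that policy would tie the JS to the ^headers^ file.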
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Test Javascript URI with no script</title>
+</head>
+<body>
+<noscript>no scripts allowed here</noscript>
+<a href="javascript:alert(`origin=${origin} location=${location}`)" target="_parent">click me</a>
+</body>
+</html>
diff --git a/docshell/test/browser/file_csp_sandbox_no_script_js_uri.html^headers^ b/docshell/test/browser/file_csp_sandbox_no_script_js_uri.html^headers^
new file mode 100644
index 0000000000000..461f7f99ce2c4
--- /dev/null
+++ b/docshell/test/browser/file_csp_sandbox_no_script_js_uri.html^headers^
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-same-origin allow-top-navigation;