Bug 1384741 - Part 4: Test that we don't send CSP violation reports for cached fonts we don't actually use. r?jfkthame draft
authorCameron McCormack <cam@mcc.id.au>
Mon, 07 Aug 2017 10:13:31 +0800
changeset 641463 6d3c87ecc5fcd781c0b21a0404ecf52ae55abfd8
parent 641462 4d004bba223194290524c740621ffbb51952a386
child 724794 38ef1481e0e921ed524ba3a54d4a978ace2452ce
push id72530
push userbmo:cam@mcc.id.au
push dateMon, 07 Aug 2017 02:52:03 +0000
reviewersjfkthame
bugs1384741
milestone57.0a1
Bug 1384741 - Part 4: Test that we don't send CSP violation reports for cached fonts we don't actually use. r?jfkthame MozReview-Commit-ID: Hlu6Dp1Hc1D
dom/security/test/csp/Ahem.ttf
dom/security/test/csp/file_report_font_cache-1.html
dom/security/test/csp/file_report_font_cache-2.html
dom/security/test/csp/file_report_font_cache-2.html^headers^
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_report_font_cache.html
new file mode 100644
index 0000000000000000000000000000000000000000..ac81cb03165ab831a36abb59145ff7a2f5675fb9
GIT binary patch
literal 12480
zc%1E84RjRM75?UDXJ>zaB*qvc(wA)rRAWfcQlu0?0u3}ECV)t-u-TntgW27<yCI1J
z1#8hp{)!YMrU;QA1w|CJ0U`n-0-~a(ND-DaT8uOzMW7x8);lkgh){caPTO;Ao!Rr|
z-MQa;_ucpIH}6g0LIB{vbV$g$rJz^u%2C5-143WYPW1TQWnK0q4FxQvfD$Tphs$sU
zY(Ump!sCidtBQuLiyR;WO+bp*r@6iR>PB`Ytbs}&A1SPMIf>+xRMLF@NaY5Gsbs$f
zkQz&a9ycrR;R4cgNZ0CjSC-*(-M)}a?ODL>*QO=Tst0;z(fGcyU^p^+@72{nCiNGS
zq5Cf2=7cM5EuPS&|0&p{7Sdo{aKi0+z2&;q!+=;{sYPP+C_zNqMg1feqdB&<r@Mf!
zU#Ga{6jY<n#W)QwwFvWIA)!Gek1)5b7G6bfK_V?=TU*2Fz_W2+x$PZqyM8b*5bU^U
z_`tA}L5Lryd&0P<jQcdz@Xah{G0Xo!;d>A-a-OlHbfqVf#B?a4-PmX@-fM)8eM`hY
zzXW3pnf4_GR@%MvJ;+Y`yAz$z8C?*EcqHI5B;s-;(O#a6E0Kb$$d9Yh4d0`kClxMy
zA8F{0bo4+^`~cVBT4dllWTF?ckd5BB9yj2J=z|}jFK$FX{22Z56AZvjw66`q%@~Xv
z48c(R6uB6N;rJQyFajfS3r68q<f8ziF$QCC8^+;wjK|M$2Y!J&F#!|FUpETjffpKz
zPz)bRFbQ{|6n+E{L>cZz2w_A}j>)J%C8}@_?!^?^FQ?&`wB5ds8MqI>!u>deUt=a7
zz=QYzzd<#Q;vvjJ3ufc5XvG}N#fLb8zn~ExV;+8scQGFiV*!4Lh4=_>;}g7tM^J+(
zt?42>hFZLdx9~^o!+!h;zsF)cj$>GYy=cZ#G~v&D{STrJ@8JLr;|VOoa;(5gJc*~U
z3ajxno}m_N@GREiIXsVbSdSO*BL0ASY`{irqLWi5Hh@-ZAVsk=MPV9ZLbgyKR0{LO
z*Th}oA!&j1l+++?VR0;xrLb<y#nM?8>&J3ZU8(6V(WSV$xDs3`u5PYtUAeA_F3okK
z`|jgnEXL24o>)Tm^0~boWN-fk_AX<|tSe*O-i=?g7w@{V!=9JhLo62iAl6JL?2Ooy
z*tpnDz`0f`1I}G@_T6)dhht6KfTo6~O-=Pp&o-@WT6}ox;b)@F(LK?9`Z7g#M>j{8
zN2{X`9Qxw@w75?V_71<0%on{1=f8pXtrUezuSY44IuDjoq+cR7R1**8Q9Ku7J8|L#
zV##d0hMmNWxx|w?TK^ryfg0?_F1$`GSVXaVf}*bT@gZX5O5)@)isot~nwyECYj{L!
ziK(v=v!3H|EyfmXBi@w|cP9~V?;_^TC+?OJdv)$ch`l;@Uncfe5r6L??%qpGdYB?T
zl{0uNULjVkBQCTtV-vAtBj?+D#MkZQ>qjO_OqTo$EYZ&l`i_+DqVGzHP6S*ZpBmpi
zH9mE!c<kI<;pBOz#LhNNB`ygaU&?eoQKM9;<!my6$!!a4VkTx{CT3zLW@0Ax-^RfI
zPR>rfoMSt`l|Gu-e-6|Ch2#>f>D%Y0iJ6#*nV5;0n2DK~iJ6#*nV5;0*mo8K5{;h=
zSr~vkjE4`CaX;o`3D%$iyRjcfa8eM3IH8-6A@mb+g|UKH2no}LIYO<lN~jlh2#rFs
za9lVqI>i*Rr`Si#5%a}~VnCcCR*N;_3UR%-P24L+#a8i*q)JIrn$%kwD2<fvkS0l$
z(oAWAR41*KHcNY?1LWyxS(X!ICTGh1<>B%;*(-<S>GB-8R$e97%RA&oxmi9gpSL(I
zDVCm=K9(FyzGb2%V3}g6w$xZwSk_y%S@v3@mR8FdMOBiNG^MvPP#LM*p-fULm6^%{
zrA}F^Y*zLt2b31&v{kkySeZ4`+TS|dI?h^Tjacuq&a*DIK5gA--D%xt{m^<sh1yx|
zs$Qe^rQc9>v|6Z^sngV1>LT??^+k2N`i|P99#hZS?6zcEy6pzr&9+gtJ8h-5du$Kd
z7TT8Cp0{nWy=gmWJ8JvfuGkapE_;@JfIZJX-tMzcw%>1`Z(m|xV{fqUw(qwev7dB^
zjyOj*M~0)HBiAw3;dO)@(;aghwT@MeddCh&qodhz+;QINbf!3aI{P?tocYd)&VX}@
zv)WnXT;W{r+~(Ztj5=GLXF92!k~*bz>P@k}O8Dx3Ul*f8gxc{WqO-8VkR>o-y&=og
zrqPfsND>YjvO@Y3I>Y$&mT<<91<2wqLl$8b-!Nneablw(%hcvWL$<&nw&(IGr2ov2
z<4FFyA;*)QFAO;WvLuo<LC@6_7E6jD(_G|bhD>vjpEhKgi@ed0X)f{sL#DaN&4x^K
zkv})&IH(pFay&X)R6|Z6eG*0>$n#hjJoL7>5u)OuXN~8#Fs{+4ju5KX8vJw*<8G82
zSO(WtQZEf<+)_G*U=Tf*b33|?0K8PY2zT-J6+ELxA5pjEBOfYwyD+yBpnko0?#)-v
z3`I0rkdNN(OCj%}p_FU|sLmwa7_KRzu}gWMAoXJ04}F$;yJ9|9-BKB!dkNPE3DJG2
z;_dWVhPk~_d{i&l(>?L>QLE@anrrpvq2z^+S_Sx;T{vc&mxED2KSsq(R?GPcm!Jn<
z-9m1?g8O`_pP96ZKJH6C-HZ90^fe!AM5o>BY-*WJb$jdf`X9G5&=J9Kgn4}KklPc{
zLSg0(X)NN?nC55UyUXb*gK3o>tt`UQhYa$RM>OURc$urrmBA`}B_1CO`+^nB9rkE}
zNH4F(YgQBr`ni=tcUUVe322#YOjs)_FJ(o+5Q}KxNJ*fWd4m43V7Mew5)80#RXC#g
z!<lSUDCjNsXkJ!W#YP9cUN+S23k9@LTTe1MxS)U)xc%iJcS(;hD+~oI!di#T%t1cQ
zpRW~{m%2k^X*#;;?96PYtMzh$u3crc)<yFz_^!SM-(b64E4Cd5v3u#O0v%_=SJx?0
ziqLoO3$q>nmogpy-8{z`JjYSbaD0$wH$H^fn8WiJAI3sF!ZU%EU@7W&9-^L$q-P=N
zxrc4}LL2cCUg5b-yXgDub?m_#Jil=--p0FV<av(o@l3}9cpnFG2vHp7S&l9E7)N;y
z<tI3XPjMW7!wGzblN6QHJUV)I<0h=YlXx7D@jS=vJk#-2+=p#=0IRVBoAEMz8O}lt
y7U5AWr*Fkt%;njaE3pCZU<<Yi5=23kM~=zM6LUvPIYaXJ>91$y$3ck2Abkl9&3O_4
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_report_font_cache-1.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<style>
+@font-face {
+  font-family: "CSP Report Test Font 1";
+  src: url(Ahem.ttf?report_font_cache-1);
+}
+@font-face {
+  font-family: "CSP Report Test Font 2";
+  src: url(Ahem.ttf?report_font_cache-2);
+}
+@font-face {
+  font-family: "CSP Report Test Font 3";
+  src: url(Ahem.ttf?report_font_cache-3);
+}
+.x { font: 24px "CSP Report Test Font 1"; }
+.y { font: 24px "CSP Report Test Font 2"; }
+.z { font: 24px "CSP Report Test Font 3"; }
+</style>
+<p class=x>A</p>
+<p class=y>A</p>
+<p class=z>A</p>
+<script>
+// Wait until the fonts would have been added to the user font cache.
+document.body.offsetWidth;
+document.fonts.ready.then(() => window.parent.postMessage("first-doc-ready", "*"));
+</script>
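Review bot: Nothing in this file records that it has to be served without a CSP header so that all three fonts load and populate the user font cache; no ^headers^ file is added for it in this commit, which is presumably deliberate, but a reader of this file alone cannot tell. A short comment at the top, such as `<!-- Served with no CSP so that the three fonts load and are entered into the user font cache; file_report_font_cache-2.html then loads them under font-src 'none'. -->`, would make that dependency explicit. The class attributes here are unquoted (`class=x`) while file_report_font_cache-2.html quotes them; using `class="x"` in both files would keep the pair consistent.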
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_report_font_cache-2.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<style>
+@font-face {
+  font-family: "CSP Report Test Font 1";
+  src: url(Ahem.ttf?report_font_cache-1);
+}
+@font-face {
+  font-family: "CSP Report Test Font 3";
+  src: url(Ahem.ttf?report_font_cache-3);
+}
+p { margin-right: 1ex; } /* cause cached CSP check to happen OMT (due to
+                            font metrics lookup) */
+.x { font: 24px "CSP Report Test Font 1"; }
+.y { font: 24px "CSP Report Test Font 3"; }
+</style>
+<p class="x">A</p>
+<script>
+// First flush should dispatch the "Test Font 1" report that is stored
+// in the user font cache.
+document.body.offsetWidth;
+
+// Second flush should dispatch "Test Font 3" report.
+document.querySelector("p").className = "y";
+document.body.offsetWidth;
+</script>
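Review bot: The omission of an @font-face rule for "Test Font 2" is the point of this document, but the file does not say so; a reader sees only fonts 1 and 3 declared and may assume the middle rule was dropped by accident. A comment next to the @font-face rules, such as `/* "Test Font 2" is deliberately not declared here: its entry in the user font cache must not produce a CSP report. */`, would preserve the intent. The two reflow comments already state the expected report order, which is what test_report_font_cache.html checks.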
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_report_font_cache-2.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: font-src 'none'; report-uri http://mochi.test:8888/foo.sjs
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -213,16 +213,20 @@ support-files =
   file_image_nonce.html
   file_image_nonce.html^headers^
   file_ignore_xfo.html
   file_ignore_xfo.html^headers^
   file_ro_ignore_xfo.html
   file_ro_ignore_xfo.html^headers^
   file_data_csp_inheritance.html
   file_data_csp_merge.html
+  file_report_font_cache-1.html
+  file_report_font_cache-2.html
+  file_report_font_cache-2.html^headers^
+  Ahem.ttf
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
@@ -306,8 +310,9 @@ tags = mcb
 [test_iframe_sandbox_srcdoc.html]
 [test_iframe_srcdoc.html]
 [test_image_nonce.html]
 [test_websocket_self.html]
 skip-if = toolkit == 'android'
 [test_ignore_xfo.html]
 [test_data_csp_inheritance.html]
 [test_data_csp_merge.html]
+[test_report_font_cache.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_report_font_cache.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
+<iframe id="f"></iframe>
+
+<script>
+var chromeScriptUrl = SimpleTest.getTestFileURL("file_report_chromescript.js");
+var script = SpecialPowers.loadChromeScript(chromeScriptUrl);
+
+var reportedFont1 = false;
+var reportedFont3 = false;
+
+function reportListener(msg) {
+  if (!msg.error) {
+    // Step 3: Check the specific blocked URLs from the CSP reports.
+    let blocked = JSON.parse(msg.report)["csp-report"]["blocked-uri"]
+                  .replace(/^.*\//, "");
+    switch (blocked) {
+      case "Ahem.ttf?report_font_cache-1":
+        ok(!reportedFont1, "should not have already reported Test Font 1");
+        ok(!reportedFont3, "should not have reported Test Font 3 before Test Font 1");
+        reportedFont1 = true;
+        break;
+      case "Ahem.ttf?report_font_cache-2":
+        ok(false, "should not have reported Test Font 2");
+        break;
+      case "Ahem.ttf?report_font_cache-3":
+        ok(!reportedFont3, "should not have already reported Test Font 3");
+        reportedFont3 = true;
+        break;
+    }
+    if (reportedFont1 && reportedFont3) {
+      script.removeMessageListener("opening-request-completed", reportListener);
+      script.sendAsyncMessage("finish");
+      SimpleTest.finish();
+    }
+  }
+}
+
+SimpleTest.waitForExplicitFinish();
+
+script.addMessageListener("opening-request-completed", reportListener);
+
+window.onmessage = function(message) {
+  // Step 2: Navigate to the second document, which will attempt to use the
+  // cached "Test Font 1" and then a new "Test Font 3", both of which will
+  // generate CSP reports.  The "Test Font 2" entry in the user font cache
+  // should not cause a CSP report from this document.
+  is(message.data, "first-doc-ready");
+  f.src = "file_report_font_cache-2.html";
+};
+
+// Step 1: Prime the user font cache with entries for "Test Font 1",
+// "Test Font 2" and "Test Font 3".
+f.src = "file_report_font_cache-1.html";
+</script>
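Review bot: The switch in reportListener has no default branch, so a report whose blocked-uri matches none of the three cases is silently dropped, and because SimpleTest.finish() runs only once both reportedFont1 and reportedFont3 are set the test would then hang until the harness timeout instead of failing with a useful message; add `default: ok(false, "unexpected blocked-uri: " + blocked);` before the closing brace of the switch. For the same reason the assertion in the onmessage handler would benefit from a description, e.g. `is(message.data, "first-doc-ready", "first document should signal readiness before navigation");`. The iframe is reached through the implicit window-named-element global `f`; `document.getElementById("f")` would make that lookup explicit. The chrome script file_report_chromescript.js is not added by this commit, so it is presumably already present in the directory.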