Bug 1297156: Test that favicon loads are correctly blocked by content security policies.
MozReview-Commit-ID: 4hMwr42wZU8
--- a/dom/security/test/csp/browser.ini
+++ b/dom/security/test/csp/browser.ini
@@ -3,11 +3,16 @@ support-files =
!/dom/security/test/csp/file_testserver.sjs
!/dom/security/test/csp/file_web_manifest.html
!/dom/security/test/csp/file_web_manifest.json
!/dom/security/test/csp/file_web_manifest.json^headers^
!/dom/security/test/csp/file_web_manifest_https.html
!/dom/security/test/csp/file_web_manifest_https.json
!/dom/security/test/csp/file_web_manifest_mixed_content.html
!/dom/security/test/csp/file_web_manifest_remote.html
+ file_favicon.html
+ file_favicon.html^headers^
+ file_favicon.ico
+
[browser_test_web_manifest.js]
[browser_test_web_manifest_mixed_content.js]
[browser_manifest-src-override-default-src.js]
+[browser_favicon.js]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/browser_favicon.js
@@ -0,0 +1,57 @@
+add_task(async function() {
+ const url = "http://example.org/tests/dom/security/test/csp/file_favicon.html";
+ let loadCount = 0;
+
+ const observer = (subject, topic, data) => {
+ switch (topic) {
+ case "http-on-modify-request": {
+ let channel = subject.QueryInterface(Ci.nsIHttpChannel);
+ let url = channel.URI.spec;
+
+ // We see requests for both the linked favicon and http://example.org/favicon.ico
+ if (url.endsWith("favicon.ico")) {
+ ok(false, `Should not have seen a favicon network request for ${url}`);
+ loadCount++;
+ }
+ break;
+ }
+ case "csp-on-violate-policy": {
+ let url = subject.QueryInterface(Ci.nsIURI).spec;
+ if (url.endsWith("favicon.ico")) {
+ ok(true, `Should have seen a blocked favicon network request for ${url}`);
+ loadCount++;
+ }
+ break;
+ }
+ }
+ };
+
+ Services.obs.addObserver(observer, "csp-on-violate-policy");
+ Services.obs.addObserver(observer, "http-on-modify-request");
+
+ registerCleanupFunction(() => {
+ Services.obs.removeObserver(observer, "csp-on-violate-policy");
+ Services.obs.removeObserver(observer, "http-on-modify-request");
+ });
+
+ let tab = await BrowserTestUtils.openNewForegroundTab({
+ gBrowser,
+ url,
+ waitForLoad: false,
+ });
+
+ let favicon = document.getAnonymousElementByAttribute(tab, "anonid", "tab-icon-image");
+ let browser = gBrowser.getBrowserForTab(tab);
+
+ await Promise.all([
+ Promise.race([
+ BrowserTestUtils.waitForEvent(favicon, "load"),
+ BrowserTestUtils.waitForEvent(favicon, "error"),
+ ]),
+ BrowserTestUtils.browserLoaded(browser, false, url),
+ ]);
+
+ BrowserTestUtils.removeTab(tab);
+
+ is(loadCount, 3, "Should have seen three requests for favicons.");
+});
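Review bot: The final `is(loadCount, 3, ...)` does not by itself show that anything was blocked, because `loadCount++` runs in both the `http-on-modify-request` branch (a favicon request that got past CSP) and the `csp-on-violate-policy` branch. I would count only violations: declare `let blockedCount = 0;`, drop the increment after `ok(false, ...)`, and end with `is(blockedCount, 3, "Should have seen three blocked favicon loads.");`. The literal 3 also needs a comment naming the three expected loads, since the page links one icon and the existing comment mentions only two URLs. It is also unclear from the hunk whether a violation notified after `removeTab` would be missed by the count. The inner `let url` in both cases shadows the outer `const url`; names such as `requestUrl` and `blockedUrl` would read more clearly.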
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_favicon.html
@@ -0,0 +1,9 @@
+<html>
+<head>
+ <meta charset='utf-8'/>
+ <link rel='icon' href='file_favicon.ico'>
+</head>
+<body>
+Make sure favicon is blocked by CSP.
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_favicon.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: img-src 'none'
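Review bot: Only an explicit `img-src 'none'` policy is exercised here, so the test says nothing about favicon loads when the image restriction comes from the `default-src` fallback. If that path matters for this bug, a second fixture with the header `Content-Security-Policy: default-src 'none'` would cover it. Whether the favicon loader takes a different code path for the fallback is not visible from this patch.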
new file mode 100644
index 0000000000000000000000000000000000000000..d44438903b751f4732f5365783eb0229b0501f9a
GIT binary patch
literal 1406
zc${sNu}d656o=n};bd8o)56N#Jtc-%Pi19LTfxTKZb)No6UbH8fq*bwiX@OCjeo&a
zDdN=H#L7bO4x$jyCB@74W-i8r?B3hk_q&<*`*z;kiWHpvzNF*jBasEZpA#kxh(c!b
zkA?g>iii0yePlSyUv_dc8jWQ1Z6w!UKg!I^jLgo?N>x=dH#a8>3k$NixG2lZ%d)z<
zD!aS8vc0`68yg$4wzek2S1LO@DsSafbQ0yu>32E3yp%VeKI7mBPXr?7)NyfW4$YaS
zd5A~%+<0`4?ln&f=m9;D1oWV(ltlE19?>I0L|1Yp*O;x+>4`v?rrDm0gTcYzU~n)b
zBp4hF4h9E<gCSwU;9zhtI2arZ2^|IpgM-1r;9ziy28V;g8HZ|qyhLJWAR?jpkzw(e
zdyG6qJuGP%_|bFYVezn}Wr4%P;o<PXG|fu|hljz#;9;<(^Kf_=JPZ*p<(ifdpM1vY
z^14J6oaLIA8t(v8z%*bGU<!B#ehd@|!D?x4NAgC;Kj0tmw-yEbgXu5?7=mhQTkeEU
z?nY+qjW9&~B5V<kh+k^0aj*svj%XY_SZX(uA}kS>2t>p%Z2?#!6C;BnLWIS(MKl(A
z5@Ct99*M<vgLNUKt)wt03<`t7pfIHE1Ve;DVNe(%3~7tOpfD&53WLHxX#yPvg+XCZ
z02Kd7F=e7M$b0J%eN^+X+BU|^l6;W8y*)WNIFQ4`LpeG+l9Q7YIX*s?v$HcfKR=g?
ziwn8Bx{{ll8@ao?lk1-<@87-Se{BC~O&_tkDYLqks+9jZdPPy~Pwz!~n{79!=kH$}
z<GSmLr_<Msl#^avbPO2hT+6EM$RF49<MriRDSK7X4Z4C$(Ttb&wO_ZL%_!=6ywx`4
zgyE!JUClFXORIXNvkFB!=(@IFPD&fltZ*GPJq*jH8?3a&i}`+QhPP$YHpR1|=~tQH
w$7Vff2Tfh~eiKjn_2%S0`}?qUxPHyMZW^-w&wKL0`*KK);S<IY*Xw!iFYO$~&;S4c