Bug 1277248: add test to ensure that require-sri-for does not allow svg:scripts r?ckerschb
MozReview-Commit-ID: 1knIYZ93UeY
--- a/dom/security/test/sri/iframe_require-sri-for_main.html
+++ b/dom/security/test/sri/iframe_require-sri-for_main.html
@@ -1,31 +1,40 @@
<script>
window.hasCORSLoaded = false; // set through script_crossdomain1.js
</script>
-<!-- cors-enabled. should be loaded -->
+<!-- script tag cors-enabled. should be loaded -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
crossorigin=""
integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="
onload="parent.postMessage('good_sriLoaded', '*');"></script>
-<!-- cors but not using SRI. should trigger onerror -->
+<!-- script tag cors but not using SRI. should trigger onerror -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain5.js"
onload="parent.postMessage('bad_nonsriLoaded', '*');"
onerror="parent.postMessage('good_nonsriBlocked', '*');"></script>
-<!-- cors and integrity. it should just load fine. -->
+<!-- svg:script tag with cors but not using SRI. should trigger onerror -->
+<svg xmlns="http://www.w3.org/2000/svg">
+ <script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
+ onload="parent.postMessage('bad_svg_nonsriLoaded', '*');"
+ onerror="parent.postMessage('good_svg_nonsriBlocked', '*');"></script>
+ ></script>
+</svg>
+
+<!-- stylesheet with cors and integrity. it should just load fine. -->
<link rel="stylesheet" href="style1.css"
integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
onload="parent.postMessage('good_sriLoaded', '*');">
-<!-- not using SRI, should trigger onerror -->
+<!-- stylesheet not using SRI, should trigger onerror -->
<link rel="stylesheet" href="style3.css"
onload="parent.postMessage('bad_nonsriLoaded', '*');"
onerror="parent.postMessage('good_nonsriBlocked', '*');">
+
<p id="black-text">black text</p>
<script>
window.onload = function() {
parent.postMessage("finish", '*');
}
</script>
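Review bot: The new svg block has a stray `></script>` on the line right after the svg:script element is already closed, which leaves an unmatched end tag and a loose `>` text node inside the `<svg>`. The parser presumably ignores it, but the line should be dropped so the fixture contains exactly the one element under test. The block also covers only the blocked case, so an `onerror` here cannot be told apart from a load that failed for an unrelated reason such as a wrong path or CORS. Consider extending the comment to say that script_crossdomain3.js is otherwise loadable, e.g. `<!-- svg:script, CORS-enabled resource, no integrity: only require-sri-for should block it -->`, if that is indeed the case.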
--- a/dom/security/test/sri/test_require-sri-for_csp_directive.html
+++ b/dom/security/test/sri/test_require-sri-for_csp_directive.html
@@ -22,16 +22,22 @@
ok(true, "Eligible SRI resources was correctly loaded.");
break;
case 'bad_nonsriLoaded':
ok(false, "Eligible non-SRI resource should be blocked by the CSP!");
break;
case 'good_nonsriBlocked':
ok(true, "Eligible non-SRI resources was correctly blocked by the CSP.");
break;
+ case 'bad_svg_nonsriLoaded':
+ ok(false, 'Eligible non-SRI resource should be blocked by the CSP.');
+ break;
+ case 'good_svg_nonsriBlocked':
+ ok(true, 'Eligible non-SRI svg script was correctly blocked by the CSP.');
+ break;
case 'finish':
var blackText = frame.contentDocument.getElementById('black-text');
var blackTextColor = frame.contentWindow.getComputedStyle(blackText, null).getPropertyValue('color');
ok(blackTextColor == 'rgb(0, 0, 0)', "The second part should not be black.");
removeEventListener('message', handler);
SimpleTest.finish();
break;
default:
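Review bot: Nothing in the visible `finish` case checks that either svg message was received, so the test can pass without asserting anything about svg:script. That would happen if the script is blocked without an error event being dispatched, since `finish` is posted from `window.onload` regardless. Record the outcome in the `good_svg_nonsriBlocked` case, e.g. `svgScriptBlocked = true;`, and assert it in `finish` with `ok(svgScriptBlocked, 'svg:script without integrity must report onerror');`. The `bad_svg_nonsriLoaded` message is also nearly identical to the existing `bad_nonsriLoaded` one, so naming the svg script there would make a failing log unambiguous. The handler begins above this hunk, so such tracking may already exist outside the visible lines.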