Bug 1312680: Test that require-sri-for blocks style loads via @import
r?francois
MozReview-Commit-ID: A8DPWH2S3sD
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/iframe_bug_1312680.html
@@ -0,0 +1,6 @@
+<!-- file should be loaded (text is blue), but subsequent files shouldn't (text is red) -->
+<link rel="stylesheet" href="style_importing.css"
+ integrity="sha384-m5Q2GOhAtLrdiv6rCmxY3GjEFMVInALcdTyDnEddUUiDH2uQvJSX5GSJYQiatpTK"
+ onload="parent.postMessage('finish', '*');"
+ onerror="parent.postMessage('finish', '*');">
+<p id="text-for-import-test">blue text</p>
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/iframe_bug_1312680.html^headers^
@@ -0,0 +1,1 @@
+content-security-policy: require-sri-for script style
--- a/dom/security/test/sri/mochitest.ini
+++ b/dom/security/test/sri/mochitest.ini
@@ -1,11 +1,13 @@
[DEFAULT]
support-files =
file_bug_1271796.css
+ iframe_bug_1312680.html
+ iframe_bug_1312680.html^headers^
iframe_require-sri-for_main.html
iframe_require-sri-for_main.html^headers^
iframe_require-sri-for_no_csp.html
iframe_script_crossdomain.html
iframe_script_sameorigin.html
iframe_sri_disabled.html
iframe_style_crossdomain.html
iframe_style_sameorigin.html
@@ -36,17 +38,20 @@ support-files =
style3.css
style4.css
style4.css^headers^
style5.css
style6.css
style6.css^headers^
style_301.css
style_301.css^headers^
+ style_importing.css
+ style_imported.css
[test_script_sameorigin.html]
[test_script_crossdomain.html]
[test_sri_disabled.html]
[test_style_crossdomain.html]
[test_style_sameorigin.html]
[test_require-sri-for_csp_directive.html]
[test_require-sri-for_csp_directive_disabled.html]
[test_bug_1271796.html]
+[test_bug_1312680.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style_imported.css
@@ -0,0 +1,6 @@
+#text-for-import-test {
+ color: red;
+}
+#text-for-import-test::before {
+ content: 'Test failed';
+}
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style_importing.css
@@ -0,0 +1,4 @@
+/* neither of them should load. trying multiple cases*/
+@import url("style_imported.css");
+@import 'style_imported.css';
+#text-for-import-test { color: blue; }
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/test_bug_1312680.html
@@ -0,0 +1,42 @@
+<!--
+ Any copyright is dedicated to the Public Domain.
+ http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for SRI require-sri-for CSP directive</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1312680">Mozilla Bug 1312680</a><br>
+<iframe style="width:200px;height:200px;" id="test_frame"></iframe><br>
+</body>
+<script type="application/javascript">
+ var finished = 0;
+ SpecialPowers.setBoolPref("security.csp.experimentalEnabled", true);
+ SimpleTest.waitForExplicitFinish();
+ function handler(event) {
+ console.log(event);
+ switch (event.data) {
+ case 'finish':
+ // need finish message from iframe_require-sri-for_main onload event and
+ // from iframe_require-sri-for_no_csp, which spawns a Worker
+ var importText = frame.contentDocument.getElementById('text-for-import-test');
+ var importColor = frame.contentWindow.getComputedStyle(importText, null).getPropertyValue('color');
+ ok(importColor == 'rgb(0, 0, 255)', "The import should not work without integrity. The text is now red, but should not.");
+ removeEventListener('message', handler);
+ SimpleTest.finish();
+ break;
+ default:
+ ok(false, 'Something is wrong here');
+ break;
+ }
+ }
+ addEventListener("message", handler);
+ // This frame has a CSP that requires SRI
+ var frame = document.getElementById("test_frame");
+ frame.src = "iframe_bug_1312680.html";
+</script>
+</html>