diff options
author | Wojtek Kosior <koszko@koszko.org> | 2022-03-04 18:14:55 +0100 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2022-03-04 18:14:55 +0100 |
commit | 709238294ea83525e62476ce59d734c57c11fd3f (patch) | |
tree | 206671384cb5eba3ea9a26e2870b063c6910f55c /test/haketilo_test/unit | |
parent | 33b6872c33ec2a68ac5abda6eb0de23fc9d9fdaa (diff) | |
download | browser-extension-709238294ea83525e62476ce59d734c57c11fd3f.tar.gz browser-extension-709238294ea83525e62476ce59d734c57c11fd3f.zip |
fix setting of 'blocked-blocked<...>-<name>' attributes and add tests
Diffstat (limited to 'test/haketilo_test/unit')
-rw-r--r-- | test/haketilo_test/unit/test_policy_enforcing.py | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/test/haketilo_test/unit/test_policy_enforcing.py b/test/haketilo_test/unit/test_policy_enforcing.py index 4b7c173..c5dd20e 100644 --- a/test/haketilo_test/unit/test_policy_enforcing.py +++ b/test/haketilo_test/unit/test_policy_enforcing.py @@ -75,6 +75,23 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting): """ A test case of sanitizing <script>s and intrinsic javascript in pages. """ + def assert_properly_blocked(): + for i in range(1, 3): + driver.find_element_by_id(f'clickme{i}').click() + + assert set(driver.execute_script('return window.__run || [];')) == set() + assert bool(csp_off_setting) == are_scripts_allowed(driver) + + for attr in ('onclick', 'href', 'src', 'data'): + elem = driver.find_element_by_css_selector(f'[blocked-{attr}]') + + assert 'blocked' in elem.get_attribute(attr) + assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}') + + but1 = driver.find_element_by_id('clickme1') + assert but1.get_attribute('blocked-blocked-onclick') == \ + "some useful data" + # First, see if scripts run when not blocked. get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', { 'policy': allow_policy, @@ -94,11 +111,7 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting): **csp_off_setting }) - for i in range(1, 3): - driver.find_element_by_id(f'clickme{i}').click() - - assert set(driver.execute_script('return window.__run || [];')) == set() - assert bool(csp_off_setting) == are_scripts_allowed(driver) + assert_properly_blocked() # Now, verify only scripts with nonce can run when payload is injected. get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', { @@ -106,9 +119,5 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting): **csp_off_setting }) - for i in range(1, 3): - driver.find_element_by_id(f'clickme{i}').click() - - assert set(driver.execute_script('return window.__run || [];')) == set() - assert bool(csp_off_setting) == are_scripts_allowed(driver) + assert_properly_blocked() assert are_scripts_allowed(driver, nonce) |