author | Wojtek Kosior <koszko@koszko.org> | 2022-01-17 14:15:43 +0100 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2022-01-17 14:15:43 +0100 |
commit | 31cc63c2b429b768379e1b2ef7598242d0b36d18 (patch) | |
tree | e279b77e3bb331e1b7e4807b7f755edf63197431 /test/unit | |
parent | 7bedbcbd80eba9359d2e905b7693923c76ce563d (diff) | |
test script blocking with and without the CSP-based approach on
Diffstat (limited to 'test/unit')
-rw-r--r-- | test/unit/test_policy_enforcing.py | 38 | ||||
-rw-r--r-- | test/unit/utils.py | 6 |
2 files changed, 24 insertions, 20 deletions
diff --git a/test/unit/test_policy_enforcing.py b/test/unit/test_policy_enforcing.py
index 2f7bc80..4b7c173 100644
--- a/test/unit/test_policy_enforcing.py
+++ b/test/unit/test_policy_enforcing.py
@@ -41,25 +41,17 @@ payload_policy = {
 content_script = load_script('content/policy_enforcing.js') + ''';{
 const smuggled_what_to_do = /^[^#]*#?(.*)$/.exec(document.URL)[1];
-const what_to_do = smuggled_what_to_do === "" ? {allow: true} :
+const what_to_do = smuggled_what_to_do === "" ? {policy: {allow: true}} :
 JSON.parse(decodeURIComponent(smuggled_what_to_do));
 if (what_to_do.csp_off) {
 const orig_DOMParser = window.DOMParser;
 window.DOMParser = function() {
- parser = new orig_DOMParser();
+ const parser = new orig_DOMParser();
 this.parseFromString = () => parser.parseFromString('', 'text/html');
 }
 }
-if (what_to_do.onbeforescriptexecute_off)
- prevent_script_execution = () => {};
-
-if (what_to_do.sanitize_script_off) {
- sanitize_script = () => {};
- desanitize_script = () => {};
-}
-
 enforce_blocking(what_to_do.policy);
 }'''
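Review bot: The `csp_off` branch of the injected script has no comment saying why replacing `window.DOMParser` switches the CSP mechanism off, so the test's central toggle can only be understood by reading policy_enforcing.js. Presumably the content script builds its CSP `<meta>` through `DOMParser` and the stub makes it parse an empty document; if that is right, I would add `// csp_off: stub DOMParser so no CSP <meta> gets produced and only the fallback blocking paths are exercised` above `if (what_to_do.csp_off)`. The stub also ignores both arguments of `parseFromString`, so any other DOMParser use in the same script scope would get an empty document in the csp_off runs; that is worth a word in the same comment.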
@@ -71,13 +63,22 @@ def get(driver, page, what_to_do):
 @pytest.mark.ext_data({'content_script': content_script})
 @pytest.mark.usefixtures('webextension')
-def test_policy_enforcing(driver, execute_in_page):
+# Under Mozilla we use several mechanisms of script blocking. Some serve as
+# fallbacks in case others break. CSP one of those mechanisms. Here we run the
+# test once with CSP blocking on and once without it. This allows us to verify
+# that the CSP-less blocking approaches by themselves also work. We don't do the
+# reverse (CSP on and other mechanisms off) because CSP rules added through
+# <meta> injection are not reliable enough - they do not always take effect
+# immediately and there's nothing we can do to fix it.
+@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}])
+def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 """
- A test case of sanitizing <script>s and <meta>s in pages.
+ A test case of sanitizing <script>s and intrinsic javascript in pages.
 """
 # First, see if scripts run when not blocked.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
- 'policy': allow_policy
+ 'policy': allow_policy,
+ **csp_off_setting
 })
 for i in range(1, 3):
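Review bot: The new `parametrize` on `test_policy_enforcing_html` passes two dicts without `ids`, so pytest labels the runs by position (`csp_off_setting0`, `csp_off_setting1`) and a failure report does not say whether CSP was on; `@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}], ids=['csp_on', 'csp_off'])` fixes that. The explanatory comment sits between the decorators and the `def`, where it reads as belonging to `parametrize` only; moving it above `@pytest.mark.ext_data` or into the docstring would keep the decorator stack together. It also has a dropped word: `CSP one of those mechanisms` should read `CSP is one of those mechanisms`. The function body continues outside this hunk.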
@@ -85,26 +86,29 @@ def test_policy_enforcing(driver, execute_in_page):
 assert set(driver.execute_script('return window.__run || [];')) == \
 {'inline', 'on', 'href', 'src', 'data'}
+ assert are_scripts_allowed(driver)
 # Now, verify scripts don't run when blocked.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
- 'policy': block_policy
+ 'policy': block_policy,
+ **csp_off_setting
 })
 for i in range(1, 3):
 driver.find_element_by_id(f'clickme{i}').click()
 assert set(driver.execute_script('return window.__run || [];')) == set()
- assert not are_scripts_allowed(driver)
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
 # Now, verify only scripts with nonce can run when payload is injected.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
- 'policy': payload_policy
+ 'policy': payload_policy,
+ **csp_off_setting
 })
 for i in range(1, 3):
 driver.find_element_by_id(f'clickme{i}').click()
 assert set(driver.execute_script('return window.__run || [];')) == set()
- assert not are_scripts_allowed(driver)
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
 assert are_scripts_allowed(driver, nonce)
diff --git a/test/unit/utils.py b/test/unit/utils.py
index 8e04d91..4d8766e 100644
--- a/test/unit/utils.py
+++ b/test/unit/utils.py
@@ -191,12 +191,12 @@ broker_js = lambda: load_script('background/broadcast_broker.js') + ';start();'
 def are_scripts_allowed(driver, nonce=None):
 return driver.execute_script(
 '''
- document.scripts_allowed = false;
+ document.haketilo_scripts_allowed = false;
 const script = document.createElement("script");
- script.innerHTML = "document.scripts_allowed = true;";
+ script.innerHTML = "document.haketilo_scripts_allowed = true;";
 if (arguments[0])
 script.setAttribute("nonce", arguments[0]);
 document.head.append(script);
- return document.scripts_allowed;
+ return document.haketilo_scripts_allowed;
 ''', nonce) |
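Review bot: In the `@@ -85,26 +86,29 @@` hunk of test/unit/test_policy_enforcing.py, `assert bool(csp_off_setting) == are_scripts_allowed(driver)` now requires that a script element appended after load does run under `block_policy` and `payload_policy` when CSP is off, and nothing next to the assertion says this is an accepted limitation of the fallbacks rather than the goal. I would put a comment above both occurrences, for example `# Without CSP only scripts already in the page are stopped; a script appended later still runs, so the probe returns True here.` (worded from what the assertions imply; confirm against policy_enforcing.js). In the same csp_off run the last line, `assert are_scripts_allowed(driver, nonce)`, passes whether or not the nonce is honoured, so it checks nonce handling only when CSP is on; a comment saying so would avoid overstating coverage. The test function starts before this hunk.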