authorWojtek Kosior <koszko@koszko.org>2022-01-17 14:15:43 +0100
committerWojtek Kosior <koszko@koszko.org>2022-01-17 14:15:43 +0100
commit31cc63c2b429b768379e1b2ef7598242d0b36d18 (patch)
treee279b77e3bb331e1b7e4807b7f755edf63197431 /test
parent7bedbcbd80eba9359d2e905b7693923c76ce563d (diff)
downloadbrowser-extension-31cc63c2b429b768379e1b2ef7598242d0b36d18.tar.gz
browser-extension-31cc63c2b429b768379e1b2ef7598242d0b36d18.zip
test script blocking with and without the CSP-based approach on
Diffstat (limited to 'test')
-rw-r--r--test/unit/test_policy_enforcing.py38
-rw-r--r--test/unit/utils.py6
2 files changed, 24 insertions, 20 deletions
diff --git a/test/unit/test_policy_enforcing.py b/test/unit/test_policy_enforcing.py
index 2f7bc80..4b7c173 100644
--- a/test/unit/test_policy_enforcing.py
+++ b/test/unit/test_policy_enforcing.py
@@ -41,25 +41,17 @@ payload_policy = {
content_script = load_script('content/policy_enforcing.js') + ''';{
const smuggled_what_to_do = /^[^#]*#?(.*)$/.exec(document.URL)[1];
-const what_to_do = smuggled_what_to_do === "" ? {allow: true} :
+const what_to_do = smuggled_what_to_do === "" ? {policy: {allow: true}} :
JSON.parse(decodeURIComponent(smuggled_what_to_do));
if (what_to_do.csp_off) {
const orig_DOMParser = window.DOMParser;
window.DOMParser = function() {
- parser = new orig_DOMParser();
+ const parser = new orig_DOMParser();
this.parseFromString = () => parser.parseFromString('', 'text/html');
}
}
-if (what_to_do.onbeforescriptexecute_off)
- prevent_script_execution = () => {};
-
-if (what_to_do.sanitize_script_off) {
- sanitize_script = () => {};
- desanitize_script = () => {};
-}
-
enforce_blocking(what_to_do.policy);
}'''
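Review bot: The `csp_off` branch disables CSP blocking only indirectly — it replaces `window.DOMParser` with a stub whose `parseFromString` ignores its arguments and always yields an empty `text/html` document — and nothing in the hunk says which path in policy_enforcing.js that neutralizes, so a reader cannot see why a DOMParser stub means "CSP off". A comment above the `if (what_to_do.csp_off)` line such as `// csp_off: stub DOMParser so the CSP <meta> injection in policy_enforcing.js gets an empty document to work with (presumably built via parseFromString — confirm)` would tie the two together. It is also worth stating that the stub swallows every other DOMParser use in the loaded script, since that is what makes the fallback-only run meaningful rather than a partial one. The `content_script` assignment begins and ends within this hunk.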
@@ -71,13 +63,22 @@ def get(driver, page, what_to_do):
@pytest.mark.ext_data({'content_script': content_script})
@pytest.mark.usefixtures('webextension')
-def test_policy_enforcing(driver, execute_in_page):
+# Under Mozilla we use several mechanisms of script blocking. Some serve as
+# fallbacks in case others break. CSP one of those mechanisms. Here we run the
+# test once with CSP blocking on and once without it. This allows us to verify
+# that the CSP-less blocking approaches by themselves also work. We don't do the
+# reverse (CSP on and other mechanisms off) because CSP rules added through
+# <meta> injection are not reliable enough - they do not always take effect
+# immediately and there's nothing we can do to fix it.
+@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}])
+def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
"""
- A test case of sanitizing <script>s and <meta>s in pages.
+ A test case of sanitizing <script>s and intrinsic javascript in pages.
"""
# First, see if scripts run when not blocked.
get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
- 'policy': allow_policy
+ 'policy': allow_policy,
+ **csp_off_setting
})
for i in range(1, 3):
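Review bot: The seven-line rationale comment is placed between `@pytest.mark.usefixtures` and `@pytest.mark.parametrize`, so it interrupts the decorator stack, and its third sentence drops its verb: `CSP one of those mechanisms.` should read `CSP is one of those mechanisms.`. Moving the comment above the first decorator, or folding its gist into the docstring — which currently only says "sanitizing <script>s and intrinsic javascript" and does not mention that the test runs once per `csp_off_setting` — would keep the reason for the parametrization next to the test's stated contract. The `get` helper the hunk calls is defined just above the hunk, and the test body continues past it.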
@@ -85,26 +86,29 @@ def test_policy_enforcing(driver, execute_in_page):
assert set(driver.execute_script('return window.__run || [];')) == \
{'inline', 'on', 'href', 'src', 'data'}
+ assert are_scripts_allowed(driver)
# Now, verify scripts don't run when blocked.
get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
- 'policy': block_policy
+ 'policy': block_policy,
+ **csp_off_setting
})
for i in range(1, 3):
driver.find_element_by_id(f'clickme{i}').click()
assert set(driver.execute_script('return window.__run || [];')) == set()
- assert not are_scripts_allowed(driver)
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
# Now, verify only scripts with nonce can run when payload is injected.
get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
- 'policy': payload_policy
+ 'policy': payload_policy,
+ **csp_off_setting
})
for i in range(1, 3):
driver.find_element_by_id(f'clickme{i}').click()
assert set(driver.execute_script('return window.__run || [];')) == set()
- assert not are_scripts_allowed(driver)
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
assert are_scripts_allowed(driver, nonce)
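Review bot: `assert bool(csp_off_setting) == are_scripts_allowed(driver)`, on both the block_policy and the payload_policy runs, encodes that once CSP is off the probe `<script>` appended by `are_scripts_allowed` is expected to execute despite a blocking policy, and a reader with no context will read that as a mistaken assertion rather than a deliberate limitation of the fallback mechanisms. A comment on the first of the two lines would record the intent, e.g. `# With csp_off the probe <script> appended via execute_script is expected to run: presumably only CSP covers scripts inserted that way, the other mechanisms cover the page's own — confirm.`, and the second assertion can refer back to it. Since both sides of the comparison are booleans, `is` would also make the intent stricter than `==`. The test function starts in the previous hunk.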
diff --git a/test/unit/utils.py b/test/unit/utils.py
index 8e04d91..4d8766e 100644
--- a/test/unit/utils.py
+++ b/test/unit/utils.py
@@ -191,12 +191,12 @@ broker_js = lambda: load_script('background/broadcast_broker.js') + ';start();'
def are_scripts_allowed(driver, nonce=None):
return driver.execute_script(
'''
- document.scripts_allowed = false;
+ document.haketilo_scripts_allowed = false;
const script = document.createElement("script");
- script.innerHTML = "document.scripts_allowed = true;";
+ script.innerHTML = "document.haketilo_scripts_allowed = true;";
if (arguments[0])
script.setAttribute("nonce", arguments[0]);
document.head.append(script);
- return document.scripts_allowed;
+ return document.haketilo_scripts_allowed;
''',
nonce)