test script blocking with and without the CSP-based approach on

author: Wojtek Kosior <koszko@koszko.org> 2022-01-17 14:15:43 +0100
committer: Wojtek Kosior <koszko@koszko.org> 2022-01-17 14:15:43 +0100
commit: 31cc63c2b429b768379e1b2ef7598242d0b36d18 (patch)
tree: e279b77e3bb331e1b7e4807b7f755edf63197431 /test
parent: 7bedbcbd80eba9359d2e905b7693923c76ce563d (diff)
download: browser-extension-31cc63c2b429b768379e1b2ef7598242d0b36d18.tar.gz
browser-extension-31cc63c2b429b768379e1b2ef7598242d0b36d18.zip
2 files changed, 24 insertions, 20 deletions
diff --git a/test/unit/test_policy_enforcing.py b/test/unit/test_policy_enforcing.py
index 2f7bc80..4b7c173 100644
--- a/test/unit/test_policy_enforcing.py
+++ b/test/unit/test_policy_enforcing.py
@@ -41,25 +41,17 @@ payload_policy = {
 
 content_script = load_script('content/policy_enforcing.js') + ''';{
 const smuggled_what_to_do = /^[^#]*#?(.*)$/.exec(document.URL)[1];
-const what_to_do = smuggled_what_to_do === "" ? {allow: true} :
+const what_to_do = smuggled_what_to_do === "" ? {policy: {allow: true}} :
                    JSON.parse(decodeURIComponent(smuggled_what_to_do));
 
 if (what_to_do.csp_off) {
     const orig_DOMParser = window.DOMParser;
     window.DOMParser = function() {
-        parser = new orig_DOMParser();
+        const parser = new orig_DOMParser();
         this.parseFromString = () => parser.parseFromString('', 'text/html');
     }
 }
 
-if (what_to_do.onbeforescriptexecute_off)
-    prevent_script_execution = () => {};
-
-if (what_to_do.sanitize_script_off) {
-    sanitize_script = () => {};
-    desanitize_script = () => {};
-}
-
 enforce_blocking(what_to_do.policy);
 }'''
 
@@ -71,13 +63,22 @@ def get(driver, page, what_to_do):
 
 @pytest.mark.ext_data({'content_script': content_script})
 @pytest.mark.usefixtures('webextension')
-def test_policy_enforcing(driver, execute_in_page):
+# Under Mozilla we use several mechanisms of script blocking. Some serve as
+# fallbacks in case others break. CSP one of those mechanisms. Here we run the
+# test once with CSP blocking on and once without it. This allows us to verify
+# that the CSP-less blocking approaches by themselves also work. We don't do the
+# reverse (CSP on and other mechanisms off) because CSP rules added through
+# <meta> injection are not reliable enough - they do not always take effect
+# immediately and there's nothing we can do to fix it.
+@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}])
+def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
     """
-    A test case of sanitizing <script>s and <meta>s in pages.
+    A test case of sanitizing <script>s and intrinsic javascript in pages.
     """
     # First, see if scripts run when not blocked.
     get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
-        'policy': allow_policy
+        'policy': allow_policy,
+        **csp_off_setting
     })
 
     for i in range(1, 3):
@@ -85,26 +86,29 @@ def test_policy_enforcing(driver, execute_in_page):
 
     assert set(driver.execute_script('return window.__run || [];')) == \
         {'inline', 'on', 'href', 'src', 'data'}
+    assert are_scripts_allowed(driver)
 
     # Now, verify scripts don't run when blocked.
     get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
-        'policy': block_policy
+        'policy': block_policy,
+        **csp_off_setting
     })
 
     for i in range(1, 3):
         driver.find_element_by_id(f'clickme{i}').click()
 
     assert set(driver.execute_script('return window.__run || [];')) == set()
-    assert not are_scripts_allowed(driver)
+    assert bool(csp_off_setting) == are_scripts_allowed(driver)
 
     # Now, verify only scripts with nonce can run when payload is injected.
     get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
-        'policy': payload_policy
+        'policy': payload_policy,
+        **csp_off_setting
     })
 
     for i in range(1, 3):
         driver.find_element_by_id(f'clickme{i}').click()
 
     assert set(driver.execute_script('return window.__run || [];')) == set()
-    assert not are_scripts_allowed(driver)
+    assert bool(csp_off_setting) == are_scripts_allowed(driver)
     assert are_scripts_allowed(driver, nonce)
diff --git a/test/unit/utils.py b/test/unit/utils.py
index 8e04d91..4d8766e 100644
--- a/test/unit/utils.py
+++ b/test/unit/utils.py
@@ -191,12 +191,12 @@ broker_js = lambda: load_script('background/broadcast_broker.js') + ';start();'
 def are_scripts_allowed(driver, nonce=None):
         return driver.execute_script(
             '''
-            document.scripts_allowed = false;
+            document.haketilo_scripts_allowed = false;
             const script = document.createElement("script");
-            script.innerHTML = "document.scripts_allowed = true;";
+            script.innerHTML = "document.haketilo_scripts_allowed = true;";
             if (arguments[0])
                 script.setAttribute("nonce", arguments[0]);
             document.head.append(script);
-            return document.scripts_allowed;
+            return document.haketilo_scripts_allowed;
             ''',
             nonce)
author	Wojtek Kosior <koszko@koszko.org>	2022-01-17 14:15:43 +0100
committer	Wojtek Kosior <koszko@koszko.org>	2022-01-17 14:15:43 +0100
commit	31cc63c2b429b768379e1b2ef7598242d0b36d18 (patch)
tree	e279b77e3bb331e1b7e4807b7f755edf63197431 /test
parent	7bedbcbd80eba9359d2e905b7693923c76ce563d (diff)
download	browser-extension-31cc63c2b429b768379e1b2ef7598242d0b36d18.tar.gz browser-extension-31cc63c2b429b768379e1b2ef7598242d0b36d18.zip