-rw-r--r-- | content/policy_enforcing.js | 4 | ||||
-rw-r--r-- | test/haketilo_test/data/pages/scripts_to_block_1.html | 3 | ||||
-rw-r--r-- | test/haketilo_test/unit/test_policy_enforcing.py | 29 |
3 files changed, 23 insertions, 13 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index 0bbe3c6..29990b8 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -118,12 +118,12 @@ function block_attribute(node, attr, ns=null, replace_with=null) {
 * relatively easily accessed in case they contain some useful data.
 */
 const construct_name = [attr];
- while (hasa(node, construct_name.join("")))
+ while (hasa(node, construct_name.join("-")))
 construct_name.unshift(blocked_str);
 while (construct_name.length > 1) {
 construct_name.shift();
- const name = construct_name.join("");
+ const name = construct_name.join("-");
 seta(node, `${blocked_str}-${name}`, geta(node, name));
 }
diff --git a/test/haketilo_test/data/pages/scripts_to_block_1.html b/test/haketilo_test/data/pages/scripts_to_block_1.html
index 164979d..e7793ee 100644
--- a/test/haketilo_test/data/pages/scripts_to_block_1.html
+++ b/test/haketilo_test/data/pages/scripts_to_block_1.html
@@ -30,7 +30,8 @@
 </head>
 <body>
 <button id="clickme1"
- onclick="window.__run = [...(window.__run || []), 'on'];">
+ onclick="window.__run = [...(window.__run || []), 'on'];"
+ blocked-onclick="some useful data">
 Click Meee!
 </button>
 <a id="clickme2"
diff --git a/test/haketilo_test/unit/test_policy_enforcing.py b/test/haketilo_test/unit/test_policy_enforcing.py
index 4b7c173..c5dd20e 100644
--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
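Review bot: The blocked-name scheme is still spelled in two places in this hunk — `construct_name.join("-")` on the probing line and the `${blocked_str}-${name}` template in the `seta` call — and the bug being fixed was exactly those two drifting apart (the removed `join("")` probed for `blockedonclick`, a name the `seta` line never writes, so a page-supplied `blocked-onclick` was silently overwritten). Derive the destination from the same array so there is one source of truth, e.g. keep `const name = construct_name.join("-");` and follow it with `const target = [blocked_str, ...construct_name].join("-");` and `seta(node, target, geta(node, name));`. Separately, the probe calls `hasa(node, …)` without the `ns` argument the signature accepts, so for a namespaced attribute the collision check may be consulting a different attribute than the one later moved — worth confirming how hasa/geta/seta treat a null ns, or passing ns through on all three calls. block_attribute continues outside the hunk.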
@@ -75,6 +75,23 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 """
 A test case of sanitizing <script>s and intrinsic javascript in pages.
 """
+ def assert_properly_blocked():
+ for i in range(1, 3):
+ driver.find_element_by_id(f'clickme{i}').click()
+
+ assert set(driver.execute_script('return window.__run || [];')) == set()
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+ for attr in ('onclick', 'href', 'src', 'data'):
+ elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
+
+ assert 'blocked' in elem.get_attribute(attr)
+ assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
+
+ but1 = driver.find_element_by_id('clickme1')
+ assert but1.get_attribute('blocked-blocked-onclick') == \
+ "some useful data"
+
 # First, see if scripts run when not blocked.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
 'policy': allow_policy,
@@ -94,11 +111,7 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 **csp_off_setting
 })
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
 # Now, verify only scripts with nonce can run when payload is injected.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
@@ -106,9 +119,5 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 **csp_off_setting
 })
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
 assert are_scripts_allowed(driver, nonce) |
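Review bot: The `assert 'blocked' in elem.get_attribute(attr)` line in the new assert_properly_blocked helper does not establish the property the sanitizer must guarantee — that the live attribute no longer carries the original handler/URL — since it passes for any replacement value mentioning the word, including one that still contained the original payload. Add a negative check right before it, `assert '__run' not in elem.get_attribute(attr)`, so a regression where `onclick` (or `href`/`src`/`data`) is copied to `blocked-*` but left in place is caught. The `[blocked-{attr}]` selector also relies on find_element_by_css_selector returning the first match in document order; if the fixture ever gains a second element carrying `blocked-onclick`, the `onclick` iteration would silently check a different element, so anchoring on `#clickme1` for that case (as the `blocked-blocked-onclick` assertion already does) would be more robust. The `find_element_by_*` calls are the legacy Selenium locator API; if the project is on Selenium 4, `find_element(By.ID, …)` avoids the deprecation path. test_policy_enforcing_html continues outside the hunk.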