-rw-r--r--content/policy_enforcing.js4
-rw-r--r--test/haketilo_test/data/pages/scripts_to_block_1.html3
-rw-r--r--test/haketilo_test/unit/test_policy_enforcing.py29
3 files changed, 23 insertions, 13 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index 0bbe3c6..29990b8 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -118,12 +118,12 @@ function block_attribute(node, attr, ns=null, replace_with=null) {
* relatively easily accessed in case they contain some useful data.
*/
const construct_name = [attr];
- while (hasa(node, construct_name.join("")))
+ while (hasa(node, construct_name.join("-")))
construct_name.unshift(blocked_str);
while (construct_name.length > 1) {
construct_name.shift();
- const name = construct_name.join("");
+ const name = construct_name.join("-");
seta(node, `${blocked_str}-${name}`, geta(node, name));
}
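Review bot: The rename loop from `const construct_name = [attr];` through the `seta` call has no comment explaining why it walks from the longest prefix down, and the `ns` parameter in block_attribute's signature is not passed to `hasa`, `geta` or `seta` here, so if those helpers only look in the null namespace (not visible in this hunk) a namespaced `attr` would not be found and its value would not be preserved. I would add above the first `while`: `// Find the shortest blocked-…-<attr> name the page does not already use, then shift every existing one up by one prefix (longest first) so no page-provided value is overwritten.` Since attribute names come from the page, the number of pre-existing `blocked-…-attr` attributes is page-controlled; the loop cost stays linear in that count, which is fine but worth stating in the comment. block_attribute begins before this hunk and continues after it, so removal of the original `attr` is not visible here.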
diff --git a/test/haketilo_test/data/pages/scripts_to_block_1.html b/test/haketilo_test/data/pages/scripts_to_block_1.html
index 164979d..e7793ee 100644
--- a/test/haketilo_test/data/pages/scripts_to_block_1.html
+++ b/test/haketilo_test/data/pages/scripts_to_block_1.html
@@ -30,7 +30,8 @@
</head>
<body>
<button id="clickme1"
- onclick="window.__run = [...(window.__run || []), 'on'];">
+ onclick="window.__run = [...(window.__run || []), 'on'];"
+ blocked-onclick="some useful data">
Click Meee!
</button>
<a id="clickme2"
diff --git a/test/haketilo_test/unit/test_policy_enforcing.py b/test/haketilo_test/unit/test_policy_enforcing.py
index 4b7c173..c5dd20e 100644
--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
@@ -75,6 +75,23 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
"""
A test case of sanitizing <script>s and intrinsic javascript in pages.
"""
+ def assert_properly_blocked():
+ for i in range(1, 3):
+ driver.find_element_by_id(f'clickme{i}').click()
+
+ assert set(driver.execute_script('return window.__run || [];')) == set()
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+ for attr in ('onclick', 'href', 'src', 'data'):
+ elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
+
+ assert 'blocked' in elem.get_attribute(attr)
+ assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
+
+ but1 = driver.find_element_by_id('clickme1')
+ assert but1.get_attribute('blocked-blocked-onclick') == \
+ "some useful data"
+
# First, see if scripts run when not blocked.
get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
'policy': allow_policy,
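Review bot: In `assert_properly_blocked`, `assert 'blocked' in elem.get_attribute(attr)` and the line after it raise a TypeError instead of an AssertionError if `get_attribute` returns None for a missing attribute, which hides which element and attribute failed; I would write `assert 'blocked' in (elem.get_attribute(attr) or ''), attr` and likewise for `f'blocked-{attr}'`. The literal `"some useful data"` is duplicated between this test and the scripts_to_block_1.html fixture, so a short comment above the `but1` lines such as `# A blocked-onclick already present in the fixture must be shifted to blocked-blocked-onclick, not overwritten.` would tell a reader what the final assertion guards against. test_policy_enforcing_html begins before this hunk and continues after it.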
@@ -94,11 +111,7 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
**csp_off_setting
})
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
# Now, verify only scripts with nonce can run when payload is injected.
get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
@@ -106,9 +119,5 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
**csp_off_setting
})
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
assert are_scripts_allowed(driver, nonce)