diff options
Diffstat (limited to 'test/haketilo_test')
-rw-r--r-- | test/haketilo_test/data/pages/scripts_to_block_1.html | 3 | ||||
-rw-r--r-- | test/haketilo_test/unit/test_policy_enforcing.py | 29 |
2 files changed, 21 insertions, 11 deletions
diff --git a/test/haketilo_test/data/pages/scripts_to_block_1.html b/test/haketilo_test/data/pages/scripts_to_block_1.html index 164979d..e7793ee 100644 --- a/test/haketilo_test/data/pages/scripts_to_block_1.html +++ b/test/haketilo_test/data/pages/scripts_to_block_1.html @@ -30,7 +30,8 @@ </head> <body> <button id="clickme1" - onclick="window.__run = [...(window.__run || []), 'on'];"> + onclick="window.__run = [...(window.__run || []), 'on'];" + blocked-onclick="some useful data"> Click Meee! </button> <a id="clickme2" diff --git a/test/haketilo_test/unit/test_policy_enforcing.py b/test/haketilo_test/unit/test_policy_enforcing.py index 4b7c173..c5dd20e 100644 --- a/test/haketilo_test/unit/test_policy_enforcing.py +++ b/test/haketilo_test/unit/test_policy_enforcing.py @@ -75,6 +75,23 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting): """ A test case of sanitizing <script>s and intrinsic javascript in pages. """ + def assert_properly_blocked(): + for i in range(1, 3): + driver.find_element_by_id(f'clickme{i}').click() + + assert set(driver.execute_script('return window.__run || [];')) == set() + assert bool(csp_off_setting) == are_scripts_allowed(driver) + + for attr in ('onclick', 'href', 'src', 'data'): + elem = driver.find_element_by_css_selector(f'[blocked-{attr}]') + + assert 'blocked' in elem.get_attribute(attr) + assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}') + + but1 = driver.find_element_by_id('clickme1') + assert but1.get_attribute('blocked-blocked-onclick') == \ + "some useful data" + # First, see if scripts run when not blocked. get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', { 'policy': allow_policy, @@ -94,11 +111,7 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting): **csp_off_setting }) - for i in range(1, 3): - driver.find_element_by_id(f'clickme{i}').click() - - assert set(driver.execute_script('return window.__run || [];')) == set() - assert bool(csp_off_setting) == are_scripts_allowed(driver) + assert_properly_blocked() # Now, verify only scripts with nonce can run when payload is injected. get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', { @@ -106,9 +119,5 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting): **csp_off_setting }) - for i in range(1, 3): - driver.find_element_by_id(f'clickme{i}').click() - - assert set(driver.execute_script('return window.__run || [];')) == set() - assert bool(csp_off_setting) == are_scripts_allowed(driver) + assert_properly_blocked() assert are_scripts_allowed(driver, nonce) |