From 31cc63c2b429b768379e1b2ef7598242d0b36d18 Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Mon, 17 Jan 2022 14:15:43 +0100
Subject: test script blocking with and without the CSP-based approach on
---
 test/unit/test_policy_enforcing.py | 38 +++++++++++++++++++++-----------------
 test/unit/utils.py | 6 +++---
 2 files changed, 24 insertions(+), 20 deletions(-)
(limited to 'test/unit')
diff --git a/test/unit/test_policy_enforcing.py b/test/unit/test_policy_enforcing.py
index 2f7bc80..4b7c173 100644
--- a/test/unit/test_policy_enforcing.py
+++ b/test/unit/test_policy_enforcing.py
@@ -41,25 +41,17 @@ payload_policy = {
 content_script = load_script('content/policy_enforcing.js') + ''';{
 const smuggled_what_to_do = /^[^#]*#?(.*)$/.exec(document.URL)[1];
-const what_to_do = smuggled_what_to_do === "" ? {allow: true} :
+const what_to_do = smuggled_what_to_do === "" ? {policy: {allow: true}} :
 JSON.parse(decodeURIComponent(smuggled_what_to_do));
 if (what_to_do.csp_off) {
 const orig_DOMParser = window.DOMParser;
 window.DOMParser = function() {
- parser = new orig_DOMParser();
+ const parser = new orig_DOMParser();
 this.parseFromString = () => parser.parseFromString('', 'text/html');
 }
 }
-if (what_to_do.onbeforescriptexecute_off)
- prevent_script_execution = () => {};
-
-if (what_to_do.sanitize_script_off) {
- sanitize_script = () => {};
- desanitize_script = () => {};
-}
-
 enforce_blocking(what_to_do.policy);
 }'''
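Review bot: The `csp_off` branch replaces `window.DOMParser` with a stub whose `parseFromString` always parses an empty document, but nothing in the appended script says why that switches the CSP-based blocking off; I would put `// Test-only override: make DOMParser yield an empty document so the CSP-injecting path in policy_enforcing.js has nothing to apply (presumably it relies on DOMParser) and only the CSP-less mechanisms stay active.` above `const orig_DOMParser`. The replacement is page-global, so any page script that itself uses DOMParser would also see empty documents during the `csp_off` run — worth stating in the same comment so a future test page does not trip over it. Separately, `what_to_do` is taken from `JSON.parse` of the URL fragment with no shape check, so a fragment lacking a `policy` key hands `undefined` to `enforce_blocking`; for a test harness a short guard such as `if (!what_to_do.policy) throw new Error('test setup: missing policy');` would make a misconfigured test fail loudly rather than run with whatever `enforce_blocking` does on `undefined`.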
@@ -71,13 +63,22 @@ def get(driver, page, what_to_do):
 @pytest.mark.ext_data({'content_script': content_script})
 @pytest.mark.usefixtures('webextension')
-def test_policy_enforcing(driver, execute_in_page):
+# Under Mozilla we use several mechanisms of script blocking. Some serve as
+# fallbacks in case others break. CSP one of those mechanisms. Here we run the
+# test once with CSP blocking on and once without it. This allows us to verify
+# that the CSP-less blocking approaches by themselves also work. We don't do the
+# reverse (CSP on and other mechanisms off) because CSP rules added through
+# injection are not reliable enough - they do not always take effect
+# immediately and there's nothing we can do to fix it.
+@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}])
+def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 """
- A test case of sanitizing