| blob | 408760ffc767f45b1e0313c116ef0d9870324488 |
1 "use strict";
3 function isEvalAllowed(sandbox) {
4 try {
5 Cu.evalInSandbox("eval('1234')", sandbox);
6 return true;
7 } catch (e) {
8 Assert.equal(e.message, "call to eval() blocked by CSP", "Eval error msg");
9 return false;
10 }
11 }
13 add_task(function test_empty_csp() {
14 let sand = Cu.Sandbox(["http://example.com/"], {
15 sandboxContentSecurityPolicy: "",
16 });
17 Assert.ok(isEvalAllowed(sand), "eval() not blocked with empty CSP string");
18 });
20 add_task(function test_undefined_csp() {
21 let sand = Cu.Sandbox(["http://example.com/"], {
22 sandboxContentSecurityPolicy: undefined,
23 });
24 Assert.ok(isEvalAllowed(sand), "eval() not blocked with undefined CSP");
25 });
27 add_task(function test_malformed_csp() {
28 let sand = Cu.Sandbox(["http://example.com/"], {
29 sandboxContentSecurityPolicy: "This is not a valid CSP value",
30 });
31 Assert.ok(isEvalAllowed(sand), "eval() not blocked with undefined CSP");
32 });
34 add_task(function test_allowed_by_sandboxContentSecurityPolicy() {
35 let sand = Cu.Sandbox(["http://example.com/"], {
36 sandboxContentSecurityPolicy: "script-src 'unsafe-eval';",
37 });
38 Assert.ok(isEvalAllowed(sand), "eval() allowed by 'unsafe-eval' CSP");
39 });
41 add_task(function test_blocked_by_sandboxContentSecurityPolicy() {
42 let sand = Cu.Sandbox(["http://example.com/"], {
43 sandboxContentSecurityPolicy: "script-src 'none';",
44 });
46 // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
47 Assert.ok(Cu.getObjectPrincipal(sand).isExpandedPrincipal, "Exp principal");
49 Assert.ok(!isEvalAllowed(sand), "eval() should be blocked by CSP");
50 // sandbox.eval is also blocked: callers should use Cu.evalInSandbox instead.
51 Assert.throws(
52 () => sand.eval("123"),
53 /EvalError: call to eval\(\) blocked by CSP/,
54 "sandbox.eval() is also blocked by CSP"
55 );
56 });
58 add_task(function test_sandboxContentSecurityPolicy_on_content_principal() {
59 Assert.throws(
60 () => {
61 Cu.Sandbox("http://example.com", {
62 sandboxContentSecurityPolicy: "script-src 'none';",
63 });
64 },
65 /Error: sandboxContentSecurityPolicy is currently only supported with ExpandedPrincipals/,
66 // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
67 "sandboxContentSecurityPolicy does not work with content principal"
68 );
69 });
71 add_task(function test_sandboxContentSecurityPolicy_on_null_principal() {
72 Assert.throws(
73 () => {
74 Cu.Sandbox(null, { sandboxContentSecurityPolicy: "script-src 'none';" });
75 },
76 /Error: sandboxContentSecurityPolicy is currently only supported with ExpandedPrincipals/,
77 // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
78 "sandboxContentSecurityPolicy does not work with content principal"
79 );
80 });
82 add_task(function test_sandboxContentSecurityPolicy_on_content_principal() {
83 Assert.throws(
84 () => {
85 Cu.Sandbox("http://example.com", {
86 sandboxContentSecurityPolicy: "script-src 'none';",
87 });
88 },
89 /Error: sandboxContentSecurityPolicy is currently only supported with ExpandedPrincipals/,
90 // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
91 "sandboxContentSecurityPolicy does not work with content principal"
92 );
93 });
95 add_task(function test_sandboxContentSecurityPolicy_on_system_principal() {
96 const systemPrincipal = Services.scriptSecurityManager.getSystemPrincipal();
97 // Note: if we ever introduce support for CSP in non-Expanded principals,
98 // then the test should set security.allow_eval_with_system_principal=true
99 // to make sure that eval() is blocked because of CSP and not another reason.
100 Assert.throws(
101 () => {
102 Cu.Sandbox(systemPrincipal, {
103 sandboxContentSecurityPolicy: "script-src 'none';",
104 });
105 },
106 /Error: sandboxContentSecurityPolicy is currently only supported with ExpandedPrincipals/,
107 // Until bug 1548468 is fixed, CSP only works with an ExpandedPrincipal.
108 "sandboxContentSecurityPolicy does not work with system principal"
109 );
110 });