Revision 70923829
Added by koszko over 1 year ago
| content/policy_enforcing.js | ||
|---|---|---|
| 118 | 118 |
* relatively easily accessed in case they contain some useful data. |
| 119 | 119 |
*/ |
| 120 | 120 |
const construct_name = [attr]; |
| 121 |
while (hasa(node, construct_name.join("")))
|
|
| 121 |
while (hasa(node, construct_name.join("-")))
|
|
| 122 | 122 |
construct_name.unshift(blocked_str); |
| 123 | 123 |
|
| 124 | 124 |
while (construct_name.length > 1) {
|
| 125 | 125 |
construct_name.shift(); |
| 126 |
const name = construct_name.join("");
|
|
| 126 |
const name = construct_name.join("-");
|
|
| 127 | 127 |
seta(node, `${blocked_str}-${name}`, geta(node, name));
|
| 128 | 128 |
} |
| 129 | 129 |
|
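Review bot: The attribute-name separator is now spelled three times on the new side (`join("-")` on lines 121 and 126, and `${blocked_str}-${name}` on line 127), and the bug this commit fixes was exactly those spellings drifting apart; deriving the target name from the same array removes that class of mistake, e.g. `seta(node, [blocked_str, ...construct_name].join("-"), geta(node, name));`. The intent of the two loops — walk up `blocked-attr`, `blocked-blocked-attr`, … until a name the page does not already use is found, then copy each existing link one level up, longest first, so that moving `attr` into `blocked-attr` never overwrites a page-supplied attribute of that name — is not obvious from the code and is only half-explained by the comment ending at line 119, which says why the values are kept but not how; a short comment above line 120 stating that would help, for instance `// Find the first free blocked-…-attr name, then shift every existing link of the chain up by one (longest first) so nothing is clobbered.` The enclosing function begins above the hunk, so where the original `attr` itself is removed or overwritten afterwards cannot be checked here.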
| test/haketilo_test/data/pages/scripts_to_block_1.html | ||
|---|---|---|
| 30 | 30 |
</head> |
| 31 | 31 |
<body> |
| 32 | 32 |
<button id="clickme1" |
| 33 |
onclick="window.__run = [...(window.__run || []), 'on'];"> |
|
| 33 |
onclick="window.__run = [...(window.__run || []), 'on'];" |
|
| 34 |
blocked-onclick="some useful data"> |
|
| 34 | 35 |
Click Meee! |
| 35 | 36 |
</button> |
| 36 | 37 |
<a id="clickme2" |
| test/haketilo_test/unit/test_policy_enforcing.py | ||
|---|---|---|
| 75 | 75 |
""" |
| 76 | 76 |
A test case of sanitizing <script>s and intrinsic javascript in pages. |
| 77 | 77 |
""" |
| 78 |
def assert_properly_blocked(): |
|
| 79 |
for i in range(1, 3): |
|
| 80 |
driver.find_element_by_id(f'clickme{i}').click()
|
|
| 81 |
|
|
| 82 |
assert set(driver.execute_script('return window.__run || [];')) == set()
|
|
| 83 |
assert bool(csp_off_setting) == are_scripts_allowed(driver) |
|
| 84 |
|
|
| 85 |
for attr in ('onclick', 'href', 'src', 'data'):
|
|
| 86 |
elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
|
|
| 87 |
|
|
| 88 |
assert 'blocked' in elem.get_attribute(attr) |
|
| 89 |
assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
|
|
| 90 |
|
|
| 91 |
but1 = driver.find_element_by_id('clickme1')
|
|
| 92 |
assert but1.get_attribute('blocked-blocked-onclick') == \
|
|
| 93 |
"some useful data" |
|
| 94 |
|
|
| 78 | 95 |
# First, see if scripts run when not blocked. |
| 79 | 96 |
get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
|
| 80 | 97 |
'policy': allow_policy, |
| ... | ... | |
| 94 | 111 |
**csp_off_setting |
| 95 | 112 |
}) |
| 96 | 113 |
|
| 97 |
for i in range(1, 3): |
|
| 98 |
driver.find_element_by_id(f'clickme{i}').click()
|
|
| 99 |
|
|
| 100 |
assert set(driver.execute_script('return window.__run || [];')) == set()
|
|
| 101 |
assert bool(csp_off_setting) == are_scripts_allowed(driver) |
|
| 114 |
assert_properly_blocked() |
|
| 102 | 115 |
|
| 103 | 116 |
# Now, verify only scripts with nonce can run when payload is injected. |
| 104 | 117 |
get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
|
| ... | ... | |
| 106 | 119 |
**csp_off_setting |
| 107 | 120 |
}) |
| 108 | 121 |
|
| 109 |
for i in range(1, 3): |
|
| 110 |
driver.find_element_by_id(f'clickme{i}').click()
|
|
| 111 |
|
|
| 112 |
assert set(driver.execute_script('return window.__run || [];')) == set()
|
|
| 113 |
assert bool(csp_off_setting) == are_scripts_allowed(driver) |
|
| 122 |
assert_properly_blocked() |
|
| 114 | 123 |
assert are_scripts_allowed(driver, nonce) |
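Review bot: `assert_properly_blocked` at new line 78 has no docstring and closes over `driver` and `csp_off_setting` from the enclosing test, whose `def` line lies above the hunk; a one-line docstring such as `"""Click both buttons, check nothing ran, and verify each blocked-* attribute (and the pre-existing blocked-onclick) survived the rename."""` would make the helper readable on its own. The loop on lines 85-89 uses `find_element_by_css_selector(f'[blocked-{attr}]')`, which returns only the first match, so if the fixture ever contains a second element carrying the same attribute it is never checked; `find_elements` with an `all(...)` over the results would cover that, though the current fixture may well have only one such element per attribute. On line 88, `elem.get_attribute(attr)` returns `None` when the sanitized attribute is absent, so that case surfaces as a `TypeError` on the `in` rather than an assertion failure; `assert 'blocked' in (elem.get_attribute(attr) or '')` gives a clearer failure. If the suite runs on Selenium 4, the `find_element_by_*` helpers used here are deprecated in favour of `find_element(By.CSS_SELECTOR, ...)`, which is worth keeping in mind for new code even though the surrounding test already uses the old form.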
fix setting of 'blocked-blocked<...>-' attributes and add tests