
Revision 70923829

Added by koszko over 1 year ago

fix setting of 'blocked-blocked<...>-' attributes and add tests


content/policy_enforcing.js
118 118
     * relatively easily accessed in case they contain some useful data.
119 119
     */
120 120
    const construct_name = [attr];
121
    while (hasa(node, construct_name.join("")))
121
    while (hasa(node, construct_name.join("-")))
122 122
	construct_name.unshift(blocked_str);
123 123

  
124 124
    while (construct_name.length > 1) {
125 125
	construct_name.shift();
126
	const name = construct_name.join("");
126
	const name = construct_name.join("-");
127 127
	seta(node, `${blocked_str}-${name}`, geta(node, name));
128 128
    }
129 129

  
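Review bot: The `"-"` separator is now spelled three times in this hunk — in both `construct_name.join("-")` calls and again in the `${blocked_str}-${name}` template on the `seta` line — and a silent disagreement between exactly these spellings is the bug this commit fixes, so a later edit can reintroduce it. Building every attribute name through one helper, e.g. `const blocked_name = (parts) => parts.join("-");` used by both loops and `seta(node, blocked_name([blocked_str, ...construct_name]), geta(node, name))` for the write, keeps the format in a single place. The first `while` also has an unbraced body on a separate line; braces would make its extent unambiguous. The enclosing function starts before and ends after this hunk, so what happens to the original attribute after the cascade is not visible here.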
test/haketilo_test/data/pages/scripts_to_block_1.html
30 30
  </head>
31 31
  <body>
32 32
    <button id="clickme1"
33
	    onclick="window.__run = [...(window.__run || []), 'on'];">
33
	    onclick="window.__run = [...(window.__run || []), 'on'];"
34
	    blocked-onclick="some useful data">
34 35
      Click Meee!
35 36
    </button>
36 37
    <a id="clickme2"
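Review bot: The fixture gives only `clickme1` a pre-existing `blocked-onclick`, so the attribute-renaming cascade is exercised for a single attribute name and for one pre-existing level; `href`, `src` and `data`, which the accompanying unit test also iterates over, start with no `blocked-*` attribute on this page. Adding e.g. `blocked-href="other useful data"` to `clickme2`, with a matching assertion in the test, would cover the same path for a non-event attribute. The `<a id="clickme2">` element continues past the end of this section.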
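--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
@@ -75,6 +75,23 @@
     """
     A test case of sanitizing <script>s and intrinsic javascript in pages.
     """
+    def assert_properly_blocked():
+        for i in range(1, 3):
+            driver.find_element_by_id(f'clickme{i}').click()
+
+        assert set(driver.execute_script('return window.__run || [];')) == set()
+        assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+        for attr in ('onclick', 'href', 'src', 'data'):
+            elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
+
+            assert 'blocked' in elem.get_attribute(attr)
+            assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
+
+        but1 = driver.find_element_by_id('clickme1')
+        assert but1.get_attribute('blocked-blocked-onclick') == \
+            "some useful data"
+
     # First, see if scripts run when not blocked.
     get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
         'policy': allow_policy,
@@ -94,11 +111,7 @@
         **csp_off_setting
     })
 
-    for i in range(1, 3):
-        driver.find_element_by_id(f'clickme{i}').click()
-
-    assert set(driver.execute_script('return window.__run || [];')) == set()
-    assert bool(csp_off_setting) == are_scripts_allowed(driver)
+    assert_properly_blocked()
 
     # Now, verify only scripts with nonce can run when payload is injected.
     get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
@@ -106,9 +119,5 @@
         **csp_off_setting
     })
 
-    for i in range(1, 3):
-        driver.find_element_by_id(f'clickme{i}').click()
-
-    assert set(driver.execute_script('return window.__run || [];')) == set()
-    assert bool(csp_off_setting) == are_scripts_allowed(driver)
+    assert_properly_blocked()
     assert are_scripts_allowed(driver, nonce)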
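Review bot: `assert 'blocked' in elem.get_attribute(attr)` inside `assert_properly_blocked` is a substring check that passes for any replacement value containing that word, including one that still carries the original handler text, so it does not by itself show the attribute was neutralized; add the negative check `assert '__run = [...(' not in elem.get_attribute(attr)`, or compare against the exact value the sanitizer writes if that is a fixed string. `driver.find_element_by_css_selector(f'[blocked-{attr}]')` returns only the first match, so a second element carrying the same blocked attribute would never be inspected; using `find_elements_by_css_selector` and iterating, or asserting the expected count, would make the coverage explicit. The helper closes over `driver` and `csp_off_setting` from the enclosing test function, whose signature lies above this hunk.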
