Revision 70923829
Added by koszko over 1 year ago
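--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
@@ -75,6 +75,23 @@
 """
 A test case of sanitizing <script>s and intrinsic javascript in pages.
 """
+def assert_properly_blocked():
+for i in range(1, 3):
+driver.find_element_by_id(f'clickme{i}').click()
+
+assert set(driver.execute_script('return window.__run || [];')) == set()
+assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+for attr in ('onclick', 'href', 'src', 'data'):
+elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
+
+assert 'blocked' in elem.get_attribute(attr)
+assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
+
+but1 = driver.find_element_by_id('clickme1')
+assert but1.get_attribute('blocked-blocked-onclick') == \
+"some useful data"
+
 # First, see if scripts run when not blocked.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
 'policy': allow_policy,
@@ -94,11 +111,7 @@
 **csp_off_setting
 })
 
-for i in range(1, 3):
-driver.find_element_by_id(f'clickme{i}').click()
-
-assert set(driver.execute_script('return window.__run || [];')) == set()
-assert bool(csp_off_setting) == are_scripts_allowed(driver)
+assert_properly_blocked()
 
 # Now, verify only scripts with nonce can run when payload is injected.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
@@ -106,9 +119,5 @@
 **csp_off_setting
 })
 
-for i in range(1, 3):
-driver.find_element_by_id(f'clickme{i}').click()
-
-assert set(driver.execute_script('return window.__run || [];')) == set()
-assert bool(csp_off_setting) == are_scripts_allowed(driver)
+assert_properly_blocked()
 assert are_scripts_allowed(driver, nonce)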
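Review bot: The new helper assert_properly_blocked (first hunk) checks the sanitized attributes only by substring, `assert 'blocked' in elem.get_attribute(attr)`, so an onclick/href/src/data value that still carried the original handler plus a marker would pass; if the sanitizer writes a fixed placeholder into the attribute, compare against it with `==` (or `startswith`) so the assertion actually proves the original value is gone. The double-prefix regression (`blocked-blocked-onclick`) is asserted only for clickme1 and only for onclick, so unless the fixture page has no such attributes for href, src and data, the fix this commit makes is untested for those. The helper also has no docstring; a one-liner such as `"""Click both buttons, assert no inline script ran, and assert each blocked attribute kept its original value under a blocked- prefix."""` would state the contract it enforces. The enclosing test function begins above the hunk and the helper closes over driver and csp_off_setting from it.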
fix setting of 'blocked-blocked<...>-' attributes and add tests