
Revision 70923829

Added by koszko over 1 year ago

fix setting of 'blocked-blocked<...>-' attributes and add tests


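--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
@@ -75,6 +75,23 @@
     """
     A test case of sanitizing <script>s and intrinsic javascript in pages.
     """
+    def assert_properly_blocked():
+        for i in range(1, 3):
+            driver.find_element_by_id(f'clickme{i}').click()
+
+        assert set(driver.execute_script('return window.__run || [];')) == set()
+        assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+        for attr in ('onclick', 'href', 'src', 'data'):
+            elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
+
+            assert 'blocked' in elem.get_attribute(attr)
+            assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
+
+        but1 = driver.find_element_by_id('clickme1')
+        assert but1.get_attribute('blocked-blocked-onclick') == \
+            "some useful data"
+
     # First, see if scripts run when not blocked.
     get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
         'policy': allow_policy,
@@ -94,11 +111,7 @@
         **csp_off_setting
     })
 
-    for i in range(1, 3):
-        driver.find_element_by_id(f'clickme{i}').click()
-
-    assert set(driver.execute_script('return window.__run || [];')) == set()
-    assert bool(csp_off_setting) == are_scripts_allowed(driver)
+    assert_properly_blocked()
 
     # Now, verify only scripts with nonce can run when payload is injected.
     get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
@@ -106,9 +119,5 @@
         **csp_off_setting
     })
 
-    for i in range(1, 3):
-        driver.find_element_by_id(f'clickme{i}').click()
-
-    assert set(driver.execute_script('return window.__run || [];')) == set()
-    assert bool(csp_off_setting) == are_scripts_allowed(driver)
+    assert_properly_blocked()
     assert are_scripts_allowed(driver, nonce)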
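Review bot: In `assert_properly_blocked`, `find_element_by_css_selector(f'[blocked-{attr}]')` returns only the first match, so each of `onclick`, `href`, `src` and `data` is verified on a single node; a second element whose intrinsic JavaScript was left unsanitized would go unnoticed unless it is one of the two clicked buttons. If the fixture page expects every such element to be rewritten, loop over `driver.find_elements_by_css_selector(f'[blocked-{attr}]')` and put `assert elems` first, since an empty list would otherwise pass silently. Separately, `'blocked' in elem.get_attribute(attr)` raises `TypeError` rather than a plain assertion failure when the attribute is absent; `(elem.get_attribute(attr) or '')` keeps the failure readable. The enclosing test function starts above this section and the fixture HTML is not shown, so the per-element expectations are inferred.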
