Revision 96efcc33
Added by koszko over 1 year ago
test/haketilo_test/unit/test_policy_enforcing.py | ||
---|---|---|
73 | 73 |
@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}]) |
74 | 74 |
def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting): |
75 | 75 |
""" |
76 |
A test case of sanitizing <script>s and intrinsic javascript in pages.
|
|
76 |
A test case of sanitizing <script>s and intrinsic JavaScript in HTML pages.
|
|
77 | 77 |
""" |
78 |
def assert_properly_blocked():
|
|
78 |
def click_all():
|
|
79 | 79 |
for i in range(1, 3): |
80 | 80 |
driver.find_element_by_id(f'clickme{i}').click() |
81 | 81 |
|
82 |
def assert_properly_blocked(): |
|
83 |
click_all() |
|
84 |
|
|
82 | 85 |
assert set(driver.execute_script('return window.__run || [];')) == set() |
83 | 86 |
assert bool(csp_off_setting) == are_scripts_allowed(driver) |
84 | 87 |
|
... | ... | |
98 | 101 |
**csp_off_setting |
99 | 102 |
}) |
100 | 103 |
|
101 |
for i in range(1, 3): |
|
102 |
driver.find_element_by_id(f'clickme{i}').click() |
|
104 |
click_all() |
|
103 | 105 |
|
104 | 106 |
assert set(driver.execute_script('return window.__run || [];')) == \ |
105 | 107 |
{'inline', 'on', 'href', 'src', 'data'} |
... | ... | |
121 | 123 |
|
122 | 124 |
assert_properly_blocked() |
123 | 125 |
assert are_scripts_allowed(driver, nonce) |
126 |
|
|
127 |
# Test function analogous to that for HTML page. |
|
128 |
@pytest.mark.ext_data({'content_script': content_script}) |
|
129 |
@pytest.mark.usefixtures('webextension') |
|
130 |
@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}]) |
|
131 |
def test_policy_enforcing_xml(driver, execute_in_page, csp_off_setting): |
|
132 |
""" |
|
133 |
A test case of sanitizing <script>s and intrinsic JavaScript in XML |
|
134 |
documents. |
|
135 |
""" |
|
136 |
def click_all(): |
|
137 |
for name in ('idaret', 'nowamak', 'mango', 'annoying'): |
|
138 |
elem = driver.find_element_by_id(f'{name}_circle') |
|
139 |
try: |
|
140 |
elem.click() |
|
141 |
except: |
|
142 |
pass |
|
143 |
|
|
144 |
def assert_properly_blocked(): |
|
145 |
click_all() |
|
146 |
|
|
147 |
try: |
|
148 |
assert set(driver.execute_script('return window.__run || [];')) == set() |
|
149 |
except: |
|
150 |
from time import sleep |
|
151 |
sleep(100000) |
|
152 |
assert bool(csp_off_setting) == are_scripts_allowed(driver) |
|
153 |
|
|
154 |
# First, see if scripts run when not blocked. |
|
155 |
get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', { |
|
156 |
'policy': allow_policy, |
|
157 |
**csp_off_setting |
|
158 |
}) |
|
159 |
|
|
160 |
click_all() |
|
161 |
|
|
162 |
assert set(driver.execute_script('return window.__run || [];')) == \ |
|
163 |
{'grape', 'raspberry', 'idaret', 'melon'} |
|
164 |
assert are_scripts_allowed(driver) |
|
165 |
|
|
166 |
# Now, verify scripts don't run when blocked. |
|
167 |
get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', { |
|
168 |
'policy': block_policy, |
|
169 |
**csp_off_setting |
|
170 |
}) |
|
171 |
|
|
172 |
assert_properly_blocked() |
|
173 |
|
|
174 |
# Now, verify only scripts with nonce can run when payload is injected. |
|
175 |
get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', { |
|
176 |
'policy': payload_policy, |
|
177 |
**csp_off_setting |
|
178 |
}) |
|
179 |
|
|
180 |
assert_properly_blocked() |
|
181 |
assert are_scripts_allowed(driver, nonce) |
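Review bot: The try/except wrapped around the blocked-scripts assertion in `assert_properly_blocked` of `test_policy_enforcing_xml` (new lines 147-151) looks like leftover debugging: the bare `except:` swallows the `AssertionError` and `sleep(100000)` then stalls the run for more than a day, so a regression in XML script blocking never shows up as a failure and instead hangs the suite. Replace it with the plain assertion the HTML variant uses, `assert set(driver.execute_script('return window.__run || [];')) == set()`, and drop the function-scope `from time import sleep`. The bare `except: pass` around `elem.click()` in this test's `click_all` (new lines 139-142) also hides every WebDriver error rather than only the non-clickable-element case it presumably tolerates; catching the specific selenium exception (presumably `ElementNotInteractableException`, to be confirmed against the file's imports) would keep genuine driver failures visible. A comment such as `# Some circles are not clickable; tolerate that but surface real driver errors.` would record why the click is best-effort.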
improve script blocking in non-HTML documents (XML)