let ssm = Services.scriptSecurityManager; // This will show a directory listing, but we never actually load these so that's OK. const kDummyPage = getRootDirectory(gTestPath);
// Can link to ourselves:
["about:test-unknown-unlinkable", true, true, true], // Can't link to unlinkable content if we're not sure it's privileged:
["about:test-unknown-unlinkable2", false, false, true],
// Because this page doesn't have SAFE_FOR_UNTRUSTED, the web can't link to it:
["about:test-unknown-linkable", false, false, true],
],
],
[ "about:test-content-unlinkable",
[
["about:test-chrome-privs", false, false, true],
// Can't link to unlinkable content if we're not sure it's privileged:
["about:test-unknown-unlinkable", false, false, true],
// ... but it can link to other linkable content.
["about:test-content-linkable", true, true, true],
// Can link to ourselves:
["about:test-unknown-linkable", true, true, true],
// Because this page doesn't have SAFE_FOR_UNTRUSTED, the web can't link to it:
["about:test-unknown-linkable2", false, false, true],
],
],
[ "about:test-content-linkable",
[
["about:test-chrome-privs", false, false, true],
// Linkable content can't link to unlinkable content.
["about:test-unknown-unlinkable", false, false, true],
// ... but it can link to itself and other linkable content.
["about:test-content-linkable", true, true, true],
["about:test-content-linkable2", true, true, true],
// Because this page doesn't have SAFE_FOR_UNTRUSTED, the web can't link to it:
["about:test-unknown-linkable", false, false, true],
],
],
]);
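/**
 * Check that loading `target` from the principal `source` is allowed or
 * denied exactly as the expectations say.
 *
 * NOTE: this function is serialized with toString() and re-created with
 * eval() inside a content process (see the SpecialPowers.spawn call further
 * down in this file), so it must stay self-contained: it may only reference
 * `ssm`, `Services`, `ok`, `info` and `Assert`, all of which exist in both
 * scopes. Do not hoist the helper below out of the function.
 *
 * @param {nsIPrincipal} source - principal the load originates from
 * @param {string} target - URI string to load
 * @param {boolean} canLoad - whether the load must be allowed when principal
 *   inheritance is permitted
 * @param {boolean} canLoadWithoutInherit - whether the load must be allowed
 *   when `flags` contains ssm.DISALLOW_INHERIT_PRINCIPAL
 * @param {boolean} canCreate - whether Services.io.newURI(target) is expected
 *   to succeed at all
 * @param {number} flags - flags handed to checkLoadURIWithPrincipal; only the
 *   DISALLOW_INHERIT_PRINCIPAL bit is inspected here
 */
function testURL(
  source,
  target,
  canLoad,
  canLoadWithoutInherit,
  canCreate,
  flags
) {
  // Human-readable name for the source principal, used in assertion messages.
  function getPrincipalDesc(principal) {
    // Strict comparison: `spec` is a string attribute, so no coercion wanted.
    if (principal.spec !== "") {
      return principal.spec;
    }
    if (principal.isSystemPrincipal) {
      return "system principal";
    }
    if (principal.isNullPrincipal) {
      return "null principal";
    }
    return "unknown principal";
  }

  // Step 1: the target must be parseable as a URI iff `canCreate` says so.
  let targetURI;
  try {
    targetURI = Services.io.newURI(target);
  } catch (ex) {
    ok(
      !canCreate,
      `Shouldn't be passing URIs that we can't create. Failed to create: ${target}`
    );
    return;
  }
  ok(
    canCreate,
    `Created a URI for ${target} which should ${canCreate ? "" : "not "}be possible.`
  );

  // Step 2: ask the security manager; a throw means the load is denied.
  let threw = false;
  try {
    ssm.checkLoadURIWithPrincipal(source, targetURI, flags);
  } catch (ex) {
    info(ex.message);
    threw = true;
  }

  // Step 3: pick the expectation matching the inheritance mode in `flags`.
  const inheritDisallowed = flags & ssm.DISALLOW_INHERIT_PRINCIPAL;
  const shouldThrow = inheritDisallowed ? !canLoadWithoutInherit : !canLoad;
  Assert.equal(
    threw,
    shouldThrow,
    `Should ${shouldThrow ? "" : "not "}throw an error when loading ${target} from ${getPrincipalDesc(source)}${inheritDisallowed ? " without" : " with"} principal inheritance.`
  );
}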
add_task(async function () { // In this test we want to verify both http and https load // restrictions, hence we explicitly switch off the https-first // upgrading mechanism.
await SpecialPowers.pushPrefEnv({
set: [["dom.security.https_first", false]],
});
await kAboutPagesRegistered;
let baseFlags = ssm.STANDARD | ssm.DONT_REPORT_ERRORS; for (let [sourceString, targetsAndExpectations] of URLs) {
let source; if (sourceString.startsWith("about:test-chrome-privs")) {
source = ssm.getSystemPrincipal();
} else {
source = ssm.createContentPrincipal(Services.io.newURI(sourceString), {});
} for (let [
target,
canLoad,
canLoadWithoutInherit,
canCreate,
] of targetsAndExpectations) {
testURL(
source,
target,
canLoad,
canLoadWithoutInherit,
canCreate,
baseFlags
);
testURL(
source,
target,
canLoad,
canLoadWithoutInherit,
canCreate,
baseFlags | ssm.DISALLOW_INHERIT_PRINCIPAL
);
}
}
// Now test blob URIs, which we need to do in-content.
await BrowserTestUtils.withNewTab( "http://www.example.com/",
async function (browser) {
await SpecialPowers.spawn(
browser,
[testURL.toString()],
async function (testURLFn) { // eslint-disable-next-line no-shadow , no-eval
let testURL = eval("(" + testURLFn + ")"); // eslint-disable-next-line no-shadow
let ssm = Services.scriptSecurityManager; // eslint-disable-next-line no-shadow
let baseFlags = ssm.STANDARD | ssm.DONT_REPORT_ERRORS; // eslint-disable-next-line no-unused-vars
let b = new content.Blob(["I am a blob"]);
let contentBlobURI = content.URL.createObjectURL(b);
let contentPrincipal = content.document.nodePrincipal; // Loading this blob URI from the content page should work:
testURL(
contentPrincipal,
contentBlobURI, true, true, true,
baseFlags
);
testURL(
contentPrincipal,
contentBlobURI, true, true, true,
baseFlags | ssm.DISALLOW_INHERIT_PRINCIPAL
);