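def test_same_origin(self):
        """Scripts served by the scanned site itself pass without SRI.

        Two documents are scanned. Neither script tag carries an
        ``integrity`` attribute; the first uses a relative ``src``, the second
        an absolute ``https://`` URL. Both must be reported as
        ``sri-not-implemented-but-all-scripts-loaded-from-secure-origin`` with
        ``pass`` set.
        """
        # Relative src: resolved against the page, so it is same-origin.
        self.reqs['resources']['__path__'] = """
        <html>
            <head>
              <script src="/static/js/foo.js"></script>
            </head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual(result['result'], 'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
        self.assertTrue(result['pass'])

        # On the same second-level domain
        # (the scanned hostname is set up outside this method; presumably it
        # shares the mozilla.org second-level domain, confirm in setUp)
        self.reqs['resources']['__path__'] = """
        <html>
            <head>
              <script src="https://www.mozilla.org/static/js/foo.js"></script>
            </head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
        self.assertTrue(result['pass'])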
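    def test_same_origin(self):
        """Scripts served by the scanned site itself pass without SRI.

        The document is stored under the ``'/'`` resource key. Neither script
        tag carries an ``integrity`` attribute; the first uses a relative
        ``src``, the second an absolute ``https://`` URL. Both scans must
        report ``sri-not-implemented-but-all-scripts-loaded-from-secure-origin``
        with ``pass`` set.
        """
        # Relative src: resolved against the page, so it is same-origin.
        self.reqs['resources']['/'] = """
        <html>
            <head>
              <script src="/static/js/foo.js"></script>
            </head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual(
            result['result'],
            'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
        self.assertTrue(result['pass'])

        # On the same second-level domain
        # (the scanned hostname is set up outside this method; presumably it
        # shares the mozilla.com second-level domain, confirm in setUp)
        self.reqs['resources']['/'] = """
        <html>
            <head>
              <script src="https://www.mozilla.com/static/js/foo.js"></script>
            </head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual(
            'sri-not-implemented-but-all-scripts-loaded-from-secure-origin',
            result['result'])
        self.assertTrue(result['pass'])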
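    def test_same_origin(self):
        """Check how same-site scripts without SRI are graded.

        Four scans are run against fixture files whose markup is not visible
        here. The fixtures are described only by the inline comments below.
        A same-site script pulled in "without a protocol" must fail, while the
        relative and explicit ``https://`` variants must pass. The last scan
        repeats the ``https://`` case after forcing the response status to
        404 and still expects a pass.
        """
        self.reqs = empty_requests('test_content_sri_sameorigin1.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual(result['result'], 'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
        self.assertTrue(result['pass'])

        # On the same second-level domain, but without a protocol
        # (presumably a protocol-relative ``//host/...`` URL, which inherits
        # the page's scheme and so is not guaranteed to be HTTPS; confirm
        # against the fixture)
        self.reqs = empty_requests('test_content_sri_sameorigin3.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-and-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])

        # On the same second-level domain, with https:// specified
        self.reqs = empty_requests('test_content_sri_sameorigin2.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
        self.assertTrue(result['pass'])

        # And the same, but with a 404 status code
        # (only the status of the 'auto' response changes; the fixture loaded
        # just above stays in place)
        self.reqs['responses']['auto'].status_code = 404

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
        self.assertTrue(result['pass'])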
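    def test_same_origin(self):
        """Check how same-site scripts without SRI are graded.

        Four scans are run against fixture files whose markup is not visible
        here. The fixtures are described only by the inline comments below.
        A same-site script pulled in "without a protocol" must fail, while the
        relative and explicit ``https://`` variants must pass. The last scan
        repeats the ``https://`` case after forcing the response status to
        404 and still expects a pass.
        """
        self.reqs = empty_requests('test_content_sri_sameorigin1.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual(result['result'], 'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
        self.assertTrue(result['pass'])

        # On the same second-level domain, but without a protocol
        # (presumably a protocol-relative ``//host/...`` URL, which inherits
        # the page's scheme and so is not guaranteed to be HTTPS; confirm
        # against the fixture)
        self.reqs = empty_requests('test_content_sri_sameorigin3.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-and-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])

        # On the same second-level domain, with https:// specified
        self.reqs = empty_requests('test_content_sri_sameorigin2.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
        self.assertTrue(result['pass'])

        # And the same, but with a 404 status code
        # (only the status of the 'auto' response changes; the fixture loaded
        # just above stays in place)
        self.reqs['responses']['auto'].status_code = 404

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
        self.assertTrue(result['pass'])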
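    def test_not_implemented_external_scripts_noproto(self):
        """External scripts with no SRI and no explicit scheme must fail.

        The markup comes from a fixture file that is not visible here. Going
        by its name it references an external script without a protocol
        (presumably ``//host/...``; confirm against the fixture). The scan
        must report
        ``sri-not-implemented-and-external-scripts-not-loaded-securely`` and
        must not pass.
        """
        self.reqs = empty_requests('test_content_sri_notimpl_external_noproto.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-and-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])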
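    def test_implemented_same_origin(self):
        """A same-origin page that uses SRI gets the best result.

        The markup comes from a fixture file that is not visible here. The
        scan must report ``sri-implemented-and-all-scripts-loaded-securely``
        with ``pass`` set.
        """
        self.reqs = empty_requests('test_content_sri_impl_sameorigin.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-all-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])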
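    def test_implemented_external_scripts_https(self):
        """External scripts that use SRI and HTTPS must pass.

        Two fixture files are scanned; their markup is not visible here. Both
        scans must report
        ``sri-implemented-and-external-scripts-loaded-securely`` with ``pass``
        set.
        """
        # load from a remote site
        self.reqs = empty_requests('test_content_sri_impl_external_https1.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-external-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])

        # load from an intranet / localhost
        self.reqs = empty_requests('test_content_sri_impl_external_https2.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-external-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])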
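    def test_not_status_code_200(self):
        """A non-200 response is reported as such and does not pass.

        The status of the ``'auto'`` response is forced to 404 before the
        scan. The scan must report ``request-did-not-return-status-code-200``
        and must not pass, so an error page is never graded as if it were the
        site's real content.
        """
        self.reqs['responses']['auto'].status_code = 404

        result = subresource_integrity(self.reqs)

        self.assertEqual(result['result'], 'request-did-not-return-status-code-200')
        self.assertFalse(result['pass'])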
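    def test_no_scripts(self):
        """A page that loads no scripts passes without SRI.

        The markup comes from a fixture file that is not visible here. The
        scan must report ``sri-not-implemented-but-no-scripts-loaded`` with
        ``pass`` set.
        """
        self.reqs = empty_requests('test_content_sri_no_scripts.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-no-scripts-loaded', result['result'])
        self.assertTrue(result['pass'])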
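    def test_implemented_same_origin(self):
        """A same-origin page that uses SRI gets the best result.

        The markup comes from a fixture file that is not visible here. The
        scan must report ``sri-implemented-and-all-scripts-loaded-securely``
        with ``pass`` set.
        """
        self.reqs = empty_requests('test_content_sri_impl_sameorigin.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-all-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])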
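    def test_not_implemented_external_scripts_noproto(self):
        """External scripts with no SRI and no explicit scheme must fail.

        The markup comes from a fixture file that is not visible here. Going
        by its name it references an external script without a protocol
        (presumably ``//host/...``; confirm against the fixture). The scan
        must report
        ``sri-not-implemented-and-external-scripts-not-loaded-securely`` and
        must not pass.
        """
        self.reqs = empty_requests('test_content_sri_notimpl_external_noproto.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-and-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])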
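    def test_implemented_external_scripts_https(self):
        """External scripts that use SRI and HTTPS must pass.

        Two fixture files are scanned; their markup is not visible here. Both
        scans must report
        ``sri-implemented-and-external-scripts-loaded-securely`` with ``pass``
        set.
        """
        # load from a remote site
        self.reqs = empty_requests('test_content_sri_impl_external_https1.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-external-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])

        # load from an intranet / localhost
        self.reqs = empty_requests('test_content_sri_impl_external_https2.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-external-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])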
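    def test_no_scripts(self):
        """A page that loads no scripts passes without SRI.

        The markup comes from a fixture file that is not visible here. The
        scan must report ``sri-not-implemented-but-no-scripts-loaded`` with
        ``pass`` set.
        """
        self.reqs = empty_requests('test_content_sri_no_scripts.html')

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-no-scripts-loaded', result['result'])
        self.assertTrue(result['pass'])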
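    def test_not_status_code_200(self):
        """A non-200 response is reported as such and does not pass.

        The status of the ``'auto'`` response is forced to 404 before the
        scan. The scan must report ``request-did-not-return-status-code-200``
        and must not pass, so an error page is never graded as if it were the
        site's real content.
        """
        self.reqs['responses']['auto'].status_code = 404

        result = subresource_integrity(self.reqs)

        self.assertEqual(result['result'],
                         'request-did-not-return-status-code-200')
        self.assertFalse(result['pass'])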
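    def test_implemented_external_scripts_https(self):
        """External scripts with an integrity attribute over HTTPS must pass.

        Each document, stored under the ``'/'`` resource key, has one relative
        script without SRI and one external ``https://`` script carrying
        ``integrity`` and ``crossorigin`` attributes. Both scans must report
        ``sri-implemented-and-external-scripts-loaded-securely`` with ``pass``
        set.
        """
        # NOTE: the second <head> in both fixtures is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        # load from a remote site
        self.reqs['resources']['/'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="https://fb.me/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous">
            </script>
          <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual(
            'sri-implemented-and-external-scripts-loaded-securely',
            result['result'])
        self.assertTrue(result['pass'])

        # load from an intranet / localhost
        self.reqs['resources']['/'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="https://localhost/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous">
            </script>
          <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual(
            'sri-implemented-and-external-scripts-loaded-securely',
            result['result'])
        self.assertTrue(result['pass'])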
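    def test_no_scripts(self):
        """A page that loads no scripts passes without SRI.

        The document has an empty head and body. The scan must report
        ``sri-not-implemented-but-no-scripts-loaded`` with ``pass`` set.
        """
        self.reqs['resources']['__path__'] = """
        <html>
            <head></head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-no-scripts-loaded', result['result'])
        self.assertTrue(result['pass'])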
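    def test_no_scripts(self):
        """A page that loads no scripts passes without SRI.

        The document has an empty head and body. The scan must report
        ``sri-not-implemented-but-no-scripts-loaded`` with ``pass`` set.
        """
        self.reqs['resources']['__path__'] = """
        <html>
            <head></head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-no-scripts-loaded', result['result'])
        self.assertTrue(result['pass'])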
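    def test_not_html(self):
        """Check the handling of non-HTML responses.

        Unparsable markup must be reported as ``html-not-parsable`` and must
        not pass. A response declared as ``application/json`` must be reported
        as ``sri-not-implemented-response-not-html`` and must pass, since such
        a response has no script tags to protect.
        """
        # invalid html
        self.reqs['resources']['__path__'] = '<![..]>'

        result = subresource_integrity(self.reqs)

        self.assertEqual('html-not-parsable', result['result'])
        self.assertFalse(result['pass'])

        # json, like what an API might return
        # (the body uses single quotes, so it is not strict JSON; presumably
        # the Content-Type header alone drives the verdict; confirm against
        # subresource_integrity)
        self.reqs['responses']['auto'].headers['Content-Type'] = 'application/json'
        self.reqs['resources']['__path__'] = """
        {
            'foo': 'bar'
        }
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-response-not-html', result['result'])
        self.assertTrue(result['pass'])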
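    def test_not_html(self):
        """Check the handling of non-HTML responses.

        Unparsable markup must be reported as ``html-not-parsable`` and must
        not pass. A response declared as ``application/json`` must be reported
        as ``sri-not-implemented-response-not-html`` and must pass, since such
        a response has no script tags to protect.
        """
        # invalid html
        self.reqs['resources']['__path__'] = '<![..]>'

        result = subresource_integrity(self.reqs)

        self.assertEqual('html-not-parsable', result['result'])
        self.assertFalse(result['pass'])

        # json, like what an API might return
        # (the body uses single quotes, so it is not strict JSON; presumably
        # the Content-Type header alone drives the verdict; confirm against
        # subresource_integrity)
        self.reqs['responses']['auto'].headers['Content-Type'] = 'application/json'
        self.reqs['resources']['__path__'] = """
        {
            'foo': 'bar'
        }
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-response-not-html', result['result'])
        self.assertTrue(result['pass'])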
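    def test_implemented_external_scripts_https(self):
        """External scripts with an integrity attribute over HTTPS must pass.

        Each document has one relative script without SRI and one external
        ``https://`` script carrying ``integrity`` and ``crossorigin``
        attributes. Both scans must report
        ``sri-implemented-and-external-scripts-loaded-securely`` with ``pass``
        set.
        """
        # NOTE: the second <head> in both fixtures is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        # load from a remote site
        self.reqs['resources']['__path__'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="https://fb.me/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous">
            </script>
          <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-external-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])

        # load from an intranet / localhost
        self.reqs['resources']['__path__'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="https://localhost/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous">
            </script>
          <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-external-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])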
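    def test_same_origin(self):
        """Scripts served by the scanned site itself pass without SRI.

        Neither script tag carries an ``integrity`` attribute; the first
        document uses a relative ``src``, the second an absolute ``https://``
        URL. The third scan reuses the second document after forcing the
        response status to 404. All three must report
        ``sri-not-implemented-but-all-scripts-loaded-from-secure-origin`` with
        ``pass`` set.
        """
        # Relative src: resolved against the page, so it is same-origin.
        self.reqs['resources']['__path__'] = """
        <html>
            <head>
              <script src="/static/js/foo.js"></script>
            </head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual(result['result'], 'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
        self.assertTrue(result['pass'])

        # On the same second-level domain
        # (the scanned hostname is set up outside this method; presumably it
        # shares the mozilla.org second-level domain, confirm in setUp)
        self.reqs['resources']['__path__'] = """
        <html>
            <head>
              <script src="https://www.mozilla.org/static/js/foo.js"></script>
            </head>
            <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
        self.assertTrue(result['pass'])

        # And the same, but with a 404 status code
        # (only the status of the 'auto' response changes; the document set
        # just above stays in place)
        self.reqs['responses']['auto'].status_code = 404

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
        self.assertTrue(result['pass'])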
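    def test_not_implemented_external_scripts_http(self):
        """An external script over plain HTTP with no SRI must fail.

        The document loads one relative script and one ``http://`` script
        from another host, neither with an ``integrity`` attribute. The scan
        must report
        ``sri-not-implemented-and-external-scripts-not-loaded-securely`` and
        must not pass: nothing authenticates the third-party script in
        transit or pins its content.
        """
        # NOTE: the second <head> in this fixture is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        self.reqs['resources']['__path__'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="http://fb.me/react-0.14.6.min.js"></script>
            <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-and-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])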
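    def test_not_implemented_external_scripts_http(self):
        """An external script over plain HTTP with no SRI must fail.

        The document loads one relative script and one ``http://`` script
        from another host, neither with an ``integrity`` attribute. The scan
        must report
        ``sri-not-implemented-and-external-scripts-not-loaded-securely`` and
        must not pass: nothing authenticates the third-party script in
        transit or pins its content.
        """
        # NOTE: the second <head> in this fixture is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        self.reqs['resources']['__path__'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="http://fb.me/react-0.14.6.min.js"></script>
            <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-not-implemented-and-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])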
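    def test_implemented_same_origin(self):
        """A same-origin script that carries an integrity attribute passes.

        The document's only script has a relative ``src`` plus ``integrity``
        and ``crossorigin`` attributes. The scan must report
        ``sri-implemented-and-all-scripts-loaded-securely`` with ``pass`` set.
        """
        # NOTE: the second <head> in this fixture is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        self.reqs['resources']['__path__'] = """
        <html>
          <head>
            <script src="/static/js/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous">
            </script>
          <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-all-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])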
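    def test_implemented_same_origin(self):
        """A same-origin script that carries an integrity attribute passes.

        The document's only script has a relative ``src`` plus ``integrity``
        and ``crossorigin`` attributes. The scan must report
        ``sri-implemented-and-all-scripts-loaded-securely`` with ``pass`` set.
        """
        # NOTE: the second <head> in this fixture is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        self.reqs['resources']['__path__'] = """
        <html>
          <head>
            <script src="/static/js/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous">
            </script>
          <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-and-all-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])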
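    def test_implemented_external_scripts_http(self):
        """An integrity attribute does not excuse a plain-HTTP external script.

        The document loads a relative script and two external scripts that
        both carry ``integrity`` and ``crossorigin`` attributes, one over
        ``http://`` and one over ``https://``. The scan must report
        ``sri-implemented-but-external-scripts-not-loaded-securely`` and must
        not pass.
        """
        # NOTE: both external tags reuse the same sha384 value for different
        # files, so it cannot match both; only markup is supplied here, so
        # presumably the scanner checks for the attribute and never verifies
        # the digest. Confirm against subresource_integrity.
        # NOTE: the second <head> in this fixture is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        self.reqs['resources']['__path__'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="http://fb.me/react-0.14.6.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous"></script>
            <script src="https://fb.me/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous"></script>
            <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-but-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])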
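    def test_implemented_external_scripts_http(self):
        """An integrity attribute does not excuse a plain-HTTP external script.

        The document, stored under the ``'/'`` resource key, loads a relative
        script and two external scripts that both carry ``integrity`` and
        ``crossorigin`` attributes, one over ``http://`` and one over
        ``https://``. The scan must report
        ``sri-implemented-but-external-scripts-not-loaded-securely`` and must
        not pass.
        """
        # NOTE: both external tags reuse the same sha384 value for different
        # files, so it cannot match both; only markup is supplied here, so
        # presumably the scanner checks for the attribute and never verifies
        # the digest. Confirm against subresource_integrity.
        # NOTE: the second <head> in this fixture is presumably meant to be
        # </head>; the markup is left as-is so the parser input is unchanged.
        self.reqs['resources']['/'] = """
        <html>
          <head>
            <script src="/static/js/foo.js"></script>
            <script src="http://fb.me/react-0.14.6.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous"></script>
            <script src="https://fb.me/react-0.14.7.min.js"
                    integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
                    crossorigin="anonymous"></script>
            <head>
          <body></body>
        </html>
        """

        result = subresource_integrity(self.reqs)

        self.assertEqual('sri-implemented-but-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])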