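def test_same_origin(self):
    """Scripts without SRI still pass when every script is same-origin.

    Two fixtures are scanned, neither carrying an ``integrity`` attribute:
    a relative-path script, then an absolute https:// script on the same
    second-level domain.  Both must yield the result
    'sri-not-implemented-but-all-scripts-loaded-from-secure-origin' with
    ``pass`` set.
    """
    # Relative path: resolved against the scanned page's own origin.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        result['result'],
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
    self.assertTrue(result['pass'])

    # On the same second-level domain, with https:// spelled out.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="https://www.mozilla.org/static/js/foo.js"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin',
        result['result'])
    self.assertTrue(result['pass'])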
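def test_same_origin(self):
    """Scripts without SRI still pass when every script is same-origin.

    Two fixtures are scanned under the '/' resource key, neither carrying
    an ``integrity`` attribute: a relative-path script, then an absolute
    https:// script on the same second-level domain.  Both must yield
    'sri-not-implemented-but-all-scripts-loaded-from-secure-origin' with
    ``pass`` set.
    """
    # Relative path: resolved against the scanned page's own origin.
    self.reqs['resources']['/'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        result['result'],
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
    self.assertTrue(result['pass'])

    # On the same second-level domain, with https:// spelled out.
    self.reqs['resources']['/'] = """
<html>
  <head>
    <script src="https://www.mozilla.com/static/js/foo.js"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin',
        result['result'])
    self.assertTrue(result['pass'])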
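def test_same_origin(self):
    """Same-origin script handling across the ``sameorigin`` fixture files.

    Checks, in order:

    * a relative-path script passes without SRI;
    * a protocol-relative (``//host/...``) script on the same second-level
      domain is treated as not loaded securely and fails;
    * the same script with an explicit https:// scheme passes;
    * that https:// result is unchanged when the response status is 404.
    """
    self.reqs = empty_requests('test_content_sri_sameorigin1.html')
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        result['result'],
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
    self.assertTrue(result['pass'])

    # On the same second-level domain, but without a protocol: the scheme is
    # inherited from the page, so the scanner cannot treat it as secure.
    self.reqs = empty_requests('test_content_sri_sameorigin3.html')
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-not-implemented-and-external-scripts-not-loaded-securely',
        result['result'])
    self.assertFalse(result['pass'])

    # On the same second-level domain, with https:// specified.
    self.reqs = empty_requests('test_content_sri_sameorigin2.html')
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin',
        result['result'])
    self.assertTrue(result['pass'])

    # And the same, but with a 404 status code: the SRI verdict for a page
    # that did parse is expected not to change with the status code here.
    self.reqs['responses']['auto'].status_code = 404
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin',
        result['result'])
    self.assertTrue(result['pass'])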
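def test_not_implemented_external_scripts_noproto(self):
    """A protocol-relative external script without SRI must fail.

    The fixture loads an external script via a ``//host/...`` URL and no
    ``integrity`` attribute; the expected result is
    'sri-not-implemented-and-external-scripts-not-loaded-securely' with
    ``pass`` cleared.
    """
    self.reqs = empty_requests('test_content_sri_notimpl_external_noproto.html')
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-not-implemented-and-external-scripts-not-loaded-securely',
        result['result'])
    self.assertFalse(result['pass'])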
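def test_implemented_same_origin(self):
    """A same-origin script that carries SRI yields the fully-secure result.

    The fixture's script has an ``integrity`` attribute and is loaded from
    the page's own origin; the expected result is
    'sri-implemented-and-all-scripts-loaded-securely' with ``pass`` set.
    """
    self.reqs = empty_requests('test_content_sri_impl_sameorigin.html')
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-implemented-and-all-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])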
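def test_implemented_external_scripts_https(self):
    """External https:// scripts with SRI pass for remote and local hosts.

    Two fixture files are scanned: one loading an SRI-protected script from
    a remote site, one loading it from an intranet / localhost address.
    Both must yield 'sri-implemented-and-external-scripts-loaded-securely'
    with ``pass`` set.
    """
    # Load from a remote site.
    self.reqs = empty_requests('test_content_sri_impl_external_https1.html')
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-implemented-and-external-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])

    # Load from an intranet / localhost: still external, still https.
    self.reqs = empty_requests('test_content_sri_impl_external_https2.html')
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-implemented-and-external-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])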
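def test_not_status_code_200(self):
    """A non-200 response short-circuits the scan with a failing result.

    Only the status code on the 'auto' response is changed; the expected
    result is 'request-did-not-return-status-code-200' with ``pass``
    cleared.
    """
    self.reqs['responses']['auto'].status_code = 404
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        result['result'],
        'request-did-not-return-status-code-200')
    self.assertFalse(result['pass'])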
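def test_no_scripts(self):
    """A page with no script tags passes with the no-scripts result.

    Uses the ``test_content_sri_no_scripts.html`` fixture; the expected
    result is 'sri-not-implemented-but-no-scripts-loaded' with ``pass``
    set.
    """
    self.reqs = empty_requests('test_content_sri_no_scripts.html')
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-not-implemented-but-no-scripts-loaded',
        result['result'])
    self.assertTrue(result['pass'])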
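def test_implemented_external_scripts_https(self):
    """External https:// scripts with SRI pass for remote and local hosts.

    Each inline fixture pairs a same-origin script (no SRI needed) with an
    external https:// script carrying ``integrity`` and ``crossorigin``
    attributes — first from a remote site, then from localhost.  Both must
    yield 'sri-implemented-and-external-scripts-loaded-securely' with
    ``pass`` set.
    """
    # Load from a remote site.  The original fixture closed <head> with a
    # second "<head>" tag; fixed to "</head>" so the markup is well-formed.
    self.reqs['resources']['/'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
    <script src="https://fb.me/react-0.14.7.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous">
    </script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-implemented-and-external-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])

    # Load from an intranet / localhost: still external, still https.
    self.reqs['resources']['/'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
    <script src="https://localhost/react-0.14.7.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous">
    </script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-implemented-and-external-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])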
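def test_no_scripts(self):
    """A page with no script tags passes with the no-scripts result.

    The inline fixture is a bare document with empty ``head`` and ``body``;
    the expected result is 'sri-not-implemented-but-no-scripts-loaded'
    with ``pass`` set.
    """
    self.reqs['resources']['__path__'] = """
<html>
  <head></head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-not-implemented-but-no-scripts-loaded',
        result['result'])
    self.assertTrue(result['pass'])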
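def test_not_html(self):
    """Non-HTML bodies are reported rather than scanned for scripts.

    Two cases:

    * a body that cannot be parsed as HTML yields 'html-not-parsable' and
      fails;
    * a JSON body (Content-Type set to application/json) yields
      'sri-not-implemented-response-not-html' and passes, since there is
      no markup in which a script could be loaded.
    """
    # Invalid HTML.
    self.reqs['resources']['__path__'] = '<![..]>'
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual('html-not-parsable', result['result'])
    self.assertFalse(result['pass'])

    # JSON, like what an API might return.  The body is deliberately not
    # valid JSON either (single quotes); the Content-Type header is what
    # the scanner is expected to key on.
    self.reqs['responses']['auto'].headers['Content-Type'] = 'application/json'
    self.reqs['resources']['__path__'] = """
{
  'foo': 'bar'
}
"""
    result = subresource_integrity(self.reqs)
    self.assertEqual('sri-not-implemented-response-not-html', result['result'])
    self.assertTrue(result['pass'])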
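def test_implemented_external_scripts_https(self):
    """External https:// scripts with SRI pass for remote and local hosts.

    Each inline fixture pairs a same-origin script (no SRI needed) with an
    external https:// script carrying ``integrity`` and ``crossorigin``
    attributes — first from a remote site, then from localhost.  Both must
    yield 'sri-implemented-and-external-scripts-loaded-securely' with
    ``pass`` set.
    """
    # Load from a remote site.  The original fixture closed <head> with a
    # second "<head>" tag; fixed to "</head>" so the markup is well-formed.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
    <script src="https://fb.me/react-0.14.7.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous">
    </script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-implemented-and-external-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])

    # Load from an intranet / localhost: still external, still https.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
    <script src="https://localhost/react-0.14.7.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous">
    </script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-implemented-and-external-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])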
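def test_same_origin(self):
    """Scripts without SRI still pass when every script is same-origin.

    Three checks on inline fixtures that carry no ``integrity`` attribute:
    a relative-path script; an absolute https:// script on the same
    second-level domain; and that second fixture again with the response
    status set to 404.  All must yield
    'sri-not-implemented-but-all-scripts-loaded-from-secure-origin' with
    ``pass`` set.
    """
    # Relative path: resolved against the scanned page's own origin.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        result['result'],
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin')
    self.assertTrue(result['pass'])

    # On the same second-level domain, with https:// spelled out.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="https://www.mozilla.org/static/js/foo.js"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin',
        result['result'])
    self.assertTrue(result['pass'])

    # And the same, but with a 404 status code: the SRI verdict for a page
    # that did parse is expected not to change with the status code here.
    self.reqs['responses']['auto'].status_code = 404
    result = subresource_integrity(self.reqs)
    self.assertEqual(
        'sri-not-implemented-but-all-scripts-loaded-from-secure-origin',
        result['result'])
    self.assertTrue(result['pass'])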
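def test_not_implemented_external_scripts_http(self):
    """A plain-http external script without SRI must fail.

    The inline fixture pairs a same-origin script with an external script
    fetched over http:// and lacking ``integrity``; the expected result is
    'sri-not-implemented-and-external-scripts-not-loaded-securely' with
    ``pass`` cleared.
    """
    # The original fixture closed <head> with a second "<head>" tag; fixed
    # to "</head>" so the markup is well-formed.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
    <script src="http://fb.me/react-0.14.6.min.js"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-not-implemented-and-external-scripts-not-loaded-securely',
        result['result'])
    self.assertFalse(result['pass'])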
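def test_implemented_same_origin(self):
    """A same-origin script that carries SRI yields the fully-secure result.

    The inline fixture's only script is loaded from the page's own origin
    and has ``integrity`` and ``crossorigin`` attributes; the expected
    result is 'sri-implemented-and-all-scripts-loaded-securely' with
    ``pass`` set.
    """
    # The original fixture closed <head> with a second "<head>" tag; fixed
    # to "</head>" so the markup is well-formed.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="/static/js/react-0.14.7.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous">
    </script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-implemented-and-all-scripts-loaded-securely',
        result['result'])
    self.assertTrue(result['pass'])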
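def test_implemented_external_scripts_http(self):
    """SRI on every external script does not rescue a plain-http load.

    The inline fixture has a same-origin script, an http:// external script
    with ``integrity``, and an https:// external script with ``integrity``.
    Because one external script is fetched over http, the expected result is
    'sri-implemented-but-external-scripts-not-loaded-securely' with ``pass``
    cleared.
    """
    # The original fixture closed <head> with a second "<head>" tag; fixed
    # to "</head>" so the markup is well-formed.
    self.reqs['resources']['__path__'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
    <script src="http://fb.me/react-0.14.6.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous"></script>
    <script src="https://fb.me/react-0.14.7.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-implemented-but-external-scripts-not-loaded-securely',
        result['result'])
    self.assertFalse(result['pass'])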
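def test_implemented_external_scripts_http(self):
    """SRI on every external script does not rescue a plain-http load.

    The inline fixture (under the '/' resource key) has a same-origin
    script, an http:// external script with ``integrity``, and an https://
    external script with ``integrity``.  Because one external script is
    fetched over http, the expected result is
    'sri-implemented-but-external-scripts-not-loaded-securely' with ``pass``
    cleared.
    """
    # The original fixture closed <head> with a second "<head>" tag; fixed
    # to "</head>" so the markup is well-formed.
    self.reqs['resources']['/'] = """
<html>
  <head>
    <script src="/static/js/foo.js"></script>
    <script src="http://fb.me/react-0.14.6.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous"></script>
    <script src="https://fb.me/react-0.14.7.min.js"
            integrity="sha384-zTm/dblzLXQNp3CgY+hfaC/WJ6h4XtNrePh2CW2+rO9GPuNiPb9jmthvAL+oI/dQ"
            crossorigin="anonymous"></script>
  </head>
  <body></body>
</html>
"""
    result = subresource_integrity(self.reqs)
    # assertEqual: assertEquals is a deprecated alias removed in Python 3.12.
    self.assertEqual(
        'sri-implemented-but-external-scripts-not-loaded-securely',
        result['result'])
    self.assertFalse(result['pass'])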