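def test_same_origin(self):
        """Exercise ``subresource_integrity`` on the three same-origin fixtures.

        Outcomes pinned by this test:

        * ``sameorigin1``: no SRI, reported as "all scripts loaded from secure
          origin", and the check passes.
        * ``sameorigin3``: per the inline comment, a script on the same
          second-level domain referenced without a protocol. The check must
          fail as "external scripts not loaded securely".
        * ``sameorigin2``: the same domain with ``https://`` spelled out. It
          passes, and must keep passing when the response status is 404.

        The fixture HTML is not visible from here, so the page contents are
        taken from the comments below.
        """
        secure_origin = 'sri-not-implemented-but-all-scripts-loaded-from-secure-origin'
        insecure_external = 'sri-not-implemented-and-external-scripts-not-loaded-securely'

        # assertEqual replaces the assertEquals alias, which was deprecated and
        # no longer exists on TestCase in Python 3.12.
        self.reqs = empty_requests('test_content_sri_sameorigin1.html')
        result = subresource_integrity(self.reqs)
        self.assertEqual(secure_origin, result['result'])
        self.assertTrue(result['pass'])

        # On the same second-level domain, but without a protocol
        self.reqs = empty_requests('test_content_sri_sameorigin3.html')
        result = subresource_integrity(self.reqs)
        self.assertEqual(insecure_external, result['result'])
        self.assertFalse(result['pass'])

        # On the same second-level domain, with https:// specified
        self.reqs = empty_requests('test_content_sri_sameorigin2.html')
        result = subresource_integrity(self.reqs)
        self.assertEqual(secure_origin, result['result'])
        self.assertTrue(result['pass'])

        # And the same, but with a 404 status code: the grade is expected not to
        # depend on the response status. This reuses the sameorigin2 response.
        self.reqs['responses']['auto'].status_code = 404
        result = subresource_integrity(self.reqs)
        self.assertEqual(secure_origin, result['result'])
        self.assertTrue(result['pass'])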
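    def test_same_origin(self):
        """Check SRI grading for scripts served from the site's own domain.

        Three fixtures are analysed in turn. The first and the ``https://``
        variant must pass as "all scripts loaded from secure origin". The
        protocol-less variant (per the inline comment) must fail as "external
        scripts not loaded securely". The last step repeats the ``https://``
        case with a 404 status and expects the same passing result.

        Fixture contents are not visible here and are described as the
        comments state them.
        """
        passing = 'sri-not-implemented-but-all-scripts-loaded-from-secure-origin'
        failing = 'sri-not-implemented-and-external-scripts-not-loaded-securely'

        # The deprecated assertEquals alias is gone in Python 3.12, so
        # assertEqual is used throughout.
        self.reqs = empty_requests('test_content_sri_sameorigin1.html')
        result = subresource_integrity(self.reqs)
        self.assertEqual(passing, result['result'])
        self.assertTrue(result['pass'])

        # On the same second-level domain, but without a protocol
        self.reqs = empty_requests('test_content_sri_sameorigin3.html')
        result = subresource_integrity(self.reqs)
        self.assertEqual(failing, result['result'])
        self.assertFalse(result['pass'])

        # On the same second-level domain, with https:// specified
        self.reqs = empty_requests('test_content_sri_sameorigin2.html')
        result = subresource_integrity(self.reqs)
        self.assertEqual(passing, result['result'])
        self.assertTrue(result['pass'])

        # And the same, but with a 404 status code (mutates the sameorigin2
        # response loaded just above, so statement order matters here).
        self.reqs['responses']['auto'].status_code = 404
        result = subresource_integrity(self.reqs)
        self.assertEqual(passing, result['result'])
        self.assertTrue(result['pass'])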
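    def test_no_unsafe_default_src_none(self):
        """Check that policies built on ``default-src 'none'`` get the top CSP result.

        Every header value in ``values`` must be reported as
        ``csp-implemented-with-no-unsafe-default-src-none`` with
        ``policy['defaultNone']`` set, delivered over HTTP only. The same result
        is then expected when the policy comes from ``<meta http-equiv>``
        fixtures, and when a header and a ``<meta>`` policy are both present.
        """
        expected = 'csp-implemented-with-no-unsafe-default-src-none'
        values = (
            "default-src",  # no value == 'none'
            # 'unsafe-inline' appears next to a nonce and 'strict-dynamic', and the
            # policy is still expected to count as safe. Presumably this is because
            # browsers ignore 'unsafe-inline' once a nonce is present; confirm
            # against content_security_policy.
            "default-src 'none'; script-src 'strict-dynamic' 'nonce-abc123' 'unsafe-inline'",
            "default-src 'none'; script-src https://mozilla.org;" +
            "style-src https://mozilla.org; upgrade-insecure-requests;",
            "default-src 'none'; object-src https://mozilla.org")

        for value in values:
            # subTest reports which policy string failed instead of stopping at the first one.
            with self.subTest(csp=value):
                self.reqs['responses']['auto'].headers[
                    'Content-Security-Policy'] = value

                result = content_security_policy(self.reqs)

                # assertEqual: the assertEquals alias no longer exists in Python 3.12.
                self.assertEqual(expected, result['result'])
                self.assertTrue(result['http'])
                self.assertFalse(result['meta'])
                self.assertTrue(result['pass'])
                self.assertTrue(result['policy']['defaultNone'])

        # Do the same with a single <meta> http-equiv policy and no header
        self.reqs = empty_requests('test_parse_http_equiv_headers_csp1.html')
        result = content_security_policy(self.reqs)
        self.assertEqual(expected, result['result'])
        self.assertFalse(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])

        # Do the same with the multiple-http-equiv fixture
        self.reqs = empty_requests(
            'test_parse_http_equiv_headers_csp_multiple_http_equiv1.html')
        result = content_security_policy(self.reqs)
        self.assertEqual(expected, result['result'])
        self.assertFalse(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])

        # And that same thing, but with both a header and a <meta> policy. The
        # header alone carries no default-src; the combined result is still
        # expected to be the default-src 'none' grade.
        self.reqs['responses']['auto'].headers[
            'Content-Security-Policy'] = "script-src https://mozilla.org;"
        result = content_security_policy(self.reqs)
        self.assertEqual(expected, result['result'])
        self.assertTrue(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])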
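    def test_no_scripts(self):
        """Check that the no-scripts fixture passes the SRI check without SRI.

        The expected result string is ``sri-not-implemented-but-no-scripts-loaded``
        and ``result['pass']`` must be true.
        """
        self.reqs = empty_requests('test_content_sri_no_scripts.html')

        result = subresource_integrity(self.reqs)

        # assertEqual replaces the assertEquals alias, which is gone in Python 3.12.
        self.assertEqual('sri-not-implemented-but-no-scripts-loaded', result['result'])
        self.assertTrue(result['pass'])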
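    def test_header_private(self):
        """Check that privacy-preserving Referrer-Policy values grade as private.

        Covers three delivery paths: the HTTP header alone (including an
        upper-case spelling, so matching is expected to be case-insensitive),
        a ``<meta>`` http-equiv fixture alone, and both together with a header
        value of ``unsafe-url``.
        """
        private = 'referrer-policy-private'

        for policy in [
                'no-referrer', 'same-origin', 'strict-origin', 'STRICT-ORIGIN',
                'strict-origin-when-cross-origin'
        ]:
            # subTest names the failing policy value in the report.
            with self.subTest(policy=policy):
                self.reqs['responses']['auto'].headers['Referrer-Policy'] = policy

                result = referrer_policy(self.reqs)

                # assertEqual: the assertEquals alias no longer exists in Python 3.12.
                self.assertEqual(private, result['result'])
                self.assertTrue(result['http'])
                self.assertFalse(result['meta'])
                self.assertTrue(result['pass'])

        # Do that same test with a <meta> http-equiv
        self.reqs = empty_requests(
            'test_parse_http_equiv_headers_referrer1.html')
        result = referrer_policy(self.reqs)
        self.assertEqual(private, result['result'])
        self.assertEqual('no-referrer, same-origin', result['data'])
        self.assertFalse(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])

        # Note that <meta> http-equiv comes before the HTTP header: the header's
        # 'unsafe-url' is listed first in result['data'], yet the result is
        # expected to stay private because of the <meta> values.
        self.reqs['responses']['auto'].headers[
            'Referrer-Policy'] = 'unsafe-url'
        result = referrer_policy(self.reqs)
        self.assertEqual(private, result['result'])
        self.assertEqual('unsafe-url, no-referrer, same-origin',
                         result['data'])
        self.assertTrue(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])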
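    def test_implemented_external_scripts_https(self):
        """Check that SRI-protected external scripts over HTTPS pass the SRI check.

        Both fixtures must yield
        ``sri-implemented-and-external-scripts-loaded-securely`` with
        ``result['pass']`` true. The per-fixture comments describe the script
        origin; the fixture HTML is not visible from here.
        """
        expected = 'sri-implemented-and-external-scripts-loaded-securely'
        fixtures = (
            'test_content_sri_impl_external_https1.html',  # load from a remote site
            'test_content_sri_impl_external_https2.html',  # load from an intranet / localhost
        )

        for fixture in fixtures:
            # subTest names the failing fixture in the report.
            with self.subTest(fixture=fixture):
                self.reqs = empty_requests(fixture)

                result = subresource_integrity(self.reqs)

                # assertEqual: the assertEquals alias no longer exists in Python 3.12.
                self.assertEqual(expected, result['result'])
                self.assertTrue(result['pass'])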
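    def test_header_private(self):
        """Check that private Referrer-Policy values are graded ``referrer-policy-private``.

        The header-only loop includes ``'STRICT-ORIGIN'``, so the analyzer is
        expected to match values case-insensitively. The remaining steps load a
        ``<meta>`` http-equiv fixture and then add an ``unsafe-url`` header on
        top of it.
        """
        expected = 'referrer-policy-private'
        header_values = ['no-referrer',
                         'same-origin',
                         'strict-origin',
                         'STRICT-ORIGIN',
                         'strict-origin-when-cross-origin']

        for policy in header_values:
            # One sub-test per value, so a failure names the policy that broke.
            with self.subTest(policy=policy):
                self.reqs['responses']['auto'].headers['Referrer-Policy'] = policy

                result = referrer_policy(self.reqs)

                # The deprecated assertEquals alias is gone in Python 3.12.
                self.assertEqual(expected, result['result'])
                self.assertTrue(result['http'])
                self.assertFalse(result['meta'])
                self.assertTrue(result['pass'])

        # Do that same test with a <meta> http-equiv
        self.reqs = empty_requests('test_parse_http_equiv_headers_referrer1.html')
        result = referrer_policy(self.reqs)
        self.assertEqual(expected, result['result'])
        self.assertEqual('no-referrer, same-origin', result['data'])
        self.assertFalse(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])

        # Note that <meta> http-equiv comes before the HTTP header. Even with an
        # 'unsafe-url' header, which leads result['data'], the grade is
        # expected to remain private.
        self.reqs['responses']['auto'].headers['Referrer-Policy'] = 'unsafe-url'
        result = referrer_policy(self.reqs)
        self.assertEqual(expected, result['result'])
        self.assertEqual('unsafe-url, no-referrer, same-origin', result['data'])
        self.assertTrue(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])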
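    def test_implemented_same_origin(self):
        """Check that the SRI-implemented same-origin fixture gets the all-secure result.

        Expects ``sri-implemented-and-all-scripts-loaded-securely`` and a true
        ``result['pass']``.
        """
        self.reqs = empty_requests('test_content_sri_impl_sameorigin.html')

        result = subresource_integrity(self.reqs)

        # assertEqual replaces the assertEquals alias, which is gone in Python 3.12.
        self.assertEqual('sri-implemented-and-all-scripts-loaded-securely', result['result'])
        self.assertTrue(result['pass'])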
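    def test_not_implemented_external_scripts_noproto(self):
        """Check that the no-SRI, no-protocol external-script fixture fails.

        Going by the fixture name, the page loads external scripts without SRI
        and without an explicit protocol (fixture HTML not shown here). The
        analyzer must report
        ``sri-not-implemented-and-external-scripts-not-loaded-securely`` and a
        false ``result['pass']``.
        """
        self.reqs = empty_requests('test_content_sri_notimpl_external_noproto.html')

        result = subresource_integrity(self.reqs)

        # assertEqual replaces the assertEquals alias, which is gone in Python 3.12.
        self.assertEqual('sri-not-implemented-and-external-scripts-not-loaded-securely', result['result'])
        self.assertFalse(result['pass'])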
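    def test_not_implemented_external_scripts_noproto(self):
        """Expect a failing SRI grade for the ``notimpl_external_noproto`` fixture.

        The asserted result string is
        ``sri-not-implemented-and-external-scripts-not-loaded-securely`` and
        ``result['pass']`` must be false. The fixture presumably references
        external scripts without a scheme; confirm against the HTML file.
        """
        expected = 'sri-not-implemented-and-external-scripts-not-loaded-securely'
        self.reqs = empty_requests('test_content_sri_notimpl_external_noproto.html')

        result = subresource_integrity(self.reqs)

        # The deprecated assertEquals alias no longer exists in Python 3.12.
        self.assertEqual(expected, result['result'])
        self.assertFalse(result['pass'])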
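    def test_implemented_same_origin(self):
        """Expect the top SRI grade for the ``impl_sameorigin`` fixture.

        The analyzer must return
        ``sri-implemented-and-all-scripts-loaded-securely`` with
        ``result['pass']`` true.
        """
        expected = 'sri-implemented-and-all-scripts-loaded-securely'
        self.reqs = empty_requests('test_content_sri_impl_sameorigin.html')

        result = subresource_integrity(self.reqs)

        # The deprecated assertEquals alias no longer exists in Python 3.12.
        self.assertEqual(expected, result['result'])
        self.assertTrue(result['pass'])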
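    def test_implemented_external_scripts_https(self):
        """Expect a passing SRI grade for both external-HTTPS fixtures.

        Each fixture must be reported as
        ``sri-implemented-and-external-scripts-loaded-securely`` with a true
        ``result['pass']``. Where the scripts come from is taken from the
        comments on each fixture name.
        """
        expected = 'sri-implemented-and-external-scripts-loaded-securely'

        for fixture in (
                'test_content_sri_impl_external_https1.html',  # load from a remote site
                'test_content_sri_impl_external_https2.html',  # load from an intranet / localhost
        ):
            # One sub-test per fixture, so a failure says which page broke.
            with self.subTest(fixture=fixture):
                self.reqs = empty_requests(fixture)

                result = subresource_integrity(self.reqs)

                # The deprecated assertEquals alias no longer exists in Python 3.12.
                self.assertEqual(expected, result['result'])
                self.assertTrue(result['pass'])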
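    def test_no_scripts(self):
        """Expect a pass for the ``no_scripts`` fixture even though SRI is absent.

        The asserted result is ``sri-not-implemented-but-no-scripts-loaded``.
        """
        expected = 'sri-not-implemented-but-no-scripts-loaded'
        self.reqs = empty_requests('test_content_sri_no_scripts.html')

        result = subresource_integrity(self.reqs)

        # The deprecated assertEquals alias no longer exists in Python 3.12.
        self.assertEqual(expected, result['result'])
        self.assertTrue(result['pass'])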
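    def test_multiple_http_equivs(self):
        """Check the CSP string parsed from the multiple-``<meta>`` fixture.

        The ``http_equiv['Content-Security-Policy']`` entry of the parsed
        response must equal the single policy string below.
        """
        reqs = empty_requests('test_parse_http_equiv_headers_csp_multiple_http_equiv1.html')

        # Asserted verbatim, including the doubled ';;' and the style-src nonce
        # that has no closing quote. These presumably mirror how the fixture's
        # tags are written and joined; confirm against the HTML before
        # "tidying" this string.
        expected = ("default-src 'none'; object-src 'none'; media-src 'none';; connect-src 'self'; " +
                    "font-src 'self'; child-src 'self'; img-src 'self'; style-src 'self' " +
                    "'nonce-gAeQO8jI4VJCsrsXkcUVRCzQjiihKteQ; script-src 'self' 'unsafe-inline' " +
                    "'nonce-gAeQO8jI4VJCsrsXkcUVRCzQjiihKteQ'")

        # assertEqual replaces the assertEquals alias, which is gone in Python 3.12.
        self.assertEqual(reqs['responses']['auto'].http_equiv['Content-Security-Policy'], expected)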
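    def test_no_unsafe_default_src_none(self):
        """Expect the ``default-src 'none'`` CSP grade across header and ``<meta>`` delivery.

        The header-only loop also asserts ``policy['defaultNone']``. The
        ``<meta>`` fixtures and the combined header-plus-``<meta>`` case assert
        only the result string and the ``http`` / ``meta`` / ``pass`` flags.
        """
        top_grade = 'csp-implemented-with-no-unsafe-default-src-none'
        values = ("default-src",  # no value == 'none'
                  # Contains 'unsafe-inline' together with a nonce and
                  # 'strict-dynamic'. It is still expected to grade as "no unsafe";
                  # the reason is not visible here, so check the analyzer.
                  "default-src 'none'; script-src 'strict-dynamic' 'nonce-abc123' 'unsafe-inline'",
                  "default-src 'none'; script-src https://mozilla.org;" +
                  "style-src https://mozilla.org; upgrade-insecure-requests;",
                  "default-src 'none'; object-src https://mozilla.org")

        for value in values:
            # One sub-test per policy string, so a failure names the policy.
            with self.subTest(csp=value):
                self.reqs['responses']['auto'].headers['Content-Security-Policy'] = value

                result = content_security_policy(self.reqs)

                # The deprecated assertEquals alias no longer exists in Python 3.12.
                self.assertEqual(top_grade, result['result'])
                self.assertTrue(result['http'])
                self.assertFalse(result['meta'])
                self.assertTrue(result['pass'])
                self.assertTrue(result['policy']['defaultNone'])

        # Do the same with an HTTP equiv (single <meta> policy, no header)
        self.reqs = empty_requests('test_parse_http_equiv_headers_csp1.html')
        result = content_security_policy(self.reqs)
        self.assertEqual(top_grade, result['result'])
        self.assertFalse(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])

        # Do the same with the multiple-http-equiv fixture
        self.reqs = empty_requests('test_parse_http_equiv_headers_csp_multiple_http_equiv1.html')
        result = content_security_policy(self.reqs)
        self.assertEqual(top_grade, result['result'])
        self.assertFalse(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])

        # And that same thing, but with both a header and a <meta> policy. The
        # header on its own sets no default-src.
        self.reqs['responses']['auto'].headers['Content-Security-Policy'] = "script-src https://mozilla.org;"
        result = content_security_policy(self.reqs)
        self.assertEqual(top_grade, result['result'])
        self.assertTrue(result['http'])
        self.assertTrue(result['meta'])
        self.assertTrue(result['pass'])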
 def setUp(self):
     """Store the result of a no-argument ``empty_requests()`` call on ``self.reqs``."""
     fresh_reqs = empty_requests()
     self.reqs = fresh_reqs
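    def test_header_case_insensitivity(self):
        """Check that ``http_equiv`` lookups ignore the case of the header name.

        Two differently cased spellings of ``Content-Security-Policy`` must
        both return the policy parsed from the fixture, so a page cannot hide
        a ``<meta>`` policy from the analyzers through unusual casing.
        """
        reqs = empty_requests('test_parse_http_equiv_headers_csp1.html')
        http_equiv = reqs['responses']['auto'].http_equiv

        for name in ('content-security-policy', 'content-SECURITY-policy'):
            # subTest names the failing spelling in the report.
            with self.subTest(header=name):
                # assertEqual: the assertEquals alias no longer exists in Python 3.12.
                self.assertEqual(http_equiv[name], "default-src 'none';")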
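    def test_header_match(self):
        """Check that the csp1 fixture parses to exactly one ``http_equiv`` entry.

        The whole mapping is compared, so an extra parsed header would fail
        the test as well as a wrong policy value.
        """
        reqs = empty_requests('test_parse_http_equiv_headers_csp1.html')

        # assertEqual replaces the assertEquals alias, which is gone in Python 3.12.
        self.assertEqual(reqs['responses']['auto'].http_equiv, {'Content-Security-Policy': "default-src 'none';"})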
 def setUp(self):
     """Assign a new ``empty_requests()`` result to ``self.reqs`` for the test to use."""
     baseline = empty_requests()
     self.reqs = baseline