|
|
@ -920,21 +920,30 @@ define([
|
|
|
|
});
|
|
|
|
});
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
var validateCSP = function (raw, expected) {
|
|
|
|
var validateCSP = function (raw, msg, expected) {
|
|
|
|
var CSP = parseCSP(raw);
|
|
|
|
var CSP = parseCSP(raw);
|
|
|
|
var checkRule = function (attr, rules) {
|
|
|
|
var checkRule = function (attr, rules) {
|
|
|
|
var h = CSP[attr];
|
|
|
|
var v = CSP[attr];
|
|
|
|
// return `true` if you fail this test...
|
|
|
|
// return `true` if you fail this test...
|
|
|
|
if (typeof(h) !== 'string' || !h) { return true; }
|
|
|
|
if (typeof(v) !== 'string' || !v) { return true; }
|
|
|
|
var l = rules.length;
|
|
|
|
var l = rules.length;
|
|
|
|
for (var i = 0;i < l;i++) {
|
|
|
|
for (var i = 0;i < l;i++) {
|
|
|
|
if (!h.includes(rules[i])) {
|
|
|
|
if (typeof(rules[i]) !== 'undefined' && !v.includes(rules[i])) {
|
|
|
|
console.log("BAD_HEADER", rules[i]);
|
|
|
|
console.log("BAD_HEADER", rules[i]);
|
|
|
|
|
|
|
|
//msg.appendChild(h('br'));
|
|
|
|
|
|
|
|
//msg.appendChild(h('br'));
|
|
|
|
|
|
|
|
msg.appendChild(h('p', [
|
|
|
|
|
|
|
|
'A value of ',
|
|
|
|
|
|
|
|
code('"' + rules.filter(Boolean).join(' ') + '"'),
|
|
|
|
|
|
|
|
' was expected for the ',
|
|
|
|
|
|
|
|
code(attr),
|
|
|
|
|
|
|
|
' directive.',
|
|
|
|
|
|
|
|
]));
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
h = h.replace(rules[i], '');
|
|
|
|
v = v.replace(rules[i], '');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return h.trim();
|
|
|
|
return v.trim();
|
|
|
|
};
|
|
|
|
};
|
|
|
|
if (Object.keys(expected).some(function (dir) {
|
|
|
|
if (Object.keys(expected).some(function (dir) {
|
|
|
|
var result = checkRule(dir, expected[dir]);
|
|
|
|
var result = checkRule(dir, expected[dir]);
|
|
|
@ -956,7 +965,14 @@ define([
|
|
|
|
assert(function (_cb, msg) {
|
|
|
|
assert(function (_cb, msg) {
|
|
|
|
var url = '/sheet/inner.html';
|
|
|
|
var url = '/sheet/inner.html';
|
|
|
|
var cb = Util.once(Util.mkAsync(_cb));
|
|
|
|
var cb = Util.once(Util.mkAsync(_cb));
|
|
|
|
msg.appendChild(CSP_WARNING(url));
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
|
|
|
|
code(trimmedUnsafe + url),
|
|
|
|
|
|
|
|
' was served with incorrect ',
|
|
|
|
|
|
|
|
code('Content-Security-Policy'),
|
|
|
|
|
|
|
|
' headers.',
|
|
|
|
|
|
|
|
]));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//msg.appendChild(CSP_WARNING(url));
|
|
|
|
deferredPostMessage({
|
|
|
|
deferredPostMessage({
|
|
|
|
command: 'GET_HEADER',
|
|
|
|
command: 'GET_HEADER',
|
|
|
|
content: {
|
|
|
|
content: {
|
|
|
@ -966,7 +982,7 @@ define([
|
|
|
|
}, function (raw) {
|
|
|
|
}, function (raw) {
|
|
|
|
var $outer = trimmedUnsafe;
|
|
|
|
var $outer = trimmedUnsafe;
|
|
|
|
var $sandbox = trimmedSafe;
|
|
|
|
var $sandbox = trimmedSafe;
|
|
|
|
var result = validateCSP(raw, {
|
|
|
|
var result = validateCSP(raw, msg, {
|
|
|
|
'default-src': ["'none'"],
|
|
|
|
'default-src': ["'none'"],
|
|
|
|
'style-src': ["'unsafe-inline'", "'self'", $outer],
|
|
|
|
'style-src': ["'unsafe-inline'", "'self'", $outer],
|
|
|
|
'font-src': ["'self'", 'data:', $outer],
|
|
|
|
'font-src': ["'self'", 'data:', $outer],
|
|
|
@ -997,13 +1013,16 @@ define([
|
|
|
|
assert(function (cb, msg) {
|
|
|
|
assert(function (cb, msg) {
|
|
|
|
var header = 'content-security-policy';
|
|
|
|
var header = 'content-security-policy';
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
header,
|
|
|
|
code(trimmedUnsafe + '/'),
|
|
|
|
|
|
|
|
' was served with incorrect ',
|
|
|
|
|
|
|
|
code('Content-Security-Policy'),
|
|
|
|
|
|
|
|
' headers.',
|
|
|
|
]));
|
|
|
|
]));
|
|
|
|
Tools.common_xhr('/', function (xhr) {
|
|
|
|
Tools.common_xhr('/', function (xhr) {
|
|
|
|
var raw = xhr.getResponseHeader(header);
|
|
|
|
var raw = xhr.getResponseHeader(header);
|
|
|
|
var $outer = trimmedUnsafe;
|
|
|
|
var $outer = trimmedUnsafe;
|
|
|
|
var $sandbox = trimmedSafe;
|
|
|
|
var $sandbox = trimmedSafe;
|
|
|
|
var result = validateCSP(raw, {
|
|
|
|
var result = validateCSP(raw, msg, {
|
|
|
|
'default-src': ["'none'"],
|
|
|
|
'default-src': ["'none'"],
|
|
|
|
'style-src': ["'unsafe-inline'", "'self'", $outer],
|
|
|
|
'style-src': ["'unsafe-inline'", "'self'", $outer],
|
|
|
|
'font-src': ["'self'", 'data:', $outer],
|
|
|
|
'font-src': ["'self'", 'data:', $outer],
|
|
|
|