Mirror/monolith
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

include font-src into CSP

Browse source
This commit is contained in:
Sunshine 2020-06-26 18:14:46 -04:00
parent ae5d6d2df4
commit 2ac964fae5
No known key found for this signature in database
GPG key ID: B80CA68703CD8AB1
5 changed files with 85 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/html.rs
View file

@ -1076,6 +1076,7 @@ fn get_child_node_by_name(handle: &Handle, node_name: &str) -> Handle {
pub fn stringify_document(
handle: &Handle,
opt_no_css: bool,
opt_no_fonts: bool,
opt_no_frames: bool,
opt_no_js: bool,
opt_no_images: bool,
@ -1088,7 +1089,7 @@ pub fn stringify_document(
let mut result = String::from_utf8(buf).unwrap();
// Take care of CSP
if opt_isolate || opt_no_css || opt_no_frames || opt_no_js || opt_no_images {
if opt_isolate || opt_no_css || opt_no_fonts || opt_no_frames || opt_no_js || opt_no_images {
let mut buf: Vec<u8> = Vec::new();
let mut dom = html_to_dom(&result);
let doc = dom.get_document();
@ -1097,6 +1098,7 @@ pub fn stringify_document(
let csp_content: String = csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -1137,6 +1139,7 @@ pub fn stringify_document(
pub fn csp(
opt_isolate: bool,
opt_no_css: bool,
opt_no_fonts: bool,
opt_no_frames: bool,
opt_no_js: bool,
opt_no_images: bool,
@ -1151,6 +1154,10 @@ pub fn csp(
string_list.push("style-src 'none';");
}
if opt_no_fonts {
string_list.push("font-src 'none';");
}
if opt_no_frames {
string_list.push("frame-src 'none';");
string_list.push("child-src 'none';");

1
src/main.rs
View file

@ -152,6 +152,7 @@ fn main() {
let mut result: String = stringify_document(
&dom.document,
app_args.no_css,
app_args.no_fonts,
app_args.no_frames,
app_args.no_js,
app_args.no_images,

30
src/tests/cli.rs
View file

@ -128,13 +128,41 @@ mod passing {
Ok(())
}
#[test]
fn remove_fonts_from_data_url() -> Result<(), Box<dyn std::error::Error>> {
let mut cmd = Command::cargo_bin(env!("CARGO_PKG_NAME"))?;
let out = cmd
.arg("-M")
.arg("-F")
.arg("data:text/html,<style>@font-face { font-family: myFont; src: url(font.woff); }</style>Hi")
.output()
.unwrap();
// STDOUT should contain HTML with no web fonts
assert_eq!(
std::str::from_utf8(&out.stdout).unwrap(),
"<html><head>\
<meta http-equiv=\"Content-Security-Policy\" content=\"font-src 'none';\"></meta>\
<style> </style>\
</head><body>Hi</body></html>\n"
);
// STDERR should be empty
assert_eq!(std::str::from_utf8(&out.stderr).unwrap(), "");
// The exit code should be 0
out.assert().code(0);
Ok(())
}
#[test]
fn remove_frames_from_data_url() -> Result<(), Box<dyn std::error::Error>> {
let mut cmd = Command::cargo_bin(env!("CARGO_PKG_NAME"))?;
let out = cmd
.arg("-M")
.arg("-f")
.arg("data:text/html,<iframe src=\"https://google.com\"></iframe>Hi")
.arg("data:text/html,<iframe src=\"https://duckduckgo.com\"></iframe>Hi")
.output()
.unwrap();

34
src/tests/html/csp.rs
View file

@ -13,12 +13,14 @@ mod passing {
fn isolated() {
let opt_isolate: bool = true;
let opt_no_css: bool = false;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = false;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
let csp_content = html::csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -31,12 +33,14 @@ mod passing {
fn no_css() {
let opt_isolate: bool = false;
let opt_no_css: bool = true;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = false;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
let csp_content = html::csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -45,16 +49,38 @@ mod passing {
assert_eq!(csp_content, "style-src 'none';");
}
#[test]
fn no_fonts() {
let opt_isolate: bool = false;
let opt_no_css: bool = false;
let opt_no_fonts: bool = true;
let opt_no_frames: bool = false;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
let csp_content = html::csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
);
assert_eq!(csp_content, "font-src 'none';");
}
#[test]
fn no_frames() {
let opt_isolate: bool = false;
let opt_no_css: bool = false;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = true;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
let csp_content = html::csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -67,12 +93,14 @@ mod passing {
fn no_js() {
let opt_isolate: bool = false;
let opt_no_css: bool = false;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = false;
let opt_no_js: bool = true;
let opt_no_images: bool = false;
let csp_content = html::csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -85,12 +113,14 @@ mod passing {
fn no_image() {
let opt_isolate: bool = false;
let opt_no_css: bool = false;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = false;
let opt_no_js: bool = false;
let opt_no_images: bool = true;
let csp_content = html::csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -103,17 +133,19 @@ mod passing {
fn all() {
let opt_isolate: bool = true;
let opt_no_css: bool = true;
let opt_no_fonts: bool = true;
let opt_no_frames: bool = true;
let opt_no_js: bool = true;
let opt_no_images: bool = true;
let csp_content = html::csp(
opt_isolate,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
);
assert_eq!(csp_content, "default-src 'unsafe-inline' data:; style-src 'none'; frame-src 'none'; child-src 'none'; script-src 'none'; img-src data:;");
assert_eq!(csp_content, "default-src 'unsafe-inline' data:; style-src 'none'; font-src 'none'; frame-src 'none'; child-src 'none'; script-src 'none'; img-src data:;");
}
}

18
src/tests/html/stringify_document.rs
View file

@ -15,6 +15,7 @@ mod passing {
let dom = html::html_to_dom(&html);
let opt_no_css: bool = false;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = false;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
@ -24,6 +25,7 @@ mod passing {
html::stringify_document(
&dom.document,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -42,6 +44,7 @@ mod passing {
let dom = html::html_to_dom(&html);
let opt_no_css: bool = false;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = false;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
@ -51,6 +54,7 @@ mod passing {
html::stringify_document(
&dom.document,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -81,6 +85,7 @@ mod passing {
let dom = html::html_to_dom(&html);
let opt_no_css: bool = true;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = false;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
@ -90,6 +95,7 @@ mod passing {
html::stringify_document(
&dom.document,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -116,6 +122,7 @@ mod passing {
let dom = html::html_to_dom(&html);
let opt_no_css: bool = false;
let opt_no_fonts: bool = false;
let opt_no_frames: bool = true;
let opt_no_js: bool = false;
let opt_no_images: bool = false;
@ -125,6 +132,7 @@ mod passing {
html::stringify_document(
&dom.document,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -149,14 +157,15 @@ mod passing {
<meta http-equiv=\"Content-Security-Policy\" content=\"default-src https:\">\
<link rel=\"stylesheet\" href=\"some.css\">\
<div>\
<script src=\"some.js\"></script>\
<img style=\"width: 100%;\" src=\"some.png\" />\
<iframe src=\"some.html\"></iframe>\
<script src=\"some.js\"></script>\
<img style=\"width: 100%;\" src=\"some.png\" />\
<iframe src=\"some.html\"></iframe>\
</div>";
let dom = html::html_to_dom(&html);
let opt_isolate: bool = true;
let opt_no_css: bool = true;
let opt_no_fonts: bool = true;
let opt_no_frames: bool = true;
let opt_no_js: bool = true;
let opt_no_images: bool = true;
@ -165,6 +174,7 @@ mod passing {
html::stringify_document(
&dom.document,
opt_no_css,
opt_no_fonts,
opt_no_frames,
opt_no_js,
opt_no_images,
@ -173,7 +183,7 @@ mod passing {
"<!DOCTYPE html>\
<html>\
<head>\
<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'unsafe-inline' data:; style-src 'none'; frame-src 'none'; child-src 'none'; script-src 'none'; img-src data:;\"></meta>\
<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'unsafe-inline' data:; style-src 'none'; font-src 'none'; frame-src 'none'; child-src 'none'; script-src 'none'; img-src data:;\"></meta>\
<title>no-frame no-css no-js no-image isolated document</title>\
<meta http-equiv=\"Content-Security-Policy\" content=\"default-src https:\">\
<link rel=\"stylesheet\" href=\"some.css\">\