chromium/third_party/blink/web_tests/wpt_internal/content-security-policy/support/checkReport.sub.js

(function () {

  // Get values from the substitution engine.
  // We can't just pull these from the document context
  // because this script is intended to be transcluded into
  // another document, and we want the GET values used to request it,
  // not the values for the including document

  // XXX these are unencoded, so there's an unavoidable
  // injection vulnerability in constructing this file...
  // need to upgrade the template engine.
  var reportField  = "{{GET[reportField]}}";
  var reportValue  = "{{GET[reportValue]}}";
  var reportExists = "{{GET[reportExists]}}";
  var noCookies = "{{GET[noCookies]}}";
  var reportCookieName = "{{GET[reportCookieName]}}"
  var testName = "{{GET[testName]}}"
  var cookiePresent = "{{GET[cookiePresent]}}"
  var reportCount = "{{GET[reportCount]}}"

  var location = window.location;
  if (reportCookieName == "") {
    // fallback on test file name if cookie name not specified
    reportCookieName = location.pathname.split('/')[location.pathname.split('/').length - 1].split('.')[0];
  }

  var reportID = "{{GET[reportID]}}";

  if (reportID == "") {
    var cookies = document.cookie.split(';');
    for (var i = 0; i < cookies.length; i++) {
      var cookieName = cookies[i].split('=')[0].trim();
      var cookieValue = cookies[i].split('=')[1].trim();

      if (cookieName == reportCookieName) {
        reportID = cookieValue;
        var cookieToDelete = cookieName + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=" + document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1);
        document.cookie = cookieToDelete;
        break;
      }
    }
  }

  // There is no real way to test (in this particular layer) that a CSP report
  // has *not* been sent, at least not without some major reworks and
  // involvement from all the platform participants. So the current "solution"
  // is to wait for some reasonable amount of time and if no report has been
  // received to conclude that no report has been generated. These timeouts must
  // not exceed the test timeouts set by vendors otherwise the test would fail.
  var timeout = document.querySelector("meta[name=timeout][content=long]") ? 20 : 3;
  var reportLocation = location.protocol + "//" + location.host + "/reporting/resources/report.py?op=retrieve_report&timeout=" + timeout + "&reportID=" + reportID;

  if (testName == "") testName = "Violation report status OK.";
  var reportTest = async_test(testName);

  function assert_field_value(field, value, field_name) {
    assert_true(field.indexOf(value.split(" ")[0]) != -1,
                field_name + " value of  \"" + field + "\" did not match " +
                value.split(" ")[0] + ".");
  }

  reportTest.step(function () {

    var report = new XMLHttpRequest();
    report.onload = reportTest.step_func(function () {
      var data = JSON.parse(report.responseText);

      if (data.error) {
        assert_equals("false", reportExists, data.error);
      } else {
        if (reportExists === "false") {
          assert_equals(data.length, 0,
                        "CSP report sent, but not expecting one.");
        } else {
          // With the 'report-uri' directive, the report is contained in
          // `data[0]["csp-report"]`. With the 'report-to' directive, the report
          // is contained in `data[0]["body"]`.
          const reportBody = data[0]["body"]
                ? data[0]["body"]
                : data[0]["csp-report"];

          assert_true(reportBody !== undefined,
                      "No CSP report sent, but expecting one.");
          // Firefox expands 'self' or origins in a policy to the actual origin value
          // so "www.example.com" becomes "http://www.example.com:80".
          // Accommodate this by just testing that the correct directive name
          // is reported, not the details...

          if (reportBody[reportField] !== undefined) {
            assert_field_value(reportBody[reportField], reportValue, reportField);
          } else {
            assert_equals(reportField, "", "Expected report field could not be found in report.");
          }
        }
      }

      reportTest.done();
    });

    report.open("GET", reportLocation, true);
    report.send();
  });

  if (noCookies || cookiePresent) {
      var cookieTest = async_test("Test report cookies.");
      var cookieReport = new XMLHttpRequest();
      cookieReport.onload = cookieTest.step_func(function () {
        var data = JSON.parse(cookieReport.responseText);
        if (noCookies) {
          assert_equals(data.reportCookies, "None", "Report should not contain any cookies");
        }

        if (cookiePresent) {
          assert_true(data.reportCookies.hasOwnProperty(cookiePresent), "Report should contain cookie: " + cookiePresent);
        }
        cookieTest.done();
      });
      var cReportLocation = location.protocol + "//" + location.host + "/reporting/resources/report.py?op=retrieve_cookies&timeout=" + timeout + "&reportID=" + reportID;
      cookieReport.open("GET", cReportLocation, true);
      cookieReport.send();
  }

  if (reportCount != "") {
      var reportCountTest = async_test("Test number of sent reports.");
      var reportCountReport = new XMLHttpRequest();
      reportCountReport.onload = reportCountTest.step_func(function () {
        var data = JSON.parse(reportCountReport.responseText);

        assert_equals(data.report_count, +reportCount, "Report count was not what was expected.");

        reportCountTest.done();
      });
      var cReportLocation = location.protocol + "//" + location.host + "/reporting/resources/report.py?op=retrieve_count&timeout=" + timeout + "&reportID=" + reportID;
      reportCountReport.open("GET", cReportLocation, true);
      reportCountReport.send();
  }

})();