CSP support & Page.setBypassCSP (#418)

Meir017 · kblok · commit 3e985c5f1b24 · 2018-07-18T09:54:16.000-03:00
diff --git a/lib/PuppeteerSharp.TestServer/PuppeteerSharp.TestServer.csproj b/lib/PuppeteerSharp.TestServer/PuppeteerSharp.TestServer.csproj
@@ -4,10 +4,6 @@
     <OutputType>Library</OutputType>
   </PropertyGroup>
 
-  <ItemGroup>
-    <Folder Include="wwwroot\" />
-  </ItemGroup>
-
   <ItemGroup>
     <None Remove="testCert.cer" />
   </ItemGroup>
diff --git a/lib/PuppeteerSharp.TestServer/SimpleServer.cs b/lib/PuppeteerSharp.TestServer/SimpleServer.cs
@@ -17,6 +17,7 @@ public class SimpleServer
         private readonly IDictionary<string, Action<HttpRequest>> _requestSubscribers;
         private readonly IDictionary<string, RequestDelegate> _routes;
         private readonly IDictionary<string, (string username, string password)> _auths;
+        private readonly IDictionary<string, string> _csp;
         private readonly IWebHost _webHost;
 
         public static SimpleServer Create(int port, string contentRoot) => new SimpleServer(port, contentRoot, isHttps: false);
@@ -27,6 +28,7 @@ public SimpleServer(int port, string contentRoot, bool isHttps)
             _requestSubscribers = new ConcurrentDictionary<string, Action<HttpRequest>>();
             _routes = new ConcurrentDictionary<string, RequestDelegate>();
             _auths = new ConcurrentDictionary<string, (string username, string password)>();
+            _csp = new ConcurrentDictionary<string, string>();
             _webHost = new WebHostBuilder()
                 .ConfigureAppConfiguration((context, builder) => builder
                     .SetBasePath(context.HostingEnvironment.ContentRootPath)
@@ -50,7 +52,16 @@ public SimpleServer(int port, string contentRoot, bool isHttps)
                         }
                         return next();
                     })
-                    .UseStaticFiles())
+                    .UseStaticFiles(new StaticFileOptions
+                    {
+                        OnPrepareResponse = fileResponseContext =>
+                        {
+                            if(_csp.TryGetValue(fileResponseContext.Context.Request.Path, out var csp))
+                            {
+                                fileResponseContext.Context.Response.Headers["Content-Security-Policy"] = csp;
+                            }
+                        }
+                    }))
                 .UseKestrel(options =>
                 {
                     if (isHttps)
@@ -66,10 +77,9 @@ public SimpleServer(int port, string contentRoot, bool isHttps)
                 .Build();
         }
 
-        public void SetAuth(string path, string username, string password)
-        {
-            _auths.Add(path, (username, password));
-        }
+        public void SetAuth(string path, string username, string password) => _auths.Add(path, (username, password));
+
+        public void SetCSP(string path, string csp) => _csp.Add(path, csp);
 
         public Task StartAsync() => _webHost.StartAsync();
 
@@ -84,26 +94,21 @@ public void Reset()
         {
             _routes.Clear();
             _auths.Clear();
+            _csp.Clear();
             foreach (var subscriber in _requestSubscribers.Values)
             {
                 subscriber(null);
             }
             _requestSubscribers.Clear();
         }
 
-        public void SetRoute(string path, RequestDelegate handler)
-        {
-            _routes.Add(path, handler);
-        }
+        public void SetRoute(string path, RequestDelegate handler) => _routes.Add(path, handler);
 
-        public void SetRedirect(string from, string to)
+        public void SetRedirect(string from, string to) => SetRoute(from, context =>
         {
-            SetRoute(from, context =>
-            {
-                context.Response.Redirect(to);
-                return Task.CompletedTask;
-            });
-        }
+            context.Response.Redirect(to);
+            return Task.CompletedTask;
+        });
 
         public async Task<T> WaitForRequest<T>(string path, Func<HttpRequest, T> selector)
         {
diff --git a/lib/PuppeteerSharp.TestServer/wwwroot/csp.html b/lib/PuppeteerSharp.TestServer/wwwroot/csp.html
@@ -0,0 +1 @@
+﻿<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
diff --git a/lib/PuppeteerSharp.Tests/FrameTests/WaitForFunctionTests.cs b/lib/PuppeteerSharp.Tests/FrameTests/WaitForFunctionTests.cs
@@ -49,6 +49,19 @@ public async Task ShouldPollOnRaf()
             await watchdog;
         }
 
+        [Fact]
+        public async Task ShouldWorkWithStrictCSPPolicy()
+        {
+            Server.SetCSP("/empty.html", "script-src " + TestConstants.ServerUrl);
+            await Page.GoToAsync(TestConstants.EmptyPage);
+            var watchdog = Page.WaitForFunctionAsync("() => window.__FOO === 'hit'", new WaitForFunctionOptions
+            {
+                Polling = WaitForFunctionPollingOption.Raf
+            });
+            await Page.EvaluateExpressionAsync("window.__FOO = 'hit'");
+            await watchdog;
+        }
+
         [Fact]
         public async Task ShouldThrowNegativePollingInterval()
         {
diff --git a/lib/PuppeteerSharp.Tests/PageTests/AddScriptTagTests.cs b/lib/PuppeteerSharp.Tests/PageTests/AddScriptTagTests.cs
@@ -105,5 +105,29 @@ public async Task ShouldWorkWithContent()
             Assert.NotNull(scriptHandle as ElementHandle);
             Assert.Equal(35, await Page.EvaluateExpressionAsync<int>("__injected"));
         }
+
+        [Fact]
+        public async Task ShouldThrowWhenAddedWithContentToTheCSPPage()
+        {
+            await Page.GoToAsync(TestConstants.ServerUrl + "/csp.html");
+            var exception = await Assert.ThrowsAsync<EvaluationFailedException>(
+                () => Page.AddScriptTagAsync(new AddTagOptions
+                {
+                    Content = "window.__injected = 35;"
+                }));
+            Assert.NotNull(exception);
+        }
+
+        [Fact]
+        public async Task ShouldThrowWhenAddedWithURLToTheCSPPage()
+        {
+            await Page.GoToAsync(TestConstants.ServerUrl + "/csp.html");
+            var exception = await Assert.ThrowsAsync<PuppeteerException>(
+                () => Page.AddScriptTagAsync(new AddTagOptions
+                {
+                    Url = TestConstants.CrossProcessUrl + "/injectedfile.js"
+                }));
+            Assert.NotNull(exception);
+        }
     }
 }
diff --git a/lib/PuppeteerSharp.Tests/PageTests/AddStyleTagTests.cs b/lib/PuppeteerSharp.Tests/PageTests/AddStyleTagTests.cs
@@ -72,5 +72,29 @@ public async Task ShouldWorkWithContent()
             Assert.Equal("rgb(0, 128, 0)", await Page.EvaluateExpressionAsync(
                 "window.getComputedStyle(document.querySelector('body')).getPropertyValue('background-color')"));
         }
+
+        [Fact]
+        public async Task ShouldThrowWhenAddedWithContentToTheCSPPage()
+        {
+            await Page.GoToAsync(TestConstants.ServerUrl + "/csp.html");
+            var exception = await Assert.ThrowsAsync<EvaluationFailedException>(
+                () => Page.AddStyleTagAsync(new AddTagOptions
+                {
+                    Content = "body { background-color: green; }"
+                }));
+            Assert.NotNull(exception);
+        }
+
+        [Fact]
+        public async Task ShouldThrowWhenAddedWithURLToTheCSPPage()
+        {
+            await Page.GoToAsync(TestConstants.ServerUrl + "/csp.html");
+            var exception = await Assert.ThrowsAsync<PuppeteerException>(
+                () => Page.AddStyleTagAsync(new AddTagOptions
+                {
+                    Url = TestConstants.CrossProcessUrl + "/injectedstyle.css"
+                }));
+            Assert.NotNull(exception);
+        }
     }
 }
diff --git a/lib/PuppeteerSharp.Tests/PageTests/EvaluateOnNewDocumentTests.cs b/lib/PuppeteerSharp.Tests/PageTests/EvaluateOnNewDocumentTests.cs
@@ -24,5 +24,23 @@ await Page.EvaluateOnNewDocumentAsync(@"function(){
             await Page.GoToAsync(TestConstants.ServerUrl + "/tamperable.html");
             Assert.Equal(123, await Page.EvaluateExpressionAsync<int>("window.result"));
         }
+
+        [Fact]
+        public async Task ShouldWorkWithCSP()
+        {
+            Server.SetCSP("/empty.html", "script-src " + TestConstants.ServerUrl);
+            await Page.EvaluateOnNewDocumentAsync(@"function(){
+                window.injected = 123;
+            }");
+            await Page.GoToAsync(TestConstants.EmptyPage);
+            Assert.Equal(123, await Page.EvaluateExpressionAsync<int>("window.injected"));
+
+            // Make sure CSP works.
+            await Page.AddScriptTagAsync(new AddTagOptions
+            {
+                Content = "window.e = 10;"
+            }).ContinueWith(_ => Task.CompletedTask);
+            Assert.Null(await Page.EvaluateExpressionAsync("window.e"));
+        }
     }
 }
diff --git a/lib/PuppeteerSharp.Tests/PageTests/SetBypassCSPTests.cs b/lib/PuppeteerSharp.Tests/PageTests/SetBypassCSPTests.cs
@@ -0,0 +1,76 @@
+﻿using System.Threading.Tasks;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace PuppeteerSharp.Tests.PageTests
+{
+    [Collection("PuppeteerLoaderFixture collection")]
+    public class SetBypassCSPTests : PuppeteerPageBaseTest
+    {
+        public SetBypassCSPTests(ITestOutputHelper output) : base(output)
+        {
+        }
+
+        [Fact]
+        public async Task ShouldBypassCSPMetaTag()
+        {
+            // Make sure CSP prohibits addScriptTag.
+            await Page.GoToAsync(TestConstants.ServerUrl + "/csp.html");
+            await Page.AddScriptTagAsync(new AddTagOptions
+            {
+                Content = "window.__injected = 42;"
+            }).ContinueWith(_ => Task.CompletedTask);
+            Assert.Null(await Page.EvaluateExpressionAsync("window.__injected"));
+
+            // By-pass CSP and try one more time.
+            await Page.SetBypassCSPAsync(true);
+            await Page.ReloadAsync();
+            await Page.AddScriptTagAsync(new AddTagOptions
+            {
+                Content = "window.__injected = 42;"
+            });
+            Assert.Equal(42, await Page.EvaluateExpressionAsync<int>("window.__injected"));
+        }
+
+        [Fact]
+        public async Task ShouldBypassCSPHeader()
+        {
+            // Make sure CSP prohibits addScriptTag.
+            Server.SetCSP("/empty.html", "default-src 'self'");
+            await Page.GoToAsync(TestConstants.EmptyPage);
+            await Page.AddScriptTagAsync(new AddTagOptions
+            {
+                Content = "window.__injected = 42;"
+            }).ContinueWith(_ => Task.CompletedTask);
+            Assert.Null(await Page.EvaluateExpressionAsync("window.__injected"));
+
+            // By-pass CSP and try one more time.
+            await Page.SetBypassCSPAsync(true);
+            await Page.ReloadAsync();
+            await Page.AddScriptTagAsync(new AddTagOptions
+            {
+                Content = "window.__injected = 42;"
+            });
+            Assert.Equal(42, await Page.EvaluateExpressionAsync<int>("window.__injected"));
+        }
+
+        [Fact]
+        public async Task ShouldBypassAfterCrossProcessNavigation()
+        {
+            await Page.SetBypassCSPAsync(true);
+            await Page.GoToAsync(TestConstants.ServerUrl + "/csp.html");
+            await Page.AddScriptTagAsync(new AddTagOptions
+            {
+                Content = "window.__injected = 42;"
+            });
+            Assert.Equal(42, await Page.EvaluateExpressionAsync<int>("window.__injected"));
+
+            await Page.GoToAsync(TestConstants.CrossProcessUrl+ "/csp.html");
+            await Page.AddScriptTagAsync(new AddTagOptions
+            {
+                Content = "window.__injected = 42;"
+            });
+            Assert.Equal(42, await Page.EvaluateExpressionAsync<int>("window.__injected"));
+        }
+    }
+}
diff --git a/lib/PuppeteerSharp/Frame.cs b/lib/PuppeteerSharp/Frame.cs
@@ -362,18 +362,24 @@ public async Task<ElementHandle> AddStyleTag(AddTagOptions options)
               const link = document.createElement('link');
               link.rel = 'stylesheet';
               link.href = url;
-              document.head.appendChild(link);
-              await new Promise((res, rej) => {
+              const promise = new Promise((res, rej) => {
                 link.onload = res;
                 link.onerror = rej;
               });
+              document.head.appendChild(link);
+              await promise;
               return link;
             }";
-            const string addStyleContent = @"function addStyleContent(content) {
+            const string addStyleContent = @"async function addStyleContent(content) {
               const style = document.createElement('style');
               style.type = 'text/css';
               style.appendChild(document.createTextNode(content));
+              const promise = new Promise((res, rej) => {
+                style.onload = res;
+                style.onerror = rej;
+              });
               document.head.appendChild(style);
+              await promise;
               return style;
             }";
 
@@ -422,18 +428,23 @@ public async Task<ElementHandle> AddScriptTag(AddTagOptions options)
               script.src = url;
               if(type)
                 script.type = type;
-              document.head.appendChild(script);
-              await new Promise((res, rej) => {
+              const promise = new Promise((res, rej) => {
                 script.onload = res;
                 script.onerror = rej;
               });
+              document.head.appendChild(script);
+              await promise;
               return script;
             }";
             const string addScriptContent = @"function addScriptContent(content, type = 'text/javascript') {
               const script = document.createElement('script');
               script.type = type;
               script.text = content;
+              let error = null;
+              script.onerror = e => error = e;
               document.head.appendChild(script);
+              if (error)
+                throw error;
               return script;
             }";
 
diff --git a/lib/PuppeteerSharp/Page.cs b/lib/PuppeteerSharp/Page.cs
@@ -842,6 +842,17 @@ public async Task<byte[]> PdfDataAsync(PdfOptions options)
         public Task SetJavaScriptEnabledAsync(bool enabled)
             => Client.SendAsync("Emulation.setScriptExecutionDisabled", new { value = !enabled });
 
+        /// <summary>
+        /// Toggles bypassing page's Content-Security-Policy.
+        /// </summary>
+        /// <param name="enabled">sets bypassing of page's Content-Security-Policy.</param>
+        /// <returns></returns>
+        /// <remarks>
+        /// CSP bypassing happens at the moment of CSP initialization rather then evaluation.
+        /// Usually this means that <see cref="SetBypassCSPAsync(bool)"/> should be called before navigating to the domain.
+        /// </remarks>
+        public Task SetBypassCSPAsync(bool enabled) => Client.SendAsync("Page.setBypassCSP", new { enabled });
+
         /// <summary>
         /// Emulates a media such as screen or print.
         /// </summary>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">`