Diffstat (limited to 'tests/end2end')
-rw-r--r--tests/end2end/data/misc/qutescheme_csrf.html20
-rw-r--r--tests/end2end/features/qutescheme.feature57
-rw-r--r--tests/end2end/test_invocations.py6
3 files changed, 81 insertions, 2 deletions
diff --git a/tests/end2end/data/misc/qutescheme_csrf.html b/tests/end2end/data/misc/qutescheme_csrf.html
new file mode 100644
index 000000000..66c8fe240
--- /dev/null
+++ b/tests/end2end/data/misc/qutescheme_csrf.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>CSRF issues with qute://settings</title>
+ <script type="text/javascript">
+ function add_img() {
+ const elem = document.createElement("img")
+ elem.src = "qute://settings/set?option=auto_save.interval&value=invalid";
+ document.body.appendChild(elem);
+ }
+ </script>
+ </head>
+ <body>
+ <form action="qute://settings/set?option=auto_save.interval&value=invalid" method="post"><button type="submit" id="via-form">Via form</button></form>
+ <input type="button" onclick="add_img()" value="Via img" id="via-img">
+ <a href="qute://settings/set?option=auto_save.interval&value=invalid" id="via-link">Via link</a>
+ <a href="/redirect-to?url=qute://settings/set%3Foption=auto_save.interval%26value=invalid" id="via-redirect">Via redirect</a>
+ </body>
+</html>
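Review bot: The fixture exercises img, link, redirect and POST-form vectors but has no script-initiated request from the http origin, so a cross-origin `fetch()`/`XMLHttpRequest` to `qute://settings/set` from an ordinary page is not covered by this data file (the XHR scenario in the feature file runs from qute://settings itself). A fifth control such as `<input type="button" onclick="fetch('qute://settings/set?option=auto_save.interval&value=invalid')" value="Via fetch" id="via-fetch">` plus a matching scenario would pin that blocking path too, if it is meant to be covered. Minor style point: the `document.createElement("img")` line is the only statement in the script without a trailing semicolon.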
diff --git a/tests/end2end/features/qutescheme.feature b/tests/end2end/features/qutescheme.feature
index 1abaadd87..74b11b344 100644
--- a/tests/end2end/features/qutescheme.feature
+++ b/tests/end2end/features/qutescheme.feature
@@ -130,6 +130,63 @@ Feature: Special qute:// pages
And I press the key "<Tab>"
Then "Invalid value 'foo' *" should be logged
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via img (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-img
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via link (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-link
+ Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via redirect (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-redirect
+ Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via form (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-form
+ Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF token (webengine)
+ When I open qute://settings
+ And I run :jseval const xhr = new XMLHttpRequest(); xhr.open("GET", "qute://settings/set"); xhr.send()
+ Then "Error while handling qute://* URL" should be logged
+ And the error "Invalid CSRF token for qute://settings!" should be shown
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via img (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-img
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via link (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-link
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+ And "Error while loading qute://settings/set?*: Invalid qute://settings request" should be logged
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via redirect (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-redirect
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+ And "Error while loading qute://settings/set?*: Invalid qute://settings request" should be logged
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via form (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-form
+ Then "Error while loading qute://settings/set?*: Unsupported request type" should be logged
+
# pdfjs support
@qtwebengine_skip: pdfjs is not implemented yet
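Review bot: The webengine link and redirect scenarios assert a log line whose source is `qute://settings/set?*`, the same URL as the blocked target, whereas the img scenario reports the http://localhost page as the source. That looks like a pinned platform quirk (presumably the first-party URL of a top-level navigation is the destination itself) rather than an intended message, so a comment above those two scenarios, e.g. `# For top-level navigations the first-party URL is the target itself, hence "from qute://settings/set"`, would keep a later reader from "fixing" the assertion. The webkit form scenario only checks `Unsupported request type`, so it documents that POST is rejected before any CSRF check rather than the CSRF protection itself; saying so in the scenario title or a comment would make that distinction explicit.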
diff --git a/tests/end2end/test_invocations.py b/tests/end2end/test_invocations.py
index d6b4b1300..4ee0f36de 100644
--- a/tests/end2end/test_invocations.py
+++ b/tests/end2end/test_invocations.py
@@ -366,8 +366,10 @@ def test_qute_settings_persistence(short_tmpdir, request, quteproc_new):
"""Make sure settings from qute://settings are persistent."""
args = _base_args(request.config) + ['--basedir', str(short_tmpdir)]
quteproc_new.start(args)
- quteproc_new.open_path(
- 'qute://settings/set?option=search.ignore_case&value=always')
+ quteproc_new.open_path('qute://settings/')
+ quteproc_new.send_cmd(':jseval --world main '
+ 'cset("search.ignore_case", "always")')
+
assert quteproc_new.get_setting('search.ignore_case') == 'always'
quteproc_new.send_cmd(':quit')