content/base/test/csp/test_bothCSPheaders.html@6474c204b198 (annotated)
content/base/test/csp/test_bothCSPheaders.html
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title> |
| michael@0 | 5 | <!-- When both headers are present, we should ignore the pre-1.0 header and |
| michael@0 | 6 | only recognize the 1.0 spec-compliant header. --> |
| michael@0 | 7 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 8 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
| michael@0 | 9 | </head> |
| michael@0 | 10 | <body> |
| michael@0 | 11 | <p id="display"></p> |
| michael@0 | 12 | <div id="content" style="display: none"> |
| michael@0 | 13 | </div> |
| michael@0 | 14 | |
| michael@0 | 15 | <iframe style="width:200px;height:200px;" id='cspframe'></iframe> |
| michael@0 | 16 | <script class="testbody" type="text/javascript"> |
| michael@0 | 17 | |
| michael@0 | 18 | var prefixedHeaderImgURL = "http://example.org/prefixed.jpg"; |
| michael@0 | 19 | var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg"; |
| michael@0 | 20 | var testsRun = 0; |
| michael@0 | 21 | var totalTests = 2; |
| michael@0 | 22 | |
| michael@0 | 23 | // This is used to watch the blocked data bounce off CSP and allowed data |
| michael@0 | 24 | // get sent out to the wire. |
| michael@0 | 25 | function examiner() { |
| michael@0 | 26 | SpecialPowers.addObserver(this, "csp-on-violate-policy", false); |
| michael@0 | 27 | SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false); |
| michael@0 | 28 | } |
| michael@0 | 29 | examiner.prototype = { |
| michael@0 | 30 | observe: function(subject, topic, data) { |
| michael@0 | 31 | if (topic === "specialpowers-http-notify-request") { |
| michael@0 | 32 | var allowedUri = data; |
| michael@0 | 33 | if (allowedUri == prefixedHeaderImgURL || allowedUri == unprefixedHeaderImgURL) { |
| michael@0 | 34 | is(allowedUri, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)"); |
| michael@0 | 35 | testRan(); |
| michael@0 | 36 | } |
| michael@0 | 37 | } |
| michael@0 | 38 | |
| michael@0 | 39 | if (topic === "csp-on-violate-policy") { |
| michael@0 | 40 | // the load was blocked, this is a pass, the Content-Security-Policy |
| michael@0 | 41 | // header doesn't allow the load, but the X-Content-Security-Header does |
| michael@0 | 42 | var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); |
| michael@0 | 43 | if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) { |
| michael@0 | 44 | is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored"); |
| michael@0 | 45 | testRan(); |
| michael@0 | 46 | } |
| michael@0 | 47 | } |
| michael@0 | 48 | }, |
| michael@0 | 49 | |
| michael@0 | 50 | // must eventually call this to remove the listener, |
| michael@0 | 51 | // or mochitests might get borked. |
| michael@0 | 52 | remove: function() { |
| michael@0 | 53 | SpecialPowers.removeObserver(this, "csp-on-violate-policy"); |
| michael@0 | 54 | SpecialPowers.removeObserver(this, "specialpowers-http-notify-request"); |
| michael@0 | 55 | } |
| michael@0 | 56 | } |
| michael@0 | 57 | |
| michael@0 | 58 | window.examiner = new examiner(); |
| michael@0 | 59 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 60 | |
| michael@0 | 61 | function testRan() { |
| michael@0 | 62 | testsRun++; |
| michael@0 | 63 | if (testsRun == totalTests) { |
| michael@0 | 64 | window.examiner.remove(); |
| michael@0 | 65 | SimpleTest.finish(); |
| michael@0 | 66 | } |
| michael@0 | 67 | } |
| michael@0 | 68 | |
| michael@0 | 69 | SpecialPowers.pushPrefEnv( |
| michael@0 | 70 | {'set':[["security.csp.speccompliant", true]]}, |
| michael@0 | 71 | function loadTestRequests() { |
| michael@0 | 72 | var cspframe = document.getElementById('cspframe'); |
| michael@0 | 73 | cspframe.src = 'file_bothCSPheaders.html'; |
| michael@0 | 74 | } |
| michael@0 | 75 | ); |
| michael@0 | 76 | </script> |
| michael@0 | 77 | </pre> |
| michael@0 | 78 | </body> |
| michael@0 | 79 | </html> |
