content/base/test/csp/test_CSP_bug910139.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

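<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>CSP should block XSLT as script, not as style</title>
  <!-- SimpleTest.js provides waitForExplicitFinish()/finish(), is() and ok() -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
</head>
<body>
  <p id="display"></p>
  <div id="content" style="display: none"></div>
  <!-- Two frames load the same .sjs document. The first is expected to render
       the XML through its XSL stylesheet, the second to have the stylesheet
       refused by CSP (the policy expected for each case is noted in the test
       functions below; presumably the .sjs varies the policy per request). -->
  <iframe style="width:100%;" id="xsltframe" title="XSLT allowed by CSP"></iframe>
  <iframe style="width:100%;" id="xsltframe2" title="XSLT blocked by CSP"></iframe>

<script class="testbody">

SimpleTest.waitForExplicitFinish();

// Text of the element with id "xsltheader" that the XSL transform emits; its
// presence in a frame's document means the stylesheet was fetched and applied.
// Must match the transform output byte for byte.
var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";

/**
 * Register `onLoad` on the iframe `frameId` and only then assign its src, so
 * the load event cannot fire before the listener exists.
 * Both test steps drive their frame through this helper.
 */
function loadFrame(frameId, onLoad) {
  var frame = document.getElementById(frameId);
  frame.addEventListener("load", onLoad, false);
  frame.src = "file_CSP_bug910139.sjs";
}

/**
 * Step 1: the XSL stylesheet comes from 'self', so a policy whose script-src
 * allows 'self' must let the transform run and the "xsltheader" element appear.
 */
function checkAllowed() {
  /* The policy for this test is:
   * Content-Security-Policy: default-src 'self'; script-src 'self'
   *
   * we load the xsl file using:
   * <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
   */
  try {
    var cspframe = document.getElementById("xsltframe");
    // Throws if the header element is missing, which is reported as a failure below.
    var xsltAllowedHeader = cspframe.contentWindow.document.getElementById("xsltheader").innerHTML;
    is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
  } catch (e) {
    // Carry the exception text so the failure is diagnosable from the log.
    ok(false, "Error: could not access content in xsltframe! " + e);
  }

  // continue with the next test
  loadFrame("xsltframe2", checkBlocked);
}

/**
 * Step 2: the policy's script-src no longer covers 'self', so CSP must refuse
 * the stylesheet; the transform never runs and the "xsltheader" element must be
 * absent. A stylesheet governed by style-src instead (default-src 'self' here)
 * would have been allowed, which is the regression this test guards against.
 */
function checkBlocked() {
  /* The policy for this test is:
   * Content-Security-Policy: default-src 'self'; script-src *.example.com
   *
   * we load the xsl file using:
   * <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
   */
  try {
    var cspframe = document.getElementById("xsltframe2");
    var xsltBlockedHeader = cspframe.contentWindow.document.getElementById("xsltheader");
    is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
  } catch (e) {
    ok(false, "Error: could not access content in xsltframe2! " + e);
  }
  SimpleTest.finish();
}

// The pref is set before the first frame is loaded so the policy is enforced
// by the spec-compliant CSP implementation for both steps.
SpecialPowers.pushPrefEnv(
  {"set": [["security.csp.speccompliant", true]]},
  function () {
    loadFrame("xsltframe", checkAllowed);
  }
);

</script>
</body>
</html>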
