content/base/test/csp/test_CSP_inlinescript.html@b8a032363ba2 (annotated)
content/base/test/csp/test_CSP_inlinescript.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Test for Content Security Policy Frame Ancestors directive</title> |
| michael@0 | 5 | <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 6 | <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script> |
| michael@0 | 7 | <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |
| michael@0 | 8 | </head> |
| michael@0 | 9 | <body> |
| michael@0 | 10 | <p id="display"></p> |
| michael@0 | 11 | <div id="content" style="display: none"> |
| michael@0 | 12 | </div> |
| michael@0 | 13 | |
| michael@0 | 14 | <iframe style="width:100%;height:300px;" id='cspframe'></iframe> |
| michael@0 | 15 | <iframe style="width:100%;height:300px;" id='cspframe2'></iframe> |
| michael@0 | 16 | <iframe style="width:100%;height:300px;" id='cspframe3'></iframe> |
| michael@0 | 17 | <script class="testbody" type="text/javascript"> |
| michael@0 | 18 | |
| michael@0 | 19 | var path = "/tests/content/base/test/csp/"; |
| michael@0 | 20 | |
| michael@0 | 21 | var inlineScriptsThatRan = 0; |
| michael@0 | 22 | var inlineScriptsBlocked = 0; |
| michael@0 | 23 | var inlineScriptsTotal = 12; |
| michael@0 | 24 | |
| michael@0 | 25 | // This is used to watch the blocked data bounce off CSP and allowed data |
| michael@0 | 26 | // get sent out to the wire. |
| michael@0 | 27 | function examiner() { |
| michael@0 | 28 | SpecialPowers.addObserver(this, "csp-on-violate-policy", false); |
| michael@0 | 29 | } |
| michael@0 | 30 | examiner.prototype = { |
| michael@0 | 31 | observe: function(subject, topic, data) { |
| michael@0 | 32 | // subject should be an nsURI, and should be either allowed or blocked. |
| michael@0 | 33 | if (!SpecialPowers.can_QI(subject)) |
| michael@0 | 34 | return; |
| michael@0 | 35 | |
| michael@0 | 36 | if (topic === "csp-on-violate-policy") { |
| michael@0 | 37 | var what = null; |
| michael@0 | 38 | try { |
| michael@0 | 39 | //these were blocked... record that they were blocked |
| michael@0 | 40 | what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); |
| michael@0 | 41 | } catch(e) { |
| michael@0 | 42 | //if that fails, the subject is probably a string |
| michael@0 | 43 | what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data"); |
| michael@0 | 44 | } |
| michael@0 | 45 | window.scriptBlocked(what, data); |
| michael@0 | 46 | } |
| michael@0 | 47 | }, |
| michael@0 | 48 | |
| michael@0 | 49 | // must eventually call this to remove the listener, |
| michael@0 | 50 | // or mochitests might get borked. |
| michael@0 | 51 | remove: function() { |
| michael@0 | 52 | SpecialPowers.removeObserver(this, "csp-on-violate-policy"); |
| michael@0 | 53 | } |
| michael@0 | 54 | } |
| michael@0 | 55 | |
| michael@0 | 56 | // called by scripts that run |
| michael@0 | 57 | // the first argument is whether the script expects to be allowed or not. |
| michael@0 | 58 | var scriptRan = function(result, testname, data) { |
| michael@0 | 59 | inlineScriptsThatRan++; |
| michael@0 | 60 | ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')'); |
| michael@0 | 61 | checkTestResults(); |
| michael@0 | 62 | } |
| michael@0 | 63 | |
| michael@0 | 64 | // called when a script is blocked |
| michael@0 | 65 | // -- we can't determine *which* frame was blocked, but at least we can count them |
| michael@0 | 66 | var scriptBlocked = function(testname, data) { |
| michael@0 | 67 | inlineScriptsBlocked++; |
| michael@0 | 68 | ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')'); |
| michael@0 | 69 | checkTestResults(); |
| michael@0 | 70 | } |
| michael@0 | 71 | |
| michael@0 | 72 | |
| michael@0 | 73 | // Check to see if all the tests have run |
| michael@0 | 74 | var checkTestResults = function() { |
| michael@0 | 75 | // if any test is incomplete, keep waiting |
| michael@0 | 76 | if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal) |
| michael@0 | 77 | return; |
| michael@0 | 78 | |
| michael@0 | 79 | // The four scripts in the page with 'unsafe-inline' should run. |
| michael@0 | 80 | is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran"); |
| michael@0 | 81 | |
| michael@0 | 82 | // The other eight scripts in the other two pages should be blocked. |
| michael@0 | 83 | is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked"); |
| michael@0 | 84 | |
| michael@0 | 85 | // ... otherwise, finish |
| michael@0 | 86 | window.examiner.remove(); |
| michael@0 | 87 | SimpleTest.finish(); |
| michael@0 | 88 | } |
| michael@0 | 89 | |
| michael@0 | 90 | ////////////////////////////////////////////////////////////////////// |
| michael@0 | 91 | // set up and go |
| michael@0 | 92 | window.examiner = new examiner(); |
| michael@0 | 93 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 94 | |
| michael@0 | 95 | function clickit() { |
| michael@0 | 96 | var cspframe = document.getElementById('cspframe'); |
| michael@0 | 97 | var a = cspframe.contentDocument.getElementById('anchortoclick'); |
| michael@0 | 98 | sendMouseEvent({type:'click'}, a, cspframe.contentWindow); |
| michael@0 | 99 | } |
| michael@0 | 100 | |
| michael@0 | 101 | function clickit2() { |
| michael@0 | 102 | var cspframe2 = document.getElementById('cspframe2'); |
| michael@0 | 103 | var a = cspframe2.contentDocument.getElementById('anchortoclick'); |
| michael@0 | 104 | sendMouseEvent({type:'click'}, a, cspframe2.contentWindow); |
| michael@0 | 105 | } |
| michael@0 | 106 | |
| michael@0 | 107 | function clickit3() { |
| michael@0 | 108 | var cspframe3 = document.getElementById('cspframe3'); |
| michael@0 | 109 | var a = cspframe3.contentDocument.getElementById('anchortoclick'); |
| michael@0 | 110 | sendMouseEvent({type:'click'}, a, cspframe3.contentWindow); |
| michael@0 | 111 | } |
| michael@0 | 112 | |
| michael@0 | 113 | SpecialPowers.pushPrefEnv( |
| michael@0 | 114 | {'set':[["security.csp.speccompliant", true]]}, |
| michael@0 | 115 | function() { |
| michael@0 | 116 | // save this for last so that our listeners are registered. |
| michael@0 | 117 | // ... this loads the testbed of good and bad requests. |
| michael@0 | 118 | document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html'; |
| michael@0 | 119 | document.getElementById('cspframe').addEventListener('load', clickit, false); |
| michael@0 | 120 | document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html'; |
| michael@0 | 121 | document.getElementById('cspframe2').addEventListener('load', clickit2, false); |
| michael@0 | 122 | document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html'; |
| michael@0 | 123 | document.getElementById('cspframe3').addEventListener('load', clickit3, false); |
| michael@0 | 124 | }); |
| michael@0 | 125 | </script> |
| michael@0 | 126 | </pre> |
| michael@0 | 127 | </body> |
| michael@0 | 128 | </html> |
