The Tor Browser / annotate

content/base/test/test_x-frame-options.html@b8a032363ba2 (annotated)

content/base/test/test_x-frame-options.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 <!DOCTYPE HTML>
michael@0 2 <html>
michael@0 3 <head>
michael@0 4 <title>Test for X-Frame-Options response header</title>
michael@0 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
michael@0 6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
michael@0 7 </head>
michael@0 8 <body>
michael@0 9 <p id="display"></p>
michael@0 10 <div id="content" style="display: none">
michael@0 11
michael@0 12 </div>
michael@0 13
michael@0 14 <iframe style="width:100%;height:300px;" id="harness"></iframe>
michael@0 15 <script class="testbody" type="text/javascript">
michael@0 16
michael@0 17 function examiner() {
michael@0 18 SpecialPowers.addObserver(this, "http-on-examine-response", false);
michael@0 19 }
michael@0 20 examiner.prototype = {
michael@0 21 observe: function(subject, topic, data) {
michael@0 22 subject = SpecialPowers.wrap(subject);
michael@0 23 if(!subject.QueryInterface)
michael@0 24 return;
michael@0 25
michael@0 26 if (topic == "http-on-examine-response") {
michael@0 27 var chan = subject.QueryInterface(SpecialPowers.Ci.nsIHttpChannel);
michael@0 28 var uri = chan.URI
michael@0 29 if (!uri.path.match(/^\/tests\/content\/base\/test\/file_x-frame-options_page\.sjs/))
michael@0 30 return;
michael@0 31 dump(">>>> PATH: "+uri.path+"\n");
michael@0 32 dump(">>> REQUEST:\n>>> "+chan.requestMethod+" "+uri.asciiSpec+"\n");
michael@0 33 dump(">>> RESPONSE HEADERS:\n");
michael@0 34 chan.visitResponseHeaders({
michael@0 35 visitHeader: function(header, value) {
michael@0 36 dump(">>> "+header+": "+value+"\n");
michael@0 37 }
michael@0 38 });
michael@0 39 }
michael@0 40 },
michael@0 41
michael@0 42 remove: function() {
michael@0 43 SpecialPowers.removeObserver(this, "http-on-examine-response");
michael@0 44 }
michael@0 45 }
michael@0 46
michael@0 47 window.examiner = new examiner();
michael@0 48
michael@0 49 var path = "/tests/content/base/test/";
michael@0 50
michael@0 51 var testFramesLoaded = function() {
michael@0 52 var harness = SpecialPowers.wrap(document).getElementById("harness");
michael@0 53
michael@0 54 // iframe from same origin, no X-F-O header - should load
michael@0 55 var frame = harness.contentDocument.getElementById("control1");
michael@0 56 var test1 = frame.contentDocument.getElementById("test").textContent;
michael@0 57 is(test1, "control1", "test control1");
michael@0 58
michael@0 59 // iframe from different origin, no X-F-O header - should load
michael@0 60 frame = harness.contentDocument.getElementById("control2");
michael@0 61 var test2 = frame.contentDocument.getElementById("test").textContent;
michael@0 62 is(test2, "control2", "test control2");
michael@0 63
michael@0 64 // iframe from same origin, X-F-O: DENY - should not load
michael@0 65 frame = harness.contentDocument.getElementById("deny");
michael@0 66 var test3 = frame.contentDocument.getElementById("test");
michael@0 67 is(test3, null, "test deny");
michael@0 68
michael@0 69 // iframe from same origin, X-F-O: SAMEORIGIN - should load
michael@0 70 frame = harness.contentDocument.getElementById("sameorigin1");
michael@0 71 var test4 = frame.contentDocument.getElementById("test").textContent;
michael@0 72 is(test4, "sameorigin1", "test sameorigin1");
michael@0 73
michael@0 74 // iframe from different origin, X-F-O: SAMEORIGIN - should not load
michael@0 75 frame = harness.contentDocument.getElementById("sameorigin2");
michael@0 76 var test5 = frame.contentDocument.getElementById("test");
michael@0 77 is(test5, null, "test sameorigin2");
michael@0 78
michael@0 79 // iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load
michael@0 80 frame = harness.contentDocument.getElementById("sameorigin5");
michael@0 81 var test6 = frame.contentDocument.getElementById("test");
michael@0 82 is(test6, null, "test sameorigin5");
michael@0 83
michael@0 84 // iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load
michael@0 85 frame = harness.contentDocument.getElementById("sameorigin6");
michael@0 86 var test7 = frame.contentDocument.getElementById("test").textContent;
michael@0 87 is(test7, "sameorigin6", "test sameorigin6");
michael@0 88
michael@0 89 // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load
michael@0 90 frame = harness.contentDocument.getElementById("sameorigin7");
michael@0 91 var test8 = frame.contentDocument.getElementById("test").textContent;
michael@0 92 is(test8, "sameorigin7", "test sameorigin7");
michael@0 93
michael@0 94 // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load
michael@0 95 frame = harness.contentDocument.getElementById("sameorigin8");
michael@0 96 var test9 = frame.contentDocument.getElementById("test");
michael@0 97 is(test9, null, "test sameorigin8");
michael@0 98
michael@0 99 // iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load
michael@0 100 frame = harness.contentDocument.getElementById("mixedpolicy");
michael@0 101 var test10 = frame.contentDocument.getElementById("test");
michael@0 102 is(test10, null, "test mixedpolicy");
michael@0 103
michael@0 104 // iframe from different origin, allow-from: this origin - should load
michael@0 105 frame = harness.contentDocument.getElementById("allow-from-allow");
michael@0 106 var test11 = frame.contentDocument.getElementById("test").textContent;
michael@0 107 is(test11, "allow-from-allow", "test allow-from-allow");
michael@0 108
michael@0 109 // iframe from different origin, with allow-from: other - should not load
michael@0 110 frame = harness.contentDocument.getElementById("allow-from-deny");
michael@0 111 var test12 = frame.contentDocument.getElementById("test");
michael@0 112 is(test12, null, "test allow-from-deny");
michael@0 113
michael@0 114 // iframe from different origin, X-F-O: SAMEORIGIN, multipart - should not load
michael@0 115 frame = harness.contentDocument.getElementById("sameorigin-multipart");
michael@0 116 var test13 = frame.contentDocument.getElementById("test");
michael@0 117 is(test13, null, "test sameorigin-multipart");
michael@0 118
michael@0 119 // iframe from same origin, X-F-O: SAMEORIGIN, multipart - should load
michael@0 120 frame = harness.contentDocument.getElementById("sameorigin-multipart2");
michael@0 121 var test14 = frame.contentDocument.getElementById("test").textContent;
michael@0 122 is(test14, "sameorigin-multipart2", "test sameorigin-multipart2");
michael@0 123
michael@0 124
michael@0 125 // frames from bug 836132 tests
michael@0 126 {
michael@0 127 frame = harness.contentDocument.getElementById("allow-from-allow-1");
michael@0 128 var theTestResult = frame.contentDocument.getElementById("test");
michael@0 129 isnot(theTestResult, null, "test afa1 should have been allowed");
michael@0 130 if(theTestResult) {
michael@0 131 is(theTestResult.textContent, "allow-from-allow-1", "test allow-from-allow-1");
michael@0 132 }
michael@0 133 }
michael@0 134 for (var i = 1; i<=14; i++) {
michael@0 135 frame = harness.contentDocument.getElementById("allow-from-deny-" + i);
michael@0 136 var theTestResult = frame.contentDocument.getElementById("test");
michael@0 137 is(theTestResult, null, "test allow-from-deny-" + i);
michael@0 138 }
michael@0 139
michael@0 140 // call tests to check principal comparison, e.g. a document can open a window
michael@0 141 // to a data: or javascript: document which frames an
michael@0 142 // X-Frame-Options: SAMEORIGIN document and the frame should load
michael@0 143 testFrameInJSURI();
michael@0 144 }
michael@0 145
michael@0 146 // test that a document can be framed under a javascript: URL opened by the
michael@0 147 // same site as the frame
michael@0 148 var testFrameInJSURI = function() {
michael@0 149 var html = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';
michael@0 150 var win = window.open();
michael@0 151 win.onload = function() {
michael@0 152 var test = win.document.getElementById("sameorigin3")
michael@0 153 .contentDocument.getElementById("test");
michael@0 154 ok(test != null, "frame under javascript: URL should have loaded.");
michael@0 155 win.close();
michael@0 156
michael@0 157 // run last test
michael@0 158 testFrameInDataURI();
michael@0 159 }
michael@0 160 win.location.href = "javascript:document.write('"+html+"');document.close();";
michael@0 161 }
michael@0 162
michael@0 163 // test that a document can be framed under a data: URL opened by the
michael@0 164 // same site as the frame
michael@0 165 var testFrameInDataURI = function() {
michael@0 166 var html = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>';
michael@0 167 var win = window.open();
michael@0 168 win.onload = function() {
michael@0 169 var test = win.document.getElementById("sameorigin4")
michael@0 170 .contentDocument.getElementById("test");
michael@0 171 ok(test != null, "frame under data: URL should have loaded.");
michael@0 172 win.close();
michael@0 173
michael@0 174 // finalize test
michael@0 175 window.examiner.remove();
michael@0 176 SimpleTest.finish();
michael@0 177 }
michael@0 178 win.location.href = "data:text/html,"+html;
michael@0 179 }
michael@0 180
michael@0 181 SimpleTest.waitForExplicitFinish();
michael@0 182
michael@0 183 // load the test harness
michael@0 184 document.getElementById("harness").src = "file_x-frame-options_main.html";
michael@0 185
michael@0 186 </script>
michael@0 187 </pre>
michael@0 188
michael@0 189 </body>
michael@0 190 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial