The Tor Browser / file comparison
comparison: content/base/test/test_x-frame-options.html
content/base/test/test_x-frame-options.html
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:c111054c5219 |
|---|---|
| 1 <!DOCTYPE HTML> | |
| 2 <html> | |
| 3 <head> | |
| 4 <title>Test for X-Frame-Options response header</title> | |
| 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> | |
| 6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> | |
| 7 </head> | |
| 8 <body> | |
| 9 <p id="display"></p> | |
| 10 <div id="content" style="display: none"> | |
| 11 | |
| 12 </div> | |
| 13 | |
| 14 <iframe style="width:100%;height:300px;" id="harness"></iframe> | |
| 15 <script class="testbody" type="text/javascript"> | |
| 16 | |
| 17 function examiner() { | |
| 18 SpecialPowers.addObserver(this, "http-on-examine-response", false); | |
| 19 } | |
| 20 examiner.prototype = { | |
| 21 observe: function(subject, topic, data) { | |
| 22 subject = SpecialPowers.wrap(subject); | |
| 23 if(!subject.QueryInterface) | |
| 24 return; | |
| 25 | |
| 26 if (topic == "http-on-examine-response") { | |
| 27 var chan = subject.QueryInterface(SpecialPowers.Ci.nsIHttpChannel); | |
| 28 var uri = chan.URI | |
| 29 if (!uri.path.match(/^\/tests\/content\/base\/test\/file_x-frame-options_page\.sjs/)) | |
| 30 return; | |
| 31 dump(">>>> PATH: "+uri.path+"\n"); | |
| 32 dump(">>> REQUEST:\n>>> "+chan.requestMethod+" "+uri.asciiSpec+"\n"); | |
| 33 dump(">>> RESPONSE HEADERS:\n"); | |
| 34 chan.visitResponseHeaders({ | |
| 35 visitHeader: function(header, value) { | |
| 36 dump(">>> "+header+": "+value+"\n"); | |
| 37 } | |
| 38 }); | |
| 39 } | |
| 40 }, | |
| 41 | |
| 42 remove: function() { | |
| 43 SpecialPowers.removeObserver(this, "http-on-examine-response"); | |
| 44 } | |
| 45 } | |
| 46 | |
| 47 window.examiner = new examiner(); | |
| 48 | |
| 49 var path = "/tests/content/base/test/"; | |
| 50 | |
| 51 var testFramesLoaded = function() { | |
| 52 var harness = SpecialPowers.wrap(document).getElementById("harness"); | |
| 53 | |
| 54 // iframe from same origin, no X-F-O header - should load | |
| 55 var frame = harness.contentDocument.getElementById("control1"); | |
| 56 var test1 = frame.contentDocument.getElementById("test").textContent; | |
| 57 is(test1, "control1", "test control1"); | |
| 58 | |
| 59 // iframe from different origin, no X-F-O header - should load | |
| 60 frame = harness.contentDocument.getElementById("control2"); | |
| 61 var test2 = frame.contentDocument.getElementById("test").textContent; | |
| 62 is(test2, "control2", "test control2"); | |
| 63 | |
| 64 // iframe from same origin, X-F-O: DENY - should not load | |
| 65 frame = harness.contentDocument.getElementById("deny"); | |
| 66 var test3 = frame.contentDocument.getElementById("test"); | |
| 67 is(test3, null, "test deny"); | |
| 68 | |
| 69 // iframe from same origin, X-F-O: SAMEORIGIN - should load | |
| 70 frame = harness.contentDocument.getElementById("sameorigin1"); | |
| 71 var test4 = frame.contentDocument.getElementById("test").textContent; | |
| 72 is(test4, "sameorigin1", "test sameorigin1"); | |
| 73 | |
| 74 // iframe from different origin, X-F-O: SAMEORIGIN - should not load | |
| 75 frame = harness.contentDocument.getElementById("sameorigin2"); | |
| 76 var test5 = frame.contentDocument.getElementById("test"); | |
| 77 is(test5, null, "test sameorigin2"); | |
| 78 | |
| 79 // iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load | |
| 80 frame = harness.contentDocument.getElementById("sameorigin5"); | |
| 81 var test6 = frame.contentDocument.getElementById("test"); | |
| 82 is(test6, null, "test sameorigin5"); | |
| 83 | |
| 84 // iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load | |
| 85 frame = harness.contentDocument.getElementById("sameorigin6"); | |
| 86 var test7 = frame.contentDocument.getElementById("test").textContent; | |
| 87 is(test7, "sameorigin6", "test sameorigin6"); | |
| 88 | |
| 89 // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load | |
| 90 frame = harness.contentDocument.getElementById("sameorigin7"); | |
| 91 var test8 = frame.contentDocument.getElementById("test").textContent; | |
| 92 is(test8, "sameorigin7", "test sameorigin7"); | |
| 93 | |
| 94 // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load | |
| 95 frame = harness.contentDocument.getElementById("sameorigin8"); | |
| 96 var test9 = frame.contentDocument.getElementById("test"); | |
| 97 is(test9, null, "test sameorigin8"); | |
| 98 | |
| 99 // iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load | |
| 100 frame = harness.contentDocument.getElementById("mixedpolicy"); | |
| 101 var test10 = frame.contentDocument.getElementById("test"); | |
| 102 is(test10, null, "test mixedpolicy"); | |
| 103 | |
| 104 // iframe from different origin, allow-from: this origin - should load | |
| 105 frame = harness.contentDocument.getElementById("allow-from-allow"); | |
| 106 var test11 = frame.contentDocument.getElementById("test").textContent; | |
| 107 is(test11, "allow-from-allow", "test allow-from-allow"); | |
| 108 | |
| 109 // iframe from different origin, with allow-from: other - should not load | |
| 110 frame = harness.contentDocument.getElementById("allow-from-deny"); | |
| 111 var test12 = frame.contentDocument.getElementById("test"); | |
| 112 is(test12, null, "test allow-from-deny"); | |
| 113 | |
| 114 // iframe from different origin, X-F-O: SAMEORIGIN, multipart - should not load | |
| 115 frame = harness.contentDocument.getElementById("sameorigin-multipart"); | |
| 116 var test13 = frame.contentDocument.getElementById("test"); | |
| 117 is(test13, null, "test sameorigin-multipart"); | |
| 118 | |
| 119 // iframe from same origin, X-F-O: SAMEORIGIN, multipart - should load | |
| 120 frame = harness.contentDocument.getElementById("sameorigin-multipart2"); | |
| 121 var test14 = frame.contentDocument.getElementById("test").textContent; | |
| 122 is(test14, "sameorigin-multipart2", "test sameorigin-multipart2"); | |
| 123 | |
| 124 | |
| 125 // frames from bug 836132 tests | |
| 126 { | |
| 127 frame = harness.contentDocument.getElementById("allow-from-allow-1"); | |
| 128 var theTestResult = frame.contentDocument.getElementById("test"); | |
| 129 isnot(theTestResult, null, "test afa1 should have been allowed"); | |
| 130 if(theTestResult) { | |
| 131 is(theTestResult.textContent, "allow-from-allow-1", "test allow-from-allow-1"); | |
| 132 } | |
| 133 } | |
| 134 for (var i = 1; i<=14; i++) { | |
| 135 frame = harness.contentDocument.getElementById("allow-from-deny-" + i); | |
| 136 var theTestResult = frame.contentDocument.getElementById("test"); | |
| 137 is(theTestResult, null, "test allow-from-deny-" + i); | |
| 138 } | |
| 139 | |
| 140 // call tests to check principal comparison, e.g. a document can open a window | |
| 141 // to a data: or javascript: document which frames an | |
| 142 // X-Frame-Options: SAMEORIGIN document and the frame should load | |
| 143 testFrameInJSURI(); | |
| 144 } | |
| 145 | |
| 146 // test that a document can be framed under a javascript: URL opened by the | |
| 147 // same site as the frame | |
| 148 var testFrameInJSURI = function() { | |
| 149 var html = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>'; | |
| 150 var win = window.open(); | |
| 151 win.onload = function() { | |
| 152 var test = win.document.getElementById("sameorigin3") | |
| 153 .contentDocument.getElementById("test"); | |
| 154 ok(test != null, "frame under javascript: URL should have loaded."); | |
| 155 win.close(); | |
| 156 | |
| 157 // run last test | |
| 158 testFrameInDataURI(); | |
| 159 } | |
| 160 win.location.href = "javascript:document.write('"+html+"');document.close();"; | |
| 161 } | |
| 162 | |
| 163 // test that a document can be framed under a data: URL opened by the | |
| 164 // same site as the frame | |
| 165 var testFrameInDataURI = function() { | |
| 166 var html = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>'; | |
| 167 var win = window.open(); | |
| 168 win.onload = function() { | |
| 169 var test = win.document.getElementById("sameorigin4") | |
| 170 .contentDocument.getElementById("test"); | |
| 171 ok(test != null, "frame under data: URL should have loaded."); | |
| 172 win.close(); | |
| 173 | |
| 174 // finalize test | |
| 175 window.examiner.remove(); | |
| 176 SimpleTest.finish(); | |
| 177 } | |
| 178 win.location.href = "data:text/html,"+html; | |
| 179 } | |
| 180 | |
| 181 SimpleTest.waitForExplicitFinish(); | |
| 182 | |
| 183 // load the test harness | |
| 184 document.getElementById("harness").src = "file_x-frame-options_main.html"; | |
| 185 | |
| 186 </script> | |
| 187 </pre> | |
| 188 | |
| 189 </body> | |
| 190 </html> |
