The Tor Browser / file comparison

comparison: content/base/test/csp/test_CSP_bug910139.html

content/base/test/csp/test_CSP_bug910139.html

branch
TOR_BUG_9701
changeset 15
b8a032363ba2
equal deleted inserted replaced
-1:000000000000 0:8f03f2248caa
1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <title>CSP should block XSLT as script, not as style</title>
5 <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
6 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
8 </head>
9 <body>
10 <p id="display"></p>
11 <div id="content" style="display: none"></div>
12 <iframe style="width:100%;" id='xsltframe'></iframe>
13 <iframe style="width:100%;" id='xsltframe2'></iframe>
14
15 <script class="testbody" type="text/javascript">
16
17 SimpleTest.waitForExplicitFinish();
18
19 // define the expected output of this test
20 var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
21
22 function checkAllowed () {
23 /* The policy for this test is:
24 * Content-Security-Policy: default-src 'self'; script-src 'self'
25 *
26 * we load the xsl file using:
27 * <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
28 */
29 try {
30 var cspframe = document.getElementById('xsltframe');
31 var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
32 is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
33 }
34 catch (e) {
35 ok(false, "Error: could not access content in xsltframe!")
36 }
37
38 // continue with the next test
39 document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
40 document.getElementById('xsltframe2').src = 'file_CSP_bug910139.sjs';
41 }
42
43 function checkBlocked () {
44 /* The policy for this test is:
45 * Content-Security-Policy: default-src 'self'; script-src *.example.com
46 *
47 * we load the xsl file using:
48 * <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
49 */
50 try {
51 var cspframe = document.getElementById('xsltframe2');
52 var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
53 is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
54 }
55 catch (e) {
56 ok(false, "Error: could not access content in xsltframe2!")
57 }
58 SimpleTest.finish();
59 }
60
61 SpecialPowers.pushPrefEnv(
62 {'set':[["security.csp.speccompliant", true]]},
63 function () {
64 document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
65 document.getElementById('xsltframe').src = 'file_CSP_bug910139.sjs';
66 }
67 );
68
69 </script>
70 </body>
71 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial