The Tor Browser / file comparison
comparison: content/base/test/csp/test_CSP_inlinescript.html
content/base/test/csp/test_CSP_inlinescript.html
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:6e138212a67b |
|---|---|
| 1 <!DOCTYPE HTML> | |
| 2 <html> | |
| 3 <head> | |
| 4 <title>Test for Content Security Policy Frame Ancestors directive</title> | |
| 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> | |
| 6 <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script> | |
| 7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> | |
| 8 </head> | |
| 9 <body> | |
| 10 <p id="display"></p> | |
| 11 <div id="content" style="display: none"> | |
| 12 </div> | |
| 13 | |
| 14 <iframe style="width:100%;height:300px;" id='cspframe'></iframe> | |
| 15 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe> | |
| 16 <iframe style="width:100%;height:300px;" id='cspframe3'></iframe> | |
| 17 <script class="testbody" type="text/javascript"> | |
| 18 | |
| 19 var path = "/tests/content/base/test/csp/"; | |
| 20 | |
| 21 var inlineScriptsThatRan = 0; | |
| 22 var inlineScriptsBlocked = 0; | |
| 23 var inlineScriptsTotal = 12; | |
| 24 | |
| 25 // This is used to watch the blocked data bounce off CSP and allowed data | |
| 26 // get sent out to the wire. | |
| 27 function examiner() { | |
| 28 SpecialPowers.addObserver(this, "csp-on-violate-policy", false); | |
| 29 } | |
| 30 examiner.prototype = { | |
| 31 observe: function(subject, topic, data) { | |
| 32 // subject should be an nsURI, and should be either allowed or blocked. | |
| 33 if (!SpecialPowers.can_QI(subject)) | |
| 34 return; | |
| 35 | |
| 36 if (topic === "csp-on-violate-policy") { | |
| 37 var what = null; | |
| 38 try { | |
| 39 //these were blocked... record that they were blocked | |
| 40 what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); | |
| 41 } catch(e) { | |
| 42 //if that fails, the subject is probably a string | |
| 43 what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data"); | |
| 44 } | |
| 45 window.scriptBlocked(what, data); | |
| 46 } | |
| 47 }, | |
| 48 | |
| 49 // must eventually call this to remove the listener, | |
| 50 // or mochitests might get borked. | |
| 51 remove: function() { | |
| 52 SpecialPowers.removeObserver(this, "csp-on-violate-policy"); | |
| 53 } | |
| 54 } | |
| 55 | |
| 56 // called by scripts that run | |
| 57 // the first argument is whether the script expects to be allowed or not. | |
| 58 var scriptRan = function(result, testname, data) { | |
| 59 inlineScriptsThatRan++; | |
| 60 ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')'); | |
| 61 checkTestResults(); | |
| 62 } | |
| 63 | |
| 64 // called when a script is blocked | |
| 65 // -- we can't determine *which* frame was blocked, but at least we can count them | |
| 66 var scriptBlocked = function(testname, data) { | |
| 67 inlineScriptsBlocked++; | |
| 68 ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')'); | |
| 69 checkTestResults(); | |
| 70 } | |
| 71 | |
| 72 | |
| 73 // Check to see if all the tests have run | |
| 74 var checkTestResults = function() { | |
| 75 // if any test is incomplete, keep waiting | |
| 76 if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal) | |
| 77 return; | |
| 78 | |
| 79 // The four scripts in the page with 'unsafe-inline' should run. | |
| 80 is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran"); | |
| 81 | |
| 82 // The other eight scripts in the other two pages should be blocked. | |
| 83 is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked"); | |
| 84 | |
| 85 // ... otherwise, finish | |
| 86 window.examiner.remove(); | |
| 87 SimpleTest.finish(); | |
| 88 } | |
| 89 | |
| 90 ////////////////////////////////////////////////////////////////////// | |
| 91 // set up and go | |
| 92 window.examiner = new examiner(); | |
| 93 SimpleTest.waitForExplicitFinish(); | |
| 94 | |
| 95 function clickit() { | |
| 96 var cspframe = document.getElementById('cspframe'); | |
| 97 var a = cspframe.contentDocument.getElementById('anchortoclick'); | |
| 98 sendMouseEvent({type:'click'}, a, cspframe.contentWindow); | |
| 99 } | |
| 100 | |
| 101 function clickit2() { | |
| 102 var cspframe2 = document.getElementById('cspframe2'); | |
| 103 var a = cspframe2.contentDocument.getElementById('anchortoclick'); | |
| 104 sendMouseEvent({type:'click'}, a, cspframe2.contentWindow); | |
| 105 } | |
| 106 | |
| 107 function clickit3() { | |
| 108 var cspframe3 = document.getElementById('cspframe3'); | |
| 109 var a = cspframe3.contentDocument.getElementById('anchortoclick'); | |
| 110 sendMouseEvent({type:'click'}, a, cspframe3.contentWindow); | |
| 111 } | |
| 112 | |
| 113 SpecialPowers.pushPrefEnv( | |
| 114 {'set':[["security.csp.speccompliant", true]]}, | |
| 115 function() { | |
| 116 // save this for last so that our listeners are registered. | |
| 117 // ... this loads the testbed of good and bad requests. | |
| 118 document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html'; | |
| 119 document.getElementById('cspframe').addEventListener('load', clickit, false); | |
| 120 document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html'; | |
| 121 document.getElementById('cspframe2').addEventListener('load', clickit2, false); | |
| 122 document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html'; | |
| 123 document.getElementById('cspframe3').addEventListener('load', clickit3, false); | |
| 124 }); | |
| 125 </script> | |
| 126 </pre> | |
| 127 </body> | |
| 128 </html> |
