The Tor Browser / file comparison
comparison: content/base/test/csp/test_bothCSPheaders.html
content/base/test/csp/test_bothCSPheaders.html
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:0025f4937a75 |
|---|---|
| 1 <!DOCTYPE HTML> | |
| 2 <html> | |
| 3 <head> | |
| 4 <title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title> | |
| 5 <!-- When both headers are present, we should ignore the pre-1.0 header and | |
| 6 only recognize the 1.0 spec-compliant header. --> | |
| 7 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> | |
| 8 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> | |
| 9 </head> | |
| 10 <body> | |
| 11 <p id="display"></p> | |
| 12 <div id="content" style="display: none"> | |
| 13 </div> | |
| 14 | |
| 15 <iframe style="width:200px;height:200px;" id='cspframe'></iframe> | |
| 16 <script class="testbody" type="text/javascript"> | |
| 17 | |
| 18 var prefixedHeaderImgURL = "http://example.org/prefixed.jpg"; | |
| 19 var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg"; | |
| 20 var testsRun = 0; | |
| 21 var totalTests = 2; | |
| 22 | |
| 23 // This is used to watch the blocked data bounce off CSP and allowed data | |
| 24 // get sent out to the wire. | |
| 25 function examiner() { | |
| 26 SpecialPowers.addObserver(this, "csp-on-violate-policy", false); | |
| 27 SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false); | |
| 28 } | |
| 29 examiner.prototype = { | |
| 30 observe: function(subject, topic, data) { | |
| 31 if (topic === "specialpowers-http-notify-request") { | |
| 32 var allowedUri = data; | |
| 33 if (allowedUri == prefixedHeaderImgURL || allowedUri == unprefixedHeaderImgURL) { | |
| 34 is(allowedUri, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)"); | |
| 35 testRan(); | |
| 36 } | |
| 37 } | |
| 38 | |
| 39 if (topic === "csp-on-violate-policy") { | |
| 40 // the load was blocked, this is a pass, the Content-Security-Policy | |
| 41 // header doesn't allow the load, but the X-Content-Security-Header does | |
| 42 var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); | |
| 43 if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) { | |
| 44 is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored"); | |
| 45 testRan(); | |
| 46 } | |
| 47 } | |
| 48 }, | |
| 49 | |
| 50 // must eventually call this to remove the listener, | |
| 51 // or mochitests might get borked. | |
| 52 remove: function() { | |
| 53 SpecialPowers.removeObserver(this, "csp-on-violate-policy"); | |
| 54 SpecialPowers.removeObserver(this, "specialpowers-http-notify-request"); | |
| 55 } | |
| 56 } | |
| 57 | |
| 58 window.examiner = new examiner(); | |
| 59 SimpleTest.waitForExplicitFinish(); | |
| 60 | |
| 61 function testRan() { | |
| 62 testsRun++; | |
| 63 if (testsRun == totalTests) { | |
| 64 window.examiner.remove(); | |
| 65 SimpleTest.finish(); | |
| 66 } | |
| 67 } | |
| 68 | |
| 69 SpecialPowers.pushPrefEnv( | |
| 70 {'set':[["security.csp.speccompliant", true]]}, | |
| 71 function loadTestRequests() { | |
| 72 var cspframe = document.getElementById('cspframe'); | |
| 73 cspframe.src = 'file_bothCSPheaders.html'; | |
| 74 } | |
| 75 ); | |
| 76 </script> | |
| 77 </pre> | |
| 78 </body> | |
| 79 </html> |
