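--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/content/base/test/browser_bug593387.js Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,65 @@
+/*
+ * Test for bug 593387
+ * Loads a chrome document in a content docshell and then inserts a
+ * X-Frame-Options: DENY iframe into the document and verifies that the document
+ * loads. The policy we are enforcing is outlined here:
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=593387#c17
+*/
+var newBrowser;
+
+function test() {
+ waitForExplicitFinish();
+
+ var newTab = gBrowser.addTab();
+ gBrowser.selectedTab = newTab;
+ newBrowser = gBrowser.getBrowserForTab(newTab);
+ //alert(newBrowser.contentWindow);
+
+ newBrowser.addEventListener("load", testXFOFrameInChrome, true);
+ newBrowser.contentWindow.location = "chrome://global/content/mozilla.xhtml";
+}
+
+function testXFOFrameInChrome() {
+ newBrowser.removeEventListener("load", testXFOFrameInChrome, true);
+
+ // Insert an iframe that specifies "X-Frame-Options: DENY" and verify
+ // that it loads, since the top context is chrome
+ var frame = newBrowser.contentDocument.createElement("iframe");
+ frame.src = "http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";
+ frame.addEventListener("load", function() {
+ frame.removeEventListener("load", arguments.callee, true);
+
+ // Test that the frame loaded
+ var test = this.contentDocument.getElementById("test");
+ is(test.tagName, "H1", "wrong element type");
+ is(test.textContent, "deny", "wrong textContent");
+
+ // Run next test (try the same with a content top-level context)
+ newBrowser.addEventListener("load", testXFOFrameInContent, true);
+ newBrowser.contentWindow.location = "http://example.com/";
+ }, true);
+
+ newBrowser.contentDocument.body.appendChild(frame);
+}
+
+function testXFOFrameInContent() {
+ newBrowser.removeEventListener("load", testXFOFrameInContent, true);
+
+ // Insert an iframe that specifies "X-Frame-Options: DENY" and verify that it
+ // is blocked from loading since the top browsing context is another site
+ var frame = newBrowser.contentDocument.createElement("iframe");
+ frame.src = "http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";
+ frame.addEventListener("load", function() {
+ frame.removeEventListener("load", arguments.callee, true);
+
+ // Test that the frame DID NOT load
+ var test = this.contentDocument.getElementById("test");
+ is(test, undefined, "should be about:blank");
+
+ // Finalize the test
+ gBrowser.removeCurrentTab();
+ finish();
+ }, true);
+
+ newBrowser.contentDocument.body.appendChild(frame);
+}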
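Review bot: The deny-path assertion in the load callback of testXFOFrameInContent is weaker than its message claims: `is(test, undefined, "should be about:blank")` only shows that no element with id `test` exists, and it never looks at the frame's location. `getElementById` returns `null` on a miss, so the check presumably passes only because the harness's `is` compares loosely. It would also pass if the frame had rendered some other document without that id. I would compare against `null` and pin the blocked state with a second assertion, for example `is(test, null, "XFO: DENY frame must not render under a content top-level");` and `is(this.contentDocument.location.href, "about:blank", "blocked frame should be about:blank");`. In the allow-path callback of testXFOFrameInChrome, `test.tagName` throws if the frame was wrongly blocked, so an `ok(test, "frame content loaded")` ahead of it would make a regression fail cleanly instead of erroring before `finish()` is reached.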