1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/content/base/test/csp/test_CSP.html Wed Dec 31 06:09:35 2014 +0100
1.3 
@@ -0,0 +1,139 @@
1.4 +<!DOCTYPE HTML>
1.5 +<html>
1.6 +<head>
1.7 + <title>Test for Content Security Policy Connections</title>
1.8 + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
1.9 + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
1.10 +</head>
1.11 +<body>
1.12 +<p id="display"></p>
1.13 +<div id="content" style="display: none">
1.14 +</div>
1.15 +<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
1.16 +<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
1.17 +<script class="testbody" type="text/javascript">
1.18 +
1.19 +var path = "/tests/content/base/test/csp/";
1.20 +
1.21 +// These are test results: -1 means it hasn't run,
1.22 +// true/false is the pass/fail result.
1.23 +window.tests = {
1.24 + img_good: -1,
1.25 + img_bad: -1,
1.26 + style_good: -1,
1.27 + style_bad: -1,
1.28 + frame_good: -1,
1.29 + frame_bad: -1,
1.30 + script_good: -1,
1.31 + script_bad: -1,
1.32 + xhr_good: -1,
1.33 + xhr_bad: -1,
1.34 + media_good: -1,
1.35 + media_bad: -1,
1.36 + font_good: -1,
1.37 + font_bad: -1,
1.38 + object_good: -1,
1.39 + object_bad: -1,
1.40 + img_spec_compliant_good: -1,
1.41 + img_spec_compliant_bad: -1,
1.42 + style_spec_compliant_good: -1,
1.43 + style_spec_compliant_bad: -1,
1.44 + frame_spec_compliant_good: -1,
1.45 + frame_spec_compliant_bad: -1,
1.46 + script_spec_compliant_good: -1,
1.47 + script_spec_compliant_bad: -1,
1.48 + xhr_spec_compliant_good: -1,
1.49 + xhr_spec_compliant_bad: -1,
1.50 + media_spec_compliant_good: -1,
1.51 + media_spec_compliant_bad: -1,
1.52 + font_spec_compliant_good: -1,
1.53 + font_spec_compliant_bad: -1,
1.54 + object_spec_compliant_good: -1,
1.55 + object_spec_compliant_bad: -1,
1.56 +};
1.57 +
1.58 +// This is used to watch the blocked data bounce off CSP and allowed data
1.59 +// get sent out to the wire.
1.60 +function examiner() {
1.61 + SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
1.62 + SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
1.63 +}
1.64 +examiner.prototype = {
1.65 + observe: function(subject, topic, data) {
1.66 + var testpat = new RegExp("testid=([a-z0-9_]+)");
1.67 +
1.68 + //_good things better be allowed!
1.69 + //_bad things better be stopped!
1.70 +
1.71 + // This is a special observer topic that is proxied from
1.72 + // http-on-modify-request in the parent process to inform us when a URI is
1.73 + // loaded
1.74 + if (topic === "specialpowers-http-notify-request") {
1.75 + var uri = data;
1.76 + if (!testpat.test(uri)) return;
1.77 + var testid = testpat.exec(uri)[1];
1.78 +
1.79 + window.testResult(testid,
1.80 + /_good/.test(testid),
1.81 + uri + " allowed by csp");
1.82 + }
1.83 +
1.84 + if (topic === "csp-on-violate-policy") {
1.85 + // these were blocked... record that they were blocked
1.86 + var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
1.87 + if (!testpat.test(asciiSpec)) return;
1.88 + var testid = testpat.exec(asciiSpec)[1];
1.89 + window.testResult(testid,
1.90 + /_bad/.test(testid),
1.91 + asciiSpec + " blocked by \"" + data + "\"");
1.92 + }
1.93 + },
1.94 +
1.95 + // must eventually call this to remove the listener,
1.96 + // or mochitests might get borked.
1.97 + remove: function() {
1.98 + SpecialPowers.removeObserver(this, "csp-on-violate-policy");
1.99 + SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
1.100 + }
1.101 +}
1.102 +
1.103 +window.examiner = new examiner();
1.104 +
1.105 +window.testResult = function(testname, result, msg) {
1.106 + //test already complete.... forget it... remember the first result.
1.107 + if (window.tests[testname] != -1)
1.108 + return;
1.109 +
1.110 + window.tests[testname] = result;
1.111 + is(result, true, testname + ' test: ' + msg);
1.112 +
1.113 + // if any test is incomplete, keep waiting
1.114 + for (var v in window.tests)
1.115 + if(tests[v] == -1)
1.116 + return;
1.117 +
1.118 + // ... otherwise, finish
1.119 + window.examiner.remove();
1.120 + SimpleTest.finish();
1.121 +}
1.122 +
1.123 +SimpleTest.waitForExplicitFinish();
1.124 +
1.125 +SpecialPowers.pushPrefEnv(
1.126 + {'set':[["security.csp.speccompliant", true],
1.127 + // This defaults to 0 ("preload none") on mobile (B2G/Android), which
1.128 + // blocks loading the resource until the user interacts with a
1.129 + // corresponding widget, which breaks the media_* tests. We set it
1.130 + // back to the default used by desktop Firefox to get consistent
1.131 + // behavior.
1.132 + ["media.preload.default", 2]]},
1.133 + function() {
1.134 + // save this for last so that our listeners are registered.
1.135 + // ... this loads the testbed of good and bad requests.
1.136 + document.getElementById('cspframe').src = 'file_CSP_main.html';
1.137 + document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
1.138 + });
1.139 +</script>
1.140 +</pre>
1.141 +</body>
1.142 +</html>
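Review bot: The first-result-wins guard at the top of `window.testResult` (`if (window.tests[testname] != -1) return;`) means that when both observer events fire for the same testid, whichever arrives second is silently dropped — so a `_bad` resource that is reported via `csp-on-violate-policy` but still reaches `specialpowers-http-notify-request` (a report-but-don't-block regression, which is exactly what this test exists to catch) records a pass. A later contradicting result should fail the test instead of being ignored, e.g. `if (window.tests[testname] != -1) { if (!result) ok(false, testname + ' test: conflicting later result: ' + msg); return; }`. Two smaller tidy-ups in the same hunk: the completion loop reads the bare global `tests[v]` while every other access goes through `window.tests`, and the markup emits a stray `</pre>` before `</body>` with no matching `<pre>` anywhere in the file.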