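--- /dev/null
+++ b/content/base/test/csp/test_CSP_bug663567.html
@@ -0,0 +1,81 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test if XSLT stylesheet is subject to document's CSP</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+  <p id="display"></p>
+  <div id="content" style="display: none"></div>
+  <iframe style="width:100%;" id='xsltframe'></iframe>
+  <iframe style="width:100%;" id='xsltframe2'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+// define the expected output of this test
+var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
+
+var finishedTests = 0;
+var numberOfTests = 2;
+
+var checkExplicitFinish = function() {
+  finishedTests++;
+  if (finishedTests == numberOfTests) {
+    SimpleTest.finish();
+  }
+}
+
+function checkAllowed () {
+  /* The policy for this test is:
+   * Content-Security-Policy: default-src 'self'
+   *
+   * we load the xsl file using:
+   * <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467.xsl"?>
+   */
+  try {
+    var cspframe = document.getElementById('xsltframe');
+    var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
+    is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
+  }
+  catch (e) {
+    ok(false, "Error: could not access content in xsltframe!")
+  }
+  checkExplicitFinish();
+}
+
+function checkBlocked () {
+  /* The policy for this test is:
+   * Content-Security-Policy: default-src *.example.com
+   *
+   * we load the xsl file using:
+   * <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467.xsl"?>
+   */
+  try {
+    var cspframe = document.getElementById('xsltframe2');
+    var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
+    is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
+  }
+  catch (e) {
+    ok(false, "Error: could not access content in xsltframe2!")
+  }
+  checkExplicitFinish();
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function () {
+    document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
+    document.getElementById('xsltframe').src = 'file_CSP_bug663567_allows.xml';
+
+    document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
+    document.getElementById('xsltframe2').src = 'file_CSP_bug663567_blocks.xml';
+  }
+);
+
+</script>
+</body>
+</html>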
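Review bot: The blocked-case assertion in checkBlocked, `is(xsltBlockedHeader, null, ...)`, also passes when the XML in xsltframe2 never loaded or failed to parse, because a missing `xsltheader` element looks the same whether the stylesheet was blocked by CSP or the fixture itself broke; as written the test proves the transform did not run, not that CSP stopped it. A guard before the `is` call such as `isnot(cspframe.contentWindow.document.documentElement, null, "xml document should still load when the xsl is blocked");`, or an assertion on an id that the untransformed XML fixture itself carries, would make the negative result meaningful (the fixture contents are not on this page, so the exact element to check needs confirming). The comment blocks in checkAllowed and checkBlocked cite `file_CSP_bug663467.xsl` while the iframes load `file_CSP_bug663567_allows.xml` and `file_CSP_bug663567_blocks.xml`; the differing bug number looks like a typo in the comments unless the stylesheet really is named that way. Minor style: `finishedTests == numberOfTests` should use `===`, and the two `ok(false, ...)` calls lack terminating semicolons.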