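--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/content/base/test/csp/test_CSP_bug885433.html Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,65 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for Content Security Policy inline stylesheets stuff</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:100%;" id='cspframe'></iframe>
+<iframe style="width:100%;" id='cspframe2'></iframe>
+<script class="testbody" type="text/javascript">
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+SimpleTest.waitForExplicitFinish();
+
+// utilities for check functions
+// black means the style wasn't applied, applied styles are green
+var green = 'rgb(0, 128, 0)';
+var black = 'rgb(0, 0, 0)';
+
+// We test both script and style execution by observing changes in computed styles
+function checkAllowed () {
+ var cspframe = document.getElementById('cspframe');
+ var color;
+
+ color = window.getComputedStyle(cspframe.contentDocument.getElementById('unsafe-inline-script-allowed')).color;
+ ok(color === green, "Inline script should be allowed");
+ color = window.getComputedStyle(cspframe.contentDocument.getElementById('unsafe-eval-script-allowed')).color;
+ ok(color === green, "Eval should be allowed");
+ color = window.getComputedStyle(cspframe.contentDocument.getElementById('unsafe-inline-style-allowed')).color;
+ ok(color === green, "Inline style should be allowed");
+}
+
+function checkBlocked () {
+ var cspframe = document.getElementById('cspframe2');
+ var color;
+
+ color = window.getComputedStyle(cspframe.contentDocument.getElementById('unsafe-inline-script-blocked')).color;
+ ok(color === black, "Inline script should be blocked");
+ color = window.getComputedStyle(cspframe.contentDocument.getElementById('unsafe-eval-script-blocked')).color;
+ ok(color === black, "Eval should be blocked");
+ color = window.getComputedStyle(cspframe.contentDocument.getElementById('unsafe-inline-style-blocked')).color;
+ ok(color === black, "Inline style should be blocked");
+
+ SimpleTest.finish();
+}
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function () {
+ document.getElementById('cspframe').src = 'file_CSP_bug885433_allows.html';
+ document.getElementById('cspframe').addEventListener('load', checkAllowed, false);
+ document.getElementById('cspframe2').src = 'file_CSP_bug885433_blocks.html';
+ document.getElementById('cspframe2').addEventListener('load', checkBlocked, false);
+ }
+);
+</script>
+</pre>
+</body>
+</html>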
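Review bot: `SimpleTest.finish()` is called only at the end of `checkBlocked`, but the two iframes load independently, so if `cspframe2` fires `load` before `cspframe` the test ends before `checkAllowed` has run and the three "should be allowed" assertions never count. Finish only once both handlers have completed, e.g. `var pending = 2; function frameDone() { if (--pending === 0) SimpleTest.finish(); }` with `frameDone();` as the last statement of both check functions in place of the direct `finish()` call. The blocked checks compare against black, which is presumably also the default text colour, so they would pass if the script or style in `file_CSP_bug885433_blocks.html` failed to apply for a reason unrelated to CSP; a short comment saying so, or a positive control in that support file (not visible here), would make the negative result trustworthy. The `</pre>` just before `</body>` has no matching opening tag and should be dropped.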