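--- /dev/null
+++ b/content/base/test/csp/test_CSP_bug888172.html
@@ -0,0 +1,78 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 888172 - CSP 1.0 does not process 'unsafe-inline' or 'unsafe-eval' for default-src</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:100%;" id='testframe1'></iframe>
+<iframe style="width:100%;" id='testframe2'></iframe>
+<iframe style="width:100%;" id='testframe3'></iframe>
+<script class="testbody" type="text/javascript">
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+SimpleTest.waitForExplicitFinish();
+
+// utilities for check functions
+// black means the style wasn't applied, applied styles are green
+var green = 'rgb(0, 128, 0)';
+var black = 'rgb(0, 0, 0)';
+
+function getElementColorById(doc, id) {
+ return window.getComputedStyle(doc.contentDocument.getElementById(id)).color;
+}
+
+// We test both script and style execution by observing changes in computed styles
+function checkDefaultSrcOnly() {
+ var testframe = document.getElementById('testframe1');
+
+ ok(getElementColorById(testframe, 'unsafe-inline-script') === green, "Inline script should be allowed");
+ ok(getElementColorById(testframe, 'unsafe-eval-script') === green, "Eval should be allowed");
+ ok(getElementColorById(testframe, 'unsafe-inline-style') === green, "Inline style should be allowed");
+}
+
+function checkDefaultSrcWithScriptSrc() {
+ var testframe = document.getElementById('testframe2');
+
+ ok(getElementColorById(testframe, 'unsafe-inline-script') === black, "Inline script should be blocked");
+ ok(getElementColorById(testframe, 'unsafe-eval-script') === black, "Eval should be blocked");
+ ok(getElementColorById(testframe, 'unsafe-inline-style') === green, "Inline style should be allowed");
+}
+
+function checkDefaultSrcWithStyleSrc() {
+ var testframe = document.getElementById('testframe3');
+
+ ok(getElementColorById(testframe, 'unsafe-inline-script') === green, "Inline script should be allowed");
+ ok(getElementColorById(testframe, 'unsafe-eval-script') === green, "Eval should be allowed");
+ ok(getElementColorById(testframe, 'unsafe-inline-style') === black, "Inline style should be blocked");
+
+ // last test calls finish
+ SimpleTest.finish();
+}
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function () {
+ document.getElementById('testframe1').src = 'file_CSP_bug888172.sjs?csp=' +
+ escape("default-src 'self' 'unsafe-inline' 'unsafe-eval'");
+ document.getElementById('testframe1').addEventListener('load', checkDefaultSrcOnly, false);
+
+ document.getElementById('testframe2').src = 'file_CSP_bug888172.sjs?csp=' +
+ escape("default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self'");
+ document.getElementById('testframe2').addEventListener('load', checkDefaultSrcWithScriptSrc, false);
+
+ document.getElementById('testframe3').src = 'file_CSP_bug888172.sjs?csp=' +
+ escape("default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'");
+ document.getElementById('testframe3').addEventListener('load', checkDefaultSrcWithStyleSrc, false);
+ }
+);
+</script>
+</pre>
+</body>
+</html>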
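Review bot: SimpleTest.finish() is called unconditionally at the end of checkDefaultSrcWithStyleSrc, yet the three iframes load independently, so if testframe3 fires its load event before testframe1 or testframe2 their ok() calls run after the harness has already finished. Counting completed checks removes the ordering assumption: declare `var pendingChecks = 3;` next to the colour constants, end each of the three check functions with `if (--pendingChecks === 0) SimpleTest.finish();`, and drop the unconditional call together with its "last test calls finish" comment. Separately, the `</pre>` just before `</body>` closes an element the document never opens and should be removed. `escape()` is a deprecated way to build a query string; `encodeURIComponent()` encodes the spaces and semicolons in the csp value that the .sjs needs and is the standard choice.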