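--- /dev/null
+++ b/content/base/test/csp/test_CSP_bug910139.html
@@ -0,0 +1,71 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>CSP should block XSLT as script, not as style</title>
+ <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+ <p id="display"></p>
+ <div id="content" style="display: none"></div>
+ <iframe style="width:100%;" id='xsltframe'></iframe>
+ <iframe style="width:100%;" id='xsltframe2'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+// define the expected output of this test
+var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
+
+function checkAllowed () {
+ /* The policy for this test is:
+ * Content-Security-Policy: default-src 'self'; script-src 'self'
+ *
+ * we load the xsl file using:
+ * <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+ */
+ try {
+ var cspframe = document.getElementById('xsltframe');
+ var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
+ is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
+ }
+ catch (e) {
+ ok(false, "Error: could not access content in xsltframe!")
+ }
+
+ // continue with the next test
+ document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
+ document.getElementById('xsltframe2').src = 'file_CSP_bug910139.sjs';
+}
+
+function checkBlocked () {
+ /* The policy for this test is:
+ * Content-Security-Policy: default-src 'self'; script-src *.example.com
+ *
+ * we load the xsl file using:
+ * <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+ */
+ try {
+ var cspframe = document.getElementById('xsltframe2');
+ var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
+ is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
+ }
+ catch (e) {
+ ok(false, "Error: could not access content in xsltframe2!")
+ }
+ SimpleTest.finish();
+}
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function () {
+ document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
+ document.getElementById('xsltframe').src = 'file_CSP_bug910139.sjs';
+ }
+);
+
+</script>
+</body>
+</html>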
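Review bot: The blocked-case assertion in checkBlocked, `is(xsltBlockedHeader, null, ...)`, is satisfied by any outcome in which the iframe has no `xsltheader` element — a failed load, a wrong document, or the .sjs serving an unexpected policy — not only by CSP refusing the XSLT, so the test can pass without exercising the check it names. Because the expected-output comment says the blocked frame should still contain the raw XML dump, add a positive assertion that the XML document actually loaded before asserting the transform did not run, e.g. `isnot(cspframe.contentWindow.document.documentElement, null, "blocked frame should still contain the untransformed XML");` (the XML root element name is not visible in this diff; matching on it would be stronger if the .sjs defines one). Relatedly, both frames load the identical `file_CSP_bug910139.sjs` URL with no distinguishing parameter, so which policy each frame receives appears to depend on server-side state in the .sjs and on load order; a query parameter such as `?type=allowed` / `?type=blocked` would make each load self-describing and safe to reorder or rerun.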