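--- /dev/null
+++ b/content/base/test/csp/test_CSP_frameancestors.html
@@ -0,0 +1,136 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for Content Security Policy Frame Ancestors directive</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+// These are test results: -1 means it hasn't run,
+// true/false is the pass/fail result.
+var framesThatShouldLoad = {
+ aa_allow: -1, /* innermost frame allows a */
+ //aa_block: -1, /* innermost frame denies a */
+ ab_allow: -1, /* innermost frame allows a */
+ //ab_block: -1, /* innermost frame denies a */
+ aba_allow: -1, /* innermost frame allows b,a */
+ //aba_block: -1, /* innermost frame denies b */
+ //aba2_block: -1, /* innermost frame denies a */
+ abb_allow: -1, /* innermost frame allows b,a */
+ //abb_block: -1, /* innermost frame denies b */
+ //abb2_block: -1, /* innermost frame denies a */
+ aa_allow_spec_compliant: -1, /* innermost frame allows a *
+ //aa_block_spec_compliant: -1, /* innermost frame denies a */
+ ab_allow_spec_compliant: -1, /* innermost frame allows a */
+ //ab_block_spec_compliant: -1, /* innermost frame denies a */
+ aba_allow_spec_compliant: -1, /* innermost frame allows b,a */
+ //aba_block_spec_compliant: -1, /* innermost frame denies b */
+ //aba2_block_spec_compliant: -1, /* innermost frame denies a */
+ abb_allow_spec_compliant: -1, /* innermost frame allows b,a */
+ //abb_block_spec_compliant: -1, /* innermost frame denies b */
+ //abb2_block_spec_compliant: -1, /* innermost frame denies a */
+};
+
+var expectedViolationsLeft = 12;
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+}
+examiner.prototype = {
+ observe: function(subject, topic, data) {
+ // subject should be an nsURI, and should be either allowed or blocked.
+ if (!SpecialPowers.can_QI(subject))
+ return;
+
+ if (topic === "csp-on-violate-policy") {
+ //these were blocked... record that they were blocked
+ var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+ window.frameBlocked(asciiSpec, data);
+ }
+ },
+
+ // must eventually call this to remove the listener,
+ // or mochitests might get borked.
+ remove: function() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ }
+}
+
+// called when a frame is loaded
+// -- if it's not enumerated above, it should not load!
+var frameLoaded = function(testname, uri) {
+ //test already complete.... forget it... remember the first result.
+ if (window.framesThatShouldLoad[testname] != -1)
+ return;
+
+ if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
+ // uh-oh, we're not expecting this frame to load!
+ ok(false, testname + ' framed site should not have loaded: ' + uri);
+ } else {
+ framesThatShouldLoad[testname] = true;
+ ok(true, testname + ' framed site when allowed by csp (' + uri + ')');
+ }
+ checkTestResults();
+}
+
+// called when a frame is blocked
+// -- we can't determine *which* frame was blocked, but at least we can count them
+var frameBlocked = function(uri, policy) {
+ ok(true, 'a CSP policy blocked frame from being loaded: ' + policy);
+ expectedViolationsLeft--;
+ checkTestResults();
+}
+
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+ // if any test is incomplete, keep waiting
+ for (var v in framesThatShouldLoad)
+ if(window.framesThatShouldLoad[v] == -1)
+ return;
+
+ if (window.expectedViolationsLeft > 0)
+ return;
+
+ // ... otherwise, finish
+ window.examiner.remove();
+ SimpleTest.finish();
+}
+
+window.addEventListener("message", receiveMessage, false);
+
+function receiveMessage(event) {
+ if (event.data.call && event.data.call == 'frameLoaded')
+ frameLoaded(event.data.testname, event.data.uri);
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+// added this so the tests run even if we don't flip the pref on by default.
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function() {
+ // save this for last so that our listeners are registered.
+ // ... this loads the testbed of good and bad requests.
+ document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
+ document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
+ });
+
+</script>
+</pre>
+</body>
+</html>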
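Review bot: The block comment on the `aa_allow_spec_compliant` entry of `framesThatShouldLoad` is never closed — `/* innermost frame allows a *` is missing its trailing `/` — so it runs on and is terminated only by the `*/` at the end of the commented-out `aa_block_spec_compliant` line directly below it. The object literal parses today by accident; the moment someone uncomments that next entry it is swallowed by the comment with no syntax error, and the expected-result table silently loses a key, so the line should read `aa_allow_spec_compliant: -1, /* innermost frame allows a */`. Separately, `receiveMessage` accepts a `frameLoaded` message from any origin and trusts `event.data.testname`, so any document that ends up in the frame tree can mark a test as loaded; comparing `event.origin` against the origins the testbed is expected to use would keep results attributable to the frame under test. The closing `</pre>` before `</body>` has no matching `<pre>` and can be dropped.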