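--- /dev/null
+++ b/content/base/test/csp/test_CSP_inlinescript.html
@@ -0,0 +1,128 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for Content Security Policy Frame Ancestors directive</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+var inlineScriptsThatRan = 0;
+var inlineScriptsBlocked = 0;
+var inlineScriptsTotal = 12;
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+}
+examiner.prototype = {
+ observe: function(subject, topic, data) {
+ // subject should be an nsURI, and should be either allowed or blocked.
+ if (!SpecialPowers.can_QI(subject))
+ return;
+
+ if (topic === "csp-on-violate-policy") {
+ var what = null;
+ try {
+ //these were blocked... record that they were blocked
+ what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+ } catch(e) {
+ //if that fails, the subject is probably a string
+ what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
+ }
+ window.scriptBlocked(what, data);
+ }
+ },
+
+ // must eventually call this to remove the listener,
+ // or mochitests might get borked.
+ remove: function() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ }
+}
+
+// called by scripts that run
+// the first argument is whether the script expects to be allowed or not.
+var scriptRan = function(result, testname, data) {
+ inlineScriptsThatRan++;
+ ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
+ checkTestResults();
+}
+
+// called when a script is blocked
+// -- we can't determine *which* frame was blocked, but at least we can count them
+var scriptBlocked = function(testname, data) {
+ inlineScriptsBlocked++;
+ ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
+ checkTestResults();
+}
+
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+ // if any test is incomplete, keep waiting
+ if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
+ return;
+
+ // The four scripts in the page with 'unsafe-inline' should run.
+ is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
+
+ // The other eight scripts in the other two pages should be blocked.
+ is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
+
+ // ... otherwise, finish
+ window.examiner.remove();
+ SimpleTest.finish();
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+function clickit() {
+ var cspframe = document.getElementById('cspframe');
+ var a = cspframe.contentDocument.getElementById('anchortoclick');
+ sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
+}
+
+function clickit2() {
+ var cspframe2 = document.getElementById('cspframe2');
+ var a = cspframe2.contentDocument.getElementById('anchortoclick');
+ sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
+}
+
+function clickit3() {
+ var cspframe3 = document.getElementById('cspframe3');
+ var a = cspframe3.contentDocument.getElementById('anchortoclick');
+ sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
+}
+
+SpecialPowers.pushPrefEnv(
+ {'set':[["security.csp.speccompliant", true]]},
+ function() {
+ // save this for last so that our listeners are registered.
+ // ... this loads the testbed of good and bad requests.
+ document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
+ document.getElementById('cspframe').addEventListener('load', clickit, false);
+ document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
+ document.getElementById('cspframe2').addEventListener('load', clickit2, false);
+ document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
+ document.getElementById('cspframe3').addEventListener('load', clickit3, false);
+ });
+</script>
+</pre>
+</body>
+</html>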
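Review bot: The new file's `<title>` says "Frame Ancestors directive" while every check in the page is about inline-script blocking, and the closing `</pre>` just before `</body>` has no matching `<pre>`; both look copied from another CSP test and should be fixed, e.g. `<title>Test for Content Security Policy inline script handling</title>` and dropping the stray `</pre>` line. In checkTestResults, once the 12th callback has run, any late scriptRan/scriptBlocked call (a 13th report from a frame) would pass the `< inlineScriptsTotal` guard again and call `window.examiner.remove()` and `SimpleTest.finish()` a second time; a one-line guard such as `if (inlineScriptsThatRan + inlineScriptsBlocked !== inlineScriptsTotal) return;` keeps a surplus report from finishing twice while still failing the count assertions. The comment on scriptBlocked already concedes that blocked scripts cannot be attributed to a frame, so it is worth saying in the header comment that the test only verifies aggregate counts (4 allowed, 8 blocked) rather than which frame blocked what.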