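--- /dev/null
+++ b/content/base/test/csp/test_bothCSPheaders.html
@@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title>
+  <!-- When both headers are present, we should ignore the pre-1.0 header and
+       only recognize the 1.0 spec-compliant header. -->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<script class="testbody" type="text/javascript">
+
+var prefixedHeaderImgURL = "http://example.org/prefixed.jpg";
+var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg";
+var testsRun = 0;
+var totalTests = 2;
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+examiner.prototype = {
+  observe: function(subject, topic, data) {
+    if (topic === "specialpowers-http-notify-request") {
+      var allowedUri = data;
+      if (allowedUri == prefixedHeaderImgURL || allowedUri == unprefixedHeaderImgURL) {
+        is(allowedUri, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)");
+        testRan();
+      }
+    }
+
+    if (topic === "csp-on-violate-policy") {
+      // the load was blocked, this is a pass, the Content-Security-Policy
+      // header doesn't allow the load, but the X-Content-Security-Header does
+      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
+        is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
+        testRan();
+      }
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+function testRan() {
+  testsRun++;
+  if (testsRun == totalTests) {
+    window.examiner.remove();
+    SimpleTest.finish();
+  }
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function loadTestRequests() {
+    var cspframe = document.getElementById('cspframe');
+    cspframe.src = 'file_bothCSPheaders.html';
+  }
+);
+</script>
+</pre>
+</body>
+</html>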
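Review bot: The `</pre>` closing tag just before `</body>` has no matching `<pre>` anywhere in the document, so it is a stray tag left over from a template and should simply be dropped. In the same file, `observe` mixes `===` for the topic checks with `==` for the URL comparisons and `testRan` uses `==` for the counter; since all operands are strings or numbers, `===` would be the consistent choice, e.g. `if (allowedUri === prefixedHeaderImgURL || allowedUri === unprefixedHeaderImgURL) {`. Note also that `remove()` and `SimpleTest.finish()` are reached only once exactly two matching notifications have arrived, so if one of the two image loads produces neither a `specialpowers-http-notify-request` nor a `csp-on-violate-policy` event the harness will time out without a failure message naming which load went missing; a short comment on `testRan` stating that the count relies on one event per test image would make that dependency explicit for the next maintainer.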