content/base/test/test_x-frame-options.html

changeset 0
6474c204b198
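--- /dev/null
+++ b/content/base/test/test_x-frame-options.html
@@ -0,0 +1,190 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for X-Frame-Options response header</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+
+<iframe style="width:100%;height:300px;" id="harness"></iframe>
+<script class="testbody" type="text/javascript">
+
+function examiner() {
+  SpecialPowers.addObserver(this, "http-on-examine-response", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    subject = SpecialPowers.wrap(subject);
+    if(!subject.QueryInterface)
+      return;
+
+    if (topic == "http-on-examine-response") {
+      var chan = subject.QueryInterface(SpecialPowers.Ci.nsIHttpChannel);
+      var uri = chan.URI
+      if (!uri.path.match(/^\/tests\/content\/base\/test\/file_x-frame-options_page\.sjs/))
+        return;
+      dump(">>>> PATH: "+uri.path+"\n");
+      dump(">>> REQUEST:\n>>> "+chan.requestMethod+" "+uri.asciiSpec+"\n");
+      dump(">>> RESPONSE HEADERS:\n");
+      chan.visitResponseHeaders({
+        visitHeader: function(header, value) {
+          dump(">>> "+header+": "+value+"\n");
+        }
+      });
+    }
+  },
+
+  remove: function() {
+    SpecialPowers.removeObserver(this, "http-on-examine-response");
+  }
+}
+
+window.examiner = new examiner();
+
+var path = "/tests/content/base/test/";
+
+var testFramesLoaded = function() {
+  var harness = SpecialPowers.wrap(document).getElementById("harness");
+
+  // iframe from same origin, no X-F-O header - should load
+  var frame = harness.contentDocument.getElementById("control1");
+  var test1 = frame.contentDocument.getElementById("test").textContent;
+  is(test1, "control1", "test control1");
+
+  // iframe from different origin, no X-F-O header - should load
+  frame = harness.contentDocument.getElementById("control2");
+  var test2 = frame.contentDocument.getElementById("test").textContent;
+  is(test2, "control2", "test control2");
+
+  // iframe from same origin, X-F-O: DENY - should not load
+  frame = harness.contentDocument.getElementById("deny");
+  var test3 = frame.contentDocument.getElementById("test");
+  is(test3, null, "test deny");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN - should load
+  frame = harness.contentDocument.getElementById("sameorigin1");
+  var test4 = frame.contentDocument.getElementById("test").textContent;
+  is(test4, "sameorigin1", "test sameorigin1");
+
+  // iframe from different origin, X-F-O: SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("sameorigin2");
+  var test5 = frame.contentDocument.getElementById("test");
+  is(test5, null, "test sameorigin2");
+
+  // iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("sameorigin5");
+  var test6 = frame.contentDocument.getElementById("test");
+  is(test6, null, "test sameorigin5");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load
+  frame = harness.contentDocument.getElementById("sameorigin6");
+  var test7 = frame.contentDocument.getElementById("test").textContent;
+  is(test7, "sameorigin6", "test sameorigin6");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load
+  frame = harness.contentDocument.getElementById("sameorigin7");
+  var test8 = frame.contentDocument.getElementById("test").textContent;
+  is(test8, "sameorigin7", "test sameorigin7");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("sameorigin8");
+  var test9 = frame.contentDocument.getElementById("test");
+  is(test9, null, "test sameorigin8");
+
+  // iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("mixedpolicy");
+  var test10 = frame.contentDocument.getElementById("test");
+  is(test10, null, "test mixedpolicy");
+
+  // iframe from different origin, allow-from: this origin - should load
+  frame = harness.contentDocument.getElementById("allow-from-allow");
+  var test11 = frame.contentDocument.getElementById("test").textContent;
+  is(test11, "allow-from-allow", "test allow-from-allow");
+
+  // iframe from different origin, with allow-from: other - should not load
+  frame = harness.contentDocument.getElementById("allow-from-deny");
+  var test12 = frame.contentDocument.getElementById("test");
+  is(test12, null, "test allow-from-deny");
+
+  // iframe from different origin, X-F-O: SAMEORIGIN, multipart - should not load
+  frame = harness.contentDocument.getElementById("sameorigin-multipart");
+  var test13 = frame.contentDocument.getElementById("test");
+  is(test13, null, "test sameorigin-multipart");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN, multipart - should load
+  frame = harness.contentDocument.getElementById("sameorigin-multipart2");
+  var test14 = frame.contentDocument.getElementById("test").textContent;
+  is(test14, "sameorigin-multipart2", "test sameorigin-multipart2");
+
+
+  // frames from bug 836132 tests
+  {
+    frame = harness.contentDocument.getElementById("allow-from-allow-1");
+    var theTestResult = frame.contentDocument.getElementById("test");
+    isnot(theTestResult, null, "test afa1 should have been allowed");
+    if(theTestResult) {
+      is(theTestResult.textContent, "allow-from-allow-1", "test allow-from-allow-1");
+    }
+  }
+  for (var i = 1; i<=14; i++) {
+    frame = harness.contentDocument.getElementById("allow-from-deny-" + i);
+    var theTestResult = frame.contentDocument.getElementById("test");
+    is(theTestResult, null, "test allow-from-deny-" + i);
+  }
+
+  // call tests to check principal comparison, e.g. a document can open a window
+  // to a data: or javascript: document which frames an
+  // X-Frame-Options: SAMEORIGIN document and the frame should load
+  testFrameInJSURI();
+}
+
+// test that a document can be framed under a javascript: URL opened by the
+// same site as the frame
+var testFrameInJSURI = function() {
+  var html = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';
+  var win = window.open();
+  win.onload = function() {
+    var test = win.document.getElementById("sameorigin3")
+              .contentDocument.getElementById("test");
+    ok(test != null, "frame under javascript: URL should have loaded.");
+    win.close();
+
+    // run last test
+    testFrameInDataURI();
+   }
+  win.location.href = "javascript:document.write('"+html+"');document.close();";
+}
+
+// test that a document can be framed under a data: URL opened by the
+// same site as the frame
+var testFrameInDataURI = function() {
+  var html = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>';
+  var win = window.open();
+  win.onload = function() {
+    var test = win.document.getElementById("sameorigin4")
+              .contentDocument.getElementById("test");
+    ok(test != null, "frame under data: URL should have loaded.");
+    win.close();
+
+    // finalize test
+    window.examiner.remove();
+    SimpleTest.finish();
+   }
+  win.location.href = "data:text/html,"+html;
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// load the test harness
+document.getElementById("harness").src = "file_x-frame-options_main.html";
+
+</script>
+</pre>
+
+</body>
+</html>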
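Review bot: The comment above the sameorigin8 check, `// iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load`, describes exactly the scenario of the sameorigin7 comment a few lines earlier yet expects the opposite outcome; since a same-origin frame under a SAMEORIGIN policy is expected to load (as sameorigin1/6/7 assert), the comment presumably should read "different origin" — worth confirming against file_x-frame-options_main.html, which is not part of this change. The `</pre>` before `</body>` has no opening tag; either drop it or open `<pre id="test">` before `<script class="testbody">` as the SimpleTest template does. The "should not load" checks only assert that `#test` is absent, so they would also pass if a frame failed to load for an unrelated reason; the surrounding positive control checks are what keep that honest, and the header dump from the examiner is the only diagnostic when one fails. Minor: `var theTestResult` is declared twice in testFramesLoaded (the bare block and the for loop), and `var uri = chan.URI` is missing its semicolon.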
