content/base/test/csp/test_CSP_bug888172.html

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purposes.

     1 <!DOCTYPE HTML>
     2 <html>
     3 <head>
     4   <title>Bug 888172 - CSP 1.0 does not process 'unsafe-inline' or 'unsafe-eval' for default-src</title>
     5   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
     6   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
     7 </head>
     8 <body>
     9 <p id="display"></p>
    10 <div id="content" style="display: none">
    11 </div>
    13 <iframe style="width:100%;" id='testframe1'></iframe>
    14 <iframe style="width:100%;" id='testframe2'></iframe>
    15 <iframe style="width:100%;" id='testframe3'></iframe>
    16 <script class="testbody" type="text/javascript">
//////////////////////////////////////////////////////////////////////
// Harness setup: the test is finished explicitly from the last frame's
// load handler instead of when this page itself finishes loading.
SimpleTest.waitForExplicitFinish();

// Expected computed colours used by the check functions below.  An element
// whose inline script/style was allowed to run ends up green; one whose
// style was never applied stays at the default black.
var green = 'rgb(0, 128, 0)',
    black = 'rgb(0, 0, 0)';
// Returns the computed CSS 'color' of the element with the given id inside
// the document loaded in `doc`.  Despite the name, `doc` is the <iframe>
// element itself: the lookup goes through its contentDocument, so the
// frame must already have finished loading when this is called.
function getElementColorById(doc, id) {
  var frameDoc = doc.contentDocument;
  var target = frameDoc.getElementById(id);
  var computed = window.getComputedStyle(target);
  return computed.color;
}
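// We test both script and style execution by observing changes in computed
// styles rather than by hooking the script/style loads themselves.

// Frame 1 is served with only `default-src 'self' 'unsafe-inline'
// 'unsafe-eval'`, so inline script, eval and inline style must all have
// run and turned their marker element green.
function checkDefaultSrcOnly() {
  var testframe = document.getElementById('testframe1');

  // is() instead of ok(a === b): on failure the log shows the actual colour,
  // not just "false".
  is(getElementColorById(testframe, 'unsafe-inline-script'), green, "Inline script should be allowed");
  is(getElementColorById(testframe, 'unsafe-eval-script'),   green, "Eval should be allowed");
  is(getElementColorById(testframe, 'unsafe-inline-style'),  green, "Inline style should be allowed");
}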
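// Frame 2 adds `script-src 'self'` to the same default-src.  The explicit
// script-src takes over for scripts and carries no 'unsafe-*' keyword, so
// inline script and eval must be blocked (marker stays black), while styles
// are still governed by default-src and remain allowed.
function checkDefaultSrcWithScriptSrc() {
  var testframe = document.getElementById('testframe2');

  // is() instead of ok(a === b): on failure the log shows the actual colour.
  is(getElementColorById(testframe, 'unsafe-inline-script'), black, "Inline script should be blocked");
  is(getElementColorById(testframe, 'unsafe-eval-script'),   black, "Eval should be blocked");
  is(getElementColorById(testframe, 'unsafe-inline-style'),  green, "Inline style should be allowed");
}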
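// Frame 3 adds `style-src 'self'` to the same default-src.  The explicit
// style-src takes over for styles and carries no 'unsafe-inline', so inline
// style must be blocked (marker stays black), while scripts are still
// governed by default-src and remain allowed.
function checkDefaultSrcWithStyleSrc() {
  var testframe = document.getElementById('testframe3');

  // is() instead of ok(a === b): on failure the log shows the actual colour.
  is(getElementColorById(testframe, 'unsafe-inline-script'), green, "Inline script should be allowed");
  is(getElementColorById(testframe, 'unsafe-eval-script'),   green, "Eval should be allowed");
  is(getElementColorById(testframe, 'unsafe-inline-style'),  black, "Inline style should be blocked");

  // This is the last frame to be checked, so it ends the test.  If a lookup
  // above throws (e.g. the frame did not load the expected document) this
  // line is not reached and the harness reports a timeout instead.
  SimpleTest.finish();
}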
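// Points the frame with id `frameId` at the .sjs helper, passing `policy`
// as the csp= query parameter, and runs `onLoad` once the frame has loaded.
function loadFrameWithCSP(frameId, policy, onLoad) {
  var frame = document.getElementById(frameId);
  // Register the handler before starting the navigation so the load event
  // cannot be missed, whatever the frame's loading timing is.
  frame.addEventListener('load', onLoad, false);
  // encodeURIComponent replaces the deprecated escape(); the .sjs helper is
  // presumably URL-decoding the query string, which yields the same policy
  // text for these directive strings -- confirm against the helper.
  frame.src = 'file_CSP_bug888172.sjs?csp=' + encodeURIComponent(policy);
}

// The security.csp.speccompliant pref selects the CSP implementation these
// checks are written against; the frames are only loaded once it is set.
SpecialPowers.pushPrefEnv(
  {'set':[["security.csp.speccompliant", true]]},
  function () {
    // default-src alone: inline script, eval and inline style all allowed.
    loadFrameWithCSP('testframe1',
                     "default-src 'self' 'unsafe-inline' 'unsafe-eval'",
                     checkDefaultSrcOnly);

    // script-src without 'unsafe-*' overrides default-src for scripts only.
    loadFrameWithCSP('testframe2',
                     "default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self'",
                     checkDefaultSrcWithScriptSrc);

    // style-src without 'unsafe-inline' overrides default-src for styles only.
    loadFrameWithCSP('testframe3',
                     "default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'",
                     checkDefaultSrcWithStyleSrc);
  }
);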
    75 </script>
    76 </pre>
    77 </body>
    78 </html>
