content/base/test/test_x-frame-options.html

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

     <!doctype html>
     <html>
     <head>
       <title>Test for X-Frame-Options response header</title>
       <!-- Mochitest support script: supplies SimpleTest and the is/isnot/ok assertions used by the test body. -->
       <script src="/tests/SimpleTest/SimpleTest.js"></script>
       <link rel="stylesheet" href="/tests/SimpleTest/test.css">
     </head>
     <body>
     <p id="display"></p>
     <div id="content" style="display: none">
     </div>
     <!-- Host frame for file_x-frame-options_main.html; its src is assigned by the last statement of the script below. -->
     <iframe style="width:100%;height:300px;" id="harness"></iframe>
     <script class="testbody" type="text/javascript">
    // Debugging aid: an observer that prints the request line and every
    // response header of each file_x-frame-options_page.sjs load, so the
    // X-Frame-Options value a frame was actually served can be read from the
    // test log. It only logs; it makes no assertions.
    function examiner() {
      // Registration happens at construction time; remove() undoes it.
      SpecialPowers.addObserver(this, "http-on-examine-response", false);
    }

    examiner.prototype = {
      // Observer callback. Returns early for subjects without QueryInterface,
      // for topics other than "http-on-examine-response", and for channels
      // whose path is not the X-Frame-Options test page.
      observe: function(subject, topic, data) {
        subject = SpecialPowers.wrap(subject);
        if (!subject.QueryInterface || topic != "http-on-examine-response") {
          return;
        }

        var channel = subject.QueryInterface(SpecialPowers.Ci.nsIHttpChannel);
        var target = channel.URI;
        var testPage = /^\/tests\/content\/base\/test\/file_x-frame-options_page\.sjs/;
        if (!testPage.test(target.path)) {
          return;
        }

        dump(">>>> PATH: " + target.path + "\n");
        dump(">>> REQUEST:\n>>> " + channel.requestMethod + " " + target.asciiSpec + "\n");
        dump(">>> RESPONSE HEADERS:\n");

        // One log line per response header, X-Frame-Options included.
        var headerPrinter = {
          visitHeader: function(header, value) {
            dump(">>> " + header + ": " + value + "\n");
          }
        };
        channel.visitResponseHeaders(headerPrinter);
      },

      // Unregisters the observer added by the constructor.
      remove: function() {
        SpecialPowers.removeObserver(this, "http-on-examine-response");
      }
    };
    // Directory of this test's support files. Nothing else in this listing
    // reads it.
    var path = "/tests/content/base/test/";

    // Start logging response headers. At script top level the function
    // declaration `examiner` is itself a property of window, so this assignment
    // replaces the constructor with the single live instance; that instance is
    // the one testFrameInDataURI calls remove() on.
    window.examiner = new examiner();
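    // Checks, for every frame in the harness document, whether the framed page
    // was allowed to load given its X-Frame-Options header and its origin.
    //
    // A framed page that loaded exposes an element with id "test" whose text is
    // the frame's own id; a blocked one has no such element. "Blocked" is thus
    // inferred only from that absence, so these checks cannot tell an
    // X-Frame-Options block apart from any other failure to load the page. The
    // header dump written by window.examiner is the place to confirm what was
    // actually served.
    //
    // Nothing in this file calls this function; presumably the harness page
    // (file_x-frame-options_main.html) invokes it once its frames have loaded
    // -- confirm against that file.
    var testFramesLoaded = function() {
      var harness = SpecialPowers.wrap(document).getElementById("harness");

      // Looks up the "test" marker inside the named frame. A missing frame
      // element still throws here, so a broken harness page cannot satisfy the
      // "should not load" checks by accident.
      function markerIn(frameId) {
        var frame = harness.contentDocument.getElementById(frameId);
        return frame.contentDocument.getElementById("test");
      }

      // Expects the framed page to have loaded. A null marker is reported as an
      // ordinary failed comparison rather than a TypeError on .textContent,
      // which would abort the remaining checks before SimpleTest.finish() is
      // reached; this mirrors the guard used for the bug 836132 frame below.
      function expectLoaded(frameId) {
        var marker = markerIn(frameId);
        is(marker ? marker.textContent : null, frameId, "test " + frameId);
      }

      // Expects the framed page to have been blocked.
      function expectBlocked(frameId) {
        is(markerIn(frameId), null, "test " + frameId);
      }

      // iframe from same origin, no X-F-O header - should load
      expectLoaded("control1");
      // iframe from different origin, no X-F-O header - should load
      expectLoaded("control2");
      // iframe from same origin, X-F-O: DENY - should not load
      expectBlocked("deny");
      // iframe from same origin, X-F-O: SAMEORIGIN - should load
      expectLoaded("sameorigin1");
      // iframe from different origin, X-F-O: SAMEORIGIN - should not load
      expectBlocked("sameorigin2");
      // iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load
      expectBlocked("sameorigin5");
      // iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load
      expectLoaded("sameorigin6");
      // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load
      expectLoaded("sameorigin7");
      // X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load.
      // NOTE(review): the comment here used to say "same origin", which
      // contradicts the sameorigin7 case directly above; presumably this frame
      // is served from a different origin -- confirm in
      // file_x-frame-options_main.html.
      expectBlocked("sameorigin8");
      // iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load
      expectBlocked("mixedpolicy");
      // iframe from different origin, allow-from: this origin - should load
      expectLoaded("allow-from-allow");
      // iframe from different origin, with allow-from: other - should not load
      expectBlocked("allow-from-deny");
      // iframe from different origin, X-F-O: SAMEORIGIN, multipart - should not load
      expectBlocked("sameorigin-multipart");
      // iframe from same origin, X-F-O: SAMEORIGIN, multipart - should load
      expectLoaded("sameorigin-multipart2");

      // frames from bug 836132 tests
      var allowedMarker = markerIn("allow-from-allow-1");
      isnot(allowedMarker, null, "test afa1 should have been allowed");
      if (allowedMarker) {
        is(allowedMarker.textContent, "allow-from-allow-1", "test allow-from-allow-1");
      }
      for (var i = 1; i <= 14; i++) {
        expectBlocked("allow-from-deny-" + i);
      }

      // call tests to check principal comparison, e.g. a document can open a window
      // to a data: or javascript: document which frames an
      // X-Frame-Options: SAMEORIGIN document and the frame should load
      testFrameInJSURI();
    };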
   // Opens a new window, navigates it to a javascript: URL that writes out a
   // document framing an X-Frame-Options: SAMEORIGIN page from the opener's own
   // site, and checks that the frame loaded. Chains to testFrameInDataURI
   // when done.
   var testFrameInJSURI = function() {
     // This markup is spliced between single quotes in the javascript: URL
     // below, so it must not contain a single quote itself.
     var frameMarkup = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';
     var popup = window.open();

     // Runs when the written document has loaded: the framed page must expose
     // its "test" element, i.e. SAMEORIGIN must not have blocked it.
     function checkFrame() {
       var framed = popup.document.getElementById("sameorigin3");
       var marker = framed.contentDocument.getElementById("test");
       ok(marker != null, "frame under javascript: URL should have loaded.");
       popup.close();

       // run last test
       testFrameInDataURI();
     }

     // The handler is attached before the navigation is started.
     popup.onload = checkFrame;
     popup.location.href = "javascript:document.write('" + frameMarkup + "');document.close();";
   };
   // Opens a new window, navigates it to a data: URL whose document frames an
   // X-Frame-Options: SAMEORIGIN page from the opener's own site, and checks
   // that the frame loaded. This is the last step of the test: it unregisters
   // the header observer and finishes the run.
   //
   // NOTE(review): the expectation depends on the data: document being treated
   // as same-origin with the page that opened it. That matches the Gecko 31
   // tree this file was taken from; later Firefox releases are understood to
   // give data: documents a unique origin, so verify before reusing this
   // expectation against another browser version.
   var testFrameInDataURI = function() {
     var frameMarkup = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>';
     var popup = window.open();

     // Runs when the data: document has loaded.
     function checkFrame() {
       var framed = popup.document.getElementById("sameorigin4");
       var marker = framed.contentDocument.getElementById("test");
       ok(marker != null, "frame under data: URL should have loaded.");
       popup.close();

       // finalize test
       window.examiner.remove();
       SimpleTest.finish();
     }

     // The handler is attached before the navigation is started.
     popup.onload = checkFrame;
     popup.location.href = "data:text/html," + frameMarkup;
   };
   // The checks run from load callbacks, so the test has to stay open until
   // testFrameInDataURI calls SimpleTest.finish().
   SimpleTest.waitForExplicitFinish();

   // load the test harness
   document.getElementById("harness").setAttribute("src", "file_x-frame-options_main.html");

   </script>
   <!-- NOTE(review): no opening <pre> appears earlier in this document as listed; confirm against the original file whether one was lost or this closing tag is stray. -->
   </pre>
   </body>
   </html>
