content/base/test/csp/test_CSP_bug663567.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>
     2 <html>
     3 <head>
     4   <title>Test if XSLT stylesheet is subject to document's CSP</title>
     5   <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
     6   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
     7   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
     8 </head>
     9 <body>
    10   <p id="display"></p>
    11   <div id="content" style="display: none"></div>
    12   <iframe style="width:100%;" id='xsltframe'></iframe>
    13   <iframe style="width:100%;" id='xsltframe2'></iframe>
    15 <script class="testbody" type="text/javascript">
    17 SimpleTest.waitForExplicitFinish();
    19 // define the expected output of this test
    20 var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
    22 var finishedTests = 0;
    23 var numberOfTests = 2;
    25 var checkExplicitFinish = function() {
    26   finishedTests++;
    27   if (finishedTests == numberOfTests) {
    28      SimpleTest.finish();
    29   }
    30 }
    32 function checkAllowed () {
    33   /*   The policy for this test is:
    34    *   Content-Security-Policy: default-src 'self'
    35    *
    36    *   we load the xsl file using:
    37    *   <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467.xsl"?>
    38    */
    39   try {
    40     var cspframe = document.getElementById('xsltframe');
    41     var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
    42     is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
    43   }
    44   catch (e) {
    45     ok(false, "Error: could not access content in xsltframe!")
    46   }
    47   checkExplicitFinish();
    48 }
    50 function checkBlocked () {
    51   /*   The policy for this test is:
    52    *   Content-Security-Policy: default-src *.example.com
    53    *
    54    *   we load the xsl file using:
    55    *   <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467.xsl"?>
    56    */
    57   try {
    58     var cspframe = document.getElementById('xsltframe2');
    59     var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
    60     is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
    61   }
    62   catch (e) {
    63     ok(false, "Error: could not access content in xsltframe2!")
    64   }
    65   checkExplicitFinish();
    66 }
    68 SpecialPowers.pushPrefEnv(
    69   {'set':[["security.csp.speccompliant", true]]},
    70   function () {
    71     document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
    72     document.getElementById('xsltframe').src = 'file_CSP_bug663567_allows.xml';
    74     document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
    75     document.getElementById('xsltframe2').src = 'file_CSP_bug663567_blocks.xml';
    76   }
    77 );
    79 </script>
    80 </body>
    81 </html>
