content/base/test/csp/test_CSP_frameancestors.html@b8a032363ba2
content/base/test/csp/test_CSP_frameancestors.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <title>Test for Content Security Policy Frame Ancestors directive</title>
5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
7 </head>
8 <body>
9 <p id="display"></p>
10 <div id="content" style="display: none">
11 </div>
12 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
13 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
14 <script class="testbody" type="text/javascript">
16 var path = "/tests/content/base/test/csp/";
18 // These are test results: -1 means it hasn't run,
19 // true/false is the pass/fail result.
20 var framesThatShouldLoad = {
21 aa_allow: -1, /* innermost frame allows a */
22 //aa_block: -1, /* innermost frame denies a */
23 ab_allow: -1, /* innermost frame allows a */
24 //ab_block: -1, /* innermost frame denies a */
25 aba_allow: -1, /* innermost frame allows b,a */
26 //aba_block: -1, /* innermost frame denies b */
27 //aba2_block: -1, /* innermost frame denies a */
28 abb_allow: -1, /* innermost frame allows b,a */
29 //abb_block: -1, /* innermost frame denies b */
30 //abb2_block: -1, /* innermost frame denies a */
31 aa_allow_spec_compliant: -1, /* innermost frame allows a *
32 //aa_block_spec_compliant: -1, /* innermost frame denies a */
33 ab_allow_spec_compliant: -1, /* innermost frame allows a */
34 //ab_block_spec_compliant: -1, /* innermost frame denies a */
35 aba_allow_spec_compliant: -1, /* innermost frame allows b,a */
36 //aba_block_spec_compliant: -1, /* innermost frame denies b */
37 //aba2_block_spec_compliant: -1, /* innermost frame denies a */
38 abb_allow_spec_compliant: -1, /* innermost frame allows b,a */
39 //abb_block_spec_compliant: -1, /* innermost frame denies b */
40 //abb2_block_spec_compliant: -1, /* innermost frame denies a */
41 };
43 var expectedViolationsLeft = 12;
45 // This is used to watch the blocked data bounce off CSP and allowed data
46 // get sent out to the wire.
47 function examiner() {
48 SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
49 }
50 examiner.prototype = {
51 observe: function(subject, topic, data) {
52 // subject should be an nsURI, and should be either allowed or blocked.
53 if (!SpecialPowers.can_QI(subject))
54 return;
56 if (topic === "csp-on-violate-policy") {
57 //these were blocked... record that they were blocked
58 var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
59 window.frameBlocked(asciiSpec, data);
60 }
61 },
63 // must eventually call this to remove the listener,
64 // or mochitests might get borked.
65 remove: function() {
66 SpecialPowers.removeObserver(this, "csp-on-violate-policy");
67 }
68 }
70 // called when a frame is loaded
71 // -- if it's not enumerated above, it should not load!
72 var frameLoaded = function(testname, uri) {
73 //test already complete.... forget it... remember the first result.
74 if (window.framesThatShouldLoad[testname] != -1)
75 return;
77 if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
78 // uh-oh, we're not expecting this frame to load!
79 ok(false, testname + ' framed site should not have loaded: ' + uri);
80 } else {
81 framesThatShouldLoad[testname] = true;
82 ok(true, testname + ' framed site when allowed by csp (' + uri + ')');
83 }
84 checkTestResults();
85 }
87 // called when a frame is blocked
88 // -- we can't determine *which* frame was blocked, but at least we can count them
89 var frameBlocked = function(uri, policy) {
90 ok(true, 'a CSP policy blocked frame from being loaded: ' + policy);
91 expectedViolationsLeft--;
92 checkTestResults();
93 }
96 // Check to see if all the tests have run
97 var checkTestResults = function() {
98 // if any test is incomplete, keep waiting
99 for (var v in framesThatShouldLoad)
100 if(window.framesThatShouldLoad[v] == -1)
101 return;
103 if (window.expectedViolationsLeft > 0)
104 return;
106 // ... otherwise, finish
107 window.examiner.remove();
108 SimpleTest.finish();
109 }
111 window.addEventListener("message", receiveMessage, false);
113 function receiveMessage(event) {
114 if (event.data.call && event.data.call == 'frameLoaded')
115 frameLoaded(event.data.testname, event.data.uri);
116 }
118 //////////////////////////////////////////////////////////////////////
119 // set up and go
120 window.examiner = new examiner();
121 SimpleTest.waitForExplicitFinish();
123 // added this so the tests run even if we don't flip the pref on by default.
124 SpecialPowers.pushPrefEnv(
125 {'set':[["security.csp.speccompliant", true]]},
126 function() {
127 // save this for last so that our listeners are registered.
128 // ... this loads the testbed of good and bad requests.
129 document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
130 document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
131 });
133 </script>
134 </pre>
135 </body>
136 </html>
