content/base/test/csp/test_CSP_inlinescript.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>
     2 <html>
     3 <head>
     4   <title>Test for Content Security Policy Frame Ancestors directive</title>
     5   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
     6   <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
     7   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
     8 </head>
     9 <body>
    10 <p id="display"></p>
    11 <div id="content" style="display: none">
    12 </div>
    14 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
    15 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
    16 <iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
    17 <script class="testbody" type="text/javascript">
// Base path of the CSP test fixtures. Nothing in this page's script reads it.
var path = "/tests/content/base/test/csp/";

// Running tallies of the inline scripts under test: scriptRan() bumps the
// first for scripts that executed, scriptBlocked() bumps the second for
// scripts CSP rejected (reported through the csp-on-violate-policy observer).
// checkTestResults() waits until the two sum to inlineScriptsTotal before
// checking the split and finishing the test.
var inlineScriptsThatRan = 0;
var inlineScriptsBlocked = 0;
var inlineScriptsTotal = 12;
// Observer that watches CSP violation notifications so the test can count
// the inline scripts that were blocked. Constructing it registers the
// observer with SpecialPowers; examiner.prototype.remove() unregisters it.
function examiner() {
  var topic = "csp-on-violate-policy";
  // Third argument false: the observer service keeps a strong reference to
  // this object, so it lives until remove() is called.
  SpecialPowers.addObserver(this, topic, false);
}
examiner.prototype = {
  // nsIObserver callback. Only "csp-on-violate-policy" is handled: the
  // subject identifies the blocked resource, either as an nsIURI or, failing
  // that, as an nsISupportsCString; its spec/data is handed to
  // window.scriptBlocked together with the notification data.
  observe: function(subject, topic, data) {
    // Subjects SpecialPowers cannot QueryInterface at all are ignored.
    if (!SpecialPowers.can_QI(subject) || topic !== "csp-on-violate-policy") {
      return;
    }
    var blocked;
    try {
      // The usual case: the subject is an nsIURI, report its ASCII spec.
      var uri = SpecialPowers.do_QueryInterface(subject, "nsIURI");
      blocked = SpecialPowers.getPrivilegedProps(uri, "asciiSpec");
    } catch (e) {
      // Otherwise the subject is (presumably) a string wrapped in an
      // nsISupportsCString.
      var cstr = SpecialPowers.do_QueryInterface(subject, "nsISupportsCString");
      blocked = SpecialPowers.getPrivilegedProps(cstr, "data");
    }
    window.scriptBlocked(blocked, data);
  },

  // Unregisters the observer. Must be called before the test finishes,
  // otherwise the observer outlives this page and can break later mochitests.
  remove: function() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
  }
};
// Reporter invoked by inline scripts that actually executed.
// `result` is whether that script expected to be allowed, so a script that
// ran although it expected to be blocked fails the test right here.
// `testname` and `data` only label the assertion.
var scriptRan = function(result, testname, data) {
  inlineScriptsThatRan += 1;
  var label = 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')';
  ok(result, label);
  checkTestResults();
}
// Reporter invoked (through the examiner observer) when CSP blocks an inline
// script. The notification does not say which frame it came from, so this
// only counts blocked scripts; checkTestResults() compares the totals.
var scriptBlocked = function(testname, data) {
  inlineScriptsBlocked += 1;
  var label = 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')';
  ok(true, label);
  checkTestResults();
}
// Called after every scriptRan()/scriptBlocked() report. Does nothing until
// all inlineScriptsTotal inline scripts have been accounted for; then checks
// the allowed/blocked split (4 ran in the 'unsafe-inline' page, 8 blocked
// in the other two pages), unregisters the violation observer and ends the
// test.
var checkTestResults = function() {
  var reported = inlineScriptsThatRan + inlineScriptsBlocked;
  // Some inline scripts have not reported yet: keep waiting.
  if (reported < inlineScriptsTotal) {
    return;
  }
  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
  // Drop the observer before finishing so it does not leak into later tests.
  window.examiner.remove();
  SimpleTest.finish();
}
//////////////////////////////////////////////////////////////////////
// set up and go
// Register the violation observer before any frame is loaded, and tell
// SimpleTest that checkTestResults() will call finish() itself.
(function() {
  window.examiner = new examiner();
  SimpleTest.waitForExplicitFinish();
})();
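// Simulates a click on the 'anchortoclick' anchor inside the iframe with the
// given id. The click is what makes the loaded frame document run the inline
// scripts under test.
//
// frameId: id attribute of one of the cspframe iframes in this page.
// Throws (TypeError) if the frame or its anchor cannot be found, which
// surfaces as a test failure rather than a silent no-op.
function clickAnchorInFrame(frameId) {
  var frame = document.getElementById(frameId);
  var anchor = frame.contentDocument.getElementById('anchortoclick');
  sendMouseEvent({type:'click'}, anchor, frame.contentWindow);
}

// 'load' handlers for the three test frames; see the pushPrefEnv callback
// below for which document each frame loads.
function clickit() {
  clickAnchorInFrame('cspframe');
}

function clickit2() {
  clickAnchorInFrame('cspframe2');
}

function clickit3() {
  clickAnchorInFrame('cspframe3');
}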
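// Enable the spec-compliant CSP implementation, then load the three frames.
// This is done last so the violation observer and the handlers above are
// registered before any frame can produce a CSP report. Each frame gets its
// 'load' listener attached before src is assigned, so the click handler
// cannot miss the load whatever the load timing turns out to be.
SpecialPowers.pushPrefEnv(
  {'set':[["security.csp.speccompliant", true]]},
  function() {
    // [iframe id, document to load into it, handler to run once it has loaded]
    var frames = [
      ['cspframe',  'file_CSP_inlinescript_main.html',                        clickit],
      ['cspframe2', 'file_CSP_inlinescript_main_spec_compliant.html',         clickit2],
      ['cspframe3', 'file_CSP_inlinescript_main_spec_compliant_allowed.html', clickit3]
    ];
    for (var i = 0; i < frames.length; i++) {
      var frame = document.getElementById(frames[i][0]);
      frame.addEventListener('load', frames[i][2], false);
      frame.src = frames[i][1];
    }
  });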
   125 </script>
   126 </pre>
   127 </body>
   128 </html>
