The Tor Browser / file revision

content/base/test/csp/test_bothCSPheaders.html@b8a032363ba2

content/base/test/csp/test_bothCSPheaders.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>

     2 <html>

     3 <head>

     4   <title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title>

     5   <!-- When both headers are present, we should ignore the pre-1.0 header and

     6        only recognize the 1.0 spec-compliant header. -->

     7   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>

     8   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

     9 </head>

    10 <body>

    11 <p id="display"></p>

    12 <div id="content" style="display: none">

    13 </div>

    14 

    15 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>

    16 <script class="testbody" type="text/javascript">

    17 

    18 var prefixedHeaderImgURL = "http://example.org/prefixed.jpg";

    19 var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg";

    20 var testsRun = 0;

    21 var totalTests = 2;

    22 

    23 // This is used to watch the blocked data bounce off CSP and allowed data

    24 // get sent out to the wire.

    25 function examiner() {

    26   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);

    27   SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);

    28 }

    29 examiner.prototype  = {

    30   observe: function(subject, topic, data) {

    31     if (topic === "specialpowers-http-notify-request") {

    32       var allowedUri = data;

    33       if (allowedUri == prefixedHeaderImgURL || allowedUri == unprefixedHeaderImgURL) {

    34         is(allowedUri, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)");

    35         testRan();

    36       }

    37     }

    38 

    39     if (topic === "csp-on-violate-policy") {

    40       // the load was blocked, this is a pass, the Content-Security-Policy

    41       // header doesn't allow the load, but the X-Content-Security-Header does

    42       var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");

    43       if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {

    44         is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");

    45         testRan();

    46       }

    47     }

    48   },

    49 

    50   // must eventually call this to remove the listener,

    51   // or mochitests might get borked.

    52   remove: function() {

    53     SpecialPowers.removeObserver(this, "csp-on-violate-policy");

    54     SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");

    55   }

    56 }

    57 

    58 window.examiner = new examiner();

    59 SimpleTest.waitForExplicitFinish();

    60 

    61 function testRan() {

    62   testsRun++;

    63   if (testsRun == totalTests) {

    64     window.examiner.remove();

    65     SimpleTest.finish();

    66   }

    67 }

    68 

    69 SpecialPowers.pushPrefEnv(

    70   {'set':[["security.csp.speccompliant", true]]},

    71   function loadTestRequests() {

    72     var cspframe = document.getElementById('cspframe');

    73     cspframe.src = 'file_bothCSPheaders.html';

    74   }

    75 );

    76 </script>

    77 </pre>

    78 </body>

    79 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial