Thu, 15 Jan 2015 21:03:48 +0100
Integrate friendly tips from Tor colleagues to make (or not) 4.5 alpha 3.
This includes removal of overloaded (but unused) methods, and addition of
an overlooked call to DataStruct::SetData(nsISupports, uint32_t, bool).
1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title>
5 <!-- When both headers are present, we should ignore the pre-1.0 header and
6 only recognize the 1.0 spec-compliant header. -->
7 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
8 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
9 </head>
10 <body>
11 <p id="display"></p>
12 <div id="content" style="display: none">
13 </div>
15 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
16 <script class="testbody" type="text/javascript">
// Image the assertions below expect to be BLOCKED: per the test messages, the
// Content-Security-Policy header does not allow it, while the pre-1.0
// (prefixed) header would. The header values themselves live in the framed
// document's companion files, which are not part of this page.
var prefixedHeaderImgURL = "http://example.org/prefixed.jpg";

// Image the assertions below expect to be LOADED: allowed by the unprefixed
// header and, per the test messages, blocked by the prefixed one.
var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg";

// The test finishes once this many observations (one allowed request and one
// reported violation) have been counted by testRan().
var totalTests = 2;
var testsRun = 0;
23 // This is used to watch the blocked data bounce off CSP and allowed data
24 // get sent out to the wire.
function examiner() {
  // Subscribe this instance to both notifications the test relies on: CSP
  // violation reports and outgoing HTTP requests. Registration order and the
  // `false` third argument are kept exactly as before.
  var topics = ["csp-on-violate-policy", "specialpowers-http-notify-request"];
  for (var i = 0; i < topics.length; i++) {
    SpecialPowers.addObserver(this, topics[i], false);
  }
}
examiner.prototype = {
  /**
   * Observer callback for the two topics registered in the constructor.
   *
   * Both branches filter on the two test image URLs and then assert which of
   * the two it was, so a wrong outcome (the prefixed-header image reaching the
   * wire, or the unprefixed-header image being reported as a violation) is
   * recorded as a failure instead of being silently ignored.
   *
   * @param subject for "csp-on-violate-policy", queried as an nsIURI
   * @param topic   notification topic
   * @param data    for "specialpowers-http-notify-request", compared against
   *                the test image URLs
   */
  observe: function(subject, topic, data) {
    var isTestImage = function(url) {
      return url == prefixedHeaderImgURL || url == unprefixedHeaderImgURL;
    };

    switch (topic) {
      case "specialpowers-http-notify-request":
        // A request was sent out: only the image permitted by the
        // spec-compliant Content-Security-Policy header may get this far.
        if (isTestImage(data)) {
          is(data, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)");
          testRan();
        }
        break;

      case "csp-on-violate-policy":
        // A load was blocked: this is the expected outcome for the image that
        // only the pre-1.0 header (X-Content-Security-Policy, called
        // "X-Content-Security-Header" in the message below) would allow.
        var blockedUri = SpecialPowers.do_QueryInterface(subject, "nsIURI");
        var blockedSpec = SpecialPowers.getPrivilegedProps(blockedUri, "asciiSpec");
        if (isTestImage(blockedSpec)) {
          is(blockedSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
          testRan();
        }
        break;
    }
  },

  /**
   * Unregisters both observers. This must eventually be called, otherwise the
   * listeners outlive this test and can disturb later mochitests.
   */
  remove: function() {
    var topics = ["csp-on-violate-policy", "specialpowers-http-notify-request"];
    for (var i = 0; i < topics.length; i++) {
      SpecialPowers.removeObserver(this, topics[i]);
    }
  }
};
// Install the observers before any test load is started, and keep the
// instance on window so testRan() can unregister it when the test ends.
window.examiner = new examiner();

// Results arrive asynchronously through observer notifications, so the
// harness must wait for the explicit SimpleTest.finish() call in testRan().
SimpleTest.waitForExplicitFinish();
/**
 * Counts one completed observation and, once the expected number has been
 * reached, unregisters the observers and finishes the test.
 *
 * SimpleTest.finish() is only reached from here, so if one of the two expected
 * notifications never arrives the test does not finish on its own.
 */
function testRan() {
  testsRun += 1;
  if (testsRun != totalTests) {
    return;
  }
  window.examiner.remove();
  SimpleTest.finish();
}
// Turn on the "security.csp.speccompliant" pref for this test and start the
// framed load only from the pushPrefEnv callback, so the document carrying
// both CSP headers is requested with the pref already set.
SpecialPowers.pushPrefEnv(
  { set: [["security.csp.speccompliant", true]] },
  function loadTestRequests() {
    document.getElementById('cspframe').src = 'file_bothCSPheaders.html';
  }
);
76 </script>
77 </pre>
78 </body>
79 </html>