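/*
 * Test for bug 593387
 * Loads a chrome document in a content docshell and then inserts an
 * X-Frame-Options: DENY iframe into the document and verifies that the document
 * loads. The policy we are enforcing is outlined here:
 * https://bugzilla.mozilla.org/show_bug.cgi?id=593387#c17
 *
 * The same framed URL is then inserted under a content (http) top-level
 * page, where the DENY header must keep the page from being rendered.
 */

// Browser element of the tab opened by test(); shared by the test steps.
var newBrowser;

// Page that answers with "X-Frame-Options: DENY". Both steps must frame the
// same URL so that the only difference between them is the top-level context.
var XFO_DENY_PAGE = "http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";

/**
 * Harness entry point: opens a new tab, selects it and loads a chrome
 * document into it, then hands over to testXFOFrameInChrome on load.
 */
function test() {
  waitForExplicitFinish();

  var newTab = gBrowser.addTab();
  gBrowser.selectedTab = newTab;
  newBrowser = gBrowser.getBrowserForTab(newTab);

  // NOTE(review): this is a capturing listener on the browser element, so it
  // may also observe loads other than the chrome document requested below
  // (for example an initial blank document) - confirm against the harness.
  newBrowser.addEventListener("load", testXFOFrameInChrome, true);
  newBrowser.contentWindow.location = "chrome://global/content/mozilla.xhtml";
}

/**
 * Step 1: the top-level document is chrome. Inserts an iframe whose response
 * carries "X-Frame-Options: DENY" and checks that the framed page rendered
 * anyway, then navigates the tab to a content page for step 2.
 */
function testXFOFrameInChrome() {
  newBrowser.removeEventListener("load", testXFOFrameInChrome, true);

  // Insert an iframe that specifies "X-Frame-Options: DENY" and verify
  // that it loads, since the top context is chrome
  var frame = newBrowser.contentDocument.createElement("iframe");
  frame.src = XFO_DENY_PAGE;

  // Named function expression instead of arguments.callee, which is
  // deprecated and throws in strict mode.
  frame.addEventListener("load", function onFrameLoad() {
    frame.removeEventListener("load", onFrameLoad, true);

    // Test that the frame loaded
    var marker = frame.contentDocument.getElementById("test");
    is(marker.tagName, "H1", "wrong element type");
    is(marker.textContent, "deny", "wrong textContent");

    // Run next test (try the same with a content top-level context)
    newBrowser.addEventListener("load", testXFOFrameInContent, true);
    newBrowser.contentWindow.location = "http://example.com/";
  }, true);

  newBrowser.contentDocument.body.appendChild(frame);
}

/**
 * Step 2: the top-level document is a content page from another site.
 * Inserts the same DENY iframe and checks that the framed page was NOT
 * rendered, then closes the tab and finishes the test.
 */
function testXFOFrameInContent() {
  newBrowser.removeEventListener("load", testXFOFrameInContent, true);

  // Insert an iframe that specifies "X-Frame-Options: DENY" and verify that it
  // is blocked from loading since the top browsing context is another site
  var frame = newBrowser.contentDocument.createElement("iframe");
  frame.src = XFO_DENY_PAGE;

  frame.addEventListener("load", function onFrameLoad() {
    frame.removeEventListener("load", onFrameLoad, true);

    // Test that the frame DID NOT load. getElementById() returns null (not
    // undefined) for a missing id, so compare against null; this holds
    // whether is() compares loosely or strictly.
    // NOTE(review): this only proves the marker element is absent; it does
    // not by itself prove which document replaced the blocked page.
    var marker = frame.contentDocument.getElementById("test");
    is(marker, null, "should be about:blank");

    // Finalize the test
    gBrowser.removeCurrentTab();
    finish();
  }, true);

  newBrowser.contentDocument.body.appendChild(frame);
}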