horok/firefox
1
0
Fork 0
Code Activity
firefox/dom/security/test/csp/test_ignore_xfo.html
Daniel Baumann 5e9a113729
Adding upstream version 140.0. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00

120 lines
4 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="csp_testframe"></iframe>
<iframe style="width:100%;" id="csp_testframe_no_xfo"></iframe>
<iframe style="width:100%;" id="csp_ro_testframe"></iframe>
<script class="testbody" type="text/javascript">
/*
* We load two frames using:
* x-frame-options: deny
* where the first frame uses a csp and the second a csp_ro including frame-ancestors.
* We make sure that xfo is ignored for regular csp but not for csp_ro.
*/
SimpleTest.waitForExplicitFinish();
var script = SpecialPowers.loadChromeScript(() => {
/* eslint-env mozilla/chrome-script */
let ignoreCount = 0;
function listener(msg) {
if(msg.message.includes("Content-Security-Policy: Ignoring x-frame-options because of frame-ancestors directive.")) {
ignoreCount++;
if(ignoreCount == 2) {
ok(false, 'The "Content-Security-Policy: Ignoring x-frame-options because of frame-ancestors directive." warning should only appear once for the csp_testframe.');
}
}
}
Services.console.registerListener(listener);
addMessageListener("cleanup", () => {
Services.console.unregisterListener(listener);
});
});
SimpleTest.registerCleanupFunction(async () => {
await script.sendQuery("cleanup");
});
var testcounter = 0;
function checkFinished() {
testcounter++;
if (testcounter < 4) {
return;
}
// remove the listener and we are done.
window.examiner.remove();
SimpleTest.finish();
}
// X-Frame-Options checks happen in the parent, hence we have to
// proxy the xfo violation notifications.
SpecialPowers.registerObservers("xfo-on-violate-policy");
function examiner() {
SpecialPowers.addObserver(this, "specialpowers-xfo-on-violate-policy");
}
examiner.prototype = {
observe(subject, topic, data) {
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
is(asciiSpec, "http://mochi.test:8888/tests/dom/security/test/csp/file_ro_ignore_xfo.html", "correct subject");
ok(topic.endsWith("xfo-on-violate-policy"), "correct topic");
is(data, "deny", "correct data");
checkFinished();
},
remove() {
SpecialPowers.removeObserver(this, "specialpowers-xfo-on-violate-policy");
}
}
window.examiner = new examiner();
// 1) test XFO with CSP
var csp_testframe = document.getElementById("csp_testframe");
csp_testframe.onload = function() {
var msg = csp_testframe.contentDocument.getElementById("cspmessage");
is(msg.innerHTML, "Ignoring XFO because of CSP", "Loading frame with with XFO and CSP");
checkFinished();
}
csp_testframe.onerror = function() {
ok(false, "sanity: should not fire onerror for csp_testframe");
checkFinished();
}
csp_testframe.src = "file_ignore_xfo.html";
// 2) test XFO with CSP_RO
var csp_ro_testframe = document.getElementById("csp_ro_testframe");
// If XFO denies framing then the onload event should fire.
csp_ro_testframe.onload = function() {
ok(true, "sanity: should fire onload for csp_ro_testframe");
checkFinished();
}
csp_ro_testframe.onerror = function() {
ok(false, "sanity: should not fire onerror for csp_ro_testframe");
checkFinished();
}
csp_ro_testframe.src = "file_ro_ignore_xfo.html";
var csp_testframe_no_xfo = document.getElementById("csp_testframe_no_xfo");
csp_testframe_no_xfo.onload = function() {
var msg = csp_testframe_no_xfo.contentDocument.getElementById("cspmessage");
is(msg.innerHTML, "Do not log xfo ignore warning when no xfo is set.", "Loading frame with with no XFO and CSP");
checkFinished();
}
csp_testframe_no_xfo.onerror = function() {
ok(false, "sanity: should not fire onerror for csp_testframe_no_xfo");
checkFinished();
}
csp_testframe_no_xfo.src = "file_no_log_ignore_xfo.html";
</script>
</body>
</html>
View git blame Copy permalink