Diffstat (limited to '')
-rw-r--r-- | dom/security/test/csp/file_main.html | 55 | ||||
-rw-r--r-- | dom/security/test/csp/file_main.html^headers^ | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/dom/security/test/csp/file_main.html b/dom/security/test/csp/file_main.html
new file mode 100644
index 0000000000..ddc8382617
--- /dev/null
+++ b/dom/security/test/csp/file_main.html
@@ -0,0 +1,55 @@
+<html>
+ <head>
+ <link rel='stylesheet' type='text/css'
+ href='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=style_bad&type=text/css' />
+ <link rel='stylesheet' type='text/css'
+ href='file_CSP.sjs?testid=style_good&type=text/css' />
+
+
+ <style>
+ /* CSS font embedding tests */
+ @font-face {
+ font-family: "arbitrary_good";
+ src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
+ }
+ @font-face {
+ font-family: "arbitrary_bad";
+ src: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
+ }
+
+ .div_arbitrary_good { font-family: "arbitrary_good"; }
+ .div_arbitrary_bad { font-family: "arbitrary_bad"; }
+ </style>
+ </head>
+ <body>
+ <!-- these should be stopped by CSP. :) -->
+ <img src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
+ <audio src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=media_bad&type=audio/vorbis"></audio>
+ <script src='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
+ <iframe src='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=frame_bad&content=FAIL'></iframe>
+ <object width="10" height="10">
+ <param name="movie" value="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash">
+ <embed src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash"></embed>
+ </object>
+
+ <!-- these should load ok. :) -->
+ <img src="file_CSP.sjs?testid=img_good&type=img/png" />
+ <audio src="file_CSP.sjs?testid=media_good&type=audio/vorbis"></audio>
+ <script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
+ <iframe src='file_CSP.sjs?testid=frame_good&content=PASS'></iframe>
+
+ <object width="10" height="10">
+ <param name="movie" value="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash">
+ <embed src="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash"></embed>
+ </object>
+
+ <!-- XHR tests... they're taken care of in this script,
+ and since the URI doesn't have any 'testid' values,
+ it will just be ignored by the test framework. -->
+ <script src='file_main.js'></script>
+
+ <!-- Support elements for the @font-face test -->
+ <div class="div_arbitrary_good">arbitrary good</div>
+ <div class="div_arbitrary_bad">arbitrary_bad</div>
+ </body>
+</html>
diff --git a/dom/security/test/csp/file_main.html^headers^ b/dom/security/test/csp/file_main.html^headers^
new file mode 100644
index 0000000000..3338de389b
--- /dev/null
+++ b/dom/security/test/csp/file_main.html^headers^
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' blob: ; style-src 'unsafe-inline' 'self' |
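Review bot: Nothing in file_main.html records which policy its "should be stopped" and "should load ok" expectations are written against; the policy is only in the paired `file_main.html^headers^`. That matters most for the inline `<style>` block holding both `@font-face` rules, which is only applied because the header sets `style-src 'unsafe-inline' 'self'`. If that directive were tightened, neither font would be requested, so `font_bad` would stop testing font loading at all and a failing `font_good` would be the only hint. I would add a comment above `<style>`, for example `<!-- Policy: see file_main.html^headers^. This inline block needs style-src 'unsafe-inline'; every other case here falls back to default-src 'self' -->`. Separately, `<param name="movie">` and `<embed>` share `testid=object_bad` (and `object_good`), so a result for that id cannot be attributed to one element; a short comment saying this is intentional would help.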
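Review bot: `blob:` is allowed in `default-src`, but no element in file_main.html loads a blob: URL, so on the visible lines that allowance is unexercised; file_main.js is not part of this diff and may be what needs it. If nothing does, `default-src 'self'; style-src 'unsafe-inline' 'self'` would keep the fixture's policy as narrow as the cases it checks. Because `style-src` is set explicitly, the `style_good`/`style_bad` pair is governed by that directive alone and not by `default-src`. The reason for `blob:` and for `'unsafe-inline'` should be stated in the commit message or in a comment in file_main.html.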