diff options
Diffstat (limited to 'dom/security/test/general/window_nosniff_navigation.html')
-rw-r--r-- | dom/security/test/general/window_nosniff_navigation.html | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/dom/security/test/general/window_nosniff_navigation.html b/dom/security/test/general/window_nosniff_navigation.html new file mode 100644 index 0000000000..cae2b15c65 --- /dev/null +++ b/dom/security/test/general/window_nosniff_navigation.html @@ -0,0 +1,95 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + <style> + iframe{ + border: 1px solid orange; + } + </style> + + <iframe class="no-mime" src="file_nosniff_navigation.sjs?xml"> </iframe> + <iframe class="no-mime" src="file_nosniff_navigation.sjs?html"></iframe> + <iframe class="no-mime" src="file_nosniff_navigation.sjs?css" ></iframe> + <iframe class="no-mime" src="file_nosniff_navigation.sjs?json"></iframe> + <iframe class="no-mime" src="file_nosniff_navigation.sjs?img"></iframe> + <iframe class="no-mime" src="file_nosniff_navigation.sjs"></iframe> + + <hr> + <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?html"></iframe> + <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?xml"></iframe> + <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?css"></iframe> + <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?json"></iframe> + <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?img"></iframe> + <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs"></iframe> + <hr> + + <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?xml"> </iframe> + <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?html"></iframe> + <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?css" ></iframe> + <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?json"></iframe> + <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?img"></iframe> + <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs"></iframe> + + +</head> + +<body> + +<!-- add the two script tests --> +<script id="scriptCorrectType"></script> +<script id="scriptWrongType"></script> + +<script class="testbody" type="text/javascript"> +/* Description of the test: + * We're testing if Firefox respects the nosniff Header for Top-Level + * Navigations. + * If Firefox cant Display the Page, it will prompt a download + * and the URL of the Page will be about:blank. + * So we will try to open different content send with + * no-mime, mismatched-mime and garbage-mime types. + * + */ + +SimpleTest.waitForExplicitFinish(); + +window.addEventListener("load", ()=>{ + let noMimeFrames = Array.from(document.querySelectorAll(".no-mime")); + + noMimeFrames.forEach( frame => { + // In case of no Provided Content Type, not rendering or assuming text/plain is valid + let result = frame.contentWindow.document.URL == "about:blank" || frame.contentWindow.document.contentType == "text/plain"; + let sniffTarget = (new URL(frame.src)).search; + window.opener.ok(result, `${sniffTarget} without MIME - was not Sniffed`); + }); + + let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime")); + mismatchedMimes.forEach(frame => { + // In case the Server mismatches the Mime Type (sends content X as image/png) + // assert that we do not sniff and correct this. + let result = frame.contentWindow.document.contentType == "image/png"; + let sniffTarget = (new URL(frame.src)).search; + window.opener.ok(result, `${sniffTarget} send as image/png - was not Sniffed`); + }); + + let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime")); + + badMimeFrames.forEach( frame => { + // In the case we got a bogous mime, assert that we dont sniff. + // We must not default here to text/plain + // as the Server at least provided a mime type. + let result = frame.contentWindow.document.URL == "about:blank"; + let sniffTarget = (new URL(frame.src)).search; + window.opener.ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`); + }); + + window.opener.SimpleTest.finish(); + this.close(); +}); +</script> +</body> + +</html>
\ No newline at end of file |