1 files changed, 45 insertions, 0 deletions

diff --git a/dom/security/test/csp/browser_pdfjs_not_subject_to_csp.js b/dom/security/test/csp/browser_pdfjs_not_subject_to_csp.js
new file mode 100644
index 0000000000..2391e955ba
--- /dev/null
+++ b/dom/security/test/csp/browser_pdfjs_not_subject_to_csp.js
@@ -0,0 +1,45 @@
+"use strict";
+
+const TEST_PATH = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "https://example.com"
+);
+
+add_task(async function () {
+  await BrowserTestUtils.withNewTab(
+    TEST_PATH + "file_pdfjs_not_subject_to_csp.html",
+    async function (browser) {
+      let pdfPromise = BrowserTestUtils.waitForContentEvent(
+        browser,
+        "documentloaded",
+        false,
+        null,
+        true
+      );
+
+      await ContentTask.spawn(browser, {}, async function () {
+        let pdfButton = content.document.getElementById("pdfButton");
+        pdfButton.click();
+      });
+
+      await pdfPromise;
+
+      await ContentTask.spawn(browser, {}, async function () {
+        let pdfFrame = content.document.getElementById("pdfFrame");
+        // 1) Sanity that we have loaded the PDF using a blob
+        ok(pdfFrame.src.startsWith("blob:"), "it's a blob URL");
+
+        // 2) Ensure that the PDF has actually loaded
+        ok(
+          pdfFrame.contentDocument.querySelector("div#viewer"),
+          "document content has viewer UI"
+        );
+
+        // 3) Ensure we have the correct CSP attached
+        let cspJSON = pdfFrame.contentDocument.cspJSON;
+        ok(cspJSON.includes("script-src"), "found script-src directive");
+        ok(cspJSON.includes("allowPDF"), "found script-src nonce value");
+      });
+    }
+  );
+});