Diffstat (limited to 'dom/security/test/mixedcontentblocker/test_windowOpen.html')
-rw-r--r-- | dom/security/test/mixedcontentblocker/test_windowOpen.html | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/dom/security/test/mixedcontentblocker/test_windowOpen.html b/dom/security/test/mixedcontentblocker/test_windowOpen.html
new file mode 100644
index 0000000000..ae286c38f8
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_windowOpen.html
@@ -0,0 +1,82 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Tests for Mixed Content Navigation with window.open</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+let testsCompleted = 0;
+const numberOfTestCases = 2;
+
+function markTestCaseComplete() {
+ testsCompleted++;
+
+ if (testsCompleted == numberOfTestCases) {
+ SimpleTest.finish();
+ }
+}
+
+window.onmessage = function(event) {
+ if (event.data.src.includes("test1")) {
+ // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+ is(event.data.target, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
+ is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
+ is(event.data.method, "http", "messages from test1 iframe should be http.");
+ markTestCaseComplete();
+ }
+ else if (event.data.src.includes("test2")) {
+ if (event.data.outcome != 'csp-error') {
+ is(event.data.target, "https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "event message received for successful iframe load should be from test2's iframe.");
+ is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
+ is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
+ is(event.data.method, "https", "messages from test2 iframe should be https");
+ }
+ markTestCaseComplete();
+ }
+};
+
+function testURLInOpenedWindow(testURL) {
+ let openedWindow = window.open("javascript:''","_blank");
+ openedWindow.onload = function() {
+ openedWindow.document.body.innerHTML = '<iframe id="testframe">'
+
+ let testframe = openedWindow.document.getElementById("testframe");
+ testframe.onload = function(event) {
+ try {
+ let triggeringPrincipal = SpecialPowers.wrap(this.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
+ openedWindow.opener.postMessage({outcome: 'loaded', method: this.src.split(":")[0], src: this.src, target: event.target.src, triggeringPrincipal}, '*');
+ }
+ catch (error) {
+ // If we can't get the docShell due to CSP blocking access to the iframe's docShell then skip this test case
+ if (error.name === "SecurityError" && error.message === 'Permission denied to access property "docShell" on cross-origin object') {
+ openedWindow.opener.postMessage({outcome: 'csp-error', method: this.src.split(":")[0], src: this.src}, '*');
+ }
+ else throw error;
+ }
+ openedWindow.close();
+ }
+ testframe.onerror = function(error) {
+ openedWindow.opener.postMessage({outcome: 'blocked', method: this.src.split(":")[0], src: this.src, target: error.target.src}, '*');
+ openedWindow.close();
+ }
+
+ testframe.src = testURL;
+ };
+};
+
+// eslint-disable-next-line @microsoft/sdl/no-insecure-url
+testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
+testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
+
+</script>
+</body>
+</html> |
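Review bot: In the `test2` branch of `window.onmessage`, a `csp-error` outcome calls `markTestCaseComplete()` without recording anything, so a run in which the HTTPS frame's docShell was unreachable looks the same in the results as one where the load and its triggeringPrincipal were actually verified. Surfacing the skip keeps that visible, e.g. `else { todo(false, "test2: docShell not accessible, triggeringPrincipal not checked"); }` ahead of `markTestCaseComplete()`. The corresponding `catch` in `testframe.onload` keys on the exact `error.message` text; if that wording ever changes the handler rethrows before `openedWindow.close()` and the test would presumably end only by timeout, so testing `error.name === "SecurityError"` alone is sturdier. The message handler also dereferences `event.data.src` on every message it receives, and a guard such as `if (!event.data || typeof event.data.src !== "string") return;` keeps an unrelated message from throwing inside the handler.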