path: root/dom/base/test/test_warning_for_blocked_cross_site_request.html
blob: c1e597b6ad039ddf394dd5b032427ff87ecb7b94 (plain)
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=713980
-->
<head>
  <meta charset="utf-8">
  <title>Test for Bug 713980</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

  <!-- Load a cross-origin webfont without CORS (common pain point) and some
       other styles that require anonymous CORS -->
  <style>
    @font-face {
      font-family: "bad_cross_origin_webfont";
      src: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
    }
    div#bad_webfont { font-family: "bad_cross_origin_webfont"; }

    div#bad_shape_outside { shape-outside: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=bad_shape_outside&type=image/png'); }

    div#bad_mask_image { mask-image: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=bad_mask_image&type=image/svg+xml'); }
  </style>
</head>
<body>
<pre id="test">

<script class="testbody" type="text/javascript">
// Results arrive asynchronously through the console listener, so the harness
// must not end the test when the page finishes loading.
SimpleTest.waitForExplicitFinish();

// One entry per blocked cross-origin load that this page triggers.
//   uri_test        - text searched for in the console message to attribute
//                     the message to this entry
//   result          - null until the matching console message has been seen
//   category        - category the console message is expected to carry
//   ignore_windowID - when true, the non-zero windowID assertion is skipped
// NOTE(review): the file does not say why shape_outside and mask_image skip
// the windowID check; confirm before relying on it.
var tests = {
  xhr: { uri_test: "http://invalid", result: null, category: "CORSAllowOriginNotMatchingOrigin" },
  font: { uri_test: "font_bad", result: null, category: "CORSMissingAllowOrigin2" },
  shape_outside: {
    uri_test: "bad_shape_outside",
    result: null,
    category: "CORSMissingAllowOrigin2",
    ignore_windowID: true
  },
  mask_image: {
    uri_test: "bad_mask_image",
    result: null,
    category: "CORSMissingAllowOrigin2",
    ignore_windowID: true
  }
};

/**
 * Report whether every entry in the `tests` table has recorded a result.
 * The first entry still pending is logged through info() and the scan stops
 * there, so only one "still waiting" line is emitted per call.
 *
 * @returns {boolean} true when no entry has a null/undefined result.
 */
function testsComplete() {
  var pendingName = Object.keys(tests).find(function (name) {
    // Loose comparison on purpose: both null and undefined count as pending.
    return tests[name].result == null;
  });

  if (pendingName === undefined) {
    return true;
  }

  info("Still waiting on (at least) " + pendingName + ".");
  return false;
}

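// Watch the console for CORS-blocked warnings and attribute each one to the
// first still-pending entry in `tests` whose uri_test appears in the message.
// For every attributed message the listener asserts the expected category and,
// unless the entry opts out, a non-zero windowID.
SpecialPowers.registerConsoleListener(function CORSMsgListener(aMsg) {
  // Ignore everything except the "Cross-Origin Request Blocked" warnings.
  if (!/Cross-Origin Request Blocked/.test(aMsg.message))
    return;

  // Coerce once, the same way RegExp.prototype.test() coerced it above.
  var messageText = String(aMsg.message);

  for (var testName in tests) {
    var test = tests[testName];
    var category = test.category;
    if (test.result != null)
      continue;

    // uri_test is a literal fragment of the blocked URL. Match it as a plain
    // substring: compiling it with new RegExp() would treat characters such
    // as "." or "?" in a future entry as pattern syntax and could attribute
    // a warning to the wrong entry.
    if (messageText.includes(test.uri_test)) {
      test.result = true;
      ok(true, "Got \"Cross-site request blocked\" warning message for " + testName);
      ok(aMsg.category == category,
         "Got warning message with category \"" + aMsg.category + "\", expected \"" + category + "\"");
      // Got the message we wanted - make sure it is destined for a valid inner window
      if(!test.ignore_windowID) {
        ok(aMsg.windowID != 0, "Valid (non-zero) windowID for the cross-site request blocked message.");
      }
      // Each console message satisfies at most one entry.
      break;
    }
  }

  // NOTE(review): this check runs for every blocked-request message, so a
  // further warning arriving after all entries are resolved would schedule
  // cleanup() again - confirm the harness tolerates that.
  if (testsComplete()) {
    SimpleTest.executeSoon(cleanup);
  }
});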

// Tear the test down once every expected warning has been observed.
// The two calls are order-sensitive, so the code is left exactly as written.
function cleanup() {
  // Presumably signals the listener registered with registerConsoleListener()
  // to detach - confirm against the SpecialPowers implementation.
  SpecialPowers.postConsoleSentinel();
  // Ends the test that SimpleTest.waitForExplicitFinish() kept open.
  SimpleTest.finish();
}

// Send a cross-origin XHR that the browser must block. The
// allowOrigin=http://invalid query presumably makes the server answer with an
// Access-Control-Allow-Origin value that does not match this page's origin
// (the xhr entry expects category CORSAllowOriginNotMatchingOrigin).
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.org/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?allowOrigin=http://invalid", true);
xhr.send(null);

let badDiv;

// Each id below matches a rule in the page's <style> block that pulls in a
// cross-origin resource (webfont, shape-outside image, mask-image).
// The divs are created from Javascript so that the console listener is
// guaranteed to be registered before any of these requests start; otherwise
// a warning could be logged before anyone is listening.
for (const divId of ['bad_webfont', 'bad_shape_outside', 'bad_mask_image']) {
  badDiv = document.createElement('div');
  badDiv.setAttribute('id', divId);
  document.body.appendChild(badDiv);
}
</script>

</pre>
</body>
</html>