path: root/dom/security/test/general/window_nosniff_navigation.html
<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
  <style>
    iframe{
      border: 1px solid orange;
    }
  </style>

  <!-- Using Content-Type: */* -->
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=xml"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=html"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=css" ></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=json"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=img"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=pdf"></iframe>
  <iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*"></iframe>
  <hr>
  <!-- Using Content-Type: image/png -->
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=xml"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=html"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=css"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=json"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=img"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=pdf"></iframe>
  <iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng"></iframe>
  <hr>
  <!-- Using Content-Type: garbage/garbage -->
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=xml"> </iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=html"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=css" ></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=json"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=img"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=pdf"></iframe>
  <iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage"></iframe>
</head>

<body>

<!-- add the two script tests -->
<script id="scriptCorrectType"></script>
<script id="scriptWrongType"></script>

<script class="testbody" type="text/javascript">
/* Description of the test:
 * We're testing whether Firefox respects the X-Content-Type-Options: nosniff
 * header for top-level navigations.
 * If Firefox can't display the page, it will prompt a download
 * and the URL of the page will be about:blank.
 * So we try to open different content sent with
 * no-mime, mismatched-mime and garbage-mime types.
 * Sniffing the body in any of these cases would let the response be
 * rendered as a type the server never declared.
 *
 */

SimpleTest.waitForExplicitFinish();

// Once every iframe on the page has finished loading, check each group of
// frames and report the outcome to the opener window, which owns the test
// harness that collects the assertions.
window.addEventListener("load", () => {
  // The "content" query parameter of the frame URL names the payload that was
  // requested; it is only used to label the assertion message.
  const payloadOf = frame => new URL(frame.src).searchParams.get("content");

  // No usable Content-Type (*/*): either the frame stayed on about:blank
  // (nothing was rendered) or the document was treated as text/plain.
  for (const frame of document.querySelectorAll(".no-mime")) {
    const frameDoc = frame.contentWindow.document;
    const notSniffed =
      frameDoc.URL === "about:blank" || frameDoc.contentType === "text/plain";
    const sniffTarget = payloadOf(frame);
    window.opener.ok(notSniffed, `${sniffTarget} without MIME - was not sniffed`);
  }

  // Wrong Content-Type (content X served as image/png): the declared type
  // must be kept, it must not be "corrected" by looking at the body.
  for (const frame of document.querySelectorAll(".mismatch-mime")) {
    const keptDeclaredType =
      frame.contentWindow.document.contentType === "image/png";
    const sniffTarget = payloadOf(frame);
    window.opener.ok(keptDeclaredType, `${sniffTarget} send as image/png - was not Sniffed`);
  }

  // Bogus Content-Type (garbage/garbage): the frame must stay on about:blank.
  // Falling back to text/plain is not acceptable here, because the server
  // did provide a MIME type.
  for (const frame of document.querySelectorAll(".garbage-mime")) {
    const stayedBlank = frame.contentWindow.document.URL === "about:blank";
    const sniffTarget = payloadOf(frame);
    window.opener.ok(stayedBlank, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
  }

  window.opener.SimpleTest.finish();
  // Arrow function in a classic script: `this` is the enclosing script's
  // `this`, i.e. this window, so this closes the test window itself.
  this.close();
});
</script>
</body>

</html>