<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Tests for Mixed Content Navigation with window.open</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script class="testbody" type="text/javascript">
// The harness must not end the run on its own: each test case reports back
// asynchronously (via postMessage) and markTestCaseComplete() calls finish().
SimpleTest.waitForExplicitFinish();

// How many test cases are driven at the bottom of this script; every one of
// them must report before the run is finished.
const numberOfTestCases = 2;
// Reports received so far.
let testsCompleted = 0;
/**
 * Records that one test case has reported and ends the run once every
 * expected case (numberOfTestCases) has done so.
 *
 * Relies on the script-level counter `testsCompleted`; SimpleTest.finish()
 * is called exactly once, on the final report.
 */
function markTestCaseComplete() {
  testsCompleted += 1;
  // Not the last report yet: keep waiting.
  if (testsCompleted !== numberOfTestCases) {
    return;
  }
  SimpleTest.finish();
}
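/**
 * Receives the per-iframe reports sent by testURLInOpenedWindow() and asserts
 * on them.
 *
 * A report is an object {outcome, method, src, target[, triggeringPrincipal]}
 * (see testURLInOpenedWindow). The two cases are told apart by the host name
 * embedded in `src` ("test1" = http iframe, "test2" = https iframe).
 *
 * No event.origin check is made here: the only sender is the child window this
 * page opened, which posts to its opener with a "*" target. Messages that do
 * not look like a report (no string `src`) are ignored instead of throwing on
 * `event.data.src`, so an unrelated postMessage cannot abort the handler.
 */
window.onmessage = function(event) {
  const report = event.data;
  if (!report || typeof report.src !== "string") {
    return;
  }

  if (report.src.includes("test1")) {
    // Case 1: an http:// iframe inside the (https-origin) child window must be
    // blocked by the mixed-content blocker and surface as an error event.
    // eslint-disable-next-line @microsoft/sdl/no-insecure-url
    is(report.target, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
    is(report.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
    is(report.method, "http", "messages from test1 iframe should be http.");
    markTestCaseComplete();
  } else if (report.src.includes("test2")) {
    // Case 2: an https:// iframe must load, and the loaded document's
    // triggeringPrincipal must be this (opener) test page. If the reporter
    // could not read the iframe's docShell because CSP denied access it sends
    // "csp-error"; that case is counted as complete but not asserted on.
    if (report.outcome !== "csp-error") {
      is(report.target, "https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "event message received for successful iframe load should be from test2's iframe.");
      is(report.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
      is(report.outcome, "loaded", "https iframe should be allowed to load in child https window.");
      is(report.method, "https", "messages from test2 iframe should be https");
    }
    markTestCaseComplete();
  }
};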
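/**
 * Opens a blank child window, embeds testURL in an iframe there and reports
 * the outcome back to this page through openedWindow.opener.postMessage().
 *
 * The child is opened with "javascript:''", so its document inherits this
 * page's origin; that is what makes the http iframe in it mixed content.
 *
 * Reports are objects {outcome, method, src, target[, triggeringPrincipal]}:
 *   outcome             "loaded" | "blocked" | "csp-error"
 *   method              scheme of the iframe src ("http" / "https")
 *   src                 the iframe src as set
 *   target              src of the element that fired load/error
 *   triggeringPrincipal asciiSpec of the loaded document's triggeringPrincipal
 *                       (only on "loaded")
 * The child window is closed once a report has been sent. Messages are posted
 * with a "*" target; the receiver (window.onmessage above) is on the same
 * origin as the child, so no secret crosses an origin boundary here.
 *
 * If window.open() returns null (popup blocked), a failure is recorded and
 * the case is marked complete so the harness does not wait forever.
 *
 * @param {string} testURL - URL to load in the iframe inside the child window.
 */
function testURLInOpenedWindow(testURL) {
  const openedWindow = window.open("javascript:''", "_blank");
  if (!openedWindow) {
    ok(false, `window.open() returned null, cannot test ${testURL}`);
    markTestCaseComplete();
    return;
  }

  // Scheme of a URL string, e.g. "https" for "https://host/path".
  const schemeOf = (url) => url.split(":")[0];

  openedWindow.onload = function() {
    // Build the iframe with DOM calls instead of innerHTML; the resulting DOM
    // is the same single <iframe id="testframe"> child of <body>.
    const testframe = openedWindow.document.createElement("iframe");
    testframe.id = "testframe";
    // Insert first, attach handlers afterwards and only then set src, in the
    // same order as before: the initial about:blank load of the iframe (which
    // may fire at insertion) must not be reported as the test load.
    openedWindow.document.body.appendChild(testframe);

    testframe.onload = function(event) {
      try {
        // Privileged read of the loaded document's triggeringPrincipal.
        const triggeringPrincipal = SpecialPowers.wrap(this.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
        openedWindow.opener.postMessage({outcome: 'loaded', method: schemeOf(this.src), src: this.src, target: event.target.src, triggeringPrincipal}, '*');
      } catch (error) {
        // CSP can deny access to the iframe's docShell; report that so the
        // case is skipped. Anything else is a real failure and is rethrown
        // (the window is then left open on purpose). NOTE: matching the exact
        // engine error text is brittle; update it if the message changes.
        if (error.name === "SecurityError" && error.message === 'Permission denied to access property "docShell" on cross-origin object') {
          openedWindow.opener.postMessage({outcome: 'csp-error', method: schemeOf(this.src), src: this.src}, '*');
        } else {
          throw error;
        }
      }
      openedWindow.close();
    };

    testframe.onerror = function(error) {
      // A mixed-content block surfaces as an error event on the iframe.
      openedWindow.opener.postMessage({outcome: 'blocked', method: schemeOf(this.src), src: this.src, target: error.target.src}, '*');
      openedWindow.close();
    };

    testframe.src = testURL;
  };
}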
// Drive the two cases: an http and an https iframe inside an https-origin
// child window. The length of this list must equal numberOfTestCases above.
const testCaseURLs = [
  // eslint-disable-next-line @microsoft/sdl/no-insecure-url
  "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html",
  "https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html",
];
for (const url of testCaseURLs) {
  testURLInOpenedWindow(url);
}
</script>
</body>
</html>