diff options
Diffstat (limited to 'dom/security/test/csp/test_frameancestors_userpass.html')
-rw-r--r-- | dom/security/test/csp/test_frameancestors_userpass.html | 148 |
1 files changed, 148 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_frameancestors_userpass.html b/dom/security/test/csp/test_frameancestors_userpass.html new file mode 100644 index 0000000000..332318fe17 --- /dev/null +++ b/dom/security/test/csp/test_frameancestors_userpass.html @@ -0,0 +1,148 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test for Userpass in Frame Ancestors directive</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<iframe style="width:100%;height:300px;" id='cspframe'></iframe> +<script class="testbody" type="text/javascript"> + +// These are test results: -1 means it hasn't run, +// true/false is the pass/fail result. +var framesThatShouldLoad = { + frame_a: -1, /* frame a allowed */ + frame_b: -1, /* frame b allowed */ +}; + +// Number of tests that pass for this file should be 1 +var expectedViolationsLeft = 1; + +// CSP frame-ancestor checks happen in the parent, hence we have to +// proxy the csp violation notifications. +SpecialPowers.registerObservers("csp-on-violate-policy"); + +// This is used to watch the blocked data bounce off CSP and allowed data +// get sent out to the wire. +function examiner() { + SpecialPowers.addObserver(this, "specialpowers-csp-on-violate-policy"); +} +examiner.prototype = { + observe(subject, topic, data) { + // subject should be an nsURI... though could be null since CSP + // prohibits cross-origin URI reporting during frame ancestors checks. + if (subject && !SpecialPowers.can_QI(subject)) + return; + + var asciiSpec = subject; + + try { + asciiSpec = SpecialPowers.getPrivilegedProps( + SpecialPowers.do_QueryInterface(subject, "nsIURI"), + "asciiSpec"); + + // skip checks on the test harness -- can't do this skipping for + // cross-origin blocking since the observer doesn't get the URI. This + // can cause this test to over-succeed (but only in specific cases). + if (asciiSpec.includes("test_frameancestors_userpass.html")) { + return; + } + } catch (ex) { + // was not an nsIURI, so it was probably a cross-origin report. + } + + if (topic === "specialpowers-csp-on-violate-policy") { + //these were blocked... record that they were blocked + window.frameBlocked(asciiSpec, data); + } + }, + + // must eventually call this to remove the listener, + // or mochitests might get borked. + remove() { + SpecialPowers.removeObserver(this, "specialpowers-csp-on-violate-policy"); + } +} + +// called when a frame is loaded +// -- if it's not enumerated above, it should not load! +var frameLoaded = function(testname, uri) { + //test already complete.... forget it... remember the first result. + if (window.framesThatShouldLoad[testname] != -1) + return; + + if (typeof window.framesThatShouldLoad[testname] === 'undefined') { + // uh-oh, we're not expecting this frame to load! + ok(false, testname + ' framed site should not have loaded: ' + uri); + } else { + //Check if @ symbol is there in URI. + if (uri.includes('@')) { + ok(false, ' URI contains userpass. Fetched URI is ' + uri); + } else { + framesThatShouldLoad[testname] = true; + ok(true, ' URI doesn\'t contain userpass. Fetched URI is ' + uri); + } + } + checkTestResults(); +} + +// called when a frame is blocked +// -- we can't determine *which* frame was blocked, but at least we can count them +var frameBlocked = function(uri, policy) { + + //Check if @ symbol is there in URI or in csp policy. + // Bug 1557712: Intermittent failure -> not sure why the 'uri' might ever + // be non existing at this point, however if there is no uri, there can + // also be no userpass! + if (policy.includes('@') || + (typeof uri === 'string' && uri.includes('@'))) { + ok(false, ' a CSP policy blocked frame from being loaded. But contains' + + ' userpass. Policy is: ' + policy + ';URI is: ' + uri ); + } else { + ok(true, ' a CSP policy blocked frame from being loaded. Doesn\'t contain'+ + ' userpass. Policy is: ' + policy + ';URI is: ' + uri ); + } + expectedViolationsLeft--; + checkTestResults(); +} + + +// Check to see if all the tests have run +var checkTestResults = function() { + // if any test is incomplete, keep waiting + for (var v in framesThatShouldLoad) + if(window.framesThatShouldLoad[v] == -1) + return; + + if (window.expectedViolationsLeft > 0) + return; + + // ... otherwise, finish + window.examiner.remove(); + SimpleTest.finish(); +} + +window.addEventListener("message", receiveMessage); + +function receiveMessage(event) { + if (event.data.call && event.data.call == 'frameLoaded') + frameLoaded(event.data.testname, event.data.uri); +} + +////////////////////////////////////////////////////////////////////// +// set up and go +window.examiner = new examiner(); +SimpleTest.waitForExplicitFinish(); + +// save this for last so that our listeners are registered. +// ... this loads the testbed of good and bad requests. +document.getElementById('cspframe').src = 'file_frameancestors_userpass.html'; + +</script> +</pre> +</body> +</html> |