blob: 137d459654ae58869a0d42bd1615b2ea5d7bc443 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
<!DOCTYPE HTML>
<html>
<head>
<title>Test if XSLT stylesheet is subject to document's CSP</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none"></div>
<iframe style="width:100%;" id='xsltframe'></iframe>
<iframe style="width:100%;" id='xsltframe2'></iframe>
<script class="testbody" type="text/javascript">
SimpleTest.waitForExplicitFinish();
// define the expected output of this test
var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
var finishedTests = 0;
var numberOfTests = 2;
var checkExplicitFinish = function() {
finishedTests++;
if (finishedTests == numberOfTests) {
SimpleTest.finish();
}
}
function checkAllowed () {
/* The policy for this test is:
* Content-Security-Policy: default-src 'self'
*
* we load the xsl file using:
* <?xml-stylesheet type="text/xsl" href="file_bug663467.xsl"?>
*/
try {
var cspframe = document.getElementById('xsltframe');
var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
}
catch (e) {
ok(false, "Error: could not access content in xsltframe!")
}
checkExplicitFinish();
}
function checkBlocked () {
/* The policy for this test is:
* Content-Security-Policy: default-src *.example.com
*
* we load the xsl file using:
* <?xml-stylesheet type="text/xsl" href="file_bug663467.xsl"?>
*/
try {
var cspframe = document.getElementById('xsltframe2');
var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
}
catch (e) {
ok(false, "Error: could not access content in xsltframe2!")
}
checkExplicitFinish();
}
document.getElementById('xsltframe').addEventListener('load', checkAllowed);
document.getElementById('xsltframe').src = 'file_bug663567_allows.xml';
document.getElementById('xsltframe2').addEventListener('load', checkBlocked);
document.getElementById('xsltframe2').src = 'file_bug663567_blocks.xml';
</script>
</body>
</html>
|