summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_ignore_xfo.html
blob: 5dbfecd18dc09bcba8f1d29d9686078fec2c618d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="csp_testframe"></iframe>
<iframe style="width:100%;" id="csp_testframe_no_xfo"></iframe>
<iframe style="width:100%;" id="csp_ro_testframe"></iframe>

<script class="testbody" type="text/javascript">

/*
 * We load two frames using:
 *   x-frame-options: deny
 * where the first frame uses a csp and the second a csp_ro including frame-ancestors.
 * We make sure that xfo is ignored for regular csp but not for csp_ro.
 */

SimpleTest.waitForExplicitFinish();

var script = SpecialPowers.loadChromeScript(() => {
/* eslint-env mozilla/chrome-script */
  let ignoreCount = 0;
  function listener(msg) {
    if(msg.message.includes("Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.")) {
      ignoreCount++;
      if(ignoreCount == 2) {
        ok(false, 'The "Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning should only appear once for the csp_testframe.');
      }
    }
  }
  Services.console.registerListener(listener);

  addMessageListener("cleanup", () => {
    Services.console.unregisterListener(listener);
  });
});

SimpleTest.registerCleanupFunction(async () => {
  await script.sendQuery("cleanup");
});

var testcounter = 0;
function checkFinished() {
  testcounter++;
  if (testcounter < 4) {
    return;
  }
  // remove the listener and we are done.
  window.examiner.remove();
  SimpleTest.finish();
}

// X-Frame-Options checks happen in the parent, hence we have to
// proxy the xfo violation notifications.
SpecialPowers.registerObservers("xfo-on-violate-policy");

function examiner() {
  SpecialPowers.addObserver(this, "specialpowers-xfo-on-violate-policy");
}
examiner.prototype  = {
  observe(subject, topic, data) {
    var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");

    is(asciiSpec, "http://mochi.test:8888/tests/dom/security/test/csp/file_ro_ignore_xfo.html", "correct subject");  
    ok(topic.endsWith("xfo-on-violate-policy"), "correct topic");
    is(data, "deny", "correct data");
    checkFinished();
  },
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-xfo-on-violate-policy");
  }
}
window.examiner = new examiner();

// 1) test XFO with CSP
var csp_testframe = document.getElementById("csp_testframe");
csp_testframe.onload = function() {
  var msg = csp_testframe.contentDocument.getElementById("cspmessage");
  is(msg.innerHTML, "Ignoring XFO because of CSP", "Loading frame with with XFO and CSP");
  checkFinished();
}
csp_testframe.onerror = function() {
  ok(false, "sanity: should not fire onerror for csp_testframe");
  checkFinished();
}
csp_testframe.src = "file_ignore_xfo.html";

// 2) test XFO with CSP_RO
var csp_ro_testframe = document.getElementById("csp_ro_testframe");
// If XFO denies framing then the onload event should fire.
csp_ro_testframe.onload = function() {
  ok(true, "sanity: should fire onload for csp_ro_testframe");
  checkFinished();
}
csp_ro_testframe.onerror = function() {
  ok(false, "sanity: should not fire onerror for csp_ro_testframe");
  checkFinished();
}
csp_ro_testframe.src = "file_ro_ignore_xfo.html";

var csp_testframe_no_xfo = document.getElementById("csp_testframe_no_xfo");
csp_testframe_no_xfo.onload = function() {
  var msg = csp_testframe_no_xfo.contentDocument.getElementById("cspmessage");
  is(msg.innerHTML, "Do not log xfo ignore warning when no xfo is set.", "Loading frame with with no XFO and CSP");
  checkFinished();
}
csp_testframe_no_xfo.onerror = function() {
  ok(false, "sanity: should not fire onerror for csp_testframe_no_xfo");
  checkFinished();
}
csp_testframe_no_xfo.src = "file_no_log_ignore_xfo.html";

</script>
</body>
</html>