diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /dom/security/test/csp/test_ignore_xfo.html | |
parent | Initial commit. (diff) | |
download | firefox-esr-upstream.tar.xz firefox-esr-upstream.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'dom/security/test/csp/test_ignore_xfo.html')
-rw-r--r-- | dom/security/test/csp/test_ignore_xfo.html | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_ignore_xfo.html b/dom/security/test/csp/test_ignore_xfo.html new file mode 100644 index 0000000000..5dbfecd18d --- /dev/null +++ b/dom/security/test/csp/test_ignore_xfo.html @@ -0,0 +1,120 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<iframe style="width:100%;" id="csp_testframe"></iframe> +<iframe style="width:100%;" id="csp_testframe_no_xfo"></iframe> +<iframe style="width:100%;" id="csp_ro_testframe"></iframe> + +<script class="testbody" type="text/javascript"> + +/* + * We load two frames using: + * x-frame-options: deny + * where the first frame uses a csp and the second a csp_ro including frame-ancestors. + * We make sure that xfo is ignored for regular csp but not for csp_ro. + */ + +SimpleTest.waitForExplicitFinish(); + +var script = SpecialPowers.loadChromeScript(() => { +/* eslint-env mozilla/chrome-script */ + let ignoreCount = 0; + function listener(msg) { + if(msg.message.includes("Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.")) { + ignoreCount++; + if(ignoreCount == 2) { + ok(false, 'The "Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning should only appear once for the csp_testframe.'); + } + } + } + Services.console.registerListener(listener); + + addMessageListener("cleanup", () => { + Services.console.unregisterListener(listener); + }); +}); + +SimpleTest.registerCleanupFunction(async () => { + await script.sendQuery("cleanup"); +}); + +var testcounter = 0; +function checkFinished() { + testcounter++; + if (testcounter < 4) { + return; + } + // remove the listener and we are done. + window.examiner.remove(); + SimpleTest.finish(); +} + +// X-Frame-Options checks happen in the parent, hence we have to +// proxy the xfo violation notifications. +SpecialPowers.registerObservers("xfo-on-violate-policy"); + +function examiner() { + SpecialPowers.addObserver(this, "specialpowers-xfo-on-violate-policy"); +} +examiner.prototype = { + observe(subject, topic, data) { + var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec"); + + is(asciiSpec, "http://mochi.test:8888/tests/dom/security/test/csp/file_ro_ignore_xfo.html", "correct subject"); + ok(topic.endsWith("xfo-on-violate-policy"), "correct topic"); + is(data, "deny", "correct data"); + checkFinished(); + }, + remove() { + SpecialPowers.removeObserver(this, "specialpowers-xfo-on-violate-policy"); + } +} +window.examiner = new examiner(); + +// 1) test XFO with CSP +var csp_testframe = document.getElementById("csp_testframe"); +csp_testframe.onload = function() { + var msg = csp_testframe.contentDocument.getElementById("cspmessage"); + is(msg.innerHTML, "Ignoring XFO because of CSP", "Loading frame with with XFO and CSP"); + checkFinished(); +} +csp_testframe.onerror = function() { + ok(false, "sanity: should not fire onerror for csp_testframe"); + checkFinished(); +} +csp_testframe.src = "file_ignore_xfo.html"; + +// 2) test XFO with CSP_RO +var csp_ro_testframe = document.getElementById("csp_ro_testframe"); +// If XFO denies framing then the onload event should fire. +csp_ro_testframe.onload = function() { + ok(true, "sanity: should fire onload for csp_ro_testframe"); + checkFinished(); +} +csp_ro_testframe.onerror = function() { + ok(false, "sanity: should not fire onerror for csp_ro_testframe"); + checkFinished(); +} +csp_ro_testframe.src = "file_ro_ignore_xfo.html"; + +var csp_testframe_no_xfo = document.getElementById("csp_testframe_no_xfo"); +csp_testframe_no_xfo.onload = function() { + var msg = csp_testframe_no_xfo.contentDocument.getElementById("cspmessage"); + is(msg.innerHTML, "Do not log xfo ignore warning when no xfo is set.", "Loading frame with with no XFO and CSP"); + checkFinished(); +} +csp_testframe_no_xfo.onerror = function() { + ok(false, "sanity: should not fire onerror for csp_testframe_no_xfo"); + checkFinished(); +} +csp_testframe_no_xfo.src = "file_no_log_ignore_xfo.html"; + +</script> +</body> +</html> |