summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_bug1764343.html
diff options
context:
space:
mode:
Diffstat (limited to 'dom/security/test/csp/test_bug1764343.html')
-rw-r--r--dom/security/test/csp/test_bug1764343.html116
1 files changed, 116 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_bug1764343.html b/dom/security/test/csp/test_bug1764343.html
new file mode 100644
index 0000000000..1af9a710fe
--- /dev/null
+++ b/dom/security/test/csp/test_bug1764343.html
@@ -0,0 +1,116 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Bug 1764343 - CSP inheritance for same-origin iframes</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+ <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'nonce-parent' 'nonce-a' 'nonce-b' 'nonce-c'; img-src 'self' data:">
+</head>
+<body>
+ <iframe id="sameOriginMetaFrame"></iframe>
+ <iframe id="aboutBlankMetaFrame"></iframe>
+<script nonce='parent'>
+SimpleTest.waitForExplicitFinish();
+
+const NEW_HTML =`
+ <head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-a' 'nonce-c' 'nonce-d';">
+ </head>
+ <body>
+ <style>
+ body { background-color: rgb(255, 0, 0); }
+ </style>
+ <script nonce="a">
+ document.a = true;
+ <\/script>
+ <script nonce="b">
+ document.b = true;
+ <\/script>
+ <script nonce="c">
+ document.c = true;
+ <\/script>
+ <script nonce="d">
+ document.d = true;
+ <\/script>
+ <img id="testInlineImage"></img>
+ </body>
+ `;
+
+// test file's CSP meta tags shouldn't overwrite same-origin iframe's CSP meta tags
+async function testBlocked() {
+ info("testBlocked");
+
+ let sameOriginMetaFrame = document.getElementById("sameOriginMetaFrame");
+ let onFrameLoad = new Promise(resolve => {
+ sameOriginMetaFrame.addEventListener('load', resolve, {once: true});
+ });
+ sameOriginMetaFrame.src = 'file_bug1764343.html';
+ await onFrameLoad;
+
+ let doc = sameOriginMetaFrame.contentDocument;
+ doc.open();
+ doc.write(NEW_HTML);
+
+ let bgcolor = window.getComputedStyle(doc.body).getPropertyValue("background-color");
+ is(bgcolor, "rgba(0, 0, 0, 0)", "inital background value in FF should be 'transparent'");
+
+ let img = doc.getElementById("testInlineImage");
+ let onImgError = new Promise(resolve => {
+ img.addEventListener('error', resolve, {once: true});
+ });
+ img.src = "//mochi.test:8888/tests/image/test/mochitest/blue.png";
+ await onImgError;
+ is(img.complete, false, "image should not be loaded");
+
+ // Make sure that CSP policy can further restrict (no 'nonce-b'), but not weak (adding 'nonce-c' or 'nonce-d')
+ is(doc.a, true, "doc.a should be true (script 'nonce-a' allowed)");
+ is(doc.b, undefined, "doc.b should be undefined (script 'nonce-b' blocked)");
+ is(doc.c, undefined, "doc.c should be undefined (script 'nonce-c' blocked)");
+ is(doc.d, undefined, "doc.d should be undefined (script 'nonce-d' blocked)");
+}
+
+ // test file's CSP meta tags should apply to about blank iframe's CSP meta tags
+async function testNotBlocked() {
+ info("testNotBlocked");
+
+ let aboutBlankMetaFrame = document.getElementById("aboutBlankMetaFrame");
+ let onFrameLoad = new Promise(resolve => {
+ aboutBlankMetaFrame.addEventListener('load', resolve, {once: true});
+ });
+ aboutBlankMetaFrame.src = 'about:blank';
+ await onFrameLoad;
+
+ let doc = aboutBlankMetaFrame.contentDocument;
+ doc.open();
+ doc.write(NEW_HTML);
+
+ let bgcolor = window.getComputedStyle(doc.body).getPropertyValue("background-color");
+ is(bgcolor, "rgb(255, 0, 0)", "background value should be updated to red");
+
+ let img = doc.getElementById("testInlineImage");
+ let onImgLoad = new Promise(resolve => {
+ img.addEventListener('load', resolve, {once: true});
+ });
+ img.src = "//mochi.test:8888/tests/image/test/mochitest/blue.png";
+ await onImgLoad;
+ is(img.complete, true, "image should be loaded");
+
+ // New HTML contains 'nonce-a/c/d' and no CSP in about:blank.
+ // (Can not weaken parent with 'nonce-d')
+ is(doc.a, true, "doc.a should be true (script 'nonce-a' allowed)");
+ is(doc.b, undefined, "doc.b should be undefined (script 'nonce-b' blocked)");
+ is(doc.c, true, "doc.c should be true (script 'nonce-c' allowed)");
+ is(doc.d, undefined, "doc.d should be true (script 'nonce-d' blocked)");
+}
+
+(async function () {
+ await testBlocked();
+ await testNotBlocked();
+ SimpleTest.finish();
+})();
+</script>
+</body>
+</html>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-28 12:46:26 +0000