<!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>Bug 663570 - Implement Content Security Policy via <meta> tag</title> <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> <script src="/tests/SimpleTest/SimpleTest.js"></script> <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> </head> <body> <p id="display"></p> <iframe style="width:100%;" id="testframe" src="file_meta_element.html"></iframe> <script class="testbody" type="text/javascript"> /* Description of the test: * The test is twofold: * First, by loading a page using meta csp (into an iframe) we make sure that * images get correctly blocked as the csp policy includes "img-src 'none'"; * * Second, we make sure meta csp ignores the following directives: * * report-uri * * frame-ancestors * * sandbox * * Please note that the CSP sanbdox directive (bug 671389) has not landed yet. * Once bug 671389 lands this test will fail and needs to be updated. */ SimpleTest.waitForExplicitFinish(); const EXPECTED_DIRS = ["img-src", "script-src"]; function finishTest() { window.removeEventListener("message", receiveMessage); SimpleTest.finish(); } function checkResults(result) { is(result, "img-blocked", "loading images should be blocked by meta csp"); try { // get the csp in JSON notation from the principal var frame = document.getElementById("testframe"); var contentDoc = SpecialPowers.wrap(frame.contentDocument); var cspJSON = contentDoc.cspJSON; ok(cspJSON, "CSP applied through meta element"); // parse the cspJSON in a csp-object var cspOBJ = JSON.parse(cspJSON); ok(cspOBJ, "was able to parse the JSON"); // make sure we only got one policy var policies = cspOBJ["csp-policies"]; is(policies.length, 1, "there should be one policy applied"); // iterate the policy and make sure to only encounter // expected directives. var policy = policies[0]; for (var dir in policy) { // special case handling for report-only which is not a directive // but present in the JSON notation of the CSP. if (dir === "report-only") { continue; } var index = EXPECTED_DIRS.indexOf(dir); isnot(index, -1, "meta csp contains directive: " + dir + "!"); // take the element out of the array so we can make sure // that we have seen all the expected values in the end. EXPECTED_DIRS.splice(index, 1); } is(EXPECTED_DIRS.length, 0, "have seen all the expected values"); } catch (e) { ok(false, "uuh, something went wrong within meta csp test"); } finishTest(); } // a postMessage handler used to bubble up the onsuccess/onerror state // from within the iframe. window.addEventListener("message", receiveMessage); function receiveMessage(event) { checkResults(event.data.result); } </script> </body> </html>