summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_docwrite_meta.html
blob: 776f1bb32f4d67c970bbf161245484dc60e1795e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Bug 663570 - Implement Content Security Policy via meta tag</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<iframe style="width:100%;" id="writemetacspframe"></iframe>
<iframe style="width:100%;" id="commentmetacspframe"></iframe>


<script class="testbody" type="text/javascript">
/* Description of the test:
 * We load two frames, where the first frame does doc.write(meta csp) and
 * the second does doc.write(comment out meta csp).
 * We make sure to reuse/invalidate preloads depending on the policy.
 */

SimpleTest.waitForExplicitFinish();

var writemetacspframe = document.getElementById("writemetacspframe");
var commentmetacspframe = document.getElementById("commentmetacspframe");
var seenResults = 0;

function checkTestsDone() {
  seenResults++;
  if (seenResults < 2) {
    return;
  }
  SimpleTest.finish();
}

// document.write(<meta csp ...>) should block resources from being included in the doc
function checkResultsBlocked() {
  writemetacspframe.removeEventListener('load', checkResultsBlocked);

  // stylesheet: default background color within FF is transparent
  var bgcolor = window.getComputedStyle(writemetacspframe.contentDocument.body)
                      .getPropertyValue("background-color");
  is(bgcolor, "rgba(0, 0, 0, 0)", "inital background value in FF should be 'transparent'");

  // image: make sure image is blocked
  var img = writemetacspframe.contentDocument.getElementById("testimage");
  is(img.naturalWidth, 0, "image width should be 0");
  is(img.naturalHeight, 0, "image height should be 0");

  // script: make sure defined variable in external script is undefined
  is(writemetacspframe.contentDocument.myMetaCSPScript, undefined, "myMetaCSPScript should be 'undefined'");

  checkTestsDone();
}

// document.write(<--) to comment out meta csp should allow resources to be loaded
// after the preload failed
function checkResultsAllowed() {
  commentmetacspframe.removeEventListener('load', checkResultsAllowed);

  // stylesheet: should be applied; bgcolor should be red
  var bgcolor = window.getComputedStyle(commentmetacspframe.contentDocument.body).getPropertyValue("background-color");
  is(bgcolor, "rgb(255, 0, 0)", "background should be red/rgb(255, 0, 0)");

  // image: should be completed
  var img = commentmetacspframe.contentDocument.getElementById("testimage");
  ok(img.complete, "image should not be loaded");

  // script: defined variable in external script should be accessible
  is(commentmetacspframe.contentDocument.myMetaCSPScript, "external-JS-loaded", "myMetaCSPScript should be 'external-JS-loaded'");

  checkTestsDone();
}

// doc.write(meta csp) should should allow preloads but should block actual loads
writemetacspframe.src = 'file_docwrite_meta.html';
writemetacspframe.addEventListener('load', checkResultsBlocked);

// commenting out a meta CSP should result in loaded image, script, style
commentmetacspframe.src = 'file_doccomment_meta.html';
commentmetacspframe.addEventListener('load', checkResultsAllowed);

</script>
</body>
</html>