summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_ignore_xfo.html
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /dom/security/test/csp/test_ignore_xfo.html
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'dom/security/test/csp/test_ignore_xfo.html')
-rw-r--r--dom/security/test/csp/test_ignore_xfo.html120
1 files changed, 120 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_ignore_xfo.html b/dom/security/test/csp/test_ignore_xfo.html
new file mode 100644
index 0000000000..73c0dea44f
--- /dev/null
+++ b/dom/security/test/csp/test_ignore_xfo.html
@@ -0,0 +1,120 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</title>
+ <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="csp_testframe"></iframe>
+<iframe style="width:100%;" id="csp_testframe_no_xfo"></iframe>
+<iframe style="width:100%;" id="csp_ro_testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/*
+ * We load two frames using:
+ * x-frame-options: deny
+ * where the first frame uses a csp and the second a csp_ro including frame-ancestors.
+ * We make sure that xfo is ignored for regular csp but not for csp_ro.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+var script = SpecialPowers.loadChromeScript(() => {
+/* eslint-env mozilla/chrome-script */
+ let ignoreCount = 0;
+ function listener(msg) {
+ if(msg.message.includes("Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.")) {
+ ignoreCount++;
+ if(ignoreCount == 2) {
+ ok(false, 'The "Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning should only appear once for the csp_testframe.');
+ }
+ }
+ }
+ Services.console.registerListener(listener);
+
+ addMessageListener("cleanup", () => {
+ Services.console.unregisterListener(listener);
+ });
+});
+
+SimpleTest.registerCleanupFunction(async () => {
+ await script.sendQuery("cleanup");
+});
+
+var testcounter = 0;
+function checkFinished() {
+ testcounter++;
+ if (testcounter < 4) {
+ return;
+ }
+ // remove the listener and we are done.
+ window.examiner.remove();
+ SimpleTest.finish();
+}
+
+// X-Frame-Options checks happen in the parent, hence we have to
+// proxy the xfo violation notifications.
+SpecialPowers.registerObservers("xfo-on-violate-policy");
+
+function examiner() {
+ SpecialPowers.addObserver(this, "specialpowers-xfo-on-violate-policy");
+}
+examiner.prototype = {
+ observe(subject, topic, data) {
+ var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+
+ is(asciiSpec, "http://mochi.test:8888/tests/dom/security/test/csp/file_ro_ignore_xfo.html", "correct subject");
+ ok(topic.endsWith("xfo-on-violate-policy"), "correct topic");
+ is(data, "deny", "correct data");
+ checkFinished();
+ },
+ remove() {
+ SpecialPowers.removeObserver(this, "specialpowers-xfo-on-violate-policy");
+ }
+}
+window.examiner = new examiner();
+
+// 1) test XFO with CSP
+var csp_testframe = document.getElementById("csp_testframe");
+csp_testframe.onload = function() {
+ var msg = csp_testframe.contentDocument.getElementById("cspmessage");
+ is(msg.innerHTML, "Ignoring XFO because of CSP", "Loading frame with with XFO and CSP");
+ checkFinished();
+}
+csp_testframe.onerror = function() {
+ ok(false, "sanity: should not fire onerror for csp_testframe");
+ checkFinished();
+}
+csp_testframe.src = "file_ignore_xfo.html";
+
+// 2) test XFO with CSP_RO
+var csp_ro_testframe = document.getElementById("csp_ro_testframe");
+// If XFO denies framing then the onload event should fire.
+csp_ro_testframe.onload = function() {
+ ok(true, "sanity: should fire onload for csp_ro_testframe");
+ checkFinished();
+}
+csp_ro_testframe.onerror = function() {
+ ok(false, "sanity: should not fire onerror for csp_ro_testframe");
+ checkFinished();
+}
+csp_ro_testframe.src = "file_ro_ignore_xfo.html";
+
+var csp_testframe_no_xfo = document.getElementById("csp_testframe_no_xfo");
+csp_testframe_no_xfo.onload = function() {
+ var msg = csp_testframe_no_xfo.contentDocument.getElementById("cspmessage");
+ is(msg.innerHTML, "Do not log xfo ignore warning when no xfo is set.", "Loading frame with with no XFO and CSP");
+ checkFinished();
+}
+csp_testframe_no_xfo.onerror = function() {
+ ok(false, "sanity: should not fire onerror for csp_testframe_no_xfo");
+ checkFinished();
+}
+csp_testframe_no_xfo.src = "file_no_log_ignore_xfo.html";
+
+</script>
+</body>
+</html>