diff options
Diffstat (limited to '')
-rw-r--r-- | dom/security/test/csp/test_inlinescript.html | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_inlinescript.html b/dom/security/test/csp/test_inlinescript.html new file mode 100644 index 0000000000..99b055f0c7 --- /dev/null +++ b/dom/security/test/csp/test_inlinescript.html @@ -0,0 +1,123 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta charset="utf-8"> + <title>Test for Content Security Policy Frame Ancestors directive</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script src="/tests/SimpleTest/EventUtils.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<p id="display"></p> +<div id="content" style="display: none"> +</div> +<iframe style="width:100%;height:300px;" id='testframe'></iframe> + +<script class="testbody" type="text/javascript"> + +var tests = [ + { + /* test allowed */ + csp: "default-src 'self'; script-src 'self' 'unsafe-inline'", + results: ["body-onload-fired", "text-node-fired", + "javascript-uri-fired", "javascript-uri-anchor-fired"], + desc: "allow inline scripts", + received: 0, // counter to make sure we received all 4 reports + }, + { + /* test blocked */ + csp: "default-src 'self'", + results: ["inline-script-blocked"], + desc: "block inline scripts", + received: 0, // counter to make sure we received all 4 reports + } +]; + +var counter = 0; +var curTest; + +// This is used to watch the blocked data bounce off CSP and allowed data +// get sent out to the wire. +function examiner() { + SpecialPowers.addObserver(this, "csp-on-violate-policy"); +} +examiner.prototype = { + observe(subject, topic, data) { + if (topic !== "csp-on-violate-policy") { + return; + } + + var what = SpecialPowers.getPrivilegedProps(SpecialPowers. + do_QueryInterface(subject, "nsISupportsCString"), "data"); + + if (!what.includes("Inline Script had invalid hash") && + !what.includes("Inline Scripts will not execute")) { + return; + } + window.checkResults("inline-script-blocked"); + }, + remove() { + SpecialPowers.removeObserver(this, "csp-on-violate-policy"); + } +} + +function finishTest() { + window.examiner.remove(); + window.removeEventListener("message", receiveMessage); + SimpleTest.finish(); +} + +// Check to see if all the tests have run +var checkResults = function(result) { + var index = curTest.results.indexOf(result); + isnot(index, -1, "should find result (" + result +") within test: " + curTest.desc); + if (index > -1) { + curTest.received += 1; + } + + // make sure we receive all the 4 reports for the 4 inline scripts + if (curTest.received < 4) { + return; + } + + if (counter < tests.length) { + loadNextTest(); + return; + } + finishTest(); +} + +// a postMessage handler that is used to bubble up results from the testframe +window.addEventListener("message", receiveMessage); +function receiveMessage(event) { + checkResults(event.data); +} + +function clickit() { + document.getElementById("testframe").removeEventListener('load', clickit); + var testframe = document.getElementById('testframe'); + var a = testframe.contentDocument.getElementById('anchortoclick'); + sendMouseEvent({type:'click'}, a, testframe.contentWindow); +} + +function loadNextTest() { + curTest = tests[counter++]; + var src = "file_testserver.sjs?file="; + // append the file that should be served + src += escape("tests/dom/security/test/csp/file_inlinescript.html"); + // append the CSP that should be used to serve the file + src += "&csp=" + escape(curTest.csp); + + document.getElementById("testframe").src = src; + document.getElementById("testframe").addEventListener("load", clickit); +} + +// set up the test and go +window.examiner = new examiner(); +SimpleTest.waitForExplicitFinish(); +loadNextTest(); + +</script> + +</body> +</html> |