Diffstat (limited to 'dom/security/test/csp/test_meta_header_dual.html')
-rw-r--r-- | dom/security/test/csp/test_meta_header_dual.html | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_meta_header_dual.html b/dom/security/test/csp/test_meta_header_dual.html
new file mode 100644
index 0000000000..679512d068
--- /dev/null
+++ b/dom/security/test/csp/test_meta_header_dual.html
@@ -0,0 +1,135 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Bug 663570 - Implement Content Security Policy via meta tag</title>
+ <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We test all sorts of CSPs on documents, including documents with no
+ * CSP, with meta CSP and with meta CSP in combination with a CSP header.
+ */
+
+const TESTS = [
+ {
+ /* load image without any CSP */
+ query: "test1",
+ result: "img-loaded",
+ policyLen: 0,
+ desc: "no CSP should allow load",
+ },
+ {
+ /* load image where meta denies load */
+ query: "test2",
+ result: "img-blocked",
+ policyLen: 1,
+ desc: "meta (img-src 'none') should block load"
+ },
+ {
+ /* load image where meta allows load */
+ query: "test3",
+ result: "img-loaded",
+ policyLen: 1,
+ desc: "meta (img-src http://mochi.test) should allow load"
+ },
+ {
+ /* load image where meta allows but header blocks */
+ query: "test4", // triggers speculative load
+ result: "img-blocked",
+ policyLen: 2,
+ desc: "meta (img-src http://mochi.test), header (img-src 'none') should block load"
+ },
+ {
+ /* load image where meta blocks but header allows */
+ query: "test5", // triggers speculative load
+ result: "img-blocked",
+ policyLen: 2,
+ desc: "meta (img-src 'none'), header (img-src http://mochi.test) should block load"
+ },
+ {
+ /* load image where meta allows and header allows */
+ query: "test6", // triggers speculative load
+ result: "img-loaded",
+ policyLen: 2,
+ desc: "meta (img-src http://mochi.test), header (img-src http://mochi.test) should allow load"
+ },
+ {
+ /* load image where meta1 allows but meta2 blocks */
+ query: "test7",
+ result: "img-blocked",
+ policyLen: 2,
+ desc: "meta1 (img-src http://mochi.test), meta2 (img-src 'none') should allow blocked"
+ },
+ {
+ /* load image where meta1 allows and meta2 allows */
+ query: "test8",
+ result: "img-loaded",
+ policyLen: 2,
+ desc: "meta1 (img-src http://mochi.test), meta2 (img-src http://mochi.test) should allow allowed"
+ },
+];
+
+var curTest;
+var counter = -1;
+
+function finishTest() {
+ window.removeEventListener("message", receiveMessage);
+ SimpleTest.finish();
+}
+
+function checkResults(result) {
+ // make sure the image got loaded or blocked
+ is(result, curTest.result, curTest.query + ": " + curTest.desc);
+
+ if (curTest.policyLen != 0) {
+ // make sure that meta policy got not parsed and appended twice
+ try {
+ // get the csp in JSON notation from the principal
+ var frame = document.getElementById("testframe");
+ var contentDoc = SpecialPowers.wrap(frame.contentDocument);
+ var cspOBJ = JSON.parse(contentDoc.cspJSON);
+ // make sure that the speculative policy and the actual policy
+ // are not appended twice.
+ var policies = cspOBJ["csp-policies"];
+ is(policies.length, curTest.policyLen, curTest.query + " should have: " + curTest.policyLen + " policies");
+ }
+ catch (e) {
+ ok(false, "uuh, something went wrong within cspToJSON in " + curTest.query);
+ }
+ }
+ // move on to the next test
+ runNextTest();
+}
+
+// a postMessage handler used to bubble up the
+// onsuccess/onerror state from within the iframe.
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+ checkResults(event.data.result);
+}
+
+function runNextTest() {
+ if (++counter == TESTS.length) {
+ finishTest();
+ return;
+ }
+ curTest = TESTS[counter];
+ // load next test
+ document.getElementById("testframe").src = "file_meta_header_dual.sjs?" + curTest.query;
+}
+
+// start the test
+SimpleTest.waitForExplicitFinish();
+runNextTest();
+
+</script>
+</body>
+</html>
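Review bot: The `desc` strings for test7 and test8 contradict the expected results they annotate — test7 expects `img-blocked` yet its description reads "should allow blocked", and test8's reads "should allow allowed"; since `desc` is what `is()` prints on failure, they should read `desc: "meta1 (img-src http://mochi.test), meta2 (img-src 'none') should block load"` and `desc: "meta1 (img-src http://mochi.test), meta2 (img-src http://mochi.test) should allow load"`. The catch block in checkResults also discards the caught exception, so a failed `JSON.parse(contentDoc.cspJSON)` only reports "something went wrong"; appending `+ ": " + e` to the `ok(false, ...)` message keeps the failure diagnosable. Note too that the policy-count assertion is skipped for `policyLen: 0`, so test1 never confirms that a document with no CSP carries zero policies; if `cspJSON` is populated for such documents (not visible here), running the check unconditionally would close that gap.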