// Script to populate the test frames in the frame ancestors mochitest.
//
function setupFrames() {
  /**
   * Point every test iframe in the page at the frame-ancestors .sjs with the
   * CSP it should serve. Single-level cases load the policy-carrying document
   * directly; two-level cases wrap it in an outer frame served from base.b.
   * Runs on window load; reads nothing and returns nothing — its only effect
   * is assigning each frame's src.
   */
  const byId = (id) => document.getElementById(id);

  // Test document served from each origin (base.self is unused here; kept for parity).
  const base = {
    self: "/tests/dom/security/test/csp/file_frameancestors.sjs",
    a: "http://mochi.test:8888/tests/dom/security/test/csp/file_frameancestors.sjs",
    b: "http://example.com/tests/dom/security/test/csp/file_frameancestors.sjs",
  };

  // Both base.a and base.b live under /tests/. The frame-ancestors sources below
  // deliberately use /foo/ and /bar/ instead: the path component must be ignored
  // when frame-ancestors is enforced, so an allow case must still pass with a
  // path that never matches.
  const host = {
    a: "http://mochi.test:8888/foo/",
    b: "http://example.com:80/bar/",
  };

  // The policy handed to the .sjs; `ancestors` is the frame-ancestors source list.
  const policy = (ancestors) =>
    `default-src 'none'; frame-ancestors ${ancestors}; script-src 'self'`;

  // Single-level framing: the frame itself loads the policy-carrying document.
  // `escape` is the legacy encoder; presumably the .sjs decodes it — keep it
  // unless the server side is checked against encodeURIComponent output.
  const single = (id, origin, internalframe, ancestors) => {
    byId(id).src =
      `${origin}?testid=${id}&internalframe=${internalframe}&csp=` +
      escape(policy(ancestors));
  };

  // Two-level framing: an outer frame from base.b embeds the inner frame that
  // carries the policy. testid is passed separately because the block cases
  // reuse the allow case's testid (the .sjs appears to key on internalframe —
  // verify against the server script).
  const double = (id, innerOrigin, testid, internalframe, ancestors) => {
    const innerframeuri =
      `${innerOrigin}?testid=${testid}&double=1&internalframe=${internalframe}&csp=` +
      escape(policy(ancestors));
    byId(id).src =
      `${base.b}?externalframe=` +
      escape(`<iframe src="${innerframeuri}"></iframe>`);
  };

  single("aa_allow", base.a, "aa_a", host.a);
  single("aa_block", base.a, "aa_b", "'none'");
  single("ab_allow", base.b, "ab_a", host.a);
  single("ab_block", base.b, "ab_b", "'none'");

  /* .... two-level framing */
  double("aba_allow", base.a, "aba_allow", "aba_a", `${host.a} ${host.b}`);
  double("aba_block", base.a, "aba_allow", "aba_b", host.a);
  double("aba2_block", base.a, "aba_allow", "aba2_b", host.b);
  double("abb_allow", base.b, "abb_allow", "abb_a", `${host.a} ${host.b}`);
  double("abb_block", base.b, "abb_allow", "abb_b", host.a);
  double("abb2_block", base.b, "abb_allow", "abb2_b", host.b);
}
// Defer frame setup until the page has loaded so every target iframe exists
// when setupFrames looks it up by id.
window.addEventListener("load", setupFrames);