diff options
Diffstat (limited to 'dom/security/test/csp/test_inlinestyle.html')
| -rw-r--r-- | dom/security/test/csp/test_inlinestyle.html | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_inlinestyle.html b/dom/security/test/csp/test_inlinestyle.html new file mode 100644 index 0000000000..dc15dc5078 --- /dev/null +++ b/dom/security/test/csp/test_inlinestyle.html @@ -0,0 +1,107 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test for Content Security Policy inline stylesheets stuff</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<p id="display"></p> +<div id="content" style="display: none"> +</div> + +<iframe style="width:100%;height:300px;" id='cspframe1'></iframe> +<iframe style="width:100%;height:300px;" id='cspframe2'></iframe> +<script class="testbody" type="text/javascript"> + +////////////////////////////////////////////////////////////////////// +// set up and go +SimpleTest.waitForExplicitFinish(); + +var done = 0; + +// When a CSP 1.0 compliant policy is specified we should block inline +// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags +// (when it's not explicitly allowed.) +function checkStyles(evt) { + var cspframe = document.getElementById('cspframe1'); + var color; + + // black means the style wasn't applied. green colors are used for styles + //expected to be applied. A color is red if a style is erroneously applied + color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv')).color; + ok('rgb(0, 255, 0)' === color, 'External Stylesheet (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv')).color; + ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv')).color; + ok('rgb(0, 0, 0)' === color, 'Style Attribute (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv')).color; + ok('rgb(0, 255, 0)' === color, 'cssText (' + color + ')'); + // SMIL tests + color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null)).fill; + ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null)).fill; + ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null)).fill; + ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null)).fill; + ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')'); + + color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv')).color; + ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')'); + + checkIfDone(); +} + +// When a CSP 1.0 compliant policy is specified we should allow inline +// styles when it is explicitly allowed. +function checkStylesAllowed(evt) { + var cspframe = document.getElementById('cspframe2'); + var color; + + // black means the style wasn't applied. green colors are used for styles + // expected to be applied. A color is red if a style is erroneously applied + color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv')).color; + ok('rgb(0, 255, 0)' === color, 'External Stylesheet (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv')).color; + ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv')).color; + ok('rgb(0, 255, 0)' === color, 'Style Attribute (' + color + ')'); + + // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks, + // since it relies on executing script to set .cssText + color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv')).color; + ok('rgb(0, 255, 0)' === color, 'style.cssText (' + color + ')'); + // SMIL tests + color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null)).fill; + ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null)).fill; + ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null)).fill; + ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')'); + color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null)).fill; + ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')'); + + color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv')).color; + ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')'); + + checkIfDone(); +} + +function checkIfDone() { + done++; + if (done == 2) + SimpleTest.finish(); +} + +// save this for last so that our listeners are registered. +// ... this loads the testbed of good and bad requests. +document.getElementById('cspframe1').src = 'file_inlinestyle_main.html'; +document.getElementById('cspframe1').addEventListener('load', checkStyles); +document.getElementById('cspframe2').src = 'file_inlinestyle_main_allowed.html'; +document.getElementById('cspframe2').addEventListener('load', checkStylesAllowed); + +</script> +</pre> +</body> +</html> |