<!
DOCTYPE HTML>
<
html>
<
head>
<
title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</
title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<
script src=
"/tests/SimpleTest/SimpleTest.js"></
script>
<
link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css" />
</
head>
<
body>
<
iframe style=
"width:100%;" id=
"csp_testframe"></
iframe>
<
iframe style=
"width:100%;" id=
"csp_testframe_no_xfo"></
iframe>
<
iframe style=
"width:100%;" id=
"csp_ro_testframe"></
iframe>
<
script class=
"testbody" type=
"text/javascript">
/*
* We load two frames using:
* x-frame-options: deny
* where the first
frame uses a csp and the second a csp_ro including frame-ancestors.
* We make sure that xfo is ignored for regular csp but not for csp_ro.
*/
SimpleTest.waitForExplicitFinish();
var script = SpecialPowers.loadChromeScript(() => {
/* eslint-env mozilla/chrome-script */
let ignoreCount = 0;
function listener(msg) {
if(msg.message.includes(
"Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.")) {
ignoreCount++;
if(ignoreCount == 2) {
ok(false,
'The "Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning should only appear once for the csp_testframe.');
}
}
}
Services.console.registerListener(listener);
addMessageListener(
"cleanup", () => {
Services.console.unregisterListener(listener);
});
});
SimpleTest.registerCleanupFunction(async () => {
await
script.sendQuery(
"cleanup");
});
var testcounter = 0;
function checkFinished() {
testcounter++;
if (testcounter < 4) {
return;
}
// remove the listener and we are done.
window.examiner.remove();
SimpleTest.finish();
}
// X-Frame-Options checks happen in the parent, hence we have to
// proxy the xfo violation notifications.
SpecialPowers.registerObservers(
"xfo-on-violate-policy");
function examiner() {
SpecialPowers.addObserver(this,
"specialpowers-xfo-on-violate-policy");
}
examiner.prototype = {
observe(subject, topic, data) {
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(su
bject, "nsIURI"), "asciiSpec");
is(asciiSpec, "http://mochi.test:8888/tests/dom/security/test/csp/file_ro_ignore_xfo.html", "correct subject");
ok(topic.endsWith("xfo-on-violate-policy"), "correct topic");
is(data, "deny", "correct data");
checkFinished();
},
remove() {
SpecialPowers.removeObserver(this, "specialpowers-xfo-on-violate-policy");
}
}
window.examiner = new examiner();
// 1) test XFO with CSP
var csp_testframe = document.getElementById("csp_testframe");
csp_testframe.onload = function() {
var msg = csp_testframe.contentDocument.getElementById("cspmessage");
is(msg.innerHTML, "Ignoring XFO because of CSP", "Loading frame with with XFO and CSP");
checkFinished();
}
csp_testframe.onerror = function() {
ok(false, "sanity: should not fire onerror for csp_testframe");
checkFinished();
}
csp_testframe.src = "file_ignore_xfo.html";
// 2) test XFO with CSP_RO
var csp_ro_testframe = document.getElementById("csp_ro_testframe");
// If XFO denies framing then the onload event should fire.
csp_ro_testframe.onload = function() {
ok(true, "sanity: should fire onload for csp_ro_testframe");
checkFinished();
}
csp_ro_testframe.onerror = function() {
ok(false, "sanity: should not fire onerror for csp_ro_testframe");
checkFinished();
}
csp_ro_testframe.src = "file_ro_ignore_xfo.html";
var csp_testframe_no_xfo = document.getElementById("csp_testframe_no_xfo");
csp_testframe_no_xfo.onload = function() {
var msg = csp_testframe_no_xfo.contentDocument.getElementById("cspmessage");
is(msg.innerHTML, "Do not log xfo ignore warning when no xfo is set.", "Loading frame with with no XFO and CSP");
checkFinished();
}
csp_testframe_no_xfo.onerror = function() {
ok(false, "sanity: should not fire onerror for csp_testframe_no_xfo");
checkFinished();
}
csp_testframe_no_xfo.src = "file_no_log_ignore_xfo.html";
</script>
</body>
</html>
