<!
DOCTYPE HTML>
<
html>
<
head>
<
meta charset=
"utf-8">
<
title>Bug 663570 - Implement Content Security Policy via <
meta> tag</
title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<
script src=
"/tests/SimpleTest/SimpleTest.js"></
script>
<
link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css" />
</
head>
<
body>
<p id=
"display"></p>
<
iframe style=
"width:100%;" id=
"testframe" src=
"file_meta_element.html"></
iframe>
<
script class=
"testbody" type=
"text/javascript">
/* Description of the test:
* The test is twofold:
* First, by loading a page using
meta csp (into an
iframe) we make sure that
* images get correctly blocked as the csp policy includes
"img-src 'none'";
*
* Second, we make sure
meta csp ignores the following directives:
* * report-uri
* * frame-ancestors
* * sandbox
*
* Please note that the CSP sanbdox directive (bug 671389) has not landed yet.
* Once bug 671389 lands this test will fail and needs to be updated.
*/
SimpleTest.waitForExplicitFinish();
const EXPECTED_DIRS = [
"img-src",
"script-src"];
function finishTest() {
window.removeEventListener(
"message", receiveMessage);
SimpleTest.finish();
}
function checkResults(result) {
is(result,
"img-blocked",
"loading images should be blocked by meta csp");
try {
// get the csp in JSON notation from the principal
var frame = document.getElementById(
"testframe");
var contentDoc = SpecialPowers.wrap(
frame.contentDocument);
var cspJSON = contentDoc.cspJSON;
ok(cspJSON,
"CSP applied through meta element");
// parse the cspJSON in a csp-object
var cspOBJ = JSON.parse(cspJSON);
ok(cspOBJ,
"was able to parse the JSON");
// make sure we only got one policy
var policies = cspOBJ[
"csp-policies"];
is(policies.length, 1,
"there should be one policy applied");
// iterate the policy and make sure to only encounter
// expected directives.
var policy = policies[0];
for (
var dir in policy) {
// special case handling for report-only which is not a directive
// but present in the JSON notation of the CSP.
if (
dir ===
"report-only") {
continue;
}
var index = EXPECTED_DIRS.indexOf(
dir);
isnot(index, -1,
"meta csp contains directive: " +
dir +
"!");
// take the element out of the array so we can make sure
// that we have seen all the expected values in the end.
EXPECTED_DIRS.splice(index, 1);
}
is(EXPECTED_DIRS.length, 0,
"have seen all the expected values");
}
catch (e) {
ok(false,
"uuh, something went wrong within meta csp test");
}
finishTest();
}
// a postMessage handler used to bubble up the onsuccess/onerror state
// from within the
iframe.
window.addEventListener(
"message", receiveMessage);
function receiveMessage(event) {
checkResults(event.data.result);
}
</
script>
</
body>
</
html>
