<!
DOCTYPE HTML>
<
html>
<
head>
<
meta charset=
"utf-8">
<
title>Bug 663570 - Implement Content Security Policy via
meta tag</
title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<
script src=
"/tests/SimpleTest/SimpleTest.js"></
script>
<
link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css" />
</
head>
<
body>
<p id=
"display"></p>
<
iframe style=
"width:100%;" id=
"testframe"></
iframe>
<
script class=
"testbody" type=
"text/javascript">
/* Description of the test:
* We test all sorts of CSPs on documents, including documents with no
* CSP, with
meta CSP and with
meta CSP in combination with a CSP
header.
*/
const TESTS = [
{
/* load image without any CSP */
query:
"test1",
result:
"img-loaded",
policyLen: 0,
desc:
"no CSP should allow load",
},
{
/* load image where
meta denies load */
query:
"test2",
result:
"img-blocked",
policyLen: 1,
desc:
"meta (img-src 'none') should block load"
},
{
/* load image where
meta allows load */
query:
"test3",
result:
"img-loaded",
policyLen: 1,
desc:
"meta (img-src http://mochi.test) should allow load"
},
{
/* load image where
meta allows but
header blocks */
query:
"test4", // triggers speculative load
result:
"img-blocked",
policyLen: 2,
desc:
"meta (img-src http://mochi.test), header (img-src 'none') should block load"
},
{
/* load image where
meta blocks but
header allows */
query:
"test5", // triggers speculative load
result:
"img-blocked",
policyLen: 2,
desc:
"meta (img-src 'none'), header (img-src http://mochi.test) should block load"
},
{
/* load image where
meta allows and
header allows */
query:
"test6", // triggers speculative load
result:
"img-loaded",
policyLen: 2,
desc:
"meta (img-src http://mochi.test), header (img-src http://mochi.test) should allow load"
},
{
/* load image where meta1 allows but meta2 blocks */
query:
"test7",
result:
"img-blocked",
policyLen: 2,
desc:
"meta1 (img-src http://mochi.test), meta2 (img-src 'none') should allow blocked"
},
{
/* load image where meta1 allows and meta2 allows */
query:
"test8",
result:
"img-loaded",
policyLen: 2,
desc:
"meta1 (img-src http://mochi.test), meta2 (img-src http://mochi.test) should allow allowed"
},
];
var curTest;
var counter = -1;
function finishTest() {
window.removeEventListener(
"message", receiveMessage);
SimpleTest.finish();
}
function checkResults(result) {
// make sure the image got loaded or blocked
is(result, curTest.result, curTest.query +
": " + curTest.desc);
if (curTest.policyLen != 0) {
// make sure that
meta policy got not parsed and appended twice
try {
// get the csp in JSON notation from the principal
var frame = document.getElementById(
"testframe");
var contentDoc = SpecialPowers.wrap(
frame.contentDocument);
var cspOBJ = JSON.parse(contentDoc.cspJSON);
// make sure that the speculative policy and the actual policy
// are not appended twice.
var policies = cspOBJ[
"csp-policies"];
is(policies.length, curTest.policyLen, curTest.query +
" should have: " + curTest.poli
cyLen + " policies");
}
catch (e) {
ok(false, "uuh, something went wrong within cspToJSON in " + curTest.query);
}
}
// move on to the next test
runNextTest();
}
// a postMessage handler used to bubble up the
// onsuccess/onerror state from within the iframe.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
checkResults(event.data.result);
}
function runNextTest() {
if (++counter == TESTS.length) {
finishTest();
return;
}
curTest = TESTS[counter];
// load next test
document.getElementById("testframe").src = "file_meta_header_dual.sjs?" + curTest.query;
}
// start the test
SimpleTest.waitForExplicitFinish();
runNextTest();
</script>
</body>
</html>
