<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1073952 - Test CSP enforcement within iframe srcdoc</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/*
 * Description of the test:
 * (1) We serve a site which makes use of script-allowed sandboxed iframe srcdoc
 *     and make sure that CSP applies to the nested browsing context
 *     within the iframe.
 *     [PAGE WITH CSP [IFRAME SANDBOX SRCDOC [SCRIPT]]]
 *
 * (2) We serve a site which nests script within a script-allowed sandboxed
 *     iframe srcdoc within another script-allowed sandboxed iframe srcdoc and
 *     make sure that CSP applies to the nested browsing context
 *     within the iframe*s*.
 *     [PAGE WITH CSP [IFRAME SANDBOX SRCDOC [IFRAME SANDBOX SRCDOC [SCRIPT]]]]
 *
 * Please note that the test relies on the "csp-on-violate-policy" observer.
 * Whenever the script within the iframe is blocked observers are notified.
 * In turn, this renders the 'result' within tests[] unused. In case the script
 * would execute however, the postMessageHandler would bubble up 'allowed' and
 * the test would fail.
 */

// Tell the harness not to finish when this script ends: finishTest() calls
// SimpleTest.finish() once loadNextTest() has stepped past the last tests[] entry.
SimpleTest.waitForExplicitFinish();

/*
 * Test matrix. Each entry is loaded through file_iframe_srcdoc.sjs by
 * loadNextTest():
 *   csp    - value sent to the server as ?csp= ("" for the no-CSP cases)
 *   result - expected outcome: "allowed" when the inner script runs and posts
 *            a message, "blocked" when a CSP violation is observed instead
 *   query  - value sent as ?action=, selects the frame layout the .sjs builds
 *   desc   - label reported through is()
 */
var tests = [
  // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [SCRIPT]]]
  {
    csp: "",
    result: "allowed",
    query: "simple_iframe_srcdoc",
    desc: "No CSP should run script within script-allowed sandboxed iframe srcdoc",
  },
  // [PAGE WITH CSP [IFRAME SRCDOC [SCRIPT]]]
  {
    csp: "script-src https://test1.com",
    result: "blocked",
    query: "simple_iframe_srcdoc",
    desc: "CSP should block script within script-allowed sandboxediframe srcdoc",
  },
  // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [IFRAME SRCDOC [SCRIPT]]]]
  {
    csp: "",
    result: "allowed",
    query: "nested_iframe_srcdoc",
    desc: "No CSP should run script within script-allowed sandboxed iframe srcdoc nested within another script-allowed sandboxed iframe srcdoc",
  },
  // [PAGE WITH CSP [IFRAME SRCDOC [IFRAME SRCDOC [SCRIPT]]]]
  {
    csp: "script-src https://test2.com",
    result: "blocked",
    query: "nested_iframe_srcdoc",
    desc: "CSP should block script within script-allowed sandboxed iframe srcdoc nested within another script-allowed sandboxed iframe srcdoc",
  },
  // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [IFRAME SRC=data: [SCRIPT]]]]
  {
    csp: "",
    result: "allowed",
    query: "nested_iframe_srcdoc_datauri",
    desc: "No CSP, should run script within script-allowed sandboxed iframe src with data URL nested within another script-allowed sandboxed iframe srcdoc",
  },
  // [PAGE WITH CSP [IFRAME SRCDOC [IFRAME SRC=data: [SCRIPT]]]]
  {
    csp: "script-src https://test3.com",
    result: "blocked",
    query: "nested_iframe_srcdoc_datauri",
    desc: "CSP should block script within script-allowed sandboxed iframe src with data URL nested within another script-allowed sandboxed iframe srcdoc",
  },
];

// Index into tests[] of the case currently loaded in #testframe. Initialised to
// -1 because loadNextTest() increments before it reads tests[counter], so the
// first run starts at index 0.
var counter = -1;

/**
 * Tear the harness down once every entry in tests[] has run: stop listening
 * for postMessage results, drop the CSP-violation observer, then let
 * SimpleTest finish.
 */
function finishTest() {
  window.removeEventListener("message", receiveMessage);
  const { examiner: cspObserver } = window;
  cspObserver.remove();
  SimpleTest.finish();
}

// Listen for the postMessage the script inside the srcdoc frame sends when it
// executes; the listener is removed again in finishTest().
window.addEventListener("message", receiveMessage);
/**
 * postMessage handler. A script that was allowed to run inside the (nested)
 * srcdoc frame reports back through event.data.result, which is then checked
 * against the expectation of the current test case.
 *
 * NOTE(review): neither event.origin nor event.source is validated, so any
 * window able to post to this page could supply a result. That is acceptable
 * for a mochitest harness but is not a pattern to copy into production code.
 *
 * @param {MessageEvent} event - message from the test frame; data.result is read
 */
function receiveMessage(event) {
  const { result } = event.data;
  const current = tests[counter];
  testComplete(result, current.result, current.desc);
}

/**
 * Observer for "csp-on-violate-policy" notifications. Registering it is how
 * the test learns that a script inside the srcdoc frame was blocked: a blocked
 * script never runs, so it can never postMessage a result itself.
 */
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
}

examiner.prototype = {
  /**
   * nsIObserver callback.
   * @param {nsISupports} subject - QI'd to nsISupportsCString; its "data" is the violation text
   * @param {string} topic - only "csp-on-violate-policy" is handled
   * @param {string} data - unused
   */
  observe(subject, topic, data) {
    if (topic !== "csp-on-violate-policy") {
      return;
    }
    const cstring = SpecialPowers.do_QueryInterface(subject, "nsISupportsCString");
    const violationText = SpecialPowers.getPrivilegedProps(cstring, "data");
    // The subject carries no structured detail for inline-script violations,
    // so matching the message text is the only way to filter for them.
    if (violationText.includes("Inline Script")) {
      testComplete("blocked", tests[counter].result, tests[counter].desc);
    }
  },
  /** Unregister the observer; called from finishTest(). */
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
  },
};

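/**
 * Record one outcome and, if it belongs to the frame currently loaded,
 * advance to the next test case.
 *
 * Both the postMessage path (receiveMessage) and the CSP-violation observer
 * (examiner.observe) end up here. The ?counter= value that loadNextTest()
 * put into the frame URL is compared with the global counter so that only a
 * notification from the currently loaded frame advances the sequence.
 *
 * @param {string} result - outcome observed, "allowed" or "blocked"
 * @param {string} expected - tests[counter].result
 * @param {string} desc - label passed to is()
 */
function testComplete(result, expected, desc) {
  is(result, expected, desc);
  // ignore cases when we get csp violations and postMessage from the same frame.
  const frameURL = new URL(document.getElementById("testframe").src);
  const counterInFrame = frameURL.searchParams.get("counter");
  // searchParams.get() returns a string, or null when the parameter is absent;
  // parse explicitly (NaN for null) instead of relying on == coercion.
  if (Number.parseInt(counterInFrame, 10) === counter) {
    loadNextTest();
  }
}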

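/**
 * Advance counter and load the next test case into #testframe, or finish the
 * run once the end of tests[] is reached.
 *
 * The frame is pointed at file_iframe_srcdoc.sjs with the case's csp and
 * action values plus the case index; testComplete() reads that index back
 * from the frame URL to tie notifications to the frame that produced them.
 */
function loadNextTest() {
  counter += 1;
  if (counter === tests.length) {
    finishTest();
    return;
  }
  const { csp, query } = tests[counter];
  // encodeURIComponent rather than the legacy escape(): escape() leaves "/",
  // "+" and "@" unencoded and emits non-standard %uXXXX sequences for non-ASCII
  // input, which decodeURIComponent on the receiving side rejects.
  const src =
    `file_iframe_srcdoc.sjs?csp=${encodeURIComponent(csp)}` +
    `&action=${encodeURIComponent(query)}&counter=${counter}`;
  document.getElementById("testframe").src = src;
}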

// start running the tests: install the CSP-violation observer first so it is in
// place before the first frame loads, then load tests[0].
window.examiner = new examiner();
loadNextTest();

</script>
</body>
</html>
