File: test_frameancestors_userpass.html

package info (click to toggle)
firefox-esr 128.14.0esr-1~deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 4,230,248 kB
  • sloc: cpp: 7,104,262; javascript: 6,088,450; ansic: 3,654,017; python: 1,212,326; xml: 594,604; asm: 420,654; java: 182,969; sh: 71,124; makefile: 20,739; perl: 13,449; objc: 12,399; yacc: 4,583; cs: 3,846; pascal: 2,973; lex: 1,720; ruby: 1,194; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10
file content (148 lines) | stat: -rw-r--r-- 4,889 bytes parent folder | download | duplicates (26) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
 
<!DOCTYPE HTML>
<html>
<head>
  <title>Test for Userpass in Frame Ancestors directive</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">

// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
var framesThatShouldLoad = {
  frame_a: -1,    /* frame a allowed */
  frame_b: -1,    /* frame b allowed */
};

// Number of tests that pass for this file should be 1
var expectedViolationsLeft = 1;

// CSP frame-ancestor checks happen in the parent, hence we have to
// proxy the csp violation notifications.
SpecialPowers.registerObservers("csp-on-violate-policy");

// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
  SpecialPowers.addObserver(this, "specialpowers-csp-on-violate-policy");
}
examiner.prototype  = {
  observe(subject, topic, data) {
    // subject should be an nsURI... though could be null since CSP
    // prohibits cross-origin URI reporting during frame ancestors checks.
    if (subject && !SpecialPowers.can_QI(subject))
      return;

    var asciiSpec = subject;

    try {
      asciiSpec = SpecialPowers.getPrivilegedProps(
                    SpecialPowers.do_QueryInterface(subject, "nsIURI"),
                    "asciiSpec");

      // skip checks on the test harness -- can't do this skipping for
      // cross-origin blocking since the observer doesn't get the URI.  This
      // can cause this test to over-succeed (but only in specific cases).
      if (asciiSpec.includes("test_frameancestors_userpass.html")) {
        return;
      }
    } catch (ex) {
      // was not an nsIURI, so it was probably a cross-origin report.
    }

    if (topic === "specialpowers-csp-on-violate-policy") {
      //these were blocked... record that they were blocked
      window.frameBlocked(asciiSpec, data);
    }
  },

  // must eventually call this to remove the listener,
  // or mochitests might get borked.
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-csp-on-violate-policy");
  }
}

// called when a frame is loaded
// -- if it's not enumerated above, it should not load!
var frameLoaded = function(testname, uri) {
  //test already complete.... forget it... remember the first result.
  if (window.framesThatShouldLoad[testname] != -1)
    return;

  if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
    // uh-oh, we're not expecting this frame to load!
    ok(false, testname + ' framed site should not have loaded: ' + uri);
  } else {
    //Check if @ symbol is there in URI.
    if (uri.includes('@')) {
      ok(false, ' URI contains userpass. Fetched URI is ' + uri);
    } else {
      framesThatShouldLoad[testname] = true;
      ok(true, ' URI doesn\'t contain userpass. Fetched URI is ' + uri);
    }
  }
  checkTestResults();
}

// called when a frame is blocked
// -- we can't determine *which* frame was blocked, but at least we can count them
var frameBlocked = function(uri, policy) {

  //Check if @ symbol is there in URI or in csp policy.
  // Bug 1557712: Intermittent failure -> not sure why the 'uri' might ever
  // be non existing at this point, however if there is no uri, there can
  // also be no userpass!
  if (policy.includes('@') ||
      (typeof uri === 'string' && uri.includes('@'))) {
    ok(false, ' a CSP policy blocked frame from being loaded. But contains' +
      ' userpass. Policy is: ' + policy + ';URI is: ' + uri );
  } else {
    ok(true, ' a CSP policy blocked frame from being loaded. Doesn\'t contain'+
      ' userpass. Policy is: ' + policy + ';URI is: ' + uri );
  }
  expectedViolationsLeft--;
  checkTestResults();
}


// Check to see if all the tests have run
var checkTestResults = function() {
  // if any test is incomplete, keep waiting
  for (var v in framesThatShouldLoad)
    if(window.framesThatShouldLoad[v] == -1)
      return;

  if (window.expectedViolationsLeft > 0)
    return;

  // ... otherwise, finish
  window.examiner.remove();
  SimpleTest.finish();
}

window.addEventListener("message", receiveMessage);

function receiveMessage(event) {
  if (event.data.call && event.data.call == 'frameLoaded')
    frameLoaded(event.data.testname, event.data.uri);
}

//////////////////////////////////////////////////////////////////////
// set up and go
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();

// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_frameancestors_userpass.html';

</script>
</pre>
</body>
</html>