File: browser_911547.js

package info (click to toggle)
icedove 31.6.0-1
  • links: PTS, VCS
  • area: main
  • in suites: jessie-kfreebsd
  • size: 1,007,612 kB
  • sloc: cpp: 3,959,977; ansic: 1,866,528; java: 219,720; python: 200,664; xml: 142,383; asm: 133,557; sh: 75,814; makefile: 27,028; perl: 26,849; objc: 4,014; yacc: 1,995; pascal: 1,024; lex: 950; exp: 449; lisp: 228; awk: 211; php: 113; sed: 43; csh: 31; ada: 16; ruby: 3
file content (70 lines) | stat: -rw-r--r-- 2,444 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
/* Any copyright is dedicated to the Public Domain.
   http://creativecommons.org/publicdomain/zero/1.0/ */

// This tests that session restore component does restore the right content
// security policy with the document.
// The policy being tested disallows inline scripts

function test() {
  TestRunner.run();
}

function runTests() {
  // create a tab that has a CSP
  let testURL = "http://mochi.test:8888/browser/browser/components/sessionstore/test/browser_911547_sample.html";
  let tab = gBrowser.selectedTab = gBrowser.addTab(testURL);
  gBrowser.selectedTab = tab;

  let browser = tab.linkedBrowser;
  yield waitForLoad(browser);

  // this is a baseline to ensure CSP is active
  // attempt to inject and run a script via inline (pre-restore, allowed)
  injectInlineScript(browser,'document.getElementById("test_id").value = "fail";');
  is(browser.contentDocument.getElementById("test_id").value, "ok",
     "CSP should block the inline script that modifies test_id");

  // attempt to click a link to a data: URI (will inherit the CSP of the
  // origin document) and navigate to the data URI in the link.
  browser.contentDocument.getElementById("test_data_link").click();
  yield waitForLoad(browser);

  is(browser.contentDocument.getElementById("test_id2").value, "ok",
     "CSP should block the script loaded by the clicked data URI");

  // close the tab
  gBrowser.removeTab(tab);

  // open new tab and recover the state
  tab = ss.undoCloseTab(window, 0);
  yield waitForTabRestored(tab);
  browser = tab.linkedBrowser;

  is(browser.contentDocument.getElementById("test_id2").value, "ok",
     "CSP should block the script loaded by the clicked data URI after restore");

  // clean up
  gBrowser.removeTab(tab);
}

function waitForLoad(aElement) {
  aElement.addEventListener("load", function onLoad() {
    aElement.removeEventListener("load", onLoad, true);
    executeSoon(next);
  }, true);
}

function waitForTabRestored(aElement) {
  aElement.addEventListener("SSTabRestored", function tabRestored(e) {
    aElement.removeEventListener("SSTabRestored", tabRestored, true);
    executeSoon(next);
  }, true);
}

// injects an inline script element (with a text body)
function injectInlineScript(browser, scriptText) {
  let scriptElt = browser.contentDocument.createElement("script");
  scriptElt.type = 'text/javascript';
  scriptElt.text = scriptText;
  browser.contentDocument.body.appendChild(scriptElt);
}