File: test_CSP_inlinescript.html

iceweasel 38.8.0esr-1~deb7u1
<!DOCTYPE HTML>
<html>
<head>
  <title>Test for Content Security Policy inline script blocking</title>
  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>

<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">

// Number of inline-script outcomes (ran + blocked) that checkTestResults()
// waits for before it evaluates the counts.
var inlineScriptsTotal = 8;
// Incremented by scriptRan() each time an inline script reports that it ran.
var inlineScriptsThatRan = 0;
// Incremented by scriptBlocked() each time a CSP violation is observed.
var inlineScriptsBlocked = 0;

// Observer for "csp-on-violate-policy" notifications. Every violation it
// sees is forwarded to window.scriptBlocked(), which is how the test counts
// inline scripts that CSP refused to run.
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
}
examiner.prototype = {
  /**
   * Observer callback.
   *
   * @param subject the blocked item; tried first as an nsIURI, then as an
   *                nsISupportsCString if the nsIURI path throws.
   * @param topic   notification topic; only "csp-on-violate-policy" is handled.
   * @param data    passed through unchanged to window.scriptBlocked().
   *
   * NOTE(review): `data` is only forwarded for logging and is never compared
   * against an expected directive, so any violation reported while this
   * observer is registered counts as a blocked inline script.
   */
  observe: function(subject, topic, data) {
    // Subjects that cannot be QueryInterface'd are ignored.
    if (!SpecialPowers.can_QI(subject)) {
      return;
    }
    if (topic !== "csp-on-violate-policy") {
      return;
    }

    var blockedItem = null;
    try {
      // Preferred form: the blocked resource as a URI.
      var asURI = SpecialPowers.do_QueryInterface(subject, "nsIURI");
      blockedItem = SpecialPowers.getPrivilegedProps(asURI, "asciiSpec");
    } catch (ex) {
      // Not a URI: the subject is probably a string describing the violation.
      var asString = SpecialPowers.do_QueryInterface(subject, "nsISupportsCString");
      blockedItem = SpecialPowers.getPrivilegedProps(asString, "data");
    }
    window.scriptBlocked(blockedItem, data);
  },

  // Unregisters the observer. Must be called before the test finishes so the
  // listener does not outlive this test and disturb later mochitests.
  remove: function() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
  }
};

// Callback for inline scripts that executed.
// `result` says whether the script expected to be allowed to run, so a script
// that ran despite expecting to be blocked is recorded as a failure.
// `testname` and `data` are used only to label the assertion.
var scriptRan = function(result, testname, data) {
  inlineScriptsThatRan += 1;
  var label = 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')';
  ok(result, label);
  // Each report may be the last one outstanding.
  checkTestResults();
};

// Callback for CSP violations reported by the observer.
// The notification does not identify *which* frame's script was blocked, so
// the assertion always passes and only the running count is checked later.
var scriptBlocked = function(testname, data) {
  inlineScriptsBlocked += 1;
  var label = 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')';
  ok(true, label);
  // Each report may be the last one outstanding.
  checkTestResults();
};


// Evaluates the final counts once every expected inline script has reported
// in, either as having run or as having been blocked.
// If a script neither runs nor produces a violation report, the sum never
// reaches inlineScriptsTotal and this function never finishes the test.
var checkTestResults = function() {
  var reported = inlineScriptsThatRan + inlineScriptsBlocked;
  var stillWaiting = reported < inlineScriptsTotal;
  if (stillWaiting) {
    return;
  }

  // The page with 'unsafe-inline' contributes the four scripts that run.
  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");

  // The other page contributes the four scripts that are blocked.
  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");

  // All outcomes are in: unregister the violation observer, then finish.
  window.examiner.remove();
  SimpleTest.finish();
};

//////////////////////////////////////////////////////////////////////
// set up and go
// Constructing the examiner registers the "csp-on-violate-policy" observer.
// Note: in a classic (non-module) script the function declaration `examiner`
// is itself a property of window, so this assignment replaces the constructor
// with the instance; checkTestResults() relies on window.examiner being the
// instance when it calls window.examiner.remove().
window.examiner = new examiner();
// The test is asynchronous; it is ended explicitly from checkTestResults()
// via SimpleTest.finish().
SimpleTest.waitForExplicitFinish();

// Load handler for the first frame: sends a synthetic click to the element
// with id 'anchortoclick' inside the frame's document.
function clickit1() {
  var frame = document.getElementById('cspframe1');
  var anchor = frame.contentDocument.getElementById('anchortoclick');
  sendMouseEvent({ type: 'click' }, anchor, frame.contentWindow);
}

// Load handler for the second frame: sends a synthetic click to the element
// with id 'anchortoclick' inside the frame's document.
function clickit2() {
  var frame = document.getElementById('cspframe2');
  var anchor = frame.contentDocument.getElementById('anchortoclick');
  sendMouseEvent({ type: 'click' }, anchor, frame.contentWindow);
}

// Start the frame loads last, so the violation observer is already registered
// when the test pages begin to load. Each frame gets a load handler that
// clicks the anchor inside it.
// NOTE(review): presumably file_CSP_inlinescript_main_allowed.html is the page
// served with 'unsafe-inline' and file_CSP_inlinescript_main.html is the one
// whose inline scripts are blocked; their policies are not visible here.
(function startFrameLoads() {
  function load(frameId, url, onLoad) {
    var frame = document.getElementById(frameId);
    frame.src = url;
    frame.addEventListener('load', onLoad, false);
  }

  load('cspframe1', 'file_CSP_inlinescript_main.html', clickit1);
  load('cspframe2', 'file_CSP_inlinescript_main_allowed.html', clickit2);
})();
</script>
</pre>
</body>
</html>