2013-08-12 14:54:12 -07:00
|
|
|
<!DOCTYPE HTML>
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
|
|
|
|
<title>Test if XSLT stylesheet is subject to document's CSP</title>
|
|
|
|
|
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
|
|
|
|
|
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
|
|
|
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
|
|
|
|
</head>
|
|
|
|
|
<body>
|
|
|
|
|
<p id="display"></p>
|
|
|
|
|
<div id="content" style="display: none"></div>
|
|
|
|
|
<iframe style="width:100%;" id='xsltframe'></iframe>
|
|
|
|
|
<iframe style="width:100%;" id='xsltframe2'></iframe>
|
|
|
|
|
|
|
|
|
|
<script class="testbody" type="text/javascript">
|
|
|
|
|
|
|
|
|
|
SimpleTest.waitForExplicitFinish();
|
|
|
|
|
|
|
|
|
|
// define the expected output of this test
|
|
|
|
|
var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
|
|
|
|
|
|
|
|
|
|
var finishedTests = 0;
|
|
|
|
|
var numberOfTests = 2;
|
|
|
|
|
|
|
|
|
|
var checkExplicitFinish = function() {
|
|
|
|
|
finishedTests++;
|
|
|
|
|
if (finishedTests == numberOfTests) {
|
|
|
|
|
SimpleTest.finish();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function checkAllowed () {
|
|
|
|
|
/* The policy for this test is:
|
|
|
|
|
* Content-Security-Policy: default-src 'self'
|
|
|
|
|
*
|
|
|
|
|
* we load the xsl file using:
|
2013-09-04 09:36:00 -07:00
|
|
|
* <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467.xsl"?>
|
2013-08-12 14:54:12 -07:00
|
|
|
*/
|
|
|
|
|
try {
|
|
|
|
|
var cspframe = document.getElementById('xsltframe');
|
|
|
|
|
var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
|
|
|
|
|
is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
|
|
|
|
|
}
|
|
|
|
|
catch (e) {
|
|
|
|
|
ok(false, "Error: could not access content in xsltframe!")
|
|
|
|
|
}
|
|
|
|
|
checkExplicitFinish();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function checkBlocked () {
|
|
|
|
|
/* The policy for this test is:
|
2013-09-04 09:36:00 -07:00
|
|
|
* Content-Security-Policy: default-src *.example.com
|
2013-08-12 14:54:12 -07:00
|
|
|
*
|
|
|
|
|
* we load the xsl file using:
|
2013-09-04 09:36:00 -07:00
|
|
|
* <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467.xsl"?>
|
2013-08-12 14:54:12 -07:00
|
|
|
*/
|
|
|
|
|
try {
|
|
|
|
|
var cspframe = document.getElementById('xsltframe2');
|
|
|
|
|
var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
|
|
|
|
|
is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
|
|
|
|
|
}
|
|
|
|
|
catch (e) {
|
|
|
|
|
ok(false, "Error: could not access content in xsltframe2!")
|
|
|
|
|
}
|
|
|
|
|
checkExplicitFinish();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SpecialPowers.pushPrefEnv(
|
|
|
|
|
{'set':[["security.csp.speccompliant", true]]},
|
|
|
|
|
function () {
|
|
|
|
|
document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
|
|
|
|
|
document.getElementById('xsltframe').src = 'file_CSP_bug663567_allows.xml';
|
|
|
|
|
|
|
|
|
|
document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
|
|
|
|
|
document.getElementById('xsltframe2').src = 'file_CSP_bug663567_blocks.xml';
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
</script>
|
|
|
|
|
</body>
|
|
|
|
|
</html>
|
