2010-07-21 08:51:09 -07:00
<!DOCTYPE HTML>
< html >
< head >
< title > Test for X-Frame-Options response header< / title >
< script type = "text/javascript" src = "/tests/SimpleTest/SimpleTest.js" > < / script >
< link rel = "stylesheet" type = "text/css" href = "/tests/SimpleTest/test.css" / >
< / head >
< body >
< p id = "display" > < / p >
< div id = "content" style = "display: none" >
< / div >
< iframe style = "width:100%;height:300px;" id = "harness" > < / iframe >
< script class = "testbody" type = "text/javascript" >
2011-01-11 18:59:23 -08:00
function examiner() {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
var obsvc = Components.classes['@mozilla.org/observer-service;1']
.getService(Components.interfaces.nsIObserverService);
obsvc.addObserver(this, "http-on-examine-response", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
if(!subject.QueryInterface)
return;
if (topic == "http-on-examine-response") {
var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var uri = chan.URI
if (!uri.path.match(/^\/tests\/content\/base\/test\/file_x-frame-options_page\.sjs/))
return;
dump(">>>> PATH: "+uri.path+"\n");
dump(">>> REQUEST:\n>>> "+chan.requestMethod+" "+uri.asciiSpec+"\n");
dump(">>> RESPONSE HEADERS:\n");
chan.visitResponseHeaders({
visitHeader: function(header, value) {
dump(">>> "+header+": "+value+"\n");
}
});
}
},
remove: function() {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
var obsvc = Components.classes['@mozilla.org/observer-service;1']
.getService(Components.interfaces.nsIObserverService);
obsvc.removeObserver(this, "http-on-examine-response");
}
}
window.examiner = new examiner();
2010-07-21 08:51:09 -07:00
var path = "/tests/content/base/test/";
var testFramesLoaded = function() {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
var harness = document.getElementById("harness");
2010-11-05 09:33:08 -07:00
// iframe from same origin, no X-F-O header - should load
var frame = harness.contentDocument.getElementById("control1");
var test1 = frame.contentDocument.getElementById("test").textContent;
is(test1, "control1", "test control1");
// iframe from different origin, no X-F-O header - should load
frame = harness.contentDocument.getElementById("control2");
var test2 = frame.contentDocument.getElementById("test").textContent;
is(test2, "control2", "test control2");
// iframe from same origin, X-F-O: DENY - should not load
frame = harness.contentDocument.getElementById("deny");
var test3 = frame.contentDocument.getElementById("test");
is(test3, null, "test deny");
// iframe from same origin, X-F-O: SAMEORIGIN - should load
frame = harness.contentDocument.getElementById("sameorigin1");
var test4 = frame.contentDocument.getElementById("test").textContent;
is(test4, "sameorigin1", "test sameorigin1");
// iframe from different origin, X-F-O: SAMEORIGIN - should not load
frame = harness.contentDocument.getElementById("sameorigin2");
var test5 = frame.contentDocument.getElementById("test");
is(test5, null, "test sameorigin2");
2010-07-21 08:51:09 -07:00
2012-06-11 09:17:35 -07:00
// iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load
frame = harness.contentDocument.getElementById("sameorigin5");
var test6 = frame.contentDocument.getElementById("test");
is(test6, null, "test sameorigin5");
// iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load
frame = harness.contentDocument.getElementById("sameorigin6");
var test7 = frame.contentDocument.getElementById("test").textContent;
is(test7, "sameorigin6", "test sameorigin6");
// iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load
frame = harness.contentDocument.getElementById("sameorigin7");
var test8 = frame.contentDocument.getElementById("test").textContent;
is(test8, "sameorigin7", "test sameorigin7");
// iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load
frame = harness.contentDocument.getElementById("sameorigin8");
var test9 = frame.contentDocument.getElementById("test");
is(test9, null, "test sameorigin8");
// iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load
frame = harness.contentDocument.getElementById("mixedpolicy");
var test10 = frame.contentDocument.getElementById("test");
is(test10, null, "test mixedpolicy");
2010-10-14 15:26:59 -07:00
// call tests to check principal comparison, e.g. a document can open a window
// to a data: or javascript: document which frames an
// X-Frame-Options: SAMEORIGIN document and the frame should load
testFrameInJSURI();
}
// test that a document can be framed under a javascript: URL opened by the
// same site as the frame
var testFrameInJSURI = function() {
var html = '< iframe id = "sameorigin3" src = "http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin" > < / iframe > ';
var win = window.open();
win.onload = function() {
var test = win.document.getElementById("sameorigin3")
.contentDocument.getElementById("test");
ok(test != null, "frame under javascript: URL should have loaded.");
win.close();
// run last test
testFrameInDataURI();
}
win.location.href = "javascript:document.write('"+html+"');document.close();";
}
// test that a document can be framed under a data: URL opened by the
// same site as the frame
var testFrameInDataURI = function() {
var html = '< iframe id = "sameorigin4" src = "http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin" > < / iframe > ';
var win = window.open();
win.onload = function() {
var test = win.document.getElementById("sameorigin4")
.contentDocument.getElementById("test");
ok(test != null, "frame under data: URL should have loaded.");
win.close();
// finalize test
2011-01-11 18:59:23 -08:00
window.examiner.remove();
2010-10-14 15:26:59 -07:00
SimpleTest.finish();
}
win.location.href = "data:text/html,"+html;
2010-07-21 08:51:09 -07:00
}
SimpleTest.waitForExplicitFinish();
// load the test harness
document.getElementById("harness").src = "file_x-frame-options_main.html";
< / script >
< / pre >
< / body >
< / html >