wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 949533 - Remove files that test only x-csp (pre-spec-compliant) CSP implementation. r=grobinson

Browse Source 
--HG--
extra : rebase_source : 54222391dd28863512cc0b6b0052904162a43180
This commit is contained in:
Sid Stamm 2014-06-25 12:07:37 -07:00
parent ed2555fe27
commit 6fab94397d
75 changed files with 0 additions and 3468 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
browser/devtools/webconsole/test/browser_webconsole_bug_770099_bad_policyuri.js
View File

@ -1,40 +0,0 @@
/* vim:set ts=2 sw=2 sts=2 et: */
/* ***** BEGIN LICENSE BLOCK *****
* Any copyright is dedicated to the Public Domain.
* http://creativecommons.org/publicdomain/zero/1.0/
*
* ***** END LICENSE BLOCK ***** */
// Tests that the Web Console CSP messages are displayed
const TEST_BAD_POLICY_URI = "https://example.com/browser/browser/devtools/webconsole/test/test_bug_770099_bad_policy_uri.html";
let hud = undefined;
function test() {
addTab("data:text/html;charset=utf8,Web Console CSP bad policy URI test");
browser.addEventListener("load", function _onLoad() {
browser.removeEventListener("load", _onLoad, true);
openConsole(null, loadDocument);
}, true);
}
function loadDocument(theHud) {
hud = theHud;
hud.jsterm.clearOutput();
browser.addEventListener("load", onLoad, true);
content.location = TEST_BAD_POLICY_URI;
}
function onLoad(aEvent) {
browser.removeEventListener("load", onLoad, true);
waitForMessages({
webconsole: hud,
messages: [{
text: "can't fetch policy",
category: CATEGORY_SECURITY,
severity: SEVERITY_ERROR,
}],
}).then(finishTest);
}

28
browser/devtools/webconsole/test/browser_webconsole_bug_821877_csp_errors.js
View File

@ -1,28 +0,0 @@
// Tests that CSP errors from nsDocument::InitCSP are logged to the Web Console
/* Any copyright is dedicated to the Public Domain.
* http://creativecommons.org/publicdomain/zero/1.0/ */
const TEST_URI = "https://example.com/browser/browser/devtools/webconsole/test/test-bug-821877-csperrors.html";
const CSP_DEPRECATED_HEADER_MSG = "The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.";
function test()
{
addTab(TEST_URI);
browser.addEventListener("load", function onLoad(aEvent) {
browser.removeEventListener(aEvent.type, onLoad, true);
openConsole(null, function testCSPErrorLogged (hud) {
waitForMessages({
webconsole: hud,
messages: [
{
name: "Deprecated CSP header error displayed successfully",
text: CSP_DEPRECATED_HEADER_MSG,
category: CATEGORY_SECURITY,
severity: SEVERITY_WARNING
},
],
}).then(finishTest);
});
}, true);
}

12
browser/devtools/webconsole/test/test-bug-821877-csperrors.html
View File

@ -1,12 +0,0 @@
<!doctype html>
<html>
<head>
<meta charset="utf8">
<title>Bug 821877 - Log CSP Errors to Web Console</title>
<!-- Any copyright is dedicated to the Public Domain.
- http://creativecommons.org/publicdomain/zero/1.0/ -->
</head>
<body>
<p>This page is served with a deprecated CSP header.</p>
</body>
</html>

1
browser/devtools/webconsole/test/test-bug-821877-csperrors.html^headers^
View File

@ -1 +0,0 @@
X-Content-Security-Policy: default-src *; options inline-script

12
browser/devtools/webconsole/test/test_bug_770099_bad_policy_uri.html
View File

@ -1,12 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>Test for Bug 770099 - bad policy-uri</title>
<!-- Any copyright is dedicated to the Public Domain.
http://creativecommons.org/publicdomain/zero/1.0/ -->
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=770099">Mozilla Bug 770099</a>
</body>
</html>

2
browser/devtools/webconsole/test/test_bug_770099_bad_policy_uri.html^headers^
View File

@ -1,2 +0,0 @@
X-Content-Security-Policy: policy-uri http://example.com/some_policy
Content-type: text/html; charset=utf-8

163
content/base/test/unit/test_bug558431.js
View File

@ -1,163 +0,0 @@
const Cc = Components.classes;
const Ci = Components.interfaces;
const Cu = Components.utils;
const Cr = Components.results;
Cu.import('resource://gre/modules/CSPUtils.jsm');
var httpserv = null;
const POLICY_FROM_URI = "allow 'self'; img-src *";
const POLICY_PORT = 9000;
const POLICY_URI = "http://localhost:" + POLICY_PORT + "/policy";
const POLICY_URI_RELATIVE = "/policy";
const DOCUMENT_URI = "http://localhost:" + POLICY_PORT + "/document";
const CSP_DOC_BODY = "CSP doc content";
const SD = CSPRep.SRC_DIRECTIVES;
// this will get populated by run_tests()
var TESTS = [];
// helper to make URIs
function mkuri(foo) {
return Cc["@mozilla.org/network/io-service;1"]
.getService(Ci.nsIIOService)
.newURI(foo, null, null);
}
// helper to use .equals on stuff
function do_check_equivalent(foo, bar, stack) {
if (!stack)
stack = Components.stack.caller;
var text = foo + ".equals(" + bar + ")";
if (foo.equals && foo.equals(bar)) {
dump("TEST-PASS | " + stack.filename + " | [" + stack.name + " : " +
stack.lineNumber + "] " + text + "\n");
return;
}
do_throw(text, stack);
}
function listener(csp, cspr_static) {
this.buffer = "";
this._csp = csp;
this._cspr_static = cspr_static;
}
listener.prototype = {
onStartRequest: function (request, ctx) {
},
onDataAvailable: function (request, ctx, stream, offset, count) {
var sInputStream = Cc["@mozilla.org/scriptableinputstream;1"]
.createInstance(Ci.nsIScriptableInputStream);
sInputStream.init(stream);
this.buffer = this.buffer.concat(sInputStream.read(count));
},
onStopRequest: function (request, ctx, status) {
// make sure that we have the full document content, guaranteeing that
// the document channel has been resumed, before we do the comparisons
if (this.buffer == CSP_DOC_BODY) {
// need to re-grab cspr since it may have changed inside the document's
// nsIContentSecurityPolicy instance. The problem is, this cspr_str is a
// string and not a policy due to the way it's exposed from
// nsIContentSecurityPolicy, so we have to re-parse it.
let cspr_str = this._csp.getPolicy(0);
let cspr = CSPRep.fromString(cspr_str, mkuri(DOCUMENT_URI));
// and in reparsing it, we lose the 'self' relationships, so need to also
// reparse the static one (or find a way to resolve 'self' in the parsed
// policy when doing comparisons).
let cspr_static_str = this._cspr_static.toString();
let cspr_static_reparse = CSPRep.fromString(cspr_static_str, mkuri(DOCUMENT_URI));
// not null, and one policy .equals the other one
do_check_neq(null, cspr);
do_check_true(cspr.equals(cspr_static_reparse));
// final teardown
if (TESTS.length == 0) {
httpserv.stop(do_test_finished);
} else {
do_test_finished();
(TESTS.shift())();
}
}
}
};
function run_test() {
httpserv = new HttpServer();
httpserv.registerPathHandler("/document", csp_doc_response);
httpserv.registerPathHandler("/policy", csp_policy_response);
httpserv.start(POLICY_PORT);
TESTS = [ test_CSPRep_fromPolicyURI, test_CSPRep_fromRelativePolicyURI ];
// when this triggers the "onStopRequest" callback, it'll
// go to the next test.
(TESTS.shift())();
}
function makeChan(url) {
var ios = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
var chan = ios.newChannel(url, null, null).QueryInterface(Ci.nsIHttpChannel);
return chan;
}
function csp_doc_response(metadata, response) {
response.setStatusLine(metadata.httpVersion, 200, "OK");
response.setHeader("Content-Type", "text/html", false);
response.bodyOutputStream.write(CSP_DOC_BODY, CSP_DOC_BODY.length);
}
function csp_policy_response(metadata, response) {
response.setStatusLine(metadata.httpVersion, 200, "OK");
response.setHeader("Content-Type", "text/csp", false);
response.bodyOutputStream.write(POLICY_FROM_URI, POLICY_FROM_URI.length);
}
///////////////////// TEST POLICY_URI //////////////////////
function test_CSPRep_fromPolicyURI() {
do_test_pending();
let csp = Cc["@mozilla.org/contentsecuritypolicy;1"]
.createInstance(Ci.nsIContentSecurityPolicy);
// once the policy-uri is returned we will compare our static CSPRep with one
// we generated from the content we got back from the network to make sure
// they are equivalent
let cspr_static = CSPRep.fromString(POLICY_FROM_URI, mkuri(DOCUMENT_URI));
// simulates the request for the parent document
var docChan = makeChan(DOCUMENT_URI);
docChan.asyncOpen(new listener(csp, cspr_static), null);
// the resulting policy here can be discarded, since it's going to be
// "allow *"; when the policy-uri fetching call-back happens, the *real*
// policy will be in csp.policy
CSPRep.fromString("policy-uri " + POLICY_URI,
mkuri(DOCUMENT_URI), false, docChan, csp);
}
function test_CSPRep_fromRelativePolicyURI() {
do_test_pending();
let csp = Cc["@mozilla.org/contentsecuritypolicy;1"]
.createInstance(Ci.nsIContentSecurityPolicy);
// once the policy-uri is returned we will compare our static CSPRep with one
// we generated from the content we got back from the network to make sure
// they are equivalent
let cspr_static = CSPRep.fromString(POLICY_FROM_URI, mkuri(DOCUMENT_URI));
// simulates the request for the parent document
var docChan = makeChan(DOCUMENT_URI);
docChan.asyncOpen(new listener(csp, cspr_static), null);
// the resulting policy here can be discarded, since it's going to be
// "allow *"; when the policy-uri fetching call-back happens, the *real*
// policy will be in csp.policy
CSPRep.fromString("policy-uri " + POLICY_URI_RELATIVE,
mkuri(DOCUMENT_URI), false, docChan, csp);
}

4
content/base/test/xcsp/chrome.ini
View File

@ -1,4 +0,0 @@
[DEFAULT]
[test_csp_bug768029.html]
[test_csp_bug773891.html]

20
content/base/test/xcsp/file_CSP.css
View File

@ -1,20 +0,0 @@
/*
* Moved this CSS from an inline stylesheet to an external file when we added
* inline-style blocking in bug 763879.
* This test may hang if the load for this .css file is blocked due to a
* malfunction of CSP, but should pass if the style_good test passes.
*/
/* CSS font embedding tests */
@font-face {
font-family: "arbitrary_good";
src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
}
@font-face {
font-family: "arbitrary_bad";
src: url('http://example.org/tests/content/base/test/xcsp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
}
.div_arbitrary_good { font-family: "arbitrary_good"; }
.div_arbitrary_bad { font-family: "arbitrary_bad"; }

26
content/base/test/xcsp/file_CSP.sjs
View File

@ -1,26 +0,0 @@
// SJS file for CSP mochitests
function handleRequest(request, response)
{
var query = {};
request.queryString.split('&').forEach(function (val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
var isPreflight = request.method == "OPTIONS";
//avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
if ("type" in query) {
response.setHeader("Content-Type", unescape(query['type']), false);
} else {
response.setHeader("Content-Type", "text/html", false);
}
if ("content" in query) {
response.write(unescape(query['content']));
}
}

16
content/base/test/xcsp/file_CSP_bug916446.html
View File

@ -1,16 +0,0 @@
<!doctype html>
<html>
<body>
<ol>
<li id="inline-script">Inline script (green if allowed, black if blocked)</li>
</ol>
<script>
// Use inline script to set a style attribute
document.getElementById("inline-script").style.color = "rgb(0, 128, 0)";
</script>
<img src="file_CSP.sjs?testid=img_bad&type=img/png"></img>
</body>
</html>

1
content/base/test/xcsp/file_CSP_bug916446.html^headers^
View File

@ -1 +0,0 @@
x-content-security-policy-report-only: options eval-script; script-src 'self' ; report-uri /csp_report

12
content/base/test/xcsp/file_CSP_evalscript_main.html
View File

@ -1,12 +0,0 @@
<html>
<head>
<title>CSP eval script tests</title>
<script type="application/javascript"
src="file_CSP_evalscript_main.js"></script>
</head>
<body>
Foo.
</body>
</html>

2
content/base/test/xcsp/file_CSP_evalscript_main.html^headers^
View File

@ -1,2 +0,0 @@
Cache-Control: no-cache
X-Content-Security-Policy: default-src 'self'

126
content/base/test/xcsp/file_CSP_evalscript_main.js
View File

@ -1,126 +0,0 @@
// some javascript for the CSP eval() tests
function logResult(str, passed) {
var elt = document.createElement('div');
var color = passed ? "#cfc;" : "#fcc";
elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
elt.innerHTML = str;
document.body.appendChild(elt);
}
window._testResults = {};
// callback for when stuff is allowed by CSP
var onevalexecuted = (function(window) {
return function(shouldrun, what, data) {
window._testResults[what] = "ran";
window.parent.scriptRan(shouldrun, what, data);
logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
};})(window);
// callback for when stuff is blocked
var onevalblocked = (function(window) {
return function(shouldrun, what, data) {
window._testResults[what] = "blocked";
window.parent.scriptBlocked(shouldrun, what, data);
logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
};})(window);
// Defer until document is loaded so that we can write the pretty result boxes
// out.
addEventListener('load', function() {
// setTimeout(String) test -- mutate something in the window._testResults
// obj, then check it.
{
var str_setTimeoutWithStringRan = 'onevalexecuted(false, "setTimeout(String)", "setTimeout with a string was enabled.");';
function fcn_setTimeoutWithStringCheck() {
if (this._testResults["setTimeout(String)"] !== "ran") {
onevalblocked(false, "setTimeout(String)",
"setTimeout with a string was blocked");
}
}
setTimeout(fcn_setTimeoutWithStringCheck.bind(window), 10);
setTimeout(str_setTimeoutWithStringRan, 10);
}
// setTimeout(function) test -- mutate something in the window._testResults
// obj, then check it.
{
function fcn_setTimeoutWithFunctionRan() {
onevalexecuted(true, "setTimeout(function)",
"setTimeout with a function was enabled.")
}
function fcn_setTimeoutWithFunctionCheck() {
if (this._testResults["setTimeout(function)"] !== "ran") {
onevalblocked(true, "setTimeout(function)",
"setTimeout with a function was blocked");
}
}
setTimeout(fcn_setTimeoutWithFunctionRan.bind(window), 10);
setTimeout(fcn_setTimeoutWithFunctionCheck.bind(window), 10);
}
// eval() test -- should throw exception as per spec
try {
eval('onevalexecuted(false, "eval(String)", "eval() was enabled.");');
} catch (e) {
onevalblocked(false, "eval(String)",
"eval() was blocked");
}
// eval(foo,bar) test -- should throw exception as per spec
try {
eval('onevalexecuted(false, "eval(String,scope)", "eval() was enabled.");',1);
} catch (e) {
onevalblocked(false, "eval(String,object)",
"eval() with scope was blocked");
}
// [foo,bar].sort(eval) test -- should throw exception as per spec
try {
['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1].sort(eval);
} catch (e) {
onevalblocked(false, "[String, obj].sort(eval)",
"eval() with scope via sort was blocked");
}
// [].sort.call([foo,bar], eval) test -- should throw exception as per spec
try {
[].sort.call(['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1], eval);
} catch (e) {
onevalblocked(false, "[].sort.call([String, obj], eval)",
"eval() with scope via sort/call was blocked");
}
// new Function() test -- should throw exception as per spec
try {
var fcn = new Function('onevalexecuted(false, "new Function(String)", "new Function(String) was enabled.");');
fcn();
} catch (e) {
onevalblocked(false, "new Function(String)",
"new Function(String) was blocked.");
}
// setTimeout(eval, 0, str)
{
// error is not catchable here, instead, we're going to side-effect
// 'worked'.
var worked = false;
setTimeout(eval, 0, 'worked = true');
setTimeout(function(worked) {
if (worked) {
onevalexecuted(false, "setTimeout(eval, 0, str)",
"setTimeout(eval, 0, string) was enabled.");
} else {
onevalblocked(false, "setTimeout(eval, 0, str)",
"setTimeout(eval, 0, str) was blocked.");
}
}, 0, worked);
}
}, false);

12
content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html
View File

@ -1,12 +0,0 @@
<html>
<head>
<title>CSP eval script tests</title>
<script type="application/javascript"
src="file_CSP_evalscript_main_getCRMFRequest.js"></script>
</head>
<body>
Foo.
</body>
</html>

2
content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
View File

@ -1,2 +0,0 @@
Cache-Control: no-cache
X-Content-Security-Policy: default-src 'self'

48
content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.js
View File

@ -1,48 +0,0 @@
// some javascript for the CSP eval() tests
function logResult(str, passed) {
var elt = document.createElement('div');
var color = passed ? "#cfc;" : "#fcc";
elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
elt.innerHTML = str;
document.body.appendChild(elt);
}
window._testResults = {};
// callback for when stuff is allowed by CSP
var onevalexecuted = (function(window) {
return function(shouldrun, what, data) {
window._testResults[what] = "ran";
window.parent.scriptRan(shouldrun, what, data);
logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
};})(window);
// callback for when stuff is blocked
var onevalblocked = (function(window) {
return function(shouldrun, what, data) {
window._testResults[what] = "blocked";
window.parent.scriptBlocked(shouldrun, what, data);
logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
};})(window);
// Defer until document is loaded so that we can write the pretty result boxes
// out.
addEventListener('load', function() {
// generateCRMFRequest test -- make sure we cannot eval the callback if CSP is in effect
try {
var script = 'console.log("dynamic script eval\'d in crypto.generateCRMFRequest should be disallowed")';
crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
onevalexecuted(false, "crypto.generateCRMFRequest()",
"crypto.generateCRMFRequest() should not run!");
} catch (e) {
onevalblocked(false, "eval(script) inside crypto.generateCRMFRequest",
"eval was blocked during crypto.generateCRMFRequest");
}
}, false);

12
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html
View File

@ -1,12 +0,0 @@
<html>
<head>
<title>CSP eval script tests: no CSP specified</title>
<script type="application/javascript"
src="file_CSP_evalscript_no_CSP_at_all.js"></script>
</head>
<body>
Foo. See bug 824652
</body>
</html>

1
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html^headers^
View File

@ -1 +0,0 @@
Cache-Control: no-cache

42
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js
View File

@ -1,42 +0,0 @@
// some javascript for the CSP eval() tests
// all of these evals should succeed, as the document loading this script
// has script-src 'self' 'unsafe-eval'
function logResult(str, passed) {
var elt = document.createElement('div');
var color = passed ? "#cfc;" : "#fcc";
elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
elt.innerHTML = str;
document.body.appendChild(elt);
}
// callback for when stuff is allowed by CSP
var onevalexecuted = (function(window) {
return function(shouldrun, what, data) {
window.parent.scriptRan(shouldrun, what, data);
logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
};})(window);
// callback for when stuff is blocked
var onevalblocked = (function(window) {
return function(shouldrun, what, data) {
window.parent.scriptBlocked(shouldrun, what, data);
logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
};})(window);
// Defer until document is loaded so that we can write the pretty result boxes
// out.
addEventListener('load', function() {
// test that allows crypto.generateCRMFRequest eval to run when there is no CSP at all in place
try {
var script =
'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest: no CSP at all",
"eval executed during crypto.generateCRMFRequest where no CSP is set at all");
} catch (e) {
onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
"eval was blocked during crypto.generateCRMFRequest");
}
}, false);

54
content/base/test/xcsp/file_CSP_frameancestors.sjs
View File

@ -1,54 +0,0 @@
// SJS file for CSP frame ancestor mochitests
function handleRequest(request, response)
{
var query = {};
request.queryString.split('&').forEach(function (val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
var isPreflight = request.method == "OPTIONS";
//avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
// grab the desired policy from the query, and then serve a page
if (query['csp'])
response.setHeader("X-Content-Security-Policy",
unescape(query['csp']),
false);
if (query['scriptedreport']) {
// spit back a script that records that the page loaded
response.setHeader("Content-Type", "text/javascript", false);
if (query['double'])
response.write('window.parent.parent.parent.postMessage({call: "frameLoaded", testname: "' + query['scriptedreport'] + '", uri: "window.location.toString()"}, "*");');
else
response.write('window.parent.parent.postMessage({call: "frameLoaded", testname: "' + query['scriptedreport'] + '", uri: "window.location.toString()"}, "*");');
} else if (query['internalframe']) {
// spit back an internal iframe (one that might be blocked)
response.setHeader("Content-Type", "text/html", false);
response.write('<html><head>');
if (query['double'])
response.write('<script src="file_CSP_frameancestors.sjs?double=1&scriptedreport=' + query['testid'] + '"></script>');
else
response.write('<script src="file_CSP_frameancestors.sjs?scriptedreport=' + query['testid'] + '"></script>');
response.write('</head><body>');
response.write(unescape(query['internalframe']));
response.write('</body></html>');
} else if (query['externalframe']) {
// spit back an internal iframe (one that won't be blocked, and probably
// has no CSP)
response.setHeader("Content-Type", "text/html", false);
response.write('<html><head>');
response.write('</head><body>');
response.write(unescape(query['externalframe']));
response.write('</body></html>');
} else {
// default case: error.
response.setHeader("Content-Type", "text/html", false);
response.write('<html><body>');
response.write("ERROR: not sure what to serve.");
response.write('</body></html>');
}
}

44
content/base/test/xcsp/file_CSP_frameancestors_main.html
View File

@ -1,44 +0,0 @@
<html>
<head>
<title>CSP frame ancestors tests</title>
<!-- this page shouldn't have a CSP, just the sub-pages. -->
<script src='file_CSP_frameancestors_main.js'></script>
</head>
<body>
<!-- These iframes will get populated by the attached javascript. -->
<tt> aa_allow: /* innermost frame allows a */</tt><br/>
<iframe id='aa_allow'></iframe><br/>
<tt> aa_block: /* innermost frame denies a */</tt><br/>
<iframe id='aa_block'></iframe><br/>
<tt> ab_allow: /* innermost frame allows a */</tt><br/>
<iframe id='ab_allow'></iframe><br/>
<tt> ab_block: /* innermost frame denies a */</tt><br/>
<iframe id='ab_block'></iframe><br/>
<tt> aba_allow: /* innermost frame allows b,a */</tt><br/>
<iframe id='aba_allow'></iframe><br/>
<tt> aba_block: /* innermost frame denies b */</tt><br/>
<iframe id='aba_block'></iframe><br/>
<tt> aba2_block: /* innermost frame denies a */</tt><br/>
<iframe id='aba2_block'></iframe><br/>
<tt> abb_allow: /* innermost frame allows b,a */</tt><br/>
<iframe id='abb_allow'></iframe><br/>
<tt> abb_block: /* innermost frame denies b */</tt><br/>
<iframe id='abb_block'></iframe><br/>
<tt> abb2_block: /* innermost frame denies a */</tt><br/>
<iframe id='abb2_block'></iframe><br/>
</body>
</html>

65
content/base/test/xcsp/file_CSP_frameancestors_main.js
View File

@ -1,65 +0,0 @@
// Script to populate the test frames in the frame ancestors mochitest.
//
function setupFrames() {
var $ = function(v) { return document.getElementById(v); }
var base = {
self: '/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
a: 'http://mochi.test:8888/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
b: 'http://example.com/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs'
};
var host = { a: 'http://mochi.test:8888', b: 'http://example.com:80' };
var innerframeuri = null;
var elt = null;
elt = $('aa_allow');
elt.src = base.a + "?testid=aa_allow&internalframe=aa_a&csp=" +
escape("allow 'none'; frame-ancestors " + host.a + "; script-src 'self'");
elt = $('aa_block');
elt.src = base.a + "?testid=aa_block&internalframe=aa_b&csp=" +
escape("allow 'none'; frame-ancestors 'none'; script-src 'self'");
elt = $('ab_allow');
elt.src = base.b + "?testid=ab_allow&internalframe=ab_a&csp=" +
escape("allow 'none'; frame-ancestors " + host.a + "; script-src 'self'");
elt = $('ab_block');
elt.src = base.b + "?testid=ab_block&internalframe=ab_b&csp=" +
escape("allow 'none'; frame-ancestors 'none'; script-src 'self'");
/* .... two-level framing */
elt = $('aba_allow');
innerframeuri = base.a + "?testid=aba_allow&double=1&internalframe=aba_a&csp=" +
escape("allow 'none'; frame-ancestors " + host.a + " " + host.b + "; script-src 'self'");
elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
elt = $('aba_block');
innerframeuri = base.a + "?testid=aba_allow&double=1&internalframe=aba_b&csp=" +
escape("allow 'none'; frame-ancestors " + host.a + "; script-src 'self'");
elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
elt = $('aba2_block');
innerframeuri = base.a + "?testid=aba_allow&double=1&internalframe=aba2_b&csp=" +
escape("allow 'none'; frame-ancestors " + host.b + "; script-src 'self'");
elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
elt = $('abb_allow');
innerframeuri = base.b + "?testid=abb_allow&double=1&internalframe=abb_a&csp=" +
escape("allow 'none'; frame-ancestors " + host.a + " " + host.b + "; script-src 'self'");
elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
elt = $('abb_block');
innerframeuri = base.b + "?testid=abb_allow&double=1&internalframe=abb_b&csp=" +
escape("allow 'none'; frame-ancestors " + host.a + "; script-src 'self'");
elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
elt = $('abb2_block');
innerframeuri = base.b + "?testid=abb_allow&double=1&internalframe=abb2_b&csp=" +
escape("allow 'none'; frame-ancestors " + host.b + "; script-src 'self'");
elt.src = base.b + "?externalframe=" + escape('<iframe src="' + innerframeuri + '"></iframe>');
}
window.addEventListener('load', setupFrames, false);

20
content/base/test/xcsp/file_CSP_inlinescript_main.html
View File

@ -1,20 +0,0 @@
<!--
-- The original CSP implementation predates the CSP 1.0 spec and didn't
-- block inline styles, so when the prefixed X-Content-Security-Policy header is used,
-- as it is for this file, inline styles should be allowed.
-->
<html>
<head>
<title>CSP inline script tests</title>
</head>
<body onload="window.parent.scriptRan(false, 'eventattr', 'event attribute in body tag fired')">
<script type="text/javascript">
window.parent.scriptRan(false, "textnode", "text node in a script tag executed.");
</script>
<iframe src='javascript:window.parent.parent.scriptRan(false, "jsuri", "javascript: uri in image tag")'></iframe>
<a id='anchortoclick' href='javascript:window.parent.scriptRan(false, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
</body>
</html>

2
content/base/test/xcsp/file_CSP_inlinescript_main.html^headers^
View File

@ -1,2 +0,0 @@
X-Content-Security-Policy: allow 'self'
Cache-Control: no-cache

63
content/base/test/xcsp/file_CSP_inlinestyle_main.html
View File

@ -1,63 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<html>
<head>
<title>CSP inline script tests</title>
<!-- content= "div#linkstylediv { color: #0f0; }" -->
<link rel="stylesheet" type="text/css"
href='file_CSP.sjs?type=text/css&content=div%23linkstylediv%20%7B%20color%3A%20%230f0%3B%20%7D' />
</head>
<body>
<style type="text/css">
div#inlinestylediv {
color: #00ff00;
}
</style>
<div id='linkstylediv'>Link tag (external) stylesheet test (should be green)</div>
<div id='attrstylediv' style="color: #00ff00;">Attribute stylesheet test (should be green)</div>
<div id='inlinestylediv'>Inline stylesheet test (should be green)</div>
<!-- tests for SMIL stuff - animations -->
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
width="100%"
height="100px">
<!-- Animates XML attribute, which is mapped into style. -->
<text id="xmlTest" x="0" y="15">
This should be green since the animation should be allowed by CSP.
<animate attributeName="fill" attributeType="XML"
values="lime;green;lime" dur="2s"
repeatCount="indefinite" />
</text>
<!-- Animates override value for CSS property. -->
<text id="cssOverrideTest" x="0" y="35">
This should be green since the animation should be allowed by CSP.
<animate attributeName="fill" attributeType="CSS"
values="lime;green;lime" dur="2s"
repeatCount="indefinite" />
</text>
<!-- Animates override value for CSS property targeted via ID. -->
<text id="cssOverrideTestById" x="0" y="55">
This should be green since the animation should be allowed by CSP.
</text>
<animate xlink:href="#cssOverrideTestById"
attributeName="fill"
values="lime;green;lime"
dur="2s" repeatCount="indefinite" />
<!-- Sets value for CSS property targeted via ID. -->
<text id="cssSetTestById" x="0" y="75">
This should be green since the &lt;set&gt; should be allowed by CSP.
</text>
<set xlink:href="#cssSetTestById"
attributeName="fill"
to="lime" />
</svg>
</body>
</html>

2
content/base/test/xcsp/file_CSP_inlinestyle_main.html^headers^
View File

@ -1,2 +0,0 @@
X-Content-Security-Policy: default-src 'self'
Cache-Control: no-cache

45
content/base/test/xcsp/file_CSP_main.html
View File

@ -1,45 +0,0 @@
<html>
<head>
<link rel='stylesheet' type='text/css'
href='http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=style_bad&type=text/css' />
<link rel='stylesheet' type='text/css'
href='file_CSP.sjs?testid=style_good&type=text/css' />
<!-- Used to embed inline styles here for testing fonts, but can't do that -->
<!-- due to bug 763879 (block inline styles). Moved these to an external, CSS -->
<!-- file (file_CSP.css). -->
<link rel='stylesheet' type='text/css' href='file_CSP.css' />
</head>
<body>
<!-- these should be stopped by CSP. :) -->
<img src="http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
<audio src="http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=media_bad&type=audio/vorbis"></audio>
<script src='http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
<iframe src='http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=frame_bad&content=FAIL'></iframe>
<object width="10" height="10">
<param name="movie" value="http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash">
<embed src="http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash"></embed>
</object>
<!-- these should load ok. :) -->
<img src="file_CSP.sjs?testid=img_good&type=img/png" />
<audio src="file_CSP.sjs?testid=media_good&type=audio/vorbis"></audio>
<script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
<iframe src='file_CSP.sjs?testid=frame_good&content=PASS'></iframe>
<object width="10" height="10">
<param name="movie" value="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash">
<embed src="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash"></embed>
</object>
<!-- XHR tests... they're taken care of in this script,
and since the URI doesn't have any 'testid' values,
it will just be ignored by the test framework. -->
<script src='file_CSP_main.js'></script>
<!-- Support elements for the @font-face test -->
<div class="div_arbitrary_good">arbitrary good</div>
<div class="div_arbitrary_bad">arbitrary_bad</div>
</body>
</html>

1
content/base/test/xcsp/file_CSP_main.html^headers^
View File

@ -1 +0,0 @@
X-Content-Security-Policy: default-src 'self'

16
content/base/test/xcsp/file_CSP_main.js
View File

@ -1,16 +0,0 @@
// some javascript for the CSP XHR tests
//
try {
var xhr_good = new XMLHttpRequest();
var xhr_good_uri ="http://mochi.test:8888/tests/content/base/test/csp/file_CSP.sjs?testid=xhr_good";
xhr_good.open("GET", xhr_good_uri, true);
xhr_good.send(null);
} catch(e) {}
try {
var xhr_bad = new XMLHttpRequest();
var xhr_bad_uri ="http://example.com/tests/content/base/test/csp/file_CSP.sjs?testid=xhr_bad";
xhr_bad.open("GET", xhr_bad_uri, true);
xhr_bad.send(null);
} catch(e) {}

6
content/base/test/xcsp/file_bothCSPheaders.html
View File

@ -1,6 +0,0 @@
<html>
<body>
<img src="http://example.org/prefixed.jpg"></img>
<img src="/unprefixed.jpg"></img>
</body>
</html>

2
content/base/test/xcsp/file_bothCSPheaders.html^headers^
View File

@ -1,2 +0,0 @@
X-Content-Security-Policy: default-src 'none' ; img-src http://example.org
Content-Security-Policy: default-src 'self'

25
content/base/test/xcsp/file_csp_bug768029.html
View File

@ -1,25 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
-->
<head>
<meta charset="utf-8">
<title>This is an app for testing</title>
<link rel="stylesheet" type="text/css"
href="file_csp_bug768029.sjs?type=style&origin=same_origin" />
<link rel="stylesheet" type="text/css"
href="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=style&origin=cross_origin" />
</head>
<body>
<script src="file_csp_bug768029.sjs?type=script&origin=same_origin"></script>
<script src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=script&origin=cross_origin"></script>
<img src="file_csp_bug768029.sjs?type=img&origin=same_origin" />
<img src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=img&origin=cross_origin" />
Test for CSP applied to (simulated) app.
</body>
</html>

29
content/base/test/xcsp/file_csp_bug768029.sjs
View File

@ -1,29 +0,0 @@
function handleRequest(request, response) {
var query = {};
request.queryString.split('&').forEach(function(val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
response.setHeader("Cache-Control", "no-cache", false);
if ("type" in query) {
switch (query.type) {
case "script":
response.setHeader("Content-Type", "application/javascript");
response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
return;
case "style":
response.setHeader("Content-Type", "text/css");
response.write("\n\n.cspfoo { color:red; }\n\n");
return;
case "img":
response.setHeader("Content-Type", "image/png");
return;
}
}
response.setHeader("Content-Type", "text/plain");
response.write("ohnoes!");
}

25
content/base/test/xcsp/file_csp_bug773891.html
View File

@ -1,25 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=773891
-->
<head>
<meta charset="utf-8">
<title>This is an app for csp testing</title>
<link rel="stylesheet" type="text/css"
href="file_csp_bug773891.sjs?type=style&origin=same_origin" />
<link rel="stylesheet" type="text/css"
href="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=style&origin=cross_origin" />
</head>
<body>
<script src="file_csp_bug773891.sjs?type=script&origin=same_origin"></script>
<script src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=script&origin=cross_origin"></script>
<img src="file_csp_bug773891.sjs?type=img&origin=same_origin" />
<img src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=img&origin=cross_origin" />
Test for CSP applied to (simulated) app.
</body>
</html>

29
content/base/test/xcsp/file_csp_bug773891.sjs
View File

@ -1,29 +0,0 @@
function handleRequest(request, response) {
var query = {};
request.queryString.split('&').forEach(function(val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
response.setHeader("Cache-Control", "no-cache", false);
if ("type" in query) {
switch (query.type) {
case "script":
response.setHeader("Content-Type", "application/javascript");
response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
return;
case "style":
response.setHeader("Content-Type", "text/css");
response.write("\n\n.cspfoo { color:red; }\n\n");
return;
case "img":
response.setHeader("Content-Type", "image/png");
return;
}
}
response.setHeader("Content-Type", "text/plain");
response.write("ohnoes!");
}

35
content/base/test/xcsp/file_csp_redirects_main.html
View File

@ -1,35 +0,0 @@
<html>
<head>
<title>CSP redirect tests</title>
</head>
<body>
<div id="container"></div>
</body>
<script>
var thisSite = "http://mochi.test:8888";
var otherSite = "http://example.com";
var page = "/tests/content/base/test/xcsp/file_csp_redirects_page.sjs";
var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
"frame-src": thisSite+page+"?testid=frame-src&csp=1",
"img-src": thisSite+page+"?testid=img-src&csp=1",
"media-src": thisSite+page+"?testid=media-src&csp=1",
"object-src": thisSite+page+"?testid=object-src&csp=1",
"script-src": thisSite+page+"?testid=script-src&csp=1",
"style-src": thisSite+page+"?testid=style-src&csp=1",
"worker": thisSite+page+"?testid=worker&csp=1",
"xhr-src": thisSite+page+"?testid=xhr-src&csp=1",
};
var container = document.getElementById("container");
// load each test in its own iframe
for (tid in tests) {
var i = document.createElement("iframe");
i.id = tid;
i.src = tests[tid];
container.appendChild(i);
}
</script>
</html>

133
content/base/test/xcsp/file_csp_redirects_page.sjs
View File

@ -1,133 +0,0 @@
// SJS file for CSP redirect mochitests
// This file serves pages which can optionally specify a Content Security Policy
function handleRequest(request, response)
{
var query = {};
request.queryString.split('&').forEach(function (val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
response.setHeader("Cache-Control", "no-cache", false);
response.setHeader("Content-Type", "text/html", false);
var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
// CSP header value
if (query["csp"] == 1) {
if (query["spec"] == 1) {
response.setHeader("Content-Security-Policy", "default-src 'self' ; style-src 'self' 'unsafe-inline'", false);
} else {
response.setHeader("X-Content-Security-Policy", "allow 'self'", false);
}
}
// downloadable font that redirects to another site
if (query["testid"] == "font-src") {
var resp = '<style type="text/css"> @font-face { font-family:' +
'"Redirecting Font"; src: url("' + resource +
'?res=font&redir=other&id=font-src-redir")} #test{font-family:' +
'"Redirecting Font"}</style></head><body>' +
'<div id="test">test</div></body>';
response.write(resp);
return;
}
if (query["testid"] == "font-src-spec-compliant") {
var resp = '<style type="text/css"> @font-face { font-family:' +
'"Redirecting Font Spec Compliant"; src: url("' + resource +
'?res=font-spec-compliant&redir=other&id=font-src-redir-spec-compliant")} #test{font-family:' +
'"Redirecting Font Spec Compliant"}</style></head><body>' +
'<div id="test">test</div></body>';
response.write(resp);
return;
}
// iframe that redirects to another site
if (query["testid"] == "frame-src") {
response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir"></iframe>');
return;
}
if (query["testid"] == "frame-src-spec-compliant") {
response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir-spec-compliant"></iframe>');
return;
}
// image that redirects to another site
if (query["testid"] == "img-src") {
response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir" />');
return;
}
if (query["testid"] == "img-src-spec-compliant") {
response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir-spec-compliant" />');
return;
}
// video content that redirects to another site
if (query["testid"] == "media-src") {
response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir"></video>');
return;
}
if (query["testid"] == "media-src-spec-compliant") {
response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir-spec-compliant"></video>');
return;
}
// object content that redirects to another site
if (query["testid"] == "object-src") {
response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir"></object>');
return;
}
if (query["testid"] == "object-src-spec-compliant") {
response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir-spec-compliant"></object>');
return;
}
// external script that redirects to another site
if (query["testid"] == "script-src") {
response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir"></script>');
return;
}
if (query["testid"] == "script-src-spec-compliant") {
response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir-spec-compliant"></script>');
return;
}
// external stylesheet that redirects to another site
if (query["testid"] == "style-src") {
response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir"></script>');
return;
}
if (query["testid"] == "style-src-spec-compliant") {
response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir-spec-compliant"></script>');
return;
}
// worker script resource that redirects to another site
if (query["testid"] == "worker") {
response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir"></script>');
return;
}
if (query["testid"] == "worker-spec-compliant") {
response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir-spec-compliant"></script>');
return;
}
// script that XHR's to a resource that redirects to another site
if (query["testid"] == "xhr-src") {
response.write('<script src="'+resource+'?res=xhr"></script>');
return;
}
if (query["testid"] == "xhr-src-spec-compliant") {
response.write('<script src="'+resource+'?res=xhr-spec-compliant"></script>');
return;
}
}

128
content/base/test/xcsp/file_csp_redirects_resource.sjs
View File

@ -1,128 +0,0 @@
// SJS file to serve resources for CSP redirect tests
// This file mimics serving resources, e.g. fonts, images, etc., which a CSP
// can include. The resource may redirect to a different resource, if specified.
function handleRequest(request, response)
{
var query = {};
request.queryString.split('&').forEach(function (val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
var thisSite = "http://mochi.test:8888";
var otherSite = "http://example.com";
var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
response.setHeader("Cache-Control", "no-cache", false);
// redirect to a resource on this site
if (query["redir"] == "same") {
var loc = thisSite+resource+"?res="+query["res"]+"&testid="+query["id"];
response.setStatusLine("1.1", 302, "Found");
response.setHeader("Location", loc, false);
return;
}
// redirect to a resource on a different site
else if (query["redir"] == "other") {
var loc = otherSite+resource+"?res="+query["res"]+"&testid="+query["id"];
response.setStatusLine("1.1", 302, "Found");
response.setHeader("Location", loc, false);
return;
}
// not a redirect. serve some content.
// the content doesn't have to be valid, since we're only checking whether
// the request for the content was sent or not.
// downloadable font
if (query["res"] == "font") {
response.setHeader("Access-Control-Allow-Origin", "*", false);
response.setHeader("Content-Type", "text/plain", false);
response.write("font data...");
return;
}
if (query["res"] == "font-spec-compliant") {
response.setHeader("Access-Control-Allow-Origin", "*", false);
response.setHeader("Content-Type", "text/plain", false);
response.write("font data...");
return;
}
// iframe with arbitrary content
if (query["res"] == "iframe") {
response.setHeader("Content-Type", "text/html", false);
response.write("iframe content...");
return;
}
// image
if (query["res"] == "image") {
response.setHeader("Content-Type", "image/gif", false);
response.write("image data...");
return;
}
// media content, e.g. Ogg video
if (query["res"] == "media") {
response.setHeader("Content-Type", "video/ogg", false);
response.write("video data...");
return;
}
// plugin content, e.g. <object>
if (query["res"] == "object") {
response.setHeader("Content-Type", "text/html", false);
response.write("object data...");
return;
}
// script
if (query["res"] == "script") {
response.setHeader("Content-Type", "application/javascript", false);
response.write("some script...");
return;
}
// external stylesheet
if (query["res"] == "style") {
response.setHeader("Content-Type", "text/css", false);
response.write("css data...");
return;
}
// web worker resource
if (query["res"] == "worker") {
response.setHeader("Content-Type", "application/javascript", false);
response.write("worker script data...");
return;
}
// script that invokes XHR
if (query["res"] == "xhr") {
response.setHeader("Content-Type", "text/html", false);
var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
resource+'?res=xhr-resp&testid=xhr-src-redir", false); ' +
'x.send(null);';
response.write(resp);
return;
}
if (query["res"] == "xhr-spec-compliant") {
response.setHeader("Content-Type", "text/html", false);
var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
resource+'?res=xhr-resp-spec-compliant&testid=xhr-src-redir-spec-compliant", false); ' +
'x.send(null);';
response.write(resp);
return;
}
// response to XHR
if (query["res"] == "xhr-resp-spec-compliant") {
response.setHeader("Access-Control-Allow-Origin", "*", false);
response.setHeader("Content-Type", "text/html", false);
response.write('XHR response...');
return;
}
}

25
content/base/test/xcsp/file_csp_report.sjs
View File

@ -1,25 +0,0 @@
// SJS file for CSP violation report test
// https://bugzilla.mozilla.org/show_bug.cgi?id=548193
function handleRequest(request, response)
{
var query = {};
request.queryString.split('&').forEach(function (val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
response.setHeader("Content-Type", "text/html", false);
// avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
// set CSP header
response.setHeader("X-Content-Security-Policy",
"allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
false);
// content which will trigger a violation report
response.write('<html><body>');
response.write('<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>');
response.write('</body></html>');
}

0
content/base/test/xcsp/file_dual_headers_warning.html
View File

2
content/base/test/xcsp/file_dual_headers_warning.html^headers^
View File

@ -1,2 +0,0 @@
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Content-Security-Policy: allow 'self' 'inline-script';

15
content/base/test/xcsp/file_multi_policy_injection_bypass.html
View File

@ -1,15 +0,0 @@
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=717511
-->
<body>
<!-- these should be stopped by CSP after fixing bug 717511. :) -->
<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
<script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
<!-- these should load ok after fixing bug 717511. :) -->
<img src="file_CSP.sjs?testid=img_good&type=img/png" />
<script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
</body>
</html>

1
content/base/test/xcsp/file_multi_policy_injection_bypass.html^headers^
View File

@ -1 +0,0 @@
X-Content-Security-Policy: default-src 'self', allow *

15
content/base/test/xcsp/file_multi_policy_injection_bypass_2.html
View File

@ -1,15 +0,0 @@
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=717511
-->
<body>
<!-- these should be stopped by CSP after fixing bug 717511. :) -->
<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img2_bad&type=img/png"> </img>
<script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script2_bad&type=text/javascript'></script>
<!-- these should load ok after fixing bug 717511. :) -->
<img src="file_CSP.sjs?testid=img2_good&type=img/png" />
<script src='file_CSP.sjs?testid=script2_good&type=text/javascript'></script>
</body>
</html>

1
content/base/test/xcsp/file_multi_policy_injection_bypass_2.html^headers^
View File

@ -1 +0,0 @@
X-Content-Security-Policy: default-src 'self' , allow *

5
content/base/test/xcsp/file_policyuri_async_fetch.html
View File

@ -1,5 +0,0 @@
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=558431
-->
<iframe id="inner"
src="/tests/content/base/test/file_CSP.sjs?content=%3Cdiv%20id%3D%22test%22%3Etest%20558431%3C/div%3E"></iframe>

1
content/base/test/xcsp/file_policyuri_async_fetch.html^headers^
View File

@ -1 +0,0 @@
X-Content-Security-Policy: invalid-uri

38
content/base/test/xcsp/file_redirect_content.sjs
View File

@ -1,38 +0,0 @@
// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
// This SJS file serves file_redirect_content.html
// with a CSP that will trigger a violation and that will report it
// to file_redirect_report.sjs
//
// This handles 301, 302, 303 and 307 redirects. The HTTP status code
// returned/type of redirect to do comes from the query string
// parameter passed in from the test_bug650386_* files and then also
// uses that value in the report-uri parameter of the CSP
function handleRequest(request, response) {
response.setHeader("Cache-Control", "no-cache", false);
// this gets used in the CSP as part of the report URI.
var redirect = request.queryString;
if (redirect < 301 || (redirect > 303 && redirect <= 306) || redirect > 307) {
// if we somehow got some bogus redirect code here,
// do a 302 redirect to the same URL as the report URI
// redirects to - this will fail the test.
var loc = "http://example.com/some/fake/path";
response.setStatusLine("1.1", 302, "Found");
response.setHeader("Location", loc, false);
return;
}
var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
response.setHeader("X-Content-Security-Policy", csp, false);
// the actual file content.
// this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
// specified by the CSP string above.
var content = "<!DOCTYPE HTML><html><body><img src = \"http://some.other.domain.example.com\"></body></html>";
response.write(content);
return;
}

17
content/base/test/xcsp/file_redirect_report.sjs
View File

@ -1,17 +0,0 @@
// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
// This SJS file serves as CSP violation report target
// and issues a redirect, to make sure the browser does not post to the target
// of the redirect, per CSP spec.
// This handles 301, 302, 303 and 307 redirects. The HTTP status code
// returned/type of redirect to do comes from the query string
// parameter
function handleRequest(request, response) {
response.setHeader("Cache-Control", "no-cache", false);
var redirect = request.queryString;
var loc = "http://example.com/some/fake/path";
response.setStatusLine("1.1", redirect, "Found");
response.setHeader("Location", loc, false);
return;
}

13
content/base/test/xcsp/file_subframe_run_js_if_allowed.html
View File

@ -1,13 +0,0 @@
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=702439
This document is a child frame of a CSP document and the
test verifies that it is permitted to run javascript: URLs
if the parent has a policy that allows them.
-->
<body onload="document.getElementById('a').click()">
<a id="a" href="javascript:parent.javascript_link_ran = true;
parent.checkResult();">click</a>
</body>
</html>

1
content/base/test/xcsp/file_subframe_run_js_if_allowed.html^headers^
View File

@ -1 +0,0 @@
X-Content-Security-Policy: default-src *; options inline-script

69
content/base/test/xcsp/mochitest.ini
View File

@ -1,69 +0,0 @@
[DEFAULT]
support-files =
file_CSP.css
file_CSP.sjs
file_CSP_bug916446.html
file_CSP_bug916446.html^headers^
file_CSP_evalscript_main.html
file_CSP_evalscript_main.html^headers^
file_CSP_evalscript_main.js
file_CSP_evalscript_main_getCRMFRequest.html
file_CSP_evalscript_main_getCRMFRequest.html^headers^
file_CSP_evalscript_main_getCRMFRequest.js
file_CSP_evalscript_no_CSP_at_all.html
file_CSP_evalscript_no_CSP_at_all.html^headers^
file_CSP_evalscript_no_CSP_at_all.js
file_CSP_frameancestors.sjs
file_CSP_frameancestors_main.html
file_CSP_frameancestors_main.js
file_CSP_inlinescript_main.html
file_CSP_inlinescript_main.html^headers^
file_CSP_inlinestyle_main.html
file_CSP_inlinestyle_main.html^headers^
file_CSP_main.html
file_CSP_main.html^headers^
file_CSP_main.js
file_bothCSPheaders.html
file_bothCSPheaders.html^headers^
file_csp_bug768029.html
file_csp_bug768029.sjs
file_csp_bug773891.html
file_csp_bug773891.sjs
file_csp_redirects_main.html
file_csp_redirects_page.sjs
file_csp_redirects_resource.sjs
file_dual_headers_warning.html
file_dual_headers_warning.html^headers^
file_csp_report.sjs
file_policyuri_async_fetch.html
file_policyuri_async_fetch.html^headers^
file_redirect_content.sjs
file_redirect_report.sjs
file_subframe_run_js_if_allowed.html
file_subframe_run_js_if_allowed.html^headers^
file_multi_policy_injection_bypass.html
file_multi_policy_injection_bypass.html^headers^
file_multi_policy_injection_bypass_2.html
file_multi_policy_injection_bypass_2.html^headers^
[test_CSP.html]
[test_CSP_bug916446.html]
[test_CSP_evalscript.html]
[test_CSP_evalscript_getCRMFRequest.html]
skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
[test_CSP_frameancestors.html]
skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
[test_CSP_inlinescript.html]
[test_CSP_inlinestyle.html]
[test_bothCSPheaders.html]
[test_csp_redirects.html]
[test_dual_headers_warning.html]
[test_csp_report.html]
skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
[test_policyuri_async_fetch.html]
[test_301_redirect.html]
[test_302_redirect.html]
[test_303_redirect.html]
[test_307_redirect.html]
[test_subframe_run_js_if_allowed.html]
[test_multi_policy_injection_bypass.html]

10
content/base/test/xcsp/moz.build
View File

@ -1,10 +0,0 @@
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
MOCHITEST_MANIFESTS += ['mochitest.ini']
MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']

73
content/base/test/xcsp/test_301_redirect.html
View File

@ -1,73 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
Test that CSP violation reports are not sent when a 301 redirect is encountered
-->
<head>
<title>Test for Bug 650386</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
<p id="display"></p>
<div id="content" style="display: none">
<iframe id = "content_iframe"></iframe>
</div>
<pre id="test">
<script type="application/javascript">
/** Test for Bug 650386 **/
// This is used to watch the redirect of the report POST get blocked
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
if (topic === "specialpowers-http-notify-request") {
// this is used to fail the test - if we see the POST to the target of the redirect
// we know this is a fail
var uri = data;
if (uri == "http://example.com/some/fake/path")
window.done(false);
}
if(topic === "csp-on-violate-policy") {
// something was blocked, but we are looking specifically for the redirect being blocked
if (data == "denied redirect while sending violation report")
window.done(true);
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
// result == true if we saw the redirect blocked notify, false if we saw the post
// to the redirect target go out
window.done = function(result) {
ok(result, "a 301 redirect when posting violation report should be blocked");
// clean up observers and finish the test
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered.
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?301';
</script>
</pre>
</body>
</html>

73
content/base/test/xcsp/test_302_redirect.html
View File

@ -1,73 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
Test that CSP violation reports are not sent when a 302 redirect is encountered
-->
<head>
<title>Test for Bug 650386</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
<p id="display"></p>
<div id="content" style="display: none">
<iframe id = "content_iframe"></iframe>
</div>
<pre id="test">
<script type="application/javascript">
/** Test for Bug 650386 **/
// This is used to watch the redirect of the report POST get blocked
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
if (topic === "specialpowers-http-notify-request") {
// this is used to fail the test - if we see the POST to the target of the redirect
// we know this is a fail
var uri = data;
if (uri == "http://example.com/some/fake/path")
window.done(false);
}
if(topic === "csp-on-violate-policy") {
// something was blocked, but we are looking specifically for the redirect being blocked
if (data == "denied redirect while sending violation report")
window.done(true);
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
// result == true if we saw the redirect blocked notify, false if we saw the post
// to the redirect target go out
window.done = function(result) {
ok(result, "a 302 redirect when posting violation report should be blocked");
// clean up observers and finish the test
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered.
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?302';
</script>
</pre>
</body>
</html>

73
content/base/test/xcsp/test_303_redirect.html
View File

@ -1,73 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
Test that CSP violation reports are not sent when a 303 redirect is encountered
-->
<head>
<title>Test for Bug 650386</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
<p id="display"></p>
<div id="content" style="display: none">
<iframe id = "content_iframe"></iframe>
</div>
<pre id="test">
<script type="application/javascript">
/** Test for Bug 650386 **/
// This is used to watch the redirect of the report POST get blocked
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
if (topic === "specialpowers-http-notify-request") {
// this is used to fail the test - if we see the POST to the target of the redirect
// we know this is a fail
var uri = data;
if (uri == "http://example.com/some/fake/path")
window.done(false);
}
if(topic === "csp-on-violate-policy") {
// something was blocked, but we are looking specifically for the redirect being blocked
if (data == "denied redirect while sending violation report")
window.done(true);
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
// result == true if we saw the redirect blocked notify, false if we saw the post
// to the redirect target go out
window.done = function(result) {
ok(result, "a 303 redirect when posting violation report should be blocked");
// clean up observers and finish the test
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered.
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?303';
</script>
</pre>
</body>
</html>

73
content/base/test/xcsp/test_307_redirect.html
View File

@ -1,73 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=650386
Test that CSP violation reports are not sent when a 307 redirect is encountered
-->
<head>
<title>Test for Bug 650386</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
<p id="display"></p>
<div id="content" style="display: none">
<iframe id = "content_iframe"></iframe>
</div>
<pre id="test">
<script type="application/javascript">
/** Test for Bug 650386 **/
// This is used to watch the redirect of the report POST get blocked
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
if (topic === "specialpowers-http-notify-request") {
// this is used to fail the test - if we see the POST to the target of the redirect
// we know this is a fail
var uri = data;
if (uri == "http://example.com/some/fake/path")
window.done(false);
}
if(topic === "csp-on-violate-policy") {
// something was blocked, but we are looking specifically for the redirect being blocked
if (data == "denied redirect while sending violation report")
window.done(true);
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
// result == true if we saw the redirect blocked notify, false if we saw the post
// to the redirect target go out
window.done = function(result) {
ok(result, "a 307 redirect when posting violation report should be blocked");
// clean up observers and finish the test
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered.
document.getElementById('content_iframe').src = 'file_redirect_content.sjs?307';
</script>
</pre>
</body>
</html>

119
content/base/test/xcsp/test_CSP.html
View File

@ -1,119 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy Connections</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
window.tests = {
img_good: -1,
img_bad: -1,
style_good: -1,
style_bad: -1,
frame_good: -1,
frame_bad: -1,
script_good: -1,
script_bad: -1,
xhr_good: -1,
xhr_bad: -1,
media_good: -1,
media_bad: -1,
font_good: -1,
font_bad: -1,
object_good: -1,
object_bad: -1,
};
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
var testpat = new RegExp("testid=([a-z0-9_]+)");
//_good things better be allowed!
//_bad things better be stopped!
// This is a special observer topic that is proxied from
// http-on-modify-request in the parent process to inform us when a URI is
// loaded
if (topic === "specialpowers-http-notify-request") {
var uri = data;
if (!testpat.test(uri)) return;
var testid = testpat.exec(uri)[1];
window.testResult(testid,
/_good/.test(testid),
uri + " allowed by csp");
}
if (topic === "csp-on-violate-policy") {
// these were blocked... record that they were blocked
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
if (!testpat.test(asciiSpec)) return;
var testid = testpat.exec(asciiSpec)[1];
window.testResult(testid,
/_bad/.test(testid),
asciiSpec + " blocked by \"" + data + "\"");
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
window.testResult = function(testname, result, msg) {
//test already complete.... forget it... remember the first result.
if (window.tests[testname] != -1)
return;
window.tests[testname] = result;
is(result, true, testname + ' test: ' + msg);
// if any test is incomplete, keep waiting
for (var v in window.tests)
if(tests[v] == -1)
return;
// ... otherwise, finish
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true],
// This defaults to 0 ("preload none") on mobile (B2G/Android), which
// blocks loading the resource until the user interacts with a
// corresponding widget, which breaks the media_* tests. We set it
// back to the default used by desktop Firefox to get consistent
// behavior.
["media.preload.default", 2]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_main.html';
});
</script>
</pre>
</body>
</html>

114
content/base/test/xcsp/test_CSP_bug916446.html
View File

@ -1,114 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Bug 916446</title>
<!--
test that an invalid report-only policy (a stripped down version of what
web.tweetdeck.com was serving) defaults to "default-src 'none'" but only
sends reports and is not accidentally enforced
-->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:200px;height:200px;" id='testframe'></iframe>
<script class="testbody" type="text/javascript">
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
completedTests: 0,
totalTests: 4,
observe: function(subject, topic, data) {
var testpat = new RegExp("testid=([a-z0-9_]+)");
if (topic === "specialpowers-http-notify-request") {
// these things were allowed by CSP
var uri = data;
if (!testpat.test(uri)) return;
var testid = testpat.exec(uri)[1];
if (testid === "img_bad") {
// img_bad should be *allowed* because the policy is report-only
ok(true, "External loads should be allowed because the policy is report-only");
this.completedTests++;
}
}
if(topic === "csp-on-violate-policy") {
// these were blocked
try {
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
if (!testpat.test(asciiSpec)) return;
var testid = testpat.exec(asciiSpec)[1];
if (testid === "img_bad") {
ok(true, "External loads should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
this.completedTests++;
}
} catch (e) {
// if that fails, the subject is probably a string
violation_msg = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
if (/Inline Scripts will not execute/.test(violation_msg)) {
ok(true, "Inline scripts should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
this.completedTests++;
}
}
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
function checkInlineScriptExecuted() {
var green = 'rgb(0, 128, 0)';
var black = 'rgb(0, 0, 0)';
var that = this;
function getElementColorById(id) {
return window.getComputedStyle(that.contentDocument.getElementById(id)).color;
}
if (getElementColorById('inline-script') === green) {
ok(true, "Inline scripts should execute (because the policy is report-only)");
window.examiner.completedTests++;
}
waitToFinish();
}
function waitToFinish() {
setTimeout(function wait() {
if (window.examiner.completedTests < window.examiner.totalTests) {
waitToFinish();
} else {
// Cleanup
window.examiner.remove();
SimpleTest.finish();
}
}, 10);
}
SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", false]]},
function() {
var testframe = document.getElementById('testframe');
testframe.src = 'file_CSP_bug916446.html';
testframe.addEventListener('load', checkInlineScriptExecuted);
}
);
</script>
</pre>
</body>
</html>

58
content/base/test/xcsp/test_CSP_evalscript.html
View File

@ -1,58 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy "no eval" base restriction</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
var evalScriptsThatRan = 0;
var evalScriptsBlocked = 0;
var evalScriptsTotal = 8;
// called by scripts that run
var scriptRan = function(shouldrun, testname, data) {
evalScriptsThatRan++;
ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
checkTestResults();
}
// called when a script is blocked
var scriptBlocked = function(shouldrun, testname, data) {
evalScriptsBlocked++;
ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
checkTestResults();
}
// Check to see if all the tests have run
var checkTestResults = function() {
// if any test is incomplete, keep waiting
if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
return;
// ... otherwise, finish
SimpleTest.finish();
}
//////////////////////////////////////////////////////////////////////
// set up and go
SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
});
</script>
</pre>
</body>
</html>

61
content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
View File

@ -1,61 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy "no eval" in crypto.getCRMFRequest()</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
var evalScriptsThatRan = 0;
var evalScriptsBlocked = 0;
var evalScriptsTotal = 2;
// called by scripts that run
var scriptRan = function(shouldrun, testname, data) {
evalScriptsThatRan++;
ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
checkTestResults();
}
// called when a script is blocked
var scriptBlocked = function(shouldrun, testname, data) {
evalScriptsBlocked++;
ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
checkTestResults();
}
// Check to see if all the tests have run
var checkTestResults = function() {
// if any test is incomplete, keep waiting
if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
return;
// ... otherwise, finish
SimpleTest.finish();
}
//////////////////////////////////////////////////////////////////////
// set up and go
SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
document.getElementById('cspframe2').src = 'file_CSP_evalscript_no_CSP_at_all.html';
});
</script>
</pre>
</body>
</html>

131
content/base/test/xcsp/test_CSP_frameancestors.html
View File

@ -1,131 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy Frame Ancestors directive</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
var framesThatShouldLoad = {
aa_allow: -1, /* innermost frame allows a */
//aa_block: -1, /* innermost frame denies a */
ab_allow: -1, /* innermost frame allows a */
//ab_block: -1, /* innermost frame denies a */
aba_allow: -1, /* innermost frame allows b,a */
//aba_block: -1, /* innermost frame denies b */
//aba2_block: -1, /* innermost frame denies a */
abb_allow: -1, /* innermost frame allows b,a */
//abb_block: -1, /* innermost frame denies b */
//abb2_block: -1, /* innermost frame denies a */
};
var expectedViolationsLeft = 6;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
// subject should be an nsURI, and should be either allowed or blocked.
if (!SpecialPowers.can_QI(subject))
return;
if (topic === "csp-on-violate-policy") {
//these were blocked... record that they were blocked
var asciiSpec = subject;
// Except CSP prohibits cross-origin URI reporting during frame ancestors
// checks so this may not be an nsIURI.
try {
asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
} catch (ex) {
// was not an nsIURI, so it was probably a cross-origin report.
}
window.frameBlocked(asciiSpec, data);
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
}
}
// called when a frame is loaded
// -- if it's not enumerated above, it should not load!
var frameLoaded = function(testname, uri) {
//test already complete.... forget it... remember the first result.
if (window.framesThatShouldLoad[testname] != -1)
return;
if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
// uh-oh, we're not expecting this frame to load!
ok(false, testname + ' framed site should not have loaded: ' + uri);
} else {
framesThatShouldLoad[testname] = true;
ok(true, testname + ' framed site when allowed by csp (' + uri + ')');
}
checkTestResults();
}
// called when a frame is blocked
// -- we can't determine *which* frame was blocked, but at least we can count them
var frameBlocked = function(uri, policy) {
ok(true, 'a CSP policy blocked frame from being loaded: ' + policy);
expectedViolationsLeft--;
checkTestResults();
}
// Check to see if all the tests have run
var checkTestResults = function() {
// if any test is incomplete, keep waiting
for (var v in framesThatShouldLoad)
if(window.framesThatShouldLoad[v] == -1)
return;
if (window.expectedViolationsLeft > 0)
return;
// ... otherwise, finish
window.examiner.remove();
SimpleTest.finish();
}
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event) {
if (event.data.call && event.data.call == 'frameLoaded')
frameLoaded(event.data.testname, event.data.uri);
}
//////////////////////////////////////////////////////////////////////
// set up and go
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
// added this so the tests run even if we don't flip the pref on by default.
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
});
</script>
</pre>
</body>
</html>

95
content/base/test/xcsp/test_CSP_inlinescript.html
View File

@ -1,95 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy Frame Ancestors directive</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
var inlineScriptsBlocked = 0;
var inlineScriptsTotal = 4;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
// subject should be an nsURI, and should be either allowed or blocked.
if (!SpecialPowers.can_QI(subject))
return;
if (topic === "csp-on-violate-policy") {
var what = null;
try {
//these were blocked... record that they were blocked
what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
} catch(e) {
//if that fails, the subject is probably a string
what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
}
window.scriptBlocked(what, data);
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
}
}
// called when a script is blocked
// -- we can't determine *which* frame was blocked, but at least we can count them
var scriptBlocked = function(testname, data) {
inlineScriptsBlocked++;
ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
checkTestResults();
}
// Check to see if all the tests have run
var checkTestResults = function() {
// if any test is incomplete, keep waiting
if (inlineScriptsBlocked < inlineScriptsTotal)
return;
// The other four scripts in the other two pages should be blocked.
is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
// ... otherwise, finish
window.examiner.remove();
SimpleTest.finish();
}
//////////////////////////////////////////////////////////////////////
// set up and go
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
function clickit() {
var cspframe = document.getElementById('cspframe');
var a = cspframe.contentDocument.getElementById('anchortoclick');
sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
}
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
document.getElementById('cspframe').addEventListener('load', clickit, false);
});
</script>
</pre>
</body>
</html>

65
content/base/test/xcsp/test_CSP_inlinestyle.html
View File

@ -1,65 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy inline stylesheets stuff</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
//////////////////////////////////////////////////////////////////////
// set up and go
SimpleTest.waitForExplicitFinish();
var done = 0;
// Our original CSP implementation does not block inline styles.
function checkStyles(evt) {
var cspframe = document.getElementById('cspframe');
var color;
// black means the style wasn't applied. green colors are used for styles
//expected to be applied. A color is red if a style is erroneously applied
color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
// SMIL tests
color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
checkIfDone();
}
function checkIfDone() {
done++;
if (done == 1)
SimpleTest.finish();
}
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
document.getElementById('cspframe').addEventListener('load', checkStyles, false);
}
);
</script>
</pre>
</body>
</html>

79
content/base/test/xcsp/test_bothCSPheaders.html
View File

@ -1,79 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title>
<!-- When both headers are present, we should ignore the pre-1.0 header and
only recognize the 1.0 spec-compliant header. -->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
var prefixedHeaderImgURL = "http://example.org/prefixed.jpg";
var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg";
var testsRun = 0;
var totalTests = 2;
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
if (topic === "specialpowers-http-notify-request") {
var allowedUri = data;
if (allowedUri == prefixedHeaderImgURL || allowedUri == unprefixedHeaderImgURL) {
is(allowedUri, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)");
testRan();
}
}
if (topic === "csp-on-violate-policy") {
// the load was blocked, this is a pass, the Content-Security-Policy
// header doesn't allow the load, but the X-Content-Security-Header does
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
testRan();
}
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
function testRan() {
testsRun++;
if (testsRun == totalTests) {
window.examiner.remove();
SimpleTest.finish();
}
}
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function loadTestRequests() {
var cspframe = document.getElementById('cspframe');
cspframe.src = 'file_bothCSPheaders.html';
}
);
</script>
</pre>
</body>
</html>

223
content/base/test/xcsp/test_csp_bug768029.html
View File

@ -1,223 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
-->
<head>
<meta charset="utf-8">
<title>Test for CSP on trusted/certified apps -- bug 768029</title>
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=768029">Mozilla Bug 768029</a>
<p id="display"></p>
<div id="content">
</div>
<pre id="test">
<script type="application/javascript;version=1.7">
Components.utils.import("resource://gre/modules/Services.jsm");
/** Test for Bug 768029 **/
// Note: we don't have to inspect all the different operations of CSP,
// we're just looking for specific differences in behavior that indicate
// a default CSP got applied.
const DEFAULT_CSP_PRIV = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";
const DEFAULT_CSP_CERT = "default-src *; script-src 'self'; style-src 'self'; object-src 'none'";
SimpleTest.waitForExplicitFinish();
var gData = [
{
app: "https://example.com/manifest.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
statusString: "installed app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: true, style: true },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_priv.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
statusString: "privileged app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_cert.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
statusString: "certified app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
];
// Observer for watching allowed loads and blocked attempts
function ThingyListener(app, iframe) {
Services.obs.addObserver(this, "csp-on-violate-policy", false);
Services.obs.addObserver(this, "http-on-modify-request", false);
dump("added observers\n");
// keep track of which app ID this test is monitoring.
this._testData = app;
this._expectedResults = app.expectedTestResults;
this._resultsRecorded = { cross_origin: {}, same_origin: {}};
this._iframe = iframe;
this._countedTests = 0;
}
ThingyListener.prototype = {
observe: function(subject, topic, data) {
// make sure to only observe app-generated calls to the helper for this test.
var testpat = new RegExp("file_csp_bug768029\\.sjs");
// used to extract which kind of load this is (img, script, etc).
var typepat = new RegExp("type=([\\_a-z0-9]+)");
// used to identify whether it's cross-origin or same-origin loads
// (the applied CSP allows same-origin loads).
var originpat = new RegExp("origin=([\\_a-z0-9]+)");
if (topic === "http-on-modify-request") {
// Matching requests on this topic were allowed by the csp
var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var uri = chan.URI;
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == true, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else if (topic === "csp-on-violate-policy") {
// Matching hits on this topic were blocked by the csp
var uri = subject.QueryInterface(Components.interfaces.nsIURI);
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == false, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else {
// wrong topic! Nothing to do.
return;
}
this._checkForFinish();
},
_checkForFinish: function() {
// check to see if there are load tests still pending.
// (All requests triggered by the app should hit one of the
// two observer topics.)
if (this._countedTests == this._expectedResults.max_tests) {
Services.obs.removeObserver(this, "csp-on-violate-policy");
Services.obs.removeObserver(this, "http-on-modify-request");
dump("removed observers\n");
checkedCount++;
if (checkedCount == checksTodo) {
SpecialPowers.removePermission("browser", "https://example.com");
SimpleTest.finish();
} else {
gTestRunner.next();
}
}
},
// verify the status of the app
checkAppStatus: function() {
var principal = this._iframe.contentDocument.nodePrincipal;
if (this._testData.app) {
is(principal.appStatus, this._testData.appStatus,
"iframe principal's app status doesn't match the expected app status.");
this._countedTests++;
this._checkForFinish();
}
}
}
var content = document.getElementById('content');
var checkedCount = 0; // number of apps checked
var checksTodo = gData.length;
// quick check to make sure we can test apps:
is('appStatus' in document.nodePrincipal, true,
'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
function runTest() {
for (var i = 0; i < gData.length; i++) {
let data = gData[i];
var iframe = document.createElement('iframe');
// watch for successes and failures
var examiner = new ThingyListener(data, iframe);
iframe.setAttribute('mozapp', data.app);
iframe.setAttribute('mozbrowser', 'true');
iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
iframe.src = data.uri;
content.appendChild(iframe);
yield undefined;
}
}
var gTestRunner = runTest();
// load the default CSP and pref it on
SpecialPowers.addPermission("browser", true, "https://example.com");
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
["security.mixed_content.block_active_content", false],
["security.mixed_content.block_display_content", false]]},
function() { gTestRunner.next(); });
</script>
</pre>
</body>
</html>

228
content/base/test/xcsp/test_csp_bug773891.html
View File

@ -1,228 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
-->
<head>
<meta charset="utf-8">
<title>Test for CSP on trusted/certified and installed apps -- bug 773891</title>
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=773891">Mozilla Bug 773891</a>
<p id="display"></p>
<div id="content">
</div>
<pre id="test">
<script type="application/javascript;version=1.7">
Components.utils.import("resource://gre/modules/Services.jsm");
/** Test for Bug 773891 **/
// Note: we don't have to inspect all the different operations of CSP,
// we're just looking for specific differences in behavior that indicate
// a default CSP got applied.
const DEFAULT_CSP_PRIV = "default-src *; script-src *; style-src 'self' 'unsafe-inline'; object-src 'none'";
const DEFAULT_CSP_CERT = "default-src *; script-src *; style-src 'self'; object-src 'none'";
const MANIFEST_CSP_PRIV = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
const MANIFEST_CSP_INST = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
const MANIFEST_CSP_CERT = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
SimpleTest.waitForExplicitFinish();
var gData = [
{
app: "https://example.com/manifest_csp_inst.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
csp: MANIFEST_CSP_INST,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
statusString: "installed app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_csp_cert.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
csp: MANIFEST_CSP_CERT,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
statusString: "certified app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_csp_priv.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
csp: MANIFEST_CSP_PRIV,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
statusString: "privileged app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
];
// Observer for watching allowed loads and blocked attempts
function ThingyListener(app, iframe) {
Services.obs.addObserver(this, "csp-on-violate-policy", false);
Services.obs.addObserver(this, "http-on-modify-request", false);
dump("added observers\n");
// keep track of which app ID this test is monitoring.
this._testData = app;
this._expectedResults = app.expectedTestResults;
this._resultsRecorded = { cross_origin: {}, same_origin: {}};
this._iframe = iframe;
this._countedTests = 0;
}
ThingyListener.prototype = {
observe: function(subject, topic, data) {
// make sure to only observe app-generated calls to the helper for this test.
var testpat = new RegExp("file_csp_bug773891\\.sjs");
// used to extract which kind of load this is (img, script, etc).
var typepat = new RegExp("type=([\\_a-z0-9]+)");
// used to identify whether it's cross-origin or same-origin loads
// (the applied CSP allows same-origin loads).
var originpat = new RegExp("origin=([\\_a-z0-9]+)");
if (topic === "http-on-modify-request") {
// Matching requests on this topic were allowed by the csp
var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var uri = chan.URI;
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == true, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else if (topic === "csp-on-violate-policy") {
// Matching hits on this topic were blocked by the csp
var uri = subject.QueryInterface(Components.interfaces.nsIURI);
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == false, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else {
// wrong topic! Nothing to do.
return;
}
this._checkForFinish();
},
_checkForFinish: function() {
// check to see if there are load tests still pending.
// (All requests triggered by the app should hit one of the
// two observer topics.)
if (this._countedTests == this._expectedResults.max_tests) {
Services.obs.removeObserver(this, "csp-on-violate-policy");
Services.obs.removeObserver(this, "http-on-modify-request");
dump("removed observers\n");
checkedCount++;
if (checkedCount == checksTodo) {
SpecialPowers.removePermission("browser", "https://example.com");
SimpleTest.finish();
} else {
gTestRunner.next();
}
}
},
// verify the status of the app
checkAppStatus: function() {
var principal = this._iframe.contentDocument.nodePrincipal;
if (this._testData.app) {
is(principal.appStatus, this._testData.appStatus,
"iframe principal's app status doesn't match the expected app status.");
this._countedTests++;
this._checkForFinish();
}
}
}
var content = document.getElementById('content');
var checkedCount = 0; // number of apps checked
var checksTodo = gData.length;
// quick check to make sure we can test apps:
is('appStatus' in document.nodePrincipal, true,
'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
function runTest() {
for (var i = 0; i < gData.length; i++) {
let data = gData[i];
var iframe = document.createElement('iframe');
// watch for successes and failures
var examiner = new ThingyListener(data, iframe);
iframe.setAttribute('mozapp', data.app);
iframe.setAttribute('mozbrowser', 'true');
iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
iframe.src = data.uri;
content.appendChild(iframe);
yield undefined;
}
}
var gTestRunner = runTest();
// load the default CSP and pref it on
SpecialPowers.addPermission("browser", true, "https://example.com");
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
function() { gTestRunner.next(); });
</script>
</pre>
</body>
</html>

130
content/base/test/xcsp/test_csp_redirects.html
View File

@ -1,130 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Tests for Content Security Policy during redirects</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id="harness"></iframe>
<pre id="log"></pre>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/csp/";
// debugging
function log(s) {
return;
dump("**" + s + "\n");
var log = document.getElementById("log");
log.textContent = log.textContent+s+"\n";
}
// used to watch if requests are blocked by CSP or allowed through
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
var testpat = new RegExp("testid=([a-z0-9-]+)");
var asciiSpec;
var testid;
if (topic === "specialpowers-http-notify-request") {
// request was sent
var allowedUri = data;
if (!testpat.test(allowedUri)) return;
testid = testpat.exec(allowedUri)[1];
if (testExpectedResults[testid] == "completed") return;
log("allowed: "+allowedUri);
window.testResult(testid, allowedUri, true);
}
else if (topic === "csp-on-violate-policy") {
// request was blocked
asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
if (!testpat.test(asciiSpec)) return;
testid = testpat.exec(asciiSpec)[1];
// had to add this check because http-on-modify-request can fire after
// csp-on-violate-policy, apparently, even though the request does
// not hit the wire.
if (testExpectedResults[testid] == "completed") return;
log("BLOCKED: "+asciiSpec);
window.testResult(testid, asciiSpec, false);
}
},
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
// contains { test_frame_id : expected_result }
var testExpectedResults = { "font-src": true,
"font-src-redir": false,
"frame-src": true,
"frame-src-redir": false,
"img-src": true,
"img-src-redir": false,
"media-src": true,
"media-src-redir": false,
"object-src": true,
"object-src-redir": false,
"script-src": true,
"script-src-redir": false,
"style-src": true,
"style-src-redir": false,
"worker": true,
"worker-redir": false,
"xhr-src": true,
"xhr-src-redir": false,
};
// takes the name of the test, the URL that was tested, and whether the
// load occurred
var testResult = function(testName, url, result) {
log(" testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");
is(result, testExpectedResults[testName], testName+" test: "+url);
// mark test as completed
testExpectedResults[testName] = "completed";
// don't finish until we've run all the tests
for (var t in testExpectedResults) {
if (testExpectedResults[t] != "completed") {
return;
}
}
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true],
// This defaults to 0 ("preload none") on mobile (B2G/Android), which
// blocks loading the resource until the user interacts with a
// corresponding widget, which breaks the media_* tests. We set it
// back to the default used by desktop Firefox to get consistent
// behavior.
["media.preload.default", 2]]},
function() {
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById("harness").src = "file_csp_redirects_main.html";
});
</script>
</pre>
</body>
</html>

108
content/base/test/xcsp/test_csp_report.html
View File

@ -1,108 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=548193
-->
<head>
<title>Test for Bug 548193</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
// This is used to watch requests go out so we can see if the report is
// sent correctly
function examiner() {
SpecialPowers.addObserver(this, "http-on-opening-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
// subject should be an nsURI
if (!SpecialPowers.can_QI(subject))
return;
const reportURI = "http://mochi.test:8888/csp-report.cgi";
if (topic === "http-on-opening-request") {
var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
if (asciiSpec !== reportURI) return;
// Verify that the report was properly formatted.
// We'll parse the report text as JSON and verify that the properties
// have expected values.
var reportText = "{}";
try {
var uploadStream = SpecialPowers.wrap(SpecialPowers.do_QueryInterface(subject, "nsIUploadChannel")).uploadStream;
if (uploadStream) {
// get the bytes from the request body
var binstream = SpecialPowers.Cc["@mozilla.org/binaryinputstream;1"]
.createInstance(SpecialPowers.Ci.nsIBinaryInputStream);
binstream.setInputStream(uploadStream);
var segments = [];
for (var count = uploadStream.available(); count; count = uploadStream.available()) {
var data = binstream.readBytes(count);
segments.push(data);
}
var reportText = segments.join("");
// rewind stream as we are supposed to - there will be an assertion later if we don't.
SpecialPowers.do_QueryInterface(uploadStream, "nsISeekableStream").seek(SpecialPowers.Ci.nsISeekableStream.NS_SEEK_SET, 0);
}
}
catch(e) {}
var reportObj = JSON.parse(reportText);
// test for the proper values in the report object
window.checkResults(reportObj);
// finish up
window.examiner.remove();
SimpleTest.finish();
}
},
// remove the listener
remove: function() {
SpecialPowers.removeObserver(this, "http-on-opening-request");
}
}
// content file that triggers a violation report
var testFile = "file_csp_report.sjs";
window.checkResults = function(reportObj) {
var cspReport = reportObj["csp-report"];
// correct violating request
is(cspReport["document-uri"],
"http://mochi.test:8888/tests/content/base/test/xcsp/" + testFile,
"Incorrect violating request");
// correct blocked-uri
is(cspReport["blocked-uri"],
"http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png",
"Incorrect blocked uri");
// correct violated-directive
is(cspReport["violated-directive"], "default-src http://mochi.test:8888",
"Incorrect violated directive");
// not practical to test request-headers as header names and values will
// change with the trunk
}
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
// load the resource which will generate a CSP violation report
document.getElementById("cspframe").src = testFile;
</script>
</pre>
</body>
</html>

59
content/base/test/xcsp/test_dual_headers_warning.html
View File

@ -1,59 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=918397
-->
<head>
<meta charset="utf-8">
<title>Test for Bug 918397</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=918397">Mozilla Bug 918397</a>
<p id="display"></p>
<iframe id="cspframe"></iframe>
<pre id="test">
<script class="testbody" type="text/javascript">
// Load locale strings during mochitest
var stringBundleService = SpecialPowers.Cc["@mozilla.org/intl/stringbundle;1"]
.getService(SpecialPowers.Ci.nsIStringBundleService);
var localizer = stringBundleService.createBundle("chrome://global/locale/security/security.properties");
var depreHeadersMsg = localizer.GetStringFromName("OldCSPHeaderDeprecated", 0)
var dualHeadersMsg = localizer.GetStringFromName("BothCSPHeadersPresent", 0)
function cleanup() {
SpecialPowers.postConsoleSentinel();
SimpleTest.finish();
}
// listen on the console before loading the iframe
SpecialPowers.registerConsoleListener(function ConsoleMsgListener(aMsg) {
// Note: We do not want to see the deprecation warning appear in the console.
// This test can only be sure that the deprecation warning does not appear
// iff the deprecation warning appears before the dual header warning appears
// in the console.
if (aMsg.message.indexOf(depreHeadersMsg) > -1) {
ok(false, "Deprecated CSP header warning should not be present.");
return;
} else if (aMsg.message.indexOf(dualHeadersMsg) > -1) {
ok(true, "Dual CSP header warning present.");
SimpleTest.executeSoon(cleanup);
} else {
// if some other console message is present, we wait
return;
}
});
// get ready and test
SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv(
{'set': [["security.csp.speccompliant", true]]},
function() {
document.getElementById('cspframe').src = 'file_dual_headers_warning.html';
});
</script>
</body>
</html>

121
content/base/test/xcsp/test_multi_policy_injection_bypass.html
View File

@ -1,121 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=717511
-->
<head>
<title>Test for Bug 717511</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/";
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
// This is not exhaustive, just double-checking the 'self' vs * policy conflict in the two HTTP headers.
window.tests = {
img_good: -1,
img_bad: -1,
script_good: -1,
script_bad: -1,
img2_good: -1,
img2_bad: -1,
script2_good: -1,
script2_bad: -1,
};
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
var testpat = new RegExp("testid=([a-z0-9_]+)");
//_good things better be allowed!
//_bad things better be stopped!
if (topic === "specialpowers-http-notify-request") {
//these things were allowed by CSP
var asciiSpec = data;
if (!testpat.test(asciiSpec)) return;
var testid = testpat.exec(asciiSpec)[1];
window.testResult(testid,
/_good/.test(testid),
asciiSpec + " allowed by csp");
}
if(topic === "csp-on-violate-policy") {
// subject should be an nsIURI for csp-on-violate-policy
if (!SpecialPowers.can_QI(subject)) {
return;
}
//these were blocked... record that they were blocked
var asciiSpec = SpecialPowers.getPrivilegedProps(
SpecialPowers.do_QueryInterface(subject, "nsIURI"),
"asciiSpec");
if (!testpat.test(asciiSpec)) return;
var testid = testpat.exec(asciiSpec)[1];
window.testResult(testid,
/_bad/.test(testid),
asciiSpec + " blocked by \"" + data + "\"");
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
SpecialPowers.removeObserver(this, "csp-on-violate-policy");
SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
}
}
window.examiner = new examiner();
window.testResult = function(testname, result, msg) {
//test already complete.... forget it... remember the first result.
if (window.tests[testname] != -1)
return;
window.tests[testname] = result;
is(result, true, testname + ' test: ' + msg);
// if any test is incomplete, keep waiting
for (var v in window.tests)
if(tests[v] == -1)
return;
// ... otherwise, finish
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_multi_policy_injection_bypass.html';
document.getElementById('cspframe2').src = 'file_multi_policy_injection_bypass_2.html';
</script>
</pre>
</body>
</html>

34
content/base/test/xcsp/test_policyuri_async_fetch.html
View File

@ -1,34 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=558431
-->
<head>
<title>Test for Bug 558431</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe id="cspframe"></iframe>
<script type="text/javascript">
// This tests that a policy is still attempted to be fetched
// asynchronously (bug 558431) and that a default policy of
// |allow 'none'| is applied when the fetching fails.
var f = document.getElementById("cspframe");
// run our test functions when the inner frame is finished loading
f.addEventListener('load', function() {
var inner = this.contentDocument.getElementById("inner");
var test = inner.contentDocument.getElementById("test");
// the inner document should not exist because it has an invalid
// policy-uri and should have been blocked by the default
// |allow 'none'| policy that was applied
is(test, null, "test inner document");
SimpleTest.finish();
}, false);
// load the test frame
f.src = "file_policyuri_async_fetch.html";
SimpleTest.waitForExplicitFinish();
</script>
</body>
</html>

32
content/base/test/xcsp/test_subframe_run_js_if_allowed.html
View File

@ -1,32 +0,0 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=702439
This test verifies that child iframes of CSP documents are
permitted to execute javascript: URLs assuming the policy
allows this.
-->
<head>
<title>Test for Bug 702439</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script class="testbody" type="text/javascript">
var javascript_link_ran = false;
// check that the script in the child frame's javascript: URL ran
function checkResult()
{
is(javascript_link_ran, true,
"javascript URL didn't execute");
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
</script>
<iframe id="i" src="file_subframe_run_js_if_allowed.html"></iframe>
</body>
</html>