mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
Bug 663570 - Test 1: baseline tests (r=sicking)
This commit is contained in:
Christoph Kerschbaumer
parent
dd2a72fcb9
commit
9076e4ef5d
25
dom/security/test/csp/file_meta_element.html
Normal file
25
dom/security/test/csp/file_meta_element.html
Normal file
@ -0,0 +1,25 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="Content-Security-Policy"
|
||||
content= "img-src 'none'; script-src 'unsafe-inline'; report-uri http://www.example.com; frame-ancestors https:; sandbox allow-scripts">
|
||||
<title>Bug 663570 - Implement Content Security Policy via meta tag</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<!-- try to load an image which is forbidden by meta CSP -->
|
||||
<img id="testimage" src="http://mochi.test:8888/tests/image/test/mochitest/blue.png"></img>
|
||||
|
||||
<script type="application/javascript">
|
||||
var myImg = document.getElementById("testimage");
|
||||
myImg.onload = function(e) {
|
||||
window.parent.postMessage({result: "img-loaded"}, "*");
|
||||
};
|
||||
myImg.onerror = function(e) {
|
||||
window.parent.postMessage({result: "img-blocked"}, "*");
|
||||
};
|
||||
</script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
@ -145,6 +145,7 @@ support-files =
|
||||
file_child-src_shared_worker-redirect.html
|
||||
file_child-src_shared_worker.js
|
||||
file_redirect_worker.sjs
|
||||
file_meta_element.html
|
||||
|
||||
[test_base-uri.html]
|
||||
[test_blob_data_schemes.html]
|
||||
@ -216,3 +217,4 @@ skip-if = buildapp == 'b2g' #investigate in bug 1222904
|
||||
[test_child-src_worker_data.html]
|
||||
[test_child-src_worker-redirect.html]
|
||||
[test_child-src_iframe.html]
|
||||
[test_meta_element.html]
|
||||
|
||||
90
dom/security/test/csp/test_meta_element.html
Normal file
90
dom/security/test/csp/test_meta_element.html
Normal file
@ -0,0 +1,90 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>Bug 663570 - Implement Content Security Policy via <meta> tag</title>
|
||||
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<p id="display"></p>
|
||||
<iframe style="width:100%;" id="testframe" src="file_meta_element.html"></iframe>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
/* Description of the test:
|
||||
* The test is twofold:
|
||||
* First, by loading a page using meta csp (into an iframe) we make sure that
|
||||
* images get correctly blocked as the csp policy includes "img-src 'none'";
|
||||
*
|
||||
* Second, we make sure meta csp ignores the following directives:
|
||||
* * report-uri
|
||||
* * frame-ancestors
|
||||
* * sandbox
|
||||
*
|
||||
* Please note that the CSP sanbdox directive (bug 671389) has not landed yet.
|
||||
* Once bug 671389 lands this test will fail and needs to be updated.
|
||||
*/
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
const EXPECTED_DIRS = ["img-src", "script-src"];
|
||||
|
||||
function finishTest() {
|
||||
window.removeEventListener("message", receiveMessage, false);
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
function checkResults(result) {
|
||||
is(result, "img-blocked", "loading images should be blocked by meta csp");
|
||||
|
||||
try {
|
||||
// get the csp in JSON notation from the principal
|
||||
var frame = document.getElementById("testframe");
|
||||
var principal = SpecialPowers.wrap(frame.contentDocument).nodePrincipal;
|
||||
var cspJSON = principal.cspJSON;
|
||||
ok(cspJSON, "CSP applied through meta element");
|
||||
|
||||
// parse the cspJSON in a csp-object
|
||||
var cspOBJ = JSON.parse(cspJSON);
|
||||
ok(cspOBJ, "was able to parse the JSON");
|
||||
|
||||
// make sure we only got one policy
|
||||
var policies = cspOBJ["csp-policies"];
|
||||
is(policies.length, 1, "there should be one policy applied");
|
||||
|
||||
// iterate the policy and make sure to only encounter
|
||||
// expected directives.
|
||||
var policy = policies[0];
|
||||
for (var dir in policy) {
|
||||
// special case handling for report-only which is not a directive
|
||||
// but present in the JSON notation of the CSP.
|
||||
if (dir === "report-only") {
|
||||
continue;
|
||||
}
|
||||
var index = EXPECTED_DIRS.indexOf(dir);
|
||||
isnot(index, -1, "meta csp contains directive: " + dir + "!");
|
||||
|
||||
// take the element out of the array so we can make sure
|
||||
// that we have seen all the expected values in the end.
|
||||
EXPECTED_DIRS.splice(index, 1);
|
||||
}
|
||||
is(EXPECTED_DIRS.length, 0, "have seen all the expected values");
|
||||
}
|
||||
catch (e) {
|
||||
ok(false, "uuh, something went wrong within meta csp test");
|
||||
}
|
||||
|
||||
finishTest();
|
||||
}
|
||||
|
||||
// a postMessage handler used to bubble up the onsuccess/onerror state
|
||||
// from within the iframe.
|
||||
window.addEventListener("message", receiveMessage, false);
|
||||
function receiveMessage(event) {
|
||||
checkResults(event.data.result);
|
||||
}
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
Loading…
Reference in New Issue
Block a user