Bug 663567 - Mochitest verifying that content added by XSLT stylesheet is subject to document's CSP. r=grobinson, r=sstamm

content/base/test/Makefile.in

@@ -651,6 +651,12 @@ MOCHITEST_FILES_C= \
 		test_CSP_bug888172.html \
 		file_CSP_bug888172.html \
 		file_CSP_bug888172.sjs \
+		test_CSP_bug663567.html \
+		file_CSP_bug663567_allows.xml \
+		file_CSP_bug663567_allows.xml^headers^ \
+		file_CSP_bug663567_allows.xsl \
+		file_CSP_bug663567_blocks.xml \
+		file_CSP_bug663567_blocks.xml^headers^ \
 		$(NULL)
 
 # OOP tests don't work on Windows (bug 763081) or native-fennec

content/base/test/file_CSP_bug663567_allows.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml-stylesheet type="text/xsl" href="file_CSP_bug663567_allows.xsl"?>
+<catalog>
+	<cd>
+		<title>Empire Burlesque</title>
+		<artist>Bob Dylan</artist>
+		<country>USA</country>
+		<company>Columbia</company>
+		<price>10.90</price>
+		<year>1985</year>
+	</cd>
+	<cd>
+		<title>Hide your heart</title>
+		<artist>Bonnie Tyler</artist>
+		<country>UK</country>
+		<company>CBS Records</company>
+		<price>9.90</price>
+		<year>1988</year>
+	</cd>
+	<cd>
+		<title>Greatest Hits</title>
+		<artist>Dolly Parton</artist>
+		<country>USA</country>
+		<company>RCA</company>
+		<price>9.90</price>
+		<year>1982</year>
+	</cd>
+</catalog>

content/base/test/file_CSP_bug663567_allows.xml^headers^

@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'

content/base/test/file_CSP_bug663567_allows.xsl

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!-- Edited by XMLSpy® -->
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:template match="/">
+  <html>
+  <body>
+  <h2 id="xsltheader">this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!</h2>
+    <table border="1">
+      <tr bgcolor="#990099">
+        <th>Title</th>
+        <th>Artist</th>
+        <th>Price</th>
+      </tr>
+      <xsl:for-each select="catalog/cd">
+      <tr>
+        <td><xsl:value-of select="title"/></td>
+        <td><xsl:value-of select="artist"/></td>
+        <td><xsl:value-of select="price"/></td>
+      </tr>
+      </xsl:for-each>
+    </table>
+  </body>
+  </html>
+</xsl:template>
+</xsl:stylesheet>
+

content/base/test/file_CSP_bug663567_blocks.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml-stylesheet type="text/xsl" href="http://example.org/tests/content/base/test/file_CSP_bug663567_blocks.xsl"?>
+<catalog>
+	<cd>
+		<title>Empire Burlesque</title>
+		<artist>Bob Dylan</artist>
+		<country>USA</country>
+		<company>Columbia</company>
+		<price>10.90</price>
+		<year>1985</year>
+	</cd>
+	<cd>
+		<title>Hide your heart</title>
+		<artist>Bonnie Tyler</artist>
+		<country>UK</country>
+		<company>CBS Records</company>
+		<price>9.90</price>
+		<year>1988</year>
+	</cd>
+	<cd>
+		<title>Greatest Hits</title>
+		<artist>Dolly Parton</artist>
+		<country>USA</country>
+		<company>RCA</company>
+		<price>9.90</price>
+		<year>1982</year>
+	</cd>
+</catalog>

content/base/test/file_CSP_bug663567_blocks.xml^headers^

@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'

content/base/test/test_CSP_bug663567.html

@@ -0,0 +1,99 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test if XSLT stylesheet is subject to document's CSP</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:100%;" id='xsltframe'></iframe>
+<iframe style="width:100%;" id='xsltframe2'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+// define the expected output of this test
+var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
+
+var index = 0;
+
+function checkAllowed () {
+  /*   The policy for this test is:
+   *   Content-Security-Policy: default-src 'self'
+   *
+   *   we load the xsl file using:
+   *   <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467_allows.xsl"?>
+   */
+  try {
+    var cspframe = document.getElementById('xsltframe');
+    var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
+    is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
+  }
+  catch (e) {
+    ok(false, "Error: could not access content in xsltframe!")
+  }
+  next();
+}
+
+function checkBlocked () {
+  /*   The policy for this test is:
+   *   Content-Security-Policy: default-src 'self'
+   *
+   *   we load the xsl file using:
+   *   <?xml-stylesheet type="text/xsl"
+   *    href="http://example.org/tests/content/base/test/file_CSP_bug663467_blocks.xsl"?>
+   */
+  try {
+    var cspframe = document.getElementById('xsltframe2');
+    var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
+    is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
+  }
+  catch (e) {
+    ok(false, "Error: could not access content in xsltframe2!")
+  }
+  next();
+}
+
+var steps = [
+  function() {
+    document.getElementById('xsltframe').src = 'file_CSP_bug663567_allows.xml';
+    document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
+  },
+  function() {
+    document.getElementById('xsltframe2').src = 'file_CSP_bug663567_blocks.xml';
+    document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
+  },
+  function () {
+    SimpleTest.finish();
+  }
+];
+
+function next() {
+  if (index >= steps.length) {
+    ok(false, "Shouldn't get here!");
+    return;
+  }
+  try {
+    var i = index++;
+    steps[i]();
+  } catch(ex) {
+    ok(false, "Caught exception", ex);
+  }
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function () {
+    SimpleTest.waitForExplicitFinish();
+    addLoadEvent(next);
+  }
+);
+
+</script>
+</body>
+</html>