Bug 663567 - Mochitest verifying that content added by XSLT stylesheet is subject to document's CSP. r=grobinson, r=sstamm

This commit is contained in:
Christoph Kerschbaumer 2013-08-12 14:54:12 -07:00
parent 0b00e4ef84
commit b6efcb3d21
7 changed files with 190 additions and 0 deletions


@ -651,6 +651,12 @@ MOCHITEST_FILES_C= \
test_CSP_bug888172.html \ test_CSP_bug888172.html \
file_CSP_bug888172.html \ file_CSP_bug888172.html \
file_CSP_bug888172.sjs \ file_CSP_bug888172.sjs \
test_CSP_bug663567.html \
file_CSP_bug663567_allows.xml \
file_CSP_bug663567_allows.xml^headers^ \
file_CSP_bug663567_allows.xsl \
file_CSP_bug663567_blocks.xml \
file_CSP_bug663567_blocks.xml^headers^ \
$(NULL) $(NULL)
# OOP tests don't work on Windows (bug 763081) or native-fennec # OOP tests don't work on Windows (bug 763081) or native-fennec
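Review bot: The list registers file_CSP_bug663567_blocks.xml, whose xml-stylesheet PI points at file_CSP_bug663567_blocks.xsl on example.org, but no such .xsl is added anywhere in this commit (the diffstat's seven files are the Makefile and the six names here). Without it the cross-origin stylesheet request would fail even if CSP did not enforce, so the "blocks" case passes for a reason unrelated to the policy under test. Add `file_CSP_bug663567_blocks.xsl \` to this list (a copy of the allows stylesheet is enough) so the only thing standing between the document and a successful transform is `default-src 'self'`.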


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="file_CSP_bug663567_allows.xsl"?>
<catalog>
<cd>
<title>Empire Burlesque</title>
<artist>Bob Dylan</artist>
<country>USA</country>
<company>Columbia</company>
<price>10.90</price>
<year>1985</year>
</cd>
<cd>
<title>Hide your heart</title>
<artist>Bonnie Tyler</artist>
<country>UK</country>
<company>CBS Records</company>
<price>9.90</price>
<year>1988</year>
</cd>
<cd>
<title>Greatest Hits</title>
<artist>Dolly Parton</artist>
<country>USA</country>
<company>RCA</company>
<price>9.90</price>
<year>1982</year>
</cd>
</catalog>


@ -0,0 +1 @@
Content-Security-Policy: default-src 'self'


@ -0,0 +1,27 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Edited by XMLSpy® -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html>
<body>
<h2 id="xsltheader">this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!</h2>
<table border="1">
<tr bgcolor="#990099">
<th>Title</th>
<th>Artist</th>
<th>Price</th>
</tr>
<xsl:for-each select="catalog/cd">
<tr>
<td><xsl:value-of select="title"/></td>
<td><xsl:value-of select="artist"/></td>
<td><xsl:value-of select="price"/></td>
</tr>
</xsl:for-each>
</table>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
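Review bot: The second line of the fixture is editor residue (`<!-- Edited by XMLSpy® -->`) and nothing in the file says that the `id="xsltheader"` element and its exact text are what test_CSP_bug663567.html compares against. Replace that comment with one stating the contract, e.g. `<!-- #xsltheader is read verbatim by test_CSP_bug663567.html; keep its text in sync with the test -->`. Dropping the non-ASCII ® also removes the only character that depends on the ISO-8859-1 declaration being honoured if the file is ever re-saved as UTF-8.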


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="http://example.org/tests/content/base/test/file_CSP_bug663567_blocks.xsl"?>
<catalog>
<cd>
<title>Empire Burlesque</title>
<artist>Bob Dylan</artist>
<country>USA</country>
<company>Columbia</company>
<price>10.90</price>
<year>1985</year>
</cd>
<cd>
<title>Hide your heart</title>
<artist>Bonnie Tyler</artist>
<country>UK</country>
<company>CBS Records</company>
<price>9.90</price>
<year>1988</year>
</cd>
<cd>
<title>Greatest Hits</title>
<artist>Dolly Parton</artist>
<country>USA</country>
<company>RCA</company>
<price>9.90</price>
<year>1982</year>
</cd>
</catalog>
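Review bot: The stylesheet href on the second line hard-codes both the host and the mochitest directory prefix `/tests/content/base/test/`, and nothing explains why that origin was chosen; moving the fixture to another directory would silently turn the negative case into a 404. Add a comment beside the PI such as `<!-- absolute cross-origin href: example.org is not 'self' for a document served from mochi.test:8888, so default-src 'self' must refuse this stylesheet -->`. The referenced blocks.xsl is not part of this commit, which is worth stating in the same comment until it is added.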


@ -0,0 +1 @@
Content-Security-Policy: default-src 'self'


@ -0,0 +1,99 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test if XSLT stylesheet is subject to document's CSP</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;" id='xsltframe'></iframe>
<iframe style="width:100%;" id='xsltframe2'></iframe>
<script class="testbody" type="text/javascript">
SimpleTest.waitForExplicitFinish();
// define the expected output of this test
var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
var index = 0;
function checkAllowed () {
/* The policy for this test is:
* Content-Security-Policy: default-src 'self'
*
* we load the xsl file using:
* <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467_allows.xsl"?>
*/
try {
var cspframe = document.getElementById('xsltframe');
var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
}
catch (e) {
ok(false, "Error: could not access content in xsltframe!")
}
next();
}
function checkBlocked () {
/* The policy for this test is:
* Content-Security-Policy: default-src 'self'
*
* we load the xsl file using:
* <?xml-stylesheet type="text/xsl"
* href="http://example.org/tests/content/base/test/file_CSP_bug663467_blocks.xsl"?>
*/
try {
var cspframe = document.getElementById('xsltframe2');
var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
}
catch (e) {
ok(false, "Error: could not access content in xsltframe2!")
}
next();
}
var steps = [
function() {
document.getElementById('xsltframe').src = 'file_CSP_bug663567_allows.xml';
document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
},
function() {
document.getElementById('xsltframe2').src = 'file_CSP_bug663567_blocks.xml';
document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
},
function () {
SimpleTest.finish();
}
];
function next() {
if (index >= steps.length) {
ok(false, "Shouldn't get here!");
return;
}
try {
var i = index++;
steps[i]();
} catch(ex) {
ok(false, "Caught exception", ex);
}
}
SpecialPowers.pushPrefEnv(
{'set':[["security.csp.speccompliant", true]]},
function () {
SimpleTest.waitForExplicitFinish();
addLoadEvent(next);
}
);
</script>
</body>
</html>
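Review bot: checkBlocked only asserts that `#xsltheader` is absent from xsltframe2, which is also the outcome when the cross-origin stylesheet merely fails to load — and file_CSP_bug663567_blocks.xsl is not shipped by this commit — so the test cannot tell a CSP block from a 404 and would keep passing if the XSLT load bypassed CSP entirely. Serve a real blocks.xsl on example.org (a copy of the allows stylesheet) so that without the policy the header would appear, and consider confirming the block through a `report-uri` hit rather than the absence of an element. Two smaller things: the comments in checkAllowed and checkBlocked name `file_CSP_bug663467_*.xsl` while the files are `bug663567`, and `SimpleTest.waitForExplicitFinish()` is called both at the top of the script and again inside the pushPrefEnv callback; one call is enough.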