Bug 663567 - Mochitest verifying that content added by XSLT stylesheet is subject to document's CSP. r=grobinson, r=sstamm
parent
0b00e4ef84
commit
b6efcb3d21
@ -651,6 +651,12 @@ MOCHITEST_FILES_C= \
|
||||
test_CSP_bug888172.html \
|
||||
file_CSP_bug888172.html \
|
||||
file_CSP_bug888172.sjs \
|
||||
test_CSP_bug663567.html \
|
||||
file_CSP_bug663567_allows.xml \
|
||||
file_CSP_bug663567_allows.xml^headers^ \
|
||||
file_CSP_bug663567_allows.xsl \
|
||||
file_CSP_bug663567_blocks.xml \
|
||||
file_CSP_bug663567_blocks.xml^headers^ \
|
||||
$(NULL)
|
||||
|
||||
# OOP tests don't work on Windows (bug 763081) or native-fennec
|
||||
|
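--- a/content/base/test/file_CSP_bug663567_allows.xml
+++ b/content/base/test/file_CSP_bug663567_allows.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml-stylesheet type="text/xsl" href="file_CSP_bug663567_allows.xsl"?>
+<catalog>
+<cd>
+<title>Empire Burlesque</title>
+<artist>Bob Dylan</artist>
+<country>USA</country>
+<company>Columbia</company>
+<price>10.90</price>
+<year>1985</year>
+</cd>
+<cd>
+<title>Hide your heart</title>
+<artist>Bonnie Tyler</artist>
+<country>UK</country>
+<company>CBS Records</company>
+<price>9.90</price>
+<year>1988</year>
+</cd>
+<cd>
+<title>Greatest Hits</title>
+<artist>Dolly Parton</artist>
+<country>USA</country>
+<company>RCA</company>
+<price>9.90</price>
+<year>1982</year>
+</cd>
+</catalog>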
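--- a/content/base/test/file_CSP_bug663567_allows.xml^headers^
+++ b/content/base/test/file_CSP_bug663567_allows.xml^headers^
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'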
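--- a/content/base/test/file_CSP_bug663567_allows.xsl
+++ b/content/base/test/file_CSP_bug663567_allows.xsl
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!-- Edited by XMLSpy® -->
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:template match="/">
+<html>
+<body>
+<h2 id="xsltheader">this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!</h2>
+<table border="1">
+<tr bgcolor="#990099">
+<th>Title</th>
+<th>Artist</th>
+<th>Price</th>
+</tr>
+<xsl:for-each select="catalog/cd">
+<tr>
+<td><xsl:value-of select="title"/></td>
+<td><xsl:value-of select="artist"/></td>
+<td><xsl:value-of select="price"/></td>
+</tr>
+</xsl:for-each>
+</table>
+</body>
+</html>
+</xsl:template>
+</xsl:stylesheet>
+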
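--- a/content/base/test/file_CSP_bug663567_blocks.xml
+++ b/content/base/test/file_CSP_bug663567_blocks.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml-stylesheet type="text/xsl" href="http://example.org/tests/content/base/test/file_CSP_bug663567_blocks.xsl"?>
+<catalog>
+<cd>
+<title>Empire Burlesque</title>
+<artist>Bob Dylan</artist>
+<country>USA</country>
+<company>Columbia</company>
+<price>10.90</price>
+<year>1985</year>
+</cd>
+<cd>
+<title>Hide your heart</title>
+<artist>Bonnie Tyler</artist>
+<country>UK</country>
+<company>CBS Records</company>
+<price>9.90</price>
+<year>1988</year>
+</cd>
+<cd>
+<title>Greatest Hits</title>
+<artist>Dolly Parton</artist>
+<country>USA</country>
+<company>RCA</company>
+<price>9.90</price>
+<year>1982</year>
+</cd>
+</catalog>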
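Review bot: The stylesheet referenced by the `xml-stylesheet` instruction here, `http://example.org/tests/content/base/test/file_CSP_bug663567_blocks.xsl`, is not added in any file section visible on this page, and the MOCHITEST_FILES_C hunk lists only `file_CSP_bug663567_allows.xsl`. If the full commit matches what is shown, the request fails whether or not CSP is enforced, so `checkBlocked` in test_CSP_bug663567.html finding no `xsltheader` element cannot distinguish a policy block from a missing resource. Adding a `file_CSP_bug663567_blocks.xsl` that emits the same `<h2 id="xsltheader">` as the allows stylesheet, and listing it in the manifest, would make the negative case fail if enforcement regresses. Asserting on the reported CSP violation itself, rather than only on the absent element, would tighten the check further.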
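--- a/content/base/test/file_CSP_bug663567_blocks.xml^headers^
+++ b/content/base/test/file_CSP_bug663567_blocks.xml^headers^
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'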
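--- a/content/base/test/test_CSP_bug663567.html
+++ b/content/base/test/test_CSP_bug663567.html
@@ -0,0 +1,99 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Test if XSLT stylesheet is subject to document's CSP</title>
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:100%;" id='xsltframe'></iframe>
+<iframe style="width:100%;" id='xsltframe2'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+// define the expected output of this test
+var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
+
+var index = 0;
+
+function checkAllowed () {
+/* The policy for this test is:
+* Content-Security-Policy: default-src 'self'
+*
+* we load the xsl file using:
+* <?xml-stylesheet type="text/xsl" href="file_CSP_bug663467_allows.xsl"?>
+*/
+try {
+var cspframe = document.getElementById('xsltframe');
+var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
+is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
+}
+catch (e) {
+ok(false, "Error: could not access content in xsltframe!")
+}
+next();
+}
+
+function checkBlocked () {
+/* The policy for this test is:
+* Content-Security-Policy: default-src 'self'
+*
+* we load the xsl file using:
+* <?xml-stylesheet type="text/xsl"
+* href="http://example.org/tests/content/base/test/file_CSP_bug663467_blocks.xsl"?>
+*/
+try {
+var cspframe = document.getElementById('xsltframe2');
+var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
+is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
+}
+catch (e) {
+ok(false, "Error: could not access content in xsltframe2!")
+}
+next();
+}
+
+var steps = [
+function() {
+document.getElementById('xsltframe').src = 'file_CSP_bug663567_allows.xml';
+document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
+},
+function() {
+document.getElementById('xsltframe2').src = 'file_CSP_bug663567_blocks.xml';
+document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
+},
+function () {
+SimpleTest.finish();
+}
+];
+
+function next() {
+if (index >= steps.length) {
+ok(false, "Shouldn't get here!");
+return;
+}
+try {
+var i = index++;
+steps[i]();
+} catch(ex) {
+ok(false, "Caught exception", ex);
+}
+}
+
+SpecialPowers.pushPrefEnv(
+{'set':[["security.csp.speccompliant", true]]},
+function () {
+SimpleTest.waitForExplicitFinish();
+addLoadEvent(next);
+}
+);
+
+</script>
+</body>
+</html>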
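Review bot: Both `catch (e)` blocks in `checkAllowed` and `checkBlocked` discard the exception, so a failing run reports only "could not access content" with no cause; append it to the message, e.g. `ok(false, "Error: could not access content in xsltframe: " + e);`. The block comments in both functions name `file_CSP_bug663467_allows.xsl` and `file_CSP_bug663467_blocks.xsl`, while every fixture in this commit is named `bug663567`; the comments should use the real file names so a search for the fixture finds them. `SimpleTest.waitForExplicitFinish()` is called at the top of the script and again inside the `pushPrefEnv` callback, and the second call looks redundant.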