Bug 836132 - add more tests for x-frame-options ALLOW-FROM. (r=bz)

2024-09-13 09:24:08 -07:00 · 2013-04-10 10:08:49 -07:00 · 2013-04-10 10:08:49 -07:00 · c3a9c1e37a
commit c3a9c1e37a
parent c5dd1b5b27
3 changed files with 60 additions and 21 deletions
--- a/content/base/test/file_x-frame-options_main.html
+++ b/content/base/test/file_x-frame-options_main.html
@ -22,5 +22,21 @@ window.addEventListener('load', parent.testFramesLoaded, false);
 <iframe id="allow-from-allow" src="http://example.com/tests/content/base/test/file_x-frame-options_page.sjs?testid=allow-from-allow&xfo=afa"></iframe><br>
 <iframe id="allow-from-deny" src="http://example.com/tests/content/base/test/file_x-frame-options_page.sjs?testid=allow-from-deny&xfo=afd"></iframe><br>

+<!-- added for bug 836132 -->
+<script type="text/javascript">
+
+  function addFrame(test, xfo) {
+    var baseurl = "http://mochi.test:8888/tests/content/base/test/file_x-frame-options_page.sjs";
+    var ifr = "<iframe id='" + test + "'" + "src='" + baseurl + "?testid=" + test + "&xfo=" + xfo + "' style='border:2px solid red;'></iframe>";
+    document.write(ifr);
+  }
+
+  addFrame("allow-from-allow-1", "afa1");
+  for (var i = 1; i<=14; i++)
+    addFrame("allow-from-deny-"+i, "afd"+i);
+
+</script>
+
+
 </body>
 </html>
--- a/content/base/test/file_x-frame-options_page.sjs
+++ b/content/base/test/file_x-frame-options_page.sjs
@ -10,27 +10,35 @@ function handleRequest(request, response)
  response.setHeader("Cache-Control", "no-cache", false);
  response.setHeader("Content-Type", "text/html", false);

-  // X-Frame-Options header value
-  if (query['xfo'] == "deny") {
-    response.setHeader("X-Frame-Options", "DENY", false);
-  }
-  else if (query['xfo'] == "sameorigin") {
-    response.setHeader("X-Frame-Options", "SAMEORIGIN", false);
-  }
-  else if (query['xfo'] == "sameorigin2") {
-    response.setHeader("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN", false);
-  }
-  else if (query['xfo'] == "sameorigin3") {
-    response.setHeader("X-Frame-Options", "SAMEORIGIN,SAMEORIGIN , SAMEORIGIN", false);
-  }
-  else if (query['xfo'] == "mixedpolicy") {
-    response.setHeader("X-Frame-Options", "DENY,SAMEORIGIN", false);
-  }
-  else if (query['xfo'] == "afa") {
-    response.setHeader("X-Frame-Options", "ALLOW-FROM http://mochi.test:8888/", false);
-  }
-  else if (query['xfo'] == "afd") {
-    response.setHeader("X-Frame-Options", "ALLOW-FROM http://example.com/", false);
+  var testHeaders = {
+    "deny": "DENY",
+    "sameorigin": "SAMEORIGIN",
+    "sameorigin2": "SAMEORIGIN, SAMEORIGIN",
+    "sameorigin3": "SAMEORIGIN,SAMEORIGIN , SAMEORIGIN",
+    "mixedpolicy": "DENY,SAMEORIGIN",
+
+    /* added for bug 836132 */
+    "afa": "ALLOW-FROM http://mochi.test:8888/",
+    "afd": "ALLOW-FROM http://example.com/",
+    "afa1": "ALLOW-FROM http://mochi.test:8888",
+    "afd1": "ALLOW-FROM:example.com",
+    "afd2": "ALLOW-FROM: example.com",
+    "afd3": "ALLOW-FROM example.com",
+    "afd4": "ALLOW-FROM:http://example.com",
+    "afd5": "ALLOW-FROM: http://example.com",
+    "afd6": "ALLOW-FROM http://example.com",
+    "afd7": "ALLOW-FROM:mochi.test:8888",
+    "afd8": "ALLOW-FROM: mochi.test:8888",
+    "afd9": "ALLOW-FROM:http://mochi.test:8888",
+    "afd10": "ALLOW-FROM: http://mochi.test:8888",
+    "afd11": "ALLOW-FROM mochi.test:8888",
+    "afd12": "ALLOW-FROM",
+    "afd13": "ALLOW-FROM ",
+    "afd14": "ALLOW-FROM:"
+  };
+
+  if (testHeaders.hasOwnProperty(query['xfo'])) {
+    response.setHeader("X-Frame-Options", testHeaders[query['xfo']], false);
  }

  // from the test harness we'll be checking for the presence of this element
--- a/content/base/test/test_x-frame-options.html
+++ b/content/base/test/test_x-frame-options.html
@ -118,6 +118,21 @@ var testFramesLoaded = function() {
  var test12 = frame.contentDocument.getElementById("test");
  is(test12, null, "test allow-from-deny");

+  // frames from bug 836132 tests
+  {
+    frame = harness.contentDocument.getElementById("allow-from-allow-1");
+    var theTestResult = frame.contentDocument.getElementById("test");
+    isnot(theTestResult, null, "test afa1 should have been allowed");
+    if(theTestResult) {
+      is(theTestResult.textContent, "allow-from-allow-1", "test allow-from-allow-1");
+    }
+  }
+  for (var i = 1; i<=14; i++) {
+    frame = harness.contentDocument.getElementById("allow-from-deny-" + i);
+    var theTestResult = frame.contentDocument.getElementById("test");
+    is(theTestResult, null, "test allow-from-deny-" + i);
+  }
+
  // call tests to check principal comparison, e.g. a document can open a window
  // to a data: or javascript: document which frames an
  // X-Frame-Options: SAMEORIGIN document and the frame should load