Bug 1173708 - Fix intermittent test_inlinescript error. r=dveditz

dom/security/test/csp/file_inlinescript.html

@@ -0,0 +1,15 @@
+<html>
+<head>
+  <title>CSP inline script tests</title>
+</head>
+<body onload="window.parent.postMessage('body-onload-fired', '*')">
+  <script type="text/javascript">
+    window.parent.postMessage("text-node-fired", "*");
+  </script>
+
+  <iframe src='javascript:window.parent.parent.postMessage("javascript-uri-fired", "*")'></iframe>
+
+  <a id='anchortoclick' href='javascript:window.parent.postMessage("javascript-uri-anchor-fired", "*")'>testlink</a>
+
+</body>
+</html>

dom/security/test/csp/file_inlinescript_main.html

@@ -1,15 +0,0 @@
-<html>
-  <head>
-    <title>CSP inline script tests</title>
-  </head>
-  <body onload="window.parent.scriptRan(false, 'eventattr', 'event attribute in body tag fired')">
-
-    <script type="text/javascript">
-      window.parent.scriptRan(false, "textnode", "text node in a script tag executed.");
-    </script>
-
-    <iframe src='javascript:window.parent.parent.scriptRan(false, "jsuri", "javascript: uri in image tag")' ></iframe>
-
-    <a id='anchortoclick' href='javascript:window.parent.scriptRan(false, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
-  </body>
-</html>

dom/security/test/csp/file_inlinescript_main.html^headers^

@@ -1,2 +0,0 @@
-Content-Security-Policy: default-src 'self'
-Cache-Control: no-cache

dom/security/test/csp/file_inlinescript_main_allowed.html

@@ -1,16 +0,0 @@
-<html>
-  <head>
-    <title>CSP inline script tests</title>
-  </head>
-  <body onload="window.parent.scriptRan(true, 'eventattr', 'event attribute in body tag fired')">
-
-    <script type="text/javascript">
-      //alert(window.parent.scriptRan);
-      window.parent.scriptRan(true, "textnode", "text node in a script tag executed.");
-    </script>
-
-    <iframe src='javascript:window.parent.parent.scriptRan(true, "jsuri", "javascript: uri in image tag")'></iframe>
-
-    <a id='anchortoclick' href='javascript:window.parent.scriptRan(true, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
-  </body>
-</html>

dom/security/test/csp/file_inlinescript_main_allowed.html^headers^

@@ -1,2 +0,0 @@
-Content-Security-Policy: default-src 'self' ; script-src 'self' 'unsafe-inline'
-Cache-Control: no-cache

dom/security/test/csp/mochitest.ini

@@ -31,10 +31,7 @@ support-files =
   file_frameancestors_main.html
   file_frameancestors_main.js
   file_frameancestors.sjs
-  file_inlinescript_main.html
-  file_inlinescript_main.html^headers^
-  file_inlinescript_main_allowed.html
-  file_inlinescript_main_allowed.html^headers^
+  file_inlinescript.html
   file_inlinestyle_main.html
   file_inlinestyle_main.html^headers^
   file_inlinestyle_main_allowed.html

dom/security/test/csp/test_inlinescript.html

@@ -1,6 +1,7 @@
 <!DOCTYPE HTML>
 <html>
 <head>
+  <meta charset="utf-8">
   <title>Test for Content Security Policy Frame Ancestors directive</title>
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
@@ -10,14 +11,30 @@
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
+<iframe style="width:100%;height:300px;" id='testframe'></iframe>
 
-<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var inlineScriptsThatRan = 0;
-var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 8;
+var tests = [
+  {
+    /* test allowed */
+    csp: "default-src 'self'; script-src 'self' 'unsafe-inline'",
+    results: ["body-onload-fired", "text-node-fired",
+              "javascript-uri-fired", "javascript-uri-anchor-fired"],
+    desc: "allow inline scripts",
+    received: 0, // counter to make sure we received all 4 reports
+  },
+  {
+    /* test blocked */
+    csp: "default-src 'self'",
+    results: ["inline-script-blocked"],
+    desc: "block inline scripts",
+    received: 0, // counter to make sure we received all 4 reports
+  }
+];
+
+var counter = 0;
+var curTest;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
@@ -26,88 +43,81 @@ function examiner() {
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
-    // subject should be an nsURI, and should be either allowed or blocked.
-    if (!SpecialPowers.can_QI(subject))
+    if (topic !== "csp-on-violate-policy") {
       return;
-
-    if (topic === "csp-on-violate-policy") {
-      var what = null;
-      try {
-        //these were blocked... record that they were blocked
-        what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
-      } catch(e) {
-        //if that fails, the subject is probably a string
-        what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
-      }
-      window.scriptBlocked(what, data);
     }
-  },
 
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
+    var what = SpecialPowers.getPrivilegedProps(SpecialPowers.
+                             do_QueryInterface(subject, "nsISupportsCString"), "data");
+
+    if (!what.includes("Inline Script had invalid hash") &&
+        !what.includes("Inline Scripts will not execute")) {
+      return;
+    }
+    window.checkResults("inline-script-blocked");
+  },
   remove: function() {
     SpecialPowers.removeObserver(this, "csp-on-violate-policy");
   }
 }
 
-// called by scripts that run
-// the first argument is whether the script expects to be allowed or not.
-var scriptRan = function(result, testname, data) {
-  inlineScriptsThatRan++;
-  ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-// called when a script is blocked
-// -- we can't determine *which* frame was blocked, but at least we can count them
-var scriptBlocked = function(testname, data) {
-  inlineScriptsBlocked++;
-  ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-
-// Check to see if all the tests have run
-var checkTestResults = function() {
-  // if any test is incomplete, keep waiting
-  if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
-    return;
-
-  // The four scripts in the page with 'unsafe-inline' should run.
-  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
-
-  // The four scripts in the other page should be blocked.
-  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
-
-  // ... otherwise, finish
+function finishTest() {
   window.examiner.remove();
+  window.removeEventListener("message", receiveMessage, false);
   SimpleTest.finish();
 }
 
-//////////////////////////////////////////////////////////////////////
-// set up and go
+// Check to see if all the tests have run
+var checkResults = function(result) {
+  var index = curTest.results.indexOf(result);
+  isnot(index, -1, "should find result (" + result +") within test: " + curTest.desc);
+  if (index > -1) {
+    curTest.received += 1;
+  }
+
+  // make sure we receive all the 4 reports for the 4 inline scripts
+  if (curTest.received < 4) {
+    return;
+  }
+
+  if (counter < tests.length) {
+    loadNextTest();
+    return;
+  }
+  finishTest();
+}
+
+// a postMessage handler that is used to bubble up results from the testframe
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  checkResults(event.data);
+}
+
+function clickit() {
+  document.getElementById("testframe").removeEventListener('load', clickit, false);
+  var testframe = document.getElementById('testframe');
+  var a = testframe.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, testframe.contentWindow);
+}
+
+function loadNextTest() {
+  curTest = tests[counter++];
+  var src = "file_testserver.sjs?file=";
+  // append the file that should be served
+  src += escape("tests/dom/security/test/csp/file_inlinescript.html");
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(curTest.csp);
+
+  document.getElementById("testframe").src = src;
+  document.getElementById("testframe").addEventListener("load", clickit, false);
+}
+
+// set up the test and go
 window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
+loadNextTest();
 
-function clickit1() {
-  var cspframe1 = document.getElementById('cspframe1');
-  var a = cspframe1.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe1.contentWindow);
-}
-
-function clickit2() {
-  var cspframe2 = document.getElementById('cspframe2');
-  var a = cspframe2.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
-}
-
-// save this for last so that our listeners are registered.
-// ... this loads the testbed of good and bad requests.
-document.getElementById('cspframe1').src = 'file_inlinescript_main.html';
-document.getElementById('cspframe1').addEventListener('load', clickit1, false);
-document.getElementById('cspframe2').src = 'file_inlinescript_main_allowed.html';
-document.getElementById('cspframe2').addEventListener('load', clickit2, false);
 </script>
-</pre>
+
 </body>
 </html>