Bug 1195173 - Test asyncopen2 security checks for stylesheets (r=bz,ehsan)

devtools/client/inspector/shared/test/browser_styleinspector_csslogic-content-stylesheets.js

@@ -21,6 +21,8 @@ var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
 const XUL_PRINCIPAL = ssm.createCodebasePrincipal(XUL_URI, {});
 
 add_task(function*() {
+  requestLongerTimeout(2);
+
   info("Checking stylesheets on HTML document");
   yield addTab(TEST_URI_HTML);
   let target = getNode("#target");

layout/style/test/mochitest.ini

@@ -293,3 +293,4 @@ skip-if = buildapp == 'b2g' || toolkit == 'android' #TIMED_OUT # b2g(bug 870262,
 skip-if = buildapp == 'b2g' || toolkit == 'android' #TIMED_OUT # b2g(bug 870262, :visited support) b2g-debug(bug 870262, :visited support) b2g-desktop(bug 870262, :visited support)
 [test_webkit_box_orient.html]
 [test_webkit_device_pixel_ratio.html]
+[test_asyncopen2.html]

layout/style/test/test_asyncopen2.html

@@ -0,0 +1,54 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1195173
+-->
+<head>
+  <title>Bug 1195173 - Test asyncOpen2 security exception</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+  <!-- Note: the following stylesheet does not exist -->
+  <link rel="stylesheet" id="myCSS" type="text/css" href="file:///home/foo/bar.css">
+
+</head>
+<body onload="checkCSS()">
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1195173">Mozilla Bug 1195173</a>
+<p id="display"></p>
+<div id="content" style="display: none"></div>
+
+<script type="application/javascript">
+/*
+ * Description of the test:
+ * Accessing a stylesheet that got blocked by asyncOpen2 should
+ * throw an exception.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function checkCSS()
+{
+  try {
+    // accessing tests/SimpleTest/test.css should not throw
+    var goodCSS = document.styleSheets[0].cssRules
+    ok(true, "accessing test.css should be allowed");
+  }
+  catch(e) {
+    ok(false, "accessing test.css should be allowed");
+  }
+
+  try {
+    // accessing file:///home/foo/bar.css should throw
+    var badCSS = document.styleSheets[1].cssRules
+    ok(false, "accessing bar.css should throw");
+  }
+  catch(e) {
+    ok(true, "accessing bar.css should throw");
+  }
+
+  SimpleTest.finish();
+}
+
+</script>
+</body>
+</html>

testing/web-platform/mozilla/tests/service-workers/service-worker/fetch-request-resources.https.html

@@ -109,12 +109,12 @@ async_test(function(t) {
       .then(function(f) {
         frame = f;
 
-        // TODO: Disable 'no-cors' tests for image and stylesheet until
+        // TODO: Disable 'no-cors' tests for image until
         //       AsyncOpen2 and cookie policy is supported.
         // image_test(f, LOCAL_URL, '', 'no-cors', 'include');
         // image_test(f, REMOTE_URL, '', 'no-cors', 'include');
-        // css_test(f, LOCAL_URL, '', 'no-cors', 'include');
-        // css_test(f, REMOTE_URL, '', 'no-cors', 'include');
+        css_test(f, LOCAL_URL, '', 'no-cors', 'include');
+        css_test(f, REMOTE_URL, '', 'no-cors', 'include');
 
         image_test(f, LOCAL_URL, 'anonymous', 'cors', 'same-origin');
         image_test(f, LOCAL_URL, 'use-credentials', 'cors', 'include');
@@ -130,7 +130,7 @@ async_test(function(t) {
 
         css_test(f, LOCAL_URL, 'anonymous', 'cors', 'same-origin');
         css_test(f, LOCAL_URL, 'use-credentials', 'cors', 'include');
-        css_test(f, REMOTE_URL, 'anonymous', 'cors', 'omit');
+        css_test(f, REMOTE_URL, 'anonymous', 'cors', 'same-origin');
         css_test(f, REMOTE_URL, 'use-credentials', 'cors', 'include');
 
         font_face_test(f, LOCAL_URL, 'cors', 'same-origin');