browser_csp_sandbox_no_script_js_uri.js (1814B)
1 /* Any copyright is dedicated to the Public Domain. 2 http://creativecommons.org/publicdomain/zero/1.0/ */ 3 4 "use strict"; 5 6 const TEST_PATH = getRootDirectory(gTestPath).replace( 7 "chrome://mochitests/content", 8 "https://example.com" 9 ); 10 11 /** 12 * Test that javascript URIs in CSP-sandboxed contexts can't be used to bypass 13 * script restrictions. 14 */ 15 add_task(async function test_csp_sandbox_no_script_js_uri() { 16 await BrowserTestUtils.withNewTab( 17 TEST_PATH + "dummy_page.html", 18 async browser => { 19 info("Register observer and wait for javascript-uri-blocked message."); 20 let observerPromise = SpecialPowers.spawn(browser, [], () => { 21 return new Promise(resolve => { 22 SpecialPowers.addObserver(function obs(subject) { 23 Assert.equal( 24 subject, 25 content, 26 "Should block script spawned via javascript uri" 27 ); 28 SpecialPowers.removeObserver( 29 obs, 30 "javascript-uri-blocked-by-sandbox" 31 ); 32 resolve(); 33 }, "javascript-uri-blocked-by-sandbox"); 34 }); 35 }); 36 37 info("Spawn csp-sandboxed iframe with javascript URI"); 38 let frameBC = await SpecialPowers.spawn( 39 browser, 40 [TEST_PATH + "file_csp_sandbox_no_script_js_uri.html"], 41 async url => { 42 let frame = content.document.createElement("iframe"); 43 let loadPromise = ContentTaskUtils.waitForEvent(frame, "load", true); 44 frame.src = url; 45 content.document.body.appendChild(frame); 46 await loadPromise; 47 return frame.browsingContext; 48 } 49 ); 50 51 info("Click javascript URI link in iframe"); 52 BrowserTestUtils.synthesizeMouseAtCenter("a", {}, frameBC); 53 await observerPromise; 54 } 55 ); 56 });