browser_data_load_inherit_csp.js (3734B)
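"use strict";

/*
 * Browser mochitest for CSP inheritance on data: URI navigations.
 *
 * Each task loads HTML_URI, rewrites its #testlink anchor to point at DATA_URI,
 * activates the link in a different way (plain click, ctrl/meta click, context
 * menu "open link in new tab") and then checks the CSP attached to the
 * resulting data: document.
 *
 * DATA_URI's own markup declares no policy, so whatever verifyCSP() finds on
 * the data: document was not supplied by that document itself. The expected
 * policy (script-src 'unsafe-inline') is presumably the one delivered by
 * file_data_load_inherit_csp.html, which is not part of this file -- confirm
 * there when changing the expectation.
 */

const TEST_PATH = getRootDirectory(gTestPath).replace(
  "chrome://mochitests/content",
  // eslint-disable-next-line @microsoft/sdl/no-insecure-url
  "http://example.com"
);
const HTML_URI = `${TEST_PATH}file_data_load_inherit_csp.html`;
const DATA_URI = "data:text/html;html,<html><body>foo</body></html>";

/**
 * Points the #testlink anchor of the loaded page at the given URI.
 *
 * @param {object} aBrowser - browser whose content document holds #testlink.
 * @param {string} aDataURI - value assigned to the link's href.
 * @returns {Promise} result of SpecialPowers.spawn for the content-side step.
 */
function setDataHrefOnLink(aBrowser, aDataURI) {
  // The callback works on `content`, so the URI is handed over through the
  // spawn argument list instead of being captured from this scope.
  return SpecialPowers.spawn(aBrowser, [aDataURI], function (uri) {
    const link = content.document.getElementById("testlink");
    link.href = uri;
  });
}

/**
 * Asserts that the document currently loaded in aBrowser is the data: URI and
 * that it carries exactly one CSP policy whose script-src is 'unsafe-inline'.
 *
 * @param {string} aTestName - label included in the assertion message.
 * @param {object} aBrowser - browser showing the data: document.
 * @param {string} aDataURI - URI the document channel is expected to report.
 * @returns {Promise} result of SpecialPowers.spawn for the content-side checks.
 */
function verifyCSP(aTestName, aBrowser, aDataURI) {
  return SpecialPowers.spawn(
    aBrowser,
    [{ aTestName, aDataURI }],
    async function ({ aTestName, aDataURI }) {
      // Make sure the CSP being inspected belongs to the data: document and
      // not to a page that is still loaded from an earlier step.
      const channel = content.docShell.currentDocumentChannel;
      is(channel.URI.spec, aDataURI, `testing CSP for ${aTestName}`);

      const parsedCSP = JSON.parse(content.document.cspJSON);
      const policies = parsedCSP["csp-policies"];
      // Exactly one policy: a missing policy and an unexpected extra policy
      // are both failures.
      is(policies.length, 1, "should be one policy");

      const [policy] = policies;
      is(
        policy["script-src"],
        "'unsafe-inline'",
        "script-src directive matches"
      );
    }
  );
}

add_setup(async function () {
  // allow top level data: URI navigations, otherwise clicking data: link fails
  // NOTE(review): this switches off a navigation restriction; it is set through
  // pushPrefEnv so the override stays limited to this test.
  await SpecialPowers.pushPrefEnv({
    set: [["security.data_uri.block_toplevel_data_uri_navigations", false]],
  });
});

// Plain click: the data: document replaces the page in the same tab.
add_task(async function test_data_csp_inheritance_regular_click() {
  await BrowserTestUtils.withNewTab(HTML_URI, async function (browser) {
    // Register the load listener before the click so the load is not missed.
    const dataLoaded = BrowserTestUtils.browserLoaded(
      browser,
      false,
      DATA_URI
    );
    // set the data href + simulate click
    await setDataHrefOnLink(browser, DATA_URI);
    BrowserTestUtils.synthesizeMouseAtCenter("#testlink", {}, browser);
    await dataLoaded;
    await verifyCSP("click()", browser, DATA_URI);
  });
});

// Ctrl/meta click: the data: document opens in a new tab.
add_task(async function test_data_csp_inheritance_ctrl_click() {
  await BrowserTestUtils.withNewTab(HTML_URI, async function (browser) {
    const newTabLoaded = BrowserTestUtils.waitForNewTab(
      gBrowser,
      DATA_URI,
      true
    );
    // set the data href + simulate ctrl+click
    await setDataHrefOnLink(browser, DATA_URI);
    BrowserTestUtils.synthesizeMouseAtCenter(
      "#testlink",
      { ctrlKey: true, metaKey: true },
      browser
    );
    const tab = await newTabLoaded;
    // Select and inspect the tab that waitForNewTab reported instead of a
    // hard-coded tab index, so the check cannot land on an unrelated tab when
    // the window holds a different number of tabs.
    gBrowser.selectedTab = tab;
    await verifyCSP("ctrl-click()", tab.linkedBrowser, DATA_URI);
    await BrowserTestUtils.removeTab(tab);
  });
});

// Context menu "open link in new tab": the data: document opens in a new tab.
add_task(
  async function test_data_csp_inheritance_right_click_open_link_in_new_tab() {
    await BrowserTestUtils.withNewTab(HTML_URI, async function (browser) {
      const newTabLoaded = BrowserTestUtils.waitForNewTab(
        gBrowser,
        DATA_URI,
        true
      );
      // set the data href + simulate right-click open link in tab
      await setDataHrefOnLink(browser, DATA_URI);
      const menuHandled = BrowserTestUtils.waitForEvent(
        document,
        "popupshown",
        false,
        event => {
          // These are operations that must be executed synchronously with the event.
          document.getElementById("context-openlinkintab").doCommand();
          event.target.hidePopup();
          return true;
        }
      );
      BrowserTestUtils.synthesizeMouseAtCenter(
        "#testlink",
        { type: "contextmenu", button: 2 },
        browser
      );

      // Awaited so that an exception thrown inside the popupshown handler
      // fails this task instead of surfacing as an unhandled rejection.
      await menuHandled;
      const tab = await newTabLoaded;
      // Use the tab reported by waitForNewTab rather than a fixed tab index.
      gBrowser.selectedTab = tab;
      await verifyCSP(
        "right-click-open-in-new-tab()",
        tab.linkedBrowser,
        DATA_URI
      );
      await BrowserTestUtils.removeTab(tab);
    });
  }
);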