test_warning_for_blocked_cross_site_request.html (3903B)
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=713980
-->
<head>
  <meta charset="utf-8">
  <title>Test for Bug 713980</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">

  <!-- Style rules that reference cross-origin resources on example.org:
       a webfont loaded without CORS (common pain point) and two other
       properties whose loads require anonymous CORS. Each rule is keyed on a
       div id that does not exist yet; the script below creates those divs
       after the console listener has been registered. -->
  <style>
    @font-face {
      font-family: "bad_cross_origin_webfont";
      src: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
    }
    div#bad_webfont { font-family: "bad_cross_origin_webfont"; }

    div#bad_shape_outside { shape-outside: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=bad_shape_outside&type=image/png'); }

    div#bad_mask_image { mask-image: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=bad_mask_image&type=image/svg+xml'); }
  </style>
</head>
<body>
<pre id="test">

<script class="testbody">
SimpleTest.waitForExplicitFinish();

// One entry per cross-origin load that is expected to be blocked.
//   uri_test        - pattern searched for in the console message text. It is
//                     compiled with new RegExp(), so keep it free of regex
//                     metacharacters.
//   result          - null until the matching console message has been seen.
//   category        - console message category the blocked load must carry.
//   ignore_windowID - when true, the non-zero windowID assertion is skipped
//                     (the reason is not stated in this file).
var tests = {
  xhr: {
    uri_test: "http://invalid",
    result: null,
    category: "CORSAllowOriginNotMatchingOrigin",
  },
  font: {
    uri_test: "font_bad",
    result: null,
    category: "CORSMissingAllowOrigin2",
  },
  shape_outside: {
    uri_test: "bad_shape_outside",
    result: null,
    category: "CORSMissingAllowOrigin2",
    ignore_windowID: true,
  },
  mask_image: {
    uri_test: "bad_mask_image",
    result: null,
    category: "CORSMissingAllowOrigin2",
    ignore_windowID: true,
  },
};

// Returns true once every entry in `tests` has a result. Otherwise logs the
// first entry that is still pending and returns false.
function testsComplete() {
  const pendingName = Object.keys(tests).find(
    name => tests[name].result == null
  );
  if (pendingName !== undefined) {
    info("Still waiting on (at least) " + pendingName + ".");
    return false;
  }
  return true;
}

// Console listener: only "Cross-Origin Request Blocked" messages are
// considered. Each such message is attributed to the first still-pending
// test whose uri_test pattern occurs in the message text.
SpecialPowers.registerConsoleListener(function CORSMsgListener(aMsg) {
  const isBlockedMessage = /Cross-Origin Request Blocked/.test(aMsg.message);
  if (!isBlockedMessage) {
    return;
  }

  for (const [testName, test] of Object.entries(tests)) {
    const expectedCategory = test.category;

    // Skip tests that already have their message.
    if (test.result != null) {
      continue;
    }

    const uriPattern = new RegExp(test.uri_test);
    if (!uriPattern.test(aMsg.message)) {
      continue;
    }

    test.result = true;
    ok(true, "Got \"Cross-site request blocked\" warning message for " + testName);
    ok(aMsg.category == expectedCategory,
       "Got warning message with category \"" + aMsg.category + "\", expected \"" + expectedCategory + "\"");

    // The warning must be addressed to a real inner window, unless this test
    // opts out of the check.
    if (!test.ignore_windowID) {
      ok(aMsg.windowID != 0, "Valid (non-zero) windowID for the cross-site request blocked message.");
    }
    break;
  }

  if (testsComplete()) {
    SimpleTest.executeSoon(cleanup);
  }
});

// Posts the console sentinel and ends the test.
function cleanup() {
  SpecialPowers.postConsoleSentinel();
  SimpleTest.finish();
}

// Appends an empty <div> with the given id to the body so that the matching
// rule in the <style> block starts applying and its cross-origin load is
// requested.
function appendTriggerDiv(id) {
  const trigger = document.createElement('div');
  trigger.setAttribute('id', id);
  document.body.appendChild(trigger);
}

// Send a cross-origin XHR request without CORS
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.org/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?allowOrigin=http://invalid", true);
xhr.send(null);

// The divs are created from script, after registerConsoleListener() above, so
// the listener is guaranteed to be in place before any of these loads can be
// reported; creating them in markup could race with registration.

// Cross-origin webfont request
appendTriggerDiv('bad_webfont');

// Cross-origin request for a shape-outside image
appendTriggerDiv('bad_shape_outside');

// Cross-origin request for a mask-image
appendTriggerDiv('bad_mask_image');
</script>

</pre>
</body>
</html>