
test_x-frame-options.html (8189B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Test for X-Frame-Options response header</title>
      5  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      6  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      7 </head>
      8 <body>
      9 <p id="display"></p>
     10 <div id="content" style="display: none">
     11 
     12 </div>
     13 
     14 <iframe style="width:100%;height:300px;" id="harness"></iframe>
     15 <script class="testbody" type="text/javascript">
     16 
// Test-directory prefix. Not referenced anywhere else in this file: the frame
// URLs built in testFrameInJSURI and testFrameNotLoadedInDataURI spell the full
// http://mochi.test:8888/tests/dom/base/test/ path out themselves.
var path = "/tests/dom/base/test/";
     18 
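// Runs the X-Frame-Options checks over every iframe that
// file_x-frame-options_main.html (loaded into #harness) creates. It is meant
// to be called by that harness page once its frames have loaded; the caller is
// not in this file. Each frame's id doubles as the `testid` handed to
// file_x-frame-options_page.sjs and as the text the served page puts into its
// "#test" element, so a frame that was allowed to load carries its own id as
// text, and a blocked frame has no "#test" element at all.
//
// Which origin each frame is served from and which X-Frame-Options value it
// gets (DENY / SAMEORIGIN / ALLOW-FROM, single or repeated) is set up by the
// harness page and the .sjs, not here; the comment on each case restates that
// setup and is the intent of the case, not something verified in this file.
var testFramesLoaded = async function() {
  const harness = document.getElementById("harness").contentDocument;

  // iframe from same origin, no X-F-O header - should load
  await expectFrameLoaded(harness, "control1");

  // iframe from different origin, no X-F-O header - should load
  await expectFrameLoaded(harness, "control2");

  // iframe from same origin, X-F-O: DENY - should not load
  await expectFrameBlocked(harness, "deny");

  // iframe from same origin, X-F-O: SAMEORIGIN - should load
  await expectFrameLoaded(harness, "sameorigin1");

  // iframe from different origin, X-F-O: SAMEORIGIN - should not load
  await expectFrameBlocked(harness, "sameorigin2");

  // iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load
  await expectFrameBlocked(harness, "sameorigin5");

  // iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load
  await expectFrameLoaded(harness, "sameorigin6");

  // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load
  await expectFrameLoaded(harness, "sameorigin7");

  // X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load.
  // NOTE(review): this case was described exactly like sameorigin7 ("same
  // origin") yet expects the opposite outcome; whatever differs (presumably
  // the frame's origin) is configured in file_x-frame-options_main.html -
  // confirm there before relying on this description.
  await expectFrameBlocked(harness, "sameorigin8");

  // iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load
  // (the test expects the conflicting list to be honoured as DENY).
  await expectFrameBlocked(harness, "mixedpolicy");

  // iframe from different origin, allow-from: this origin - should load
  await expectFrameLoaded(harness, "allow-from-allow");

  // iframe from different origin, with allow-from: other - should load as we no
  // longer support allow-from (Bug 1301529). As before, only the presence of
  // the "#test" element is checked here; its text is not compared.
  await expectFramePresent(harness, "allow-from-deny");

  // iframe from different origin, X-F-O: SAMEORIGIN, multipart - should not load
  await expectFrameBlocked(harness, "sameorigin-multipart");

  // iframe from same origin, X-F-O: SAMEORIGIN, multipart - should load
  await expectFrameLoaded(harness, "sameorigin-multipart2");

  // frames from bug 836132 tests, no longer supported allow-from.
  // These are read through frame.contentDocument directly (no
  // SpecialPowers.spawn), which only works while the frames stay same-origin
  // with this page - the original relied on that too.
  const afa1 = harness
    .getElementById("allow-from-allow-1")
    .contentDocument.getElementById("test");
  isnot(afa1, null, "test afa1 should have been allowed");
  if (afa1) {
    is(afa1.textContent, "allow-from-allow-1", "test allow-from-allow-1");
  }

  // Verify allow-from no longer works: every "deny" variant still loads.
  for (let i = 1; i <= 14; i++) {
    const id = "allow-from-deny-" + i;
    const marker = harness
      .getElementById(id)
      .contentDocument.getElementById("test");
    isnot(marker, null, "test " + id);
  }

  // call tests to check principal comparison, e.g. a document can open a window
  // to a data: or javascript: document which frames an
  // X-Frame-Options: SAMEORIGIN document and the frame should load
  testFrameInJSURI();
};

// Looks up harness frame `id` and, from inside the frame's own content, checks
// that the framed page loaded: its "#test" element exists and carries
// `expectedText` (defaults to `id`, which is what the .sjs echoes back).
// The spawn callback is expected to run in the frame's process, so it must
// not close over locals; everything it needs is passed through the args array.
async function expectFrameLoaded(harness, id, expectedText = id) {
  const frame = harness.getElementById(id);
  await SpecialPowers.spawn(frame, [id, expectedText], (testId, text) => {
    const marker = this.content.document.getElementById("test");
    Assert.notEqual(marker, null, "test " + testId + " should have loaded");
    if (marker) {
      Assert.equal(marker.textContent, text, "test " + testId);
    }
  });
}

// Like expectFrameLoaded, but only checks that the framed page's "#test"
// element exists; its text is not compared.
async function expectFramePresent(harness, id) {
  const frame = harness.getElementById(id);
  await SpecialPowers.spawn(frame, [id], testId => {
    const marker = this.content.document.getElementById("test");
    Assert.notEqual(marker, null, "test " + testId);
  });
}

// Checks that harness frame `id` was blocked by X-Frame-Options: whatever
// document it ended up with has no "#test" element, i.e. the served page was
// never rendered.
async function expectFrameBlocked(harness, id) {
  const frame = harness.getElementById(id);
  await SpecialPowers.spawn(frame, [id], testId => {
    const marker = this.content.document.getElementById("test");
    Assert.equal(marker, null, "test " + testId);
  });
}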
    142 
// Continuation of testFrameInJSURI: the javascript:-URL window (`win`) calls
// this from its own onload, because a load listener cannot be attached to it
// from here - document.open()/document.write() would drop such a listener, so
// the new window has to call back into its opener instead.
// Verifies that the SAMEORIGIN frame written into that window loaded, closes
// the window and moves on to the data: URI case.
function frameInJSURILoaded(win) {
  const outerFrame = win.document.getElementById("sameorigin3");
  const marker = outerFrame.contentDocument.getElementById("test");
  ok(marker != null, "frame under javascript: URL should have loaded.");
  win.close();

  testFrameNotLoadedInDataURI();
}
    154 
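// Builds the javascript: URL used by testFrameInJSURI. Evaluating it in a
// window replaces that window's document with `html` and, once the new
// document has loaded, calls opener.frameInJSURILoaded(window).
// `html` is spliced verbatim into a single-quoted JS string literal inside the
// URL, so a single quote, backslash or line break in it would end or mangle
// the literal and execute whatever follows. Only the hard-coded markup below
// is ever passed in; the check guards against a future edit breaking that,
// it is not input validation.
function jsURIWritingDocument(html) {
  if (/['\\\r\n]/.test(html)) {
    throw new Error("html for the javascript: URL must not contain ', \\ or line breaks");
  }
  return "javascript:document.open(); onload = opener.frameInJSURILoaded.bind(null, window); document.write('" + html + "');document.close();";
}

// test that a document can be framed under a javascript: URL opened by the
// same site as the frame.
// The window opened here starts out blank and is navigated to a javascript:
// URL; the test relies on it keeping this page's origin, so the SAMEORIGIN
// frame it writes is expected to load. frameInJSURILoaded (called from that
// window's onload) checks the result and continues the test.
var testFrameInJSURI = function() {
  const html = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';
  const win = window.open();
  win.location.href = jsURIWritingDocument(html);
};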
    160 
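// test an iframe with X-FRAME-OPTIONS shouldn't be loaded in a cross-origin window,
// here a window navigated to a data: URI, which the test treats as cross-origin
// to the mochi.test frame it embeds.
var testFrameNotLoadedInDataURI = function() {
  // In this case we load two iframes, one is sameorigin4, which will have X-FRAME-OPTIONS,
  // the other is postmessage, which won't get the XFO header.
  // And because now window is navigated to a data: URI, which is considered as cross origin,
  // So win.onload won't be fired, so we use the iframe 'postmessage' to know the iframes
  // have been loaded.
  const html = `<iframe id="sameorigin4" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>
              <iframe id="postmessage" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=postmessage"></iframe>`;
  const win = window.open();
  window.onmessage = function(evt) {
    // Detach first so that a second message (or a stray one) cannot re-run the
    // check or call SimpleTest.finish() twice.
    window.onmessage = null;
    // NOTE(review): evt.source / evt.origin are not checked, as before. Which
    // window the "postmessage" page targets is defined by
    // file_x-frame-options_page.sjs, not here - verify that before tightening.
    // The data: window is cross-origin, so its document is reached through
    // SpecialPowers.wrap rather than directly.
    const frame = SpecialPowers.wrap(win).document.getElementById("sameorigin4");
    const marker = frame.contentDocument.getElementById("test");
    ok(marker === null, "frame under data: URL should have blocked.");
    win.close();

    SimpleTest.finish();
  };
  win.location.href = "data:text/html," + html;
};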
    181 
SimpleTest.waitForExplicitFinish();

// load the test harness.
// testFrameNotLoadedInDataURI navigates a top-level window to a data: URI,
// which this pref presumably blocks when on, so it is switched off for the
// test (pushPrefEnv is relied on to restore it afterwards) before the harness
// page is loaded into #harness.
SpecialPowers.pushPrefEnv(
  {
    set: [["security.data_uri.block_toplevel_data_uri_navigations", false]],
  },
  () => {
    const harnessFrame = document.getElementById("harness");
    harnessFrame.src = "file_x-frame-options_main.html";
  }
);
    190 
    191 </script>
    192 </pre>
    193 
    194 </body>
    195 </html>