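<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1045897 - Test CSP base-uri directive</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
</head>
<body>
<p id="display"></p>
<div id="content" style="visibility: hidden">
  <iframe style="width:100%;" id="testframe"></iframe>
</div>

<script class="testbody">

/*
 * Description of the test:
 * We load a page in an iframe (served over http://example.com) that tries to
 * modify the 'base' either through setting or also removing the base-uri. We
 * load that page using different policies and verify that setting the base-uri
 * is correctly blocked by CSP.
 *
 * Each entry of `tests` is one page load of file_base_uri_server.sjs:
 *   csp     - the base-uri policy the server should deliver the page with
 *             ("script-src 'unsafe-inline'" is always prepended so the framed
 *             page may postMessage its result back here)
 *   base1/2 - candidate <base> hrefs handed to the framed page
 *   action  - what the framed page does ("enforce-csp" or "remove-base1")
 *   result  - prefix the reported document base URI must start with
 *   desc    - human-readable name used in the assertion message
 */

SimpleTest.waitForExplicitFinish();

const tests = [
  { csp: "base-uri http://mochi.test;",
    base1: "http://mochi.test",
    base2: "",
    action: "enforce-csp",
    result: "http://mochi.test",
    desc: "CSP allows base uri"
  },
  { csp: "base-uri http://example.com;",
    base1: "http://mochi.test",
    base2: "",
    action: "enforce-csp",
    result: "http://example.com",
    desc: "CSP blocks base uri"
  },
  { csp: "base-uri https:",
    base1: "http://mochi.test",
    base2: "",
    action: "enforce-csp",
    result: "http://example.com",
    desc: "CSP blocks http base"
  },
  { csp: "base-uri 'none'",
    base1: "http://mochi.test",
    base2: "",
    action: "enforce-csp",
    result: "http://example.com",
    desc: "CSP allows no base modification"
  },
  { csp: "",
    base1: "http://foo:foo/",
    base2: "",
    action: "enforce-csp",
    result: "http://example.com",
    desc: "Invalid base should be ignored"
  },
  { csp: "base-uri http://mochi.test",
    base1: "http://mochi.test",
    base2: "http://test1.example.com",
    action: "remove-base1",
    result: "http://example.com",
    desc: "Removing first base should result in fallback base"
  },
  { csp: "",
    base1: "http://mochi.test",
    base2: "http://test1.example.com",
    action: "remove-base1",
    result: "http://test1.example.com",
    desc: "Removing first base should result in the second base"
  },
];

// initializing to -1 so we start at index 0 when we start the test
let counter = -1;

/**
 * Tears down the postMessage listener and tells the harness we are done.
 */
function finishTest() {
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}

// a postMessage handler that is used by sandboxed iframes without
// 'allow-same-origin' to bubble up results back to this main page.
// NOTE(review): event.origin is not checked. The framed page is cross-origin
// (and, given the sandbox note above, may carry an opaque origin), so any
// window able to post to this page could advance the test sequence. That is
// acceptable inside an isolated test harness but is not a pattern to copy
// into production message handlers.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
  const result = event.data.result;
  // we only care about the base uri, so instead of comparing the complete uri
  // we just make sure that the base is correct which is sufficient here.
  ok(result.startsWith(tests[counter].result),
     `${tests[counter].desc}: Expected a base URI that starts
      with ${tests[counter].result} but got ${result}`);
  loadNextTest();
}

/**
 * Advances `counter` and points #testframe at the next test case, or finishes
 * the test once every case has reported back through receiveMessage().
 */
function loadNextTest() {
  counter++;
  if (counter === tests.length) {
    finishTest();
    return;
  }
  const test = tests[counter];
  let src = "http://example.com/tests/dom/security/test/csp/file_base_uri_server.sjs";
  // append the CSP that should be used to serve the file
  // please note that we have to include 'unsafe-inline' to permit sending the postMessage
  // encodeURIComponent() replaces the deprecated escape(): it percent-encodes
  // every character that is significant in a query string (';', ':', '/', '&',
  // '=', '+', ...) so each value stays a single parameter; the .sjs is
  // expected to percent-decode them on receipt.
  src += "?csp=" + encodeURIComponent("script-src 'unsafe-inline'; " + test.csp);
  // append potential base tags
  src += "&base1=" + encodeURIComponent(test.base1);
  src += "&base2=" + encodeURIComponent(test.base2);
  // append potential action
  src += "&action=" + encodeURIComponent(test.action);

  document.getElementById("testframe").src = src;
}

// start running the tests
loadNextTest();

</script>
</body>
</html>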