
test_bug663567.html (2430B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Test if XSLT stylesheet is subject to document's CSP</title>
      5  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
      6  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      7  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      8 </head>
      9 <body>
     10  <p id="display"></p>
     11  <div id="content" style="display: none"></div>
     12  <iframe style="width:100%;" id='xsltframe'></iframe>
     13  <iframe style="width:100%;" id='xsltframe2'></iframe>
     14 
     15 <script class="testbody" type="text/javascript">
     16 
// Keep the harness from ending the test on page load: the assertions run
// later, from the iframes' load handlers.
SimpleTest.waitForExplicitFinish();

// Expected innerHTML of the element with id "xsltheader" once the XSLT
// stylesheet has been applied (compared verbatim in checkAllowed).
var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";

// One completion is reported per frame; SimpleTest.finish() runs only after
// both have reported (see checkExplicitFinish).
var numberOfTests = 2,
    finishedTests = 0;
     24 
// Record one finished sub-test and end the run once every sub-test is in.
// Reads and updates the module-level counters finishedTests / numberOfTests.
var checkExplicitFinish = function() {
 finishedTests += 1;
 if (finishedTests !== numberOfTests) {
    return;
 }
 SimpleTest.finish();
}
     31 
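/*
 * Verify that an XSLT stylesheet served from the document's own origin is
 * applied when the document's CSP permits it.
 *
 *   The policy for this test is:
 *   Content-Security-Policy: default-src 'self'
 *
 *   we load the xsl file using:
 *   <?xml-stylesheet type="text/xsl" href="file_bug663467.xsl"?>
 *   (NOTE(review): the document loaded into this frame is
 *   file_bug663567_allows.xml; confirm the stylesheet name above is not a
 *   typo for file_bug663567.xsl.)
 *
 * Runs as the load handler of #xsltframe. The transformed document must
 * contain an element with id "xsltheader" whose innerHTML equals `header`.
 * Any exception while reaching into the frame's document is reported as a
 * failure rather than aborting the run, and checkExplicitFinish() is always
 * called so the harness can finish.
 */
function checkAllowed () {
 try {
   var cspframe = document.getElementById('xsltframe');
   var frameDoc = cspframe.contentWindow.document;
   var xsltAllowedHeader = frameDoc.getElementById('xsltheader').innerHTML;
   is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
 }
 catch (e) {
   ok(false, "Error: could not access content in xsltframe!");
 }
 checkExplicitFinish();
}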
     49 
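/*
 * Verify that an XSLT stylesheet is NOT applied when the document's CSP only
 * permits sources on *.example.com, i.e. a different host than the one the
 * stylesheet is fetched from (per the assertion message below).
 *
 *   The policy for this test is:
 *   Content-Security-Policy: default-src *.example.com
 *
 *   we load the xsl file using:
 *   <?xml-stylesheet type="text/xsl" href="file_bug663467.xsl"?>
 *   (NOTE(review): the document loaded into this frame is
 *   file_bug663567_blocks.xml; confirm the stylesheet name above is not a
 *   typo for file_bug663567.xsl.)
 *
 * Runs as the load handler of #xsltframe2. With the transform blocked the
 * frame is expected to show the raw XML (see the `header` text), so no
 * element with id "xsltheader" should exist.
 * NOTE(review): the null check also passes if the XML document itself failed
 * to load, or if the transform failed for a reason unrelated to CSP; an
 * additional assertion that the frame's document has content would make the
 * "blocked" result less vacuous.
 * Any exception while reaching into the frame's document is reported as a
 * failure, and checkExplicitFinish() is always called so the harness can
 * finish.
 */
function checkBlocked () {
 try {
   var cspframe = document.getElementById('xsltframe2');
   var frameDoc = cspframe.contentWindow.document;
   var xsltBlockedHeader = frameDoc.getElementById('xsltheader');
   is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
 }
 catch (e) {
   ok(false, "Error: could not access content in xsltframe2!");
 }
 checkExplicitFinish();
}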
     67 
     68 document.getElementById('xsltframe').addEventListener('load', checkAllowed);
     69 document.getElementById('xsltframe').src = 'file_bug663567_allows.xml';
     70 
     71 document.getElementById('xsltframe2').addEventListener('load', checkBlocked);
     72 document.getElementById('xsltframe2').src = 'file_bug663567_blocks.xml';
     73 
     74 </script>
     75 </body>
     76 </html>