
test_bug886164.html (5073B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <meta charset="utf-8">
      5  <title>Bug 886164 - Enforce CSP in sandboxed iframe</title>
      6  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      7  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      8 </head>
      9 <body>
     10 <p id="display"></p>
     11 <div id="content" style="display: none">
     12 </div>
     13 <iframe style="width:200px;height:200px;" id='cspframe'  sandbox="allow-same-origin"></iframe>
     14 <iframe style="width:200px;height:200px;" id='cspframe2' sandbox></iframe>
     15 <iframe style="width:200px;height:200px;" id='cspframe3' sandbox="allow-same-origin"></iframe>
     16 <iframe style="width:200px;height:200px;" id='cspframe4' sandbox></iframe>
     17 <iframe style="width:200px;height:200px;" id='cspframe5' sandbox="allow-scripts"></iframe>
     18 <iframe style="width:200px;height:200px;" id='cspframe6' sandbox="allow-same-origin allow-scripts"></iframe>
     19 <script class="testbody" type="text/javascript">
     20 
     21 
// Base path of the CSP test directory.
// NOTE(review): `path` is not referenced anywhere else in this file; the
// fixture frames are loaded by relative URL at the bottom of the script.
var path = "/tests/dom/security/test/csp/";

// Expected outcome of every request the fixture frames make, keyed by the
// testid=<name> token carried in the request URL.  -1 means the test
// hasn't run yet; once window.testResult records it, the value is the
// true/false pass/fail result.  The name suffix states the expectation
// that examiner.observe checks against: _good requests must be allowed
// by CSP, _bad requests must be blocked.  Each group names the iframe's
// sandbox flags followed by the CSP source list the fixture serves; the
// groups follow the frame order cspframe..cspframe6 (their sandbox
// attributes match).
window.tests = {
  // cspframe: sandbox allow-same-origin; 'self'
  img_good: -1, // same origin
  img_bad: -1, //example.com

  // cspframe2: sandbox (no flags); 'self'
  img2_bad: -1, //example.com
  img2a_good: -1, // same origin & is image

  // cspframe3: sandbox allow-same-origin; 'none'
  img3_bad: -1,
  img3a_bad: -1,

  // cspframe4: sandbox (no flags); 'none'
  img4_bad: -1,
  img4a_bad: -1,

  // cspframe5: sandbox allow-scripts; 'none' 'unsafe-inline'
  img5_bad: -1,
  img5a_bad: -1,
  script5_bad: -1,
  script5a_bad: -1,

  // cspframe6: sandbox allow-same-origin allow-scripts; 'self' 'unsafe-inline'
  img6_bad: -1,
  script6_bad: -1,
};

// Sandboxed frames without 'allow-same-origin' cannot reach this document
// directly, so they post an object like {ok: true/false, desc:
// <description of the test>} back here; receiveMessage forwards each one
// to ok_wrapper, which reports it via ok().
// NOTE(review): the listener accepts a message from any source window;
// nothing here checks event.source or event.origin.
window.addEventListener("message", receiveMessage);
     59 
// Handles a {ok, desc} result posted by one of the sandboxed frames that
// lack allow-same-origin (and so cannot call into this document directly)
// and forwards it to ok_wrapper.
// NOTE(review): neither event.source nor event.origin is checked.  Those
// frames have an opaque ("null") origin, so an origin string cannot be
// compared; a check of event.source against the test frames' contentWindow
// is the way to ignore results from any other window.  Confirm which
// window the fixtures post from before adding it.
// event - the MessageEvent; event.data is expected to carry a boolean
//         `ok` and a string `desc`.
function receiveMessage(event) {
  const { ok: passed, desc: description } = event.data;
  ok_wrapper(passed, description);
}
     64 
// Completion flags for the two independent result streams: the CSP
// observer results recorded by window.testResult, and the postMessage
// results from the sandboxed frames counted by ok_wrapper.  Whichever
// stream finishes last calls SimpleTest.finish(); it is only called once
// both flags are true.
var cspTestsDone = false;
var iframeSandboxTestsDone = false;

// iframe related: counters for the postMessage result stream.
// completedTests drives completion in ok_wrapper.
// NOTE(review): passedTests is incremented in ok_wrapper but never read
// anywhere in this file.
var completedTests = 0;
var passedTests = 0;
     71 
// Records one pass/fail result posted by a sandboxed frame and, once the
// expected number of such results has arrived, marks the iframe half of
// the test as done.  SimpleTest.finish() is reached from here only if the
// CSP observer half (cspTestsDone) already completed; otherwise
// window.testResult finishes the test later.
// result - boolean pass/fail, forwarded to ok()
// desc   - description string for the ok() report
function ok_wrapper(result, desc) {
  ok(result, desc);

  completedTests += 1;
  passedTests += result ? 1 : 0;

  // 5 is the total number of postMessage results the fixture frames are
  // expected to deliver; it must stay in sync with the
  // file_bug886164_*.html fixtures, which are not visible here.
  if (completedTests !== 5) {
    return;
  }

  iframeSandboxTestsDone = true;
  if (cspTestsDone) {
    SimpleTest.finish();
  }
}
     88 
     89 
     90 //csp related
     91 
     92 // This is used to watch the blocked data bounce off CSP and allowed data
     93 // get sent out to the wire.
// Observes the two notifications that say what happened to each fixture
// request: "specialpowers-http-notify-request" fires for requests that
// CSP allowed out to the wire, "csp-on-violate-policy" for requests it
// blocked.  Every fixture request carries a testid=<name> token in its
// URL; the name's suffix (_good / _bad) says which outcome was expected,
// and window.testResult records whether the observed outcome matched.
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}
examiner.prototype = {
  // nsIObserver entry point.
  // subject - for "csp-on-violate-policy", the blocked nsIURI
  // topic   - which of the two notifications fired
  // data    - the request URL for "specialpowers-http-notify-request";
  //           for "csp-on-violate-policy", the string reported as the
  //           blocker (presumably the violated directive -- not verifiable
  //           from this file)
  observe(subject, topic, data) {
    const testpat = new RegExp("testid=([a-z0-9_]+)");

    switch (topic) {
      case "specialpowers-http-notify-request": {
        // Allowed by CSP: only _good requests should get here.
        const uri = data;
        const found = testpat.exec(uri);
        if (!found) return;
        const testid = found[1];
        window.testResult(testid, /_good/.test(testid), uri + " allowed by csp");
        break;
      }
      case "csp-on-violate-policy": {
        // Blocked by CSP: only _bad requests should get here.
        const asciiSpec = SpecialPowers.getPrivilegedProps(
          SpecialPowers.do_QueryInterface(subject, "nsIURI"),
          "asciiSpec"
        );
        const found = testpat.exec(asciiSpec);
        if (!found) return;
        const testid = found[1];
        window.testResult(testid, /_bad/.test(testid), asciiSpec + " blocked by \"" + data + "\"");
        break;
      }
    }
  },

  // Must be called once all results are in; otherwise the observers stay
  // registered and can interfere with later mochitests.
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
};
    134 
// Register the CSP/HTTP observers before any fixture frame is loaded so
// that no request goes unobserved; window.testResult calls
// examiner.remove() once every entry in window.tests has a result.
window.examiner = new examiner();
    136 
// Records the CSP outcome for one testid.  Only the first report for a
// name counts -- a later notification for the same request is ignored --
// and once every entry in window.tests holds a result the observers are
// torn down and the CSP half of the test is marked done.
// testname - testid token from the request URL (a key of window.tests)
// result   - whether the observed outcome matched the _good/_bad expectation
// msg      - detail appended to the ok() description
window.testResult = function(testname, result, msg) {
  // First result wins.  A name that is not a key of window.tests yields
  // undefined, which also fails the -1 check, so unknown testids are
  // silently dropped.
  if (window.tests[testname] != -1) {
    return;
  }

  window.tests[testname] = result;
  ok(result, testname + ' test: ' + msg);

  // Keep waiting while any entry is still at its -1 sentinel.
  const stillPending = Object.keys(window.tests).some(function (name) {
    return window.tests[name] == -1;
  });
  if (stillPending) {
    return;
  }

  window.examiner.remove();
  cspTestsDone = true;
  if (iframeSandboxTestsDone) {
    SimpleTest.finish();
  }
};
    157 
SimpleTest.waitForExplicitFinish();

// Load the fixtures last so that the message listener and the CSP/HTTP
// observers registered above are in place before any request fires.
// Frame N loads file_bug886164_N.html; the first frame has no suffix.
[
  ['cspframe', 'file_bug886164.html'],
  ['cspframe2', 'file_bug886164_2.html'],
  ['cspframe3', 'file_bug886164_3.html'],
  ['cspframe4', 'file_bug886164_4.html'],
  ['cspframe5', 'file_bug886164_5.html'],
  ['cspframe6', 'file_bug886164_6.html'],
].forEach(function (entry) {
  document.getElementById(entry[0]).src = entry[1];
});
    168 
    169 </script>
    170 </pre>
    171 </body>
    172 </html>