      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>CSP should block XSLT as script, not as style</title>
      5  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
      6  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      7  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      8 </head>
      9 <body>
     10  <p id="display"></p>
     11  <div id="content" style="display: none"></div>
     12  <iframe style="width:100%;" id='xsltframe'></iframe>
     13  <iframe style="width:100%;" id='xsltframe2'></iframe>
     14 
     15 <script class="testbody" type="text/javascript">
     16 
     17 SimpleTest.waitForExplicitFinish();
     18 
     19 // define the expected output of this test
     20 var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
     21 
/**
 * Load handler for #xsltframe (the "allowed" case).
 *
 * Policy served for this frame:
 *   Content-Security-Policy: default-src 'self'; script-src 'self'
 * and the XML document references its transform with
 *   <?xml-stylesheet type="text/xsl" href="file_bug910139.xsl"?>
 *
 * The XSL file is same-origin, so a script-src of 'self' must let the
 * transform run: the frame's document should contain #xsltheader with the
 * expected text. Once checked, the blocked case in #xsltframe2 is started.
 */
function checkAllowed () {
  var allowedFrame = document.getElementById('xsltframe');
  try {
    var innerDoc = allowedFrame.contentWindow.document;
    var actualHeader = innerDoc.getElementById('xsltheader').innerHTML;
    is(actualHeader, header, "XSLT loaded from 'self' should be allowed!");
  } catch (e) {
    // Thrown when the frame's document cannot be read or #xsltheader is
    // missing (null.innerHTML); either way the transform did not happen.
    ok(false, "Error: could not access content in xsltframe!");
  }

  // Chain the second case: the handler is attached before src is assigned.
  var blockedFrame = document.getElementById('xsltframe2');
  blockedFrame.addEventListener('load', checkBlocked);
  blockedFrame.src = 'file_bug910139.sjs';
}

/**
 * Load handler for #xsltframe2 (the "blocked" case).
 *
 * Policy served for this frame:
 *   Content-Security-Policy: default-src 'self'; script-src *.example.com
 * with the same transform reference:
 *   <?xml-stylesheet type="text/xsl" href="file_bug910139.xsl"?>
 *
 * The XSL file is on this host, which script-src does not list, so CSP must
 * refuse the transform (it is governed by script-src, not style-src): the
 * frame's document should hold no #xsltheader, and per the expected header
 * text the frame should show the XML dump instead. This is the final step,
 * so it also ends the test.
 */
function checkBlocked () {
  var blockedFrame = document.getElementById('xsltframe2');
  try {
    var innerDoc = blockedFrame.contentWindow.document;
    var headerElement = innerDoc.getElementById('xsltheader');
    is(headerElement, null, "XSLT loaded from different host should be blocked!");
  } catch (e) {
    // Thrown only if the frame's document itself cannot be read.
    ok(false, "Error: could not access content in xsltframe2!");
  }
  SimpleTest.finish();
}

     61 document.getElementById('xsltframe').addEventListener('load', checkAllowed);
     62 document.getElementById('xsltframe').src = 'file_bug910139.sjs';
     63 
     64 </script>
     65 </body>
     66 </html>