test_docwrite_meta.html (3297B)
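<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Bug 663570 - Implement Content Security Policy via meta tag</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<iframe style="width:100%;" id="writemetacspframe"></iframe>
<iframe style="width:100%;" id="commentmetacspframe"></iframe>


<script class="testbody" type="text/javascript">
/* Description of the test:
 * We load two frames, where the first frame does doc.write(meta csp) and
 * the second does doc.write(comment out meta csp).
 * We make sure to reuse/invalidate preloads depending on the policy.
 *
 * Each frame is checked once, from its 'load' handler; the test finishes
 * after both handlers have reported.
 */

SimpleTest.waitForExplicitFinish();

var writemetacspframe = document.getElementById("writemetacspframe");
var commentmetacspframe = document.getElementById("commentmetacspframe");
var seenResults = 0;

// Called once per frame; finishes the test when both frames have been checked.
function checkTestsDone() {
  seenResults++;
  if (seenResults < 2) {
    return;
  }
  SimpleTest.finish();
}

// document.write(<meta csp ...>) should block resources from being included in the doc
function checkResultsBlocked() {
  writemetacspframe.removeEventListener('load', checkResultsBlocked);

  // stylesheet: default background color within FF is transparent
  var bgcolor = window.getComputedStyle(writemetacspframe.contentDocument.body)
                      .getPropertyValue("background-color");
  is(bgcolor, "rgba(0, 0, 0, 0)", "inital background value in FF should be 'transparent'");

  // image: make sure image is blocked
  var img = writemetacspframe.contentDocument.getElementById("testimage");
  is(img.naturalWidth, 0, "image width should be 0");
  is(img.naturalHeight, 0, "image height should be 0");

  // script: make sure defined variable in external script is undefined
  is(writemetacspframe.contentDocument.myMetaCSPScript, undefined, "myMetaCSPScript should be 'undefined'");

  checkTestsDone();
}

// document.write(<!--) to comment out meta csp should allow resources to be loaded
// after the preload failed
function checkResultsAllowed() {
  commentmetacspframe.removeEventListener('load', checkResultsAllowed);

  // stylesheet: should be applied; bgcolor should be red
  var bgcolor = window.getComputedStyle(commentmetacspframe.contentDocument.body).getPropertyValue("background-color");
  is(bgcolor, "rgb(255, 0, 0)", "background should be red/rgb(255, 0, 0)");

  // image: should be completed
  var img = commentmetacspframe.contentDocument.getElementById("testimage");
  ok(img.complete, "image should be loaded");
  // HTMLImageElement.complete is also true for an image whose load failed, so
  // on its own it cannot tell an allowed load from a blocked one. Check the
  // intrinsic width as well.
  // NOTE(review): assumes the test image has a non-zero intrinsic width, which
  // the blocked-frame check (naturalWidth == 0) already relies on - confirm.
  ok(img.naturalWidth > 0, "image width should be greater than 0");

  // script: defined variable in external script should be accessible
  is(commentmetacspframe.contentDocument.myMetaCSPScript, "external-JS-loaded", "myMetaCSPScript should be 'external-JS-loaded'");

  checkTestsDone();
}

// doc.write(meta csp) should allow preloads but should block actual loads
// (the listener is registered before the navigation is started)
writemetacspframe.addEventListener('load', checkResultsBlocked);
writemetacspframe.src = 'file_docwrite_meta.html';

// commenting out a meta CSP should result in loaded image, script, style
commentmetacspframe.addEventListener('load', checkResultsAllowed);
commentmetacspframe.src = 'file_doccomment_meta.html';

</script>
</body>
</html>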