test_image_nonce.html (1699B)
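<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <!-- NOTE(review): the title names the upgrade-insecure-requests directive,
       but the script below checks image loads against an img-src nonce
       policy. It looks carried over from another test; confirm the bug
       reference before relying on it. -->
  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
  <!-- SimpleTest.js supplies the harness calls used below
       (waitForExplicitFinish, ok, finish). -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody">

/*
 * What this test checks:
 *   file_image_nonce.html is loaded into #testframe and is expected to try
 *   three image loads:
 *     (a) an image carrying a matching nonce,
 *     (b) an image carrying a non-matching nonce,
 *     (c) an image carrying no nonce.
 *   All three must be reported as blocked: a policy of the form
 *   "img-src nonce-bla" must not permit an image load, not even when the
 *   nonce matches. A nonce in img-src therefore must never behave as an
 *   allow-list entry for images.
 *
 *   The policy itself and the three images live in the helper document (or
 *   its response headers), which is not part of this file.
 */

SimpleTest.waitForExplicitFinish();

// The three reports the helper frame is expected to send, one per image.
var expectedResults = [
  "img-with-matching-nonce-blocked",
  "img-with_non-matching-nonce-blocked",
  "img-without-nonce-blocked",
];

// Reports already accepted. Counting messages alone would let three copies
// of the same report pass without the other two images ever being checked.
var seenResults = [];

// Number of messages processed so far; the test finishes after the third.
var counter = 0;

/**
 * Detach the message listener and tell the harness the test is complete.
 */
function finishTest() {
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}

/**
 * Record one report from the helper frame.
 *
 * A report passes only if it is one of the three expected strings and has
 * not been seen before. Anything else is logged as a failure. The test
 * finishes once three reports have been processed, whether or not they
 * passed, so a failing run still terminates instead of timing out.
 *
 * @param aResult the `result` value taken from the posted message.
 */
function checkResults(aResult) {
  counter++;
  if (expectedResults.indexOf(aResult) === -1) {
    ok(false, "unexpected result: " + aResult + "\n\n");
  } else if (seenResults.indexOf(aResult) !== -1) {
    ok(false, "duplicate result: " + aResult);
  } else {
    seenResults.push(aResult);
    ok(true, "correct result for: " + aResult);
  }
  if (counter < 3) {
    return;
  }
  finishTest();
}

/**
 * postMessage handler that carries results from the helper frame back to
 * this page.
 *
 * The sender is not validated. The original comment describes the sender as
 * a sandboxed iframe without 'allow-same-origin'; such a frame has an opaque
 * origin, so event.origin cannot identify it. No sandbox attribute is set on
 * #testframe in this file, so any sandboxing would have to come from the
 * helper document or its headers (confirm). If the helper posts directly
 * from #testframe, comparing event.source with the frame's contentWindow
 * would pin the sender; that cannot be verified from this file.
 *
 * @param event the MessageEvent delivered to this window.
 */
function receiveMessage(event) {
  // A message without a data object is reported as an unexpected result
  // rather than throwing inside the handler.
  var data = event.data;
  checkResults(data ? data.result : undefined);
}

window.addEventListener("message", receiveMessage);

document.getElementById("testframe").src = "file_image_nonce.html";

</script>
</body>
</html>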