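<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <!-- This file exercises inline-script handling, not frame-ancestors; the
       previous title was a copy-paste leftover. -->
  <title>Test for Content Security Policy inline script handling</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <script src="/tests/SimpleTest/EventUtils.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id='testframe'></iframe>

<script class="testbody" type="text/javascript">

// Each entry serves file_inlinescript.html under a different CSP and lists the
// result tokens that may legitimately be reported for it. "received" counts
// the reports seen so far for that entry; every CSP is expected to produce
// exactly EXPECTED_REPORTS of them (either distinct postMessage tokens from
// the frame, or repeated "inline-script-blocked" hits from the observer).
var tests = [
  {
    /* test allowed */
    csp: "default-src 'self'; script-src 'self' 'unsafe-inline'",
    results: ["body-onload-fired", "text-node-fired",
              "javascript-uri-fired", "javascript-uri-anchor-fired"],
    desc: "allow inline scripts",
    received: 0, // counter to make sure we received all 4 reports
  },
  {
    /* test blocked */
    csp: "default-src 'self'",
    results: ["inline-script-blocked"],
    desc: "block inline scripts",
    received: 0, // counter to make sure we received all 4 reports
  }
];

// Number of reports each test produces: one per inline-script vector that
// file_inlinescript.html fires (the four tokens listed in the first entry).
var EXPECTED_REPORTS = 4;

var counter = 0; // index of the next `tests` entry to load
var curTest;     // the entry currently being exercised

// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
//
// The observer sees every "csp-on-violate-policy" notification, reads the
// violation message string, and reports "inline-script-blocked" to
// checkResults only for the two inline-script messages it recognises.
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
}
examiner.prototype = {
  observe(subject, topic, data) {
    if (topic !== "csp-on-violate-policy") {
      return;
    }

    // The violation message is carried as an nsISupportsCString; unwrap it.
    var what = SpecialPowers.getPrivilegedProps(SpecialPowers.
                 do_QueryInterface(subject, "nsISupportsCString"), "data");

    // Only count inline-script violations; any other policy hit is not part
    // of this test and would otherwise inflate curTest.received.
    if (!what.includes("Inline Script had invalid hash") &&
        !what.includes("Inline Scripts will not execute")) {
      return;
    }
    window.checkResults("inline-script-blocked");
  },
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
  }
}

// Tear down the observer and the message listener, then signal completion.
function finishTest() {
  window.examiner.remove();
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}

// Record one report for the current test. Fails the test if the token is not
// one this CSP may produce; once EXPECTED_REPORTS have arrived, moves on to
// the next CSP or finishes.
var checkResults = function(result) {
  var index = curTest.results.indexOf(result);
  isnot(index, -1, "should find result (" + result +") within test: " + curTest.desc);
  if (index > -1) {
    curTest.received += 1;
  }

  // make sure we receive all the 4 reports for the 4 inline scripts
  if (curTest.received < EXPECTED_REPORTS) {
    return;
  }

  if (counter < tests.length) {
    loadNextTest();
    return;
  }
  finishTest();
}

// a postMessage handler that is used to bubble up results from the testframe.
// The frame is loaded from a relative URL (see loadNextTest), so every report
// we expect carries our own origin; anything from another origin is dropped
// rather than handed to checkResults, so a stray message from some other
// window cannot steer the test.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
  if (event.origin !== window.location.origin) {
    return;
  }
  checkResults(event.data);
}

// Runs once per frame load: detaches itself, then synthesizes a click on
// #anchortoclick inside the frame so the anchor's inline handler gets its
// chance to run (or be blocked) under the CSP in effect.
function clickit() {
  document.getElementById("testframe").removeEventListener('load', clickit);
  var testframe = document.getElementById('testframe');
  var a = testframe.contentDocument.getElementById('anchortoclick');
  sendMouseEvent({type:'click'}, a, testframe.contentWindow);
}

// Advance `counter`, build the file_testserver.sjs URL that serves
// file_inlinescript.html with the next CSP, and load it into the frame.
function loadNextTest() {
  curTest = tests[counter++];
  var src = "file_testserver.sjs?file=";
  // append the file that should be served
  src += escape("tests/dom/security/test/csp/file_inlinescript.html");
  // append the CSP that should be used to serve the file
  // NOTE(review): escape() is legacy; it is kept because file_testserver.sjs
  // presumably decodes these parameters to match it and both values here are
  // plain ASCII. Confirm against the .sjs before switching to
  // encodeURIComponent().
  src += "&csp=" + escape(curTest.csp);

  document.getElementById("testframe").src = src;
  document.getElementById("testframe").addEventListener("load", clickit);
}

// set up the test and go
window.examiner = new examiner();
SimpleTest.waitForExplicitFinish();
loadNextTest();

</script>

</body>
</html>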