
test_meta_element.html (2901B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <meta charset="utf-8">
      5  <title>Bug 663570 - Implement Content Security Policy via <meta> tag</title>
      6  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
      7  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      8  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      9 </head>
     10 <body>
     11 <p id="display"></p>
     12 <iframe style="width:100%;" id="testframe" src="file_meta_element.html"></iframe>
     13 
     14 <script class="testbody" type="text/javascript">
     15 
     16 /* Description of the test:
     17 * The test is twofold:
     18 * First, by loading a page using meta csp (into an iframe) we make sure that
     19 * images get correctly blocked as the csp policy includes "img-src 'none'";
     20 *
     21 * Second, we make sure meta csp ignores the following directives:
     22 *   * report-uri
     23 *   * frame-ancestors
     24 *   * sandbox
     25 *
     26 * Please note that the CSP sandbox directive (bug 671389) has not landed yet.
     27 * Once bug 671389 lands this test will fail and needs to be updated.
     28 */
     29 
// Directives a meta CSP is expected to keep; report-uri, frame-ancestors and
// sandbox (see the description above) must not show up in the applied policy.
const EXPECTED_DIRS = ["img-src", "script-src"];

// Completion is driven by the iframe's postMessage, so SimpleTest must not
// auto-finish when this script runs to its end.
SimpleTest.waitForExplicitFinish();
     32 
/**
 * Ends the mochitest: unhooks the postMessage bridge first so a straggling
 * message cannot re-enter checkResults() after SimpleTest.finish() ran.
 */
function finishTest() {
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}
     37 
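/**
 * Verifies the outcome reported by the iframe and inspects the CSP that the
 * meta element installed on the iframe's document.
 *
 * @param {string} result  Status string posted by file_meta_element.html;
 *                         "img-blocked" means img-src 'none' took effect.
 *
 * Always ends the test via finishTest(), even when an assertion helper throws.
 */
function checkResults(result) {
  is(result, "img-blocked", "loading images should be blocked by meta csp");

  try {
    // get the csp in JSON notation from the principal
    const frame = document.getElementById("testframe");
    const contentDoc = SpecialPowers.wrap(frame.contentDocument);
    const cspJSON = contentDoc.cspJSON;
    ok(cspJSON, "CSP applied through meta element");

    // parse the cspJSON in a csp-object
    const cspOBJ = JSON.parse(cspJSON);
    ok(cspOBJ, "was able to parse the JSON");

    // make sure we only got one policy
    const policies = cspOBJ["csp-policies"];
    is(policies.length, 1, "there should be one policy applied");

    // Work on a copy: the module-level list stays intact, and a directive
    // that is *not* expected can no longer knock an entry off the list (the
    // former splice(indexOf(dir), 1) removed the last element when indexOf
    // returned -1, which could make the final "seen all" check pass falsely).
    const remaining = new Set(EXPECTED_DIRS);

    // iterate the policy and make sure to only encounter expected directives.
    for (const dir of Object.keys(policies[0])) {
      // special case handling for report-only which is not a directive
      // but present in the JSON notation of the CSP.
      if (dir === "report-only") {
        continue;
      }
      isnot(EXPECTED_DIRS.indexOf(dir), -1, "meta csp contains directive: " + dir + "!");
      // delete() is a no-op for unknown names, so only expected ones are ticked off.
      remaining.delete(dir);
    }
    is(remaining.size, 0, "have seen all the expected values");
  }
  catch (e) {
    // Surface the failure reason instead of swallowing it.
    ok(false, "uuh, something went wrong within meta csp test: " + e);
  }

  finishTest();
}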
     81 
/**
 * postMessage bridge from the iframe: file_meta_element.html posts its
 * onsuccess/onerror outcome as event.data.result, which is handed straight
 * to checkResults().
 *
 * NOTE(review): no event.source / event.origin check is performed; the
 * harness relies on the same-origin test iframe being the only poster —
 * confirm before reusing this pattern outside the test.
 */
function receiveMessage(event) {
  const { result } = event.data;
  checkResults(result);
}

window.addEventListener("message", receiveMessage);
     88 
     89 </script>
     90 </body>
     91 </html>