tor-browser

test_meta_header_dual.html (3989B)

---

<!DOCTYPE HTML>
<html>
<head>
 <meta charset="utf-8">
 <title>Bug 663570 - Implement Content Security Policy via meta tag</title>
 <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
 <script src="/tests/SimpleTest/SimpleTest.js"></script>
 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:
* We test all sorts of CSPs on documents, including documents with no
* CSP, with meta CSP and with meta CSP in combination with a CSP header.
*/

const TESTS = [
 {
   /* load image without any CSP */
   query: "test1",
   result: "img-loaded",
   policyLen: 0,
   desc: "no CSP should allow load",
 },
 {
   /* load image where meta denies load */
   query: "test2",
   result: "img-blocked",
   policyLen: 1,
   desc: "meta (img-src 'none') should block load"
 },
 {
   /* load image where meta allows load */
   query: "test3",
   result: "img-loaded",
   policyLen: 1,
   desc: "meta (img-src http://mochi.test) should allow load"
 },
 {
   /* load image where meta allows but header blocks */
   query: "test4", // triggers speculative load
   result: "img-blocked",
   policyLen: 2,
   desc: "meta (img-src http://mochi.test), header (img-src 'none') should block load"
 },
 {
   /* load image where meta blocks but header allows */
   query: "test5", // triggers speculative load
   result: "img-blocked",
   policyLen: 2,
   desc: "meta (img-src 'none'), header (img-src http://mochi.test) should block load"
 },
 {
   /* load image where meta allows and header allows */
   query: "test6", // triggers speculative load
   result: "img-loaded",
   policyLen: 2,
   desc: "meta (img-src http://mochi.test), header (img-src http://mochi.test) should allow load"
 },
 {
   /* load image where meta1 allows but meta2 blocks */
   query: "test7",
   result: "img-blocked",
   policyLen: 2,
   desc: "meta1 (img-src http://mochi.test), meta2 (img-src 'none') should allow blocked"
 },
 {
   /* load image where meta1 allows and meta2 allows */
   query: "test8",
   result: "img-loaded",
   policyLen: 2,
   desc: "meta1 (img-src http://mochi.test), meta2 (img-src http://mochi.test) should allow allowed"
 },
];

var curTest;
var counter = -1;

function finishTest() {
 window.removeEventListener("message", receiveMessage);
 SimpleTest.finish();
}

function checkResults(result) {
 // make sure the image got loaded or blocked
 is(result, curTest.result, curTest.query + ": " + curTest.desc);

 if (curTest.policyLen != 0) {
   // make sure that meta policy got not parsed and appended twice
   try {
     // get the csp in JSON notation from the principal
     var frame = document.getElementById("testframe");
     var contentDoc = SpecialPowers.wrap(frame.contentDocument);
     var cspOBJ = JSON.parse(contentDoc.cspJSON);
     // make sure that the speculative policy and the actual policy
     // are not appended twice.
     var policies = cspOBJ["csp-policies"];
     is(policies.length, curTest.policyLen, curTest.query + " should have: " + curTest.policyLen + " policies");
   }
   catch (e) {
     ok(false, "uuh, something went wrong within cspToJSON in " + curTest.query);
   }
 }
 // move on to the next test
 runNextTest();
}

// a postMessage handler used to bubble up the
// onsuccess/onerror state from within the iframe.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
 checkResults(event.data.result);
}

function runNextTest() {
 if (++counter == TESTS.length) {
   finishTest();
   return;
 }
 curTest = TESTS[counter];
 // load next test
 document.getElementById("testframe").src = "file_meta_header_dual.sjs?" + curTest.query;
}

// start the test
SimpleTest.waitForExplicitFinish();
runNextTest();

</script>
</body>
</html>