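<!DOCTYPE HTML>
<html>
<head>
  <title>Tests for Content Security Policy during redirects</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">

</div>

<iframe style="width:100%;height:300px;" id="harness"></iframe>
<pre id="log"></pre>
<script class="testbody" type="text/javascript">

/*
 * Security property under test: a CSP source-list check has to be applied to
 * the URL a request finally lands on, not only to the URL it started from.
 * If it were not, an allow-listed origin could answer with a redirect to an
 * arbitrary host and the policy would be bypassed.  The harness page
 * (file_redirects_main.html, loaded into #harness below) issues, for each
 * directive, one request that should load and one that goes through a
 * redirect and should be blocked.  Every request carries a "testid=..."
 * query parameter so the observers below can attribute it to a test.
 */

// Base path of the CSP test files.  Not referenced by this page itself.
var path = "/tests/dom/security/test/csp/";

// Debug tracing.  Intentionally a no-op; uncomment one of the sinks to
// trace which requests were allowed / blocked while debugging.
function log(s) {
  // dump("**" + s + "\n");
  // var log = document.getElementById("log");
  // log.textContent = log.textContent+s+"\n";
}

SpecialPowers.registerObservers("csp-on-violate-policy");

/**
 * Observer that classifies every test request as "allowed" (it was actually
 * sent, as reported by specialpowers-http-notify-request) or "blocked"
 * (CSP fired csp-on-violate-policy for it).  Each request is reported to
 * testResult() exactly once; a test id that is already marked "completed"
 * is ignored.
 */
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy");
  SpecialPowers.addObserver(this, "specialpowers-csp-on-violate-policy");
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}
examiner.prototype = {
  /**
   * @param subject  nsIURI of the blocked request (violation topics only)
   * @param topic    observer topic that fired
   * @param data     URL string of the request that was sent
   *                 (specialpowers-http-notify-request only)
   */
  observe(subject, topic, data) {
    // Test ids are lower-case words and digits joined by '-'; anything
    // without a testid= parameter is not one of ours and is ignored.
    var testpat = new RegExp("testid=([a-z0-9-]+)");
    var asciiSpec;
    var testid;

    if (topic === "specialpowers-http-notify-request") {
      // request was sent, i.e. CSP let it through
      var allowedUri = data;
      if (!testpat.test(allowedUri)) return;
      testid = testpat.exec(allowedUri)[1];
      if (testExpectedResults[testid] === "completed") return;
      log("allowed: "+allowedUri);
      window.testResult(testid, allowedUri, true);
    }

    else if (topic === "csp-on-violate-policy" || topic === "specialpowers-csp-on-violate-policy") {
      // request was blocked by CSP
      asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
      if (!testpat.test(asciiSpec)) return;
      testid = testpat.exec(asciiSpec)[1];
      // had to add this check because http-on-modify-request can fire after
      // csp-on-violate-policy, apparently, even though the request does
      // not hit the wire.
      if (testExpectedResults[testid] === "completed") return;
      log("BLOCKED: "+asciiSpec);
      window.testResult(testid, asciiSpec, false);
    }
  },

  // Unregister all three observers; called once every test has reported.
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
}
window.examiner = new examiner();

// contains { test_frame_id : expected_result }
// true  = the load must be allowed, false = the load must be blocked.
// Once a test has reported, its entry is overwritten with "completed".
//
// The "-redir" variants redirect to a host the policy does not allow; the
// post-redirect URL is what must be checked, so those are expected blocked.
var testExpectedResults = { "font-src": true,
                            "font-src-redir": false,
                            "frame-src": true,
                            "frame-src-redir": false,
                            "img-src": true,
                            "img-src-redir": false,
                            "media-src": true,
                            "media-src-redir": false,
                            "object-src": true,
                            "object-src-redir": false,
                            "script-src": true,
                            "script-src-redir": false,
                            "style-src": true,
                            "style-src-redir": false,
                            "xhr-src": true,
                            "xhr-src-redir": false,
                            // A worker loaded from a URL gets its own policy
                            // (from its response headers), not the document's,
                            // so its redirected loads are not blocked here.
                            "from-worker": true,
                            "script-src-redir-from-worker": true, // redir is allowed since policy isn't inherited
                            "xhr-src-redir-from-worker": true, // redir is allowed since policy isn't inherited
                            "fetch-src-redir-from-worker": true, // redir is allowed since policy isn't inherited
                            // A blob: worker runs under its creator's policy,
                            // so the same redirected loads must be blocked.
                            "from-blob-worker": true,
                            "script-src-redir-from-blob-worker": false,
                            "xhr-src-redir-from-blob-worker": false,
                            "fetch-src-redir-from-blob-worker": false,
                            "img-src-from-css": true,
                            "img-src-redir-from-css": false,
                          };

/**
 * Records the outcome of one test and finishes the suite once every entry
 * in testExpectedResults has reported.
 *
 * @param testName  test id taken from the request's testid= parameter
 * @param url       the URL that was observed (for the assertion message)
 * @param result    true if the load was sent, false if CSP blocked it
 */
var testResult = function(testName, url, result) {
  log(" testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");

  // A request we never planned for is a harness bug (or a stray load);
  // report it explicitly instead of comparing against undefined.
  if (!(testName in testExpectedResults)) {
    ok(false, "unexpected testid '"+testName+"' for "+url);
    return;
  }

  is(result, testExpectedResults[testName], testName+" test: "+url);

  // mark test as completed
  testExpectedResults[testName] = "completed";

  // don't finish until we've run all the tests
  for (var t in testExpectedResults) {
    if (testExpectedResults[t] !== "completed") {
      return;
    }
  }

  window.examiner.remove();
  SimpleTest.finish();
}

SimpleTest.waitForExplicitFinish();

SpecialPowers.pushPrefEnv(
  {'set':[// On a cellular connection the default preload value is 0 ("preload
          // none"). Our Android emulators emulate a cellular connection, and
          // so by default preload no media data. This causes the media_* tests
          // to timeout. We set the default used by cellular connections to the
          // same as used by non-cellular connections in order to get
          // consistent behavior across platforms/devices.
          ["media.preload.default", 2],
          ["media.preload.default.cellular", 2]]},
  function() {
    // save this for last so that our listeners are registered.
    // ... this loads the testbed of good and bad requests.
    document.getElementById("harness").src = "file_redirects_main.html";
  });
</script>

</body>
</html>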