tor-browser


test_svg_inline_style.html (4269B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <title>Bug 1262842: Test CSP inline style within svg image</title>
      5  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      6  <script src="/tests/SimpleTest/WindowSnapshot.js"></script>
      7  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      8 </head>
      9 <body>
     10 <iframe id="img_base"></iframe>
     11 <iframe id="img_csp"></iframe>
     12 <iframe id="img_base_srcset"></iframe>
     13 <iframe id="img_csp_srcset"></iframe>
     14 <iframe id="doc_base"></iframe>
     15 <iframe id="doc_csp"></iframe>
     16 
     17 <script class="testbody" type="text/javascript">
     18 
     19 // Description of the two tests:
     20 //  * CSP should not apply to SVGs loaded as images (in src or srcset)
     21 //  * CSP should apply to SVGs loaded as document
     22 // Since we have to test inline styles within SVGs, we load the SVGs
     23 // and then take screenshots to compare that the two SVGs are identical.
     24 
     // The comparisons run asynchronously after the iframes load, so the harness
     // is told to wait until compareSVGs() calls SimpleTest.finish().
     SimpleTest.waitForExplicitFinish();

     // Handles to the six iframes declared in the page body: a baseline and a
     // CSP variant for each of the three ways the SVG is loaded.
     const [
       img_base,
       img_csp,
       img_base_srcset,
       img_csp_srcset,
       doc_base,
       doc_csp,
     ] = [
       "img_base",
       "img_csp",
       "img_base_srcset",
       "img_csp_srcset",
       "doc_base",
       "doc_csp",
     ].map((frameId) => document.getElementById(frameId));

     // Count of iframe load events seen so far; compareSVGs() acts on the sixth.
     let loadedFrames = 0;
     35 
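     /**
      * Load barrier plus the actual assertions of this test.
      *
      * Every iframe's onload handler calls this function. The first five calls
      * only bump the counter; the sixth call snapshots each baseline/CSP frame
      * pair, asserts that the two renderings are identical, and then finishes
      * the test.
      *
      * Expected outcome per pair (from the test description):
      *  - SVG loaded as image (src and srcset): CSP must not apply, so the CSP
      *    frame renders like the baseline.
      *  - SVG loaded as document: CSP must apply, so the CSP frame renders like
      *    the baseline served without an inline style.
      *
      * NOTE(review): each assertion only checks that two renderings match. It
      * cannot tell "CSP blocked the inline style" apart from "neither frame
      * painted anything"; presumably the served SVGs draw visible content.
      * Confirm against the support files.
      *
      * @returns {Promise<void>} resolves once the call has done its work
      */
     async function compareSVGs() {
       loadedFrames++;
       // Strict comparison: the counter is always a number, no coercion wanted.
       if (loadedFrames !== 6) {
         return;
       }

       // Snapshot both frames of a pair and report whether they render the same.
       // A thrown error is reported as a failure tagged with errorLabel so the
       // log shows which pair broke, and the remaining pairs still run.
       const expectIdenticalSnapshots = async (baseFrame, cspFrame, message, errorLabel) => {
         try {
           const baseSnap = await snapshotWindow(baseFrame.contentWindow);
           const cspSnap = await snapshotWindow(cspFrame.contentWindow);

           ok(compareSnapshots(baseSnap, cspSnap, true)[0], message);
         } catch (err) {
           ok(false, `${errorLabel} error: ${err.message}`);
         }
       };

       // SVGs loaded as images
       await expectIdenticalSnapshots(
         img_base,
         img_csp,
         "CSP should not apply to SVG loaded as image",
         "img"
       );

       // SVGs loaded as images with srcset; the label is distinct from the plain
       // image case so a failure here is not mistaken for the src variant.
       await expectIdenticalSnapshots(
         img_base_srcset,
         img_csp_srcset,
         "CSP should not apply to SVG loaded as image with srcset",
         "img srcset"
       );

       // SVGs loaded as documents
       await expectIdenticalSnapshots(
         doc_base,
         doc_csp,
         "CSP should apply to SVG loaded as document",
         "doc"
       );

       SimpleTest.finish();
     }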
     76 
     // Attach the sanity handlers to every iframe and then start its load.
     // Handlers are assigned before src so no load event can be missed.
     //  * img_* frames load HTML pages that embed the SVG as an image
     //    (src or srcset variant, per the file names).
     //  * doc_* frames load the SVG as a document from the .sjs handler; the
     //    query string selects which variant is served.
     for (const [frame, url] of [
       [img_base, "file_svg_inline_style_base.html"],
       [img_csp, "file_svg_inline_style_csp.html"],
       [img_base_srcset, "file_svg_srcset_inline_style_base.html"],
       [img_csp_srcset, "file_svg_srcset_inline_style_csp.html"],
       [doc_base, "file_svg_inline_style_server.sjs?svg_no_inline_style&5"],
       [doc_csp, "file_svg_inline_style_server.sjs?svg_inline_style_csp&6"],
     ]) {
       // Each element id equals the name of the variable holding the frame, so
       // it doubles as the label in the sanity messages.
       const label = frame.id;

       frame.onerror = () => {
         ok(false, `sanity: ${label} onerror should not fire`);
       };
       frame.onload = () => {
         ok(true, `sanity: ${label} onload should fire`);
         // Counts this load; the sixth call runs the snapshot comparisons.
         compareSVGs();
       };
       frame.src = url;
     }
    132 
    133 </script>
    134 </body>
    135 </html>