Diffstat (limited to 'dom/base/test/test_x-frame-options.html')
-rw-r--r--dom/base/test/test_x-frame-options.html156
1 files changed, 156 insertions, 0 deletions
diff --git a/dom/base/test/test_x-frame-options.html b/dom/base/test/test_x-frame-options.html
new file mode 100644
index 000000000..8e24d8a78
--- /dev/null
+++ b/dom/base/test/test_x-frame-options.html
@@ -0,0 +1,156 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for X-Frame-Options response header</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+
+<iframe style="width:100%;height:300px;" id="harness"></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/dom/base/test/";
+
+var testFramesLoaded = function() {
+ var harness = SpecialPowers.wrap(document).getElementById("harness");
+
+ // iframe from same origin, no X-F-O header - should load
+ var frame = harness.contentDocument.getElementById("control1");
+ var test1 = frame.contentDocument.getElementById("test").textContent;
+ is(test1, "control1", "test control1");
+
+ // iframe from different origin, no X-F-O header - should load
+ frame = harness.contentDocument.getElementById("control2");
+ var test2 = frame.contentDocument.getElementById("test").textContent;
+ is(test2, "control2", "test control2");
+
+ // iframe from same origin, X-F-O: DENY - should not load
+ frame = harness.contentDocument.getElementById("deny");
+ var test3 = frame.contentDocument.getElementById("test");
+ is(test3, null, "test deny");
+
+ // iframe from same origin, X-F-O: SAMEORIGIN - should load
+ frame = harness.contentDocument.getElementById("sameorigin1");
+ var test4 = frame.contentDocument.getElementById("test").textContent;
+ is(test4, "sameorigin1", "test sameorigin1");
+
+ // iframe from different origin, X-F-O: SAMEORIGIN - should not load
+ frame = harness.contentDocument.getElementById("sameorigin2");
+ var test5 = frame.contentDocument.getElementById("test");
+ is(test5, null, "test sameorigin2");
+
+ // iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load
+ frame = harness.contentDocument.getElementById("sameorigin5");
+ var test6 = frame.contentDocument.getElementById("test");
+ is(test6, null, "test sameorigin5");
+
+ // iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load
+ frame = harness.contentDocument.getElementById("sameorigin6");
+ var test7 = frame.contentDocument.getElementById("test").textContent;
+ is(test7, "sameorigin6", "test sameorigin6");
+
+ // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load
+ frame = harness.contentDocument.getElementById("sameorigin7");
+ var test8 = frame.contentDocument.getElementById("test").textContent;
+ is(test8, "sameorigin7", "test sameorigin7");
+
+ // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load
+ frame = harness.contentDocument.getElementById("sameorigin8");
+ var test9 = frame.contentDocument.getElementById("test");
+ is(test9, null, "test sameorigin8");
+
+ // iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load
+ frame = harness.contentDocument.getElementById("mixedpolicy");
+ var test10 = frame.contentDocument.getElementById("test");
+ is(test10, null, "test mixedpolicy");
+
+ // iframe from different origin, allow-from: this origin - should load
+ frame = harness.contentDocument.getElementById("allow-from-allow");
+ var test11 = frame.contentDocument.getElementById("test").textContent;
+ is(test11, "allow-from-allow", "test allow-from-allow");
+
+ // iframe from different origin, with allow-from: other - should not load
+ frame = harness.contentDocument.getElementById("allow-from-deny");
+ var test12 = frame.contentDocument.getElementById("test");
+ is(test12, null, "test allow-from-deny");
+
+ // iframe from different origin, X-F-O: SAMEORIGIN, multipart - should not load
+ frame = harness.contentDocument.getElementById("sameorigin-multipart");
+ var test13 = frame.contentDocument.getElementById("test");
+ is(test13, null, "test sameorigin-multipart");
+
+ // iframe from same origin, X-F-O: SAMEORIGIN, multipart - should load
+ frame = harness.contentDocument.getElementById("sameorigin-multipart2");
+ var test14 = frame.contentDocument.getElementById("test").textContent;
+ is(test14, "sameorigin-multipart2", "test sameorigin-multipart2");
+
+
+ // frames from bug 836132 tests
+ {
+ frame = harness.contentDocument.getElementById("allow-from-allow-1");
+ var theTestResult = frame.contentDocument.getElementById("test");
+ isnot(theTestResult, null, "test afa1 should have been allowed");
+ if(theTestResult) {
+ is(theTestResult.textContent, "allow-from-allow-1", "test allow-from-allow-1");
+ }
+ }
+ for (var i = 1; i<=14; i++) {
+ frame = harness.contentDocument.getElementById("allow-from-deny-" + i);
+ var theTestResult = frame.contentDocument.getElementById("test");
+ is(theTestResult, null, "test allow-from-deny-" + i);
+ }
+
+ // call tests to check principal comparison, e.g. a document can open a window
+ // to a data: or javascript: document which frames an
+ // X-Frame-Options: SAMEORIGIN document and the frame should load
+ testFrameInJSURI();
+}
+
+// test that a document can be framed under a javascript: URL opened by the
+// same site as the frame
+var testFrameInJSURI = function() {
+ var html = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';
+ var win = window.open();
+ win.onload = function() {
+ var test = win.document.getElementById("sameorigin3")
+ .contentDocument.getElementById("test");
+ ok(test != null, "frame under javascript: URL should have loaded.");
+ win.close();
+
+ // run last test
+ testFrameInDataURI();
+ }
+ win.location.href = "javascript:document.write('"+html+"');document.close();";
+}
+
+// test that a document can be framed under a data: URL opened by the
+// same site as the frame
+var testFrameInDataURI = function() {
+ var html = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>';
+ var win = window.open();
+ win.onload = function() {
+ var test = win.document.getElementById("sameorigin4")
+ .contentDocument.getElementById("test");
+ ok(test != null, "frame under data: URL should have loaded.");
+ win.close();
+
+ SimpleTest.finish();
+ }
+ win.location.href = "data:text/html,"+html;
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// load the test harness
+document.getElementById("harness").src = "file_x-frame-options_main.html";
+
+</script>
+</pre>
+
+</body>
+</html>
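Review bot: The "should not load" cases in `testFramesLoaded` (deny, sameorigin2, sameorigin5, sameorigin8, mixedpolicy, allow-from-deny, sameorigin-multipart and the allow-from-deny-1..14 loop) assert only that `#test` is absent, so a fixture that fails to load for an unrelated reason (a wrong query string, a server error) would pass exactly like a frame blocked by X-Frame-Options. I would state that limitation above the first negative case, e.g. `// blocked frames are detected only by the missing #test node; a broken fixture looks the same`, and, if the .sjs fixture can support it, pair each negative case with a positive control. The comment above the sameorigin8 check repeats the sameorigin7 description word for word but expects the opposite result; it probably should read `// iframe from different origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load`, to be confirmed against file_x-frame-options_main.html, which is not part of this diff. The loop bound `14` is coupled to the number of allow-from-deny-N frames in that same harness file and deserves a one-line comment saying so, and the stray `</pre>` before `</body>` has no opening tag.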