diff options
Diffstat (limited to 'dom/security/test/csp/test_bug910139.html')
-rw-r--r-- | dom/security/test/csp/test_bug910139.html | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_bug910139.html b/dom/security/test/csp/test_bug910139.html new file mode 100644 index 000000000..63a7f77d1 --- /dev/null +++ b/dom/security/test/csp/test_bug910139.html @@ -0,0 +1,66 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>CSP should block XSLT as script, not as style</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> + <p id="display"></p> + <div id="content" style="display: none"></div> + <iframe style="width:100%;" id='xsltframe'></iframe> + <iframe style="width:100%;" id='xsltframe2'></iframe> + +<script class="testbody" type="text/javascript"> + +SimpleTest.waitForExplicitFinish(); + +// define the expected output of this test +var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!"; + +function checkAllowed () { + /* The policy for this test is: + * Content-Security-Policy: default-src 'self'; script-src 'self' + * + * we load the xsl file using: + * <?xml-stylesheet type="text/xsl" href="file_bug910139.xsl"?> + */ + try { + var cspframe = document.getElementById('xsltframe'); + var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML; + is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!"); + } + catch (e) { + ok(false, "Error: could not access content in xsltframe!") + } + + // continue with the next test + document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false); + document.getElementById('xsltframe2').src = 'file_bug910139.sjs'; +} + +function checkBlocked () { + /* The policy for this test is: + * Content-Security-Policy: default-src 'self'; script-src *.example.com + * + * we load the xsl file using: + * <?xml-stylesheet type="text/xsl" href="file_bug910139.xsl"?> + */ + try { + var cspframe = document.getElementById('xsltframe2'); + var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader'); + is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!"); + } + catch (e) { + ok(false, "Error: could not access content in xsltframe2!") + } + SimpleTest.finish(); +} + +document.getElementById('xsltframe').addEventListener('load', checkAllowed, false); +document.getElementById('xsltframe').src = 'file_bug910139.sjs'; + +</script> +</body> +</html> |