diff options
Diffstat (limited to 'dom/security/test/csp/test_meta_element.html')
-rw-r--r-- | dom/security/test/csp/test_meta_element.html | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_meta_element.html b/dom/security/test/csp/test_meta_element.html new file mode 100644 index 000000000..98c12fce8 --- /dev/null +++ b/dom/security/test/csp/test_meta_element.html @@ -0,0 +1,90 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta charset="utf-8"> + <title>Bug 663570 - Implement Content Security Policy via <meta> tag</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<p id="display"></p> +<iframe style="width:100%;" id="testframe" src="file_meta_element.html"></iframe> + +<script class="testbody" type="text/javascript"> + +/* Description of the test: + * The test is twofold: + * First, by loading a page using meta csp (into an iframe) we make sure that + * images get correctly blocked as the csp policy includes "img-src 'none'"; + * + * Second, we make sure meta csp ignores the following directives: + * * report-uri + * * frame-ancestors + * * sandbox + * + * Please note that the CSP sanbdox directive (bug 671389) has not landed yet. + * Once bug 671389 lands this test will fail and needs to be updated. + */ + +SimpleTest.waitForExplicitFinish(); +const EXPECTED_DIRS = ["img-src", "script-src"]; + +function finishTest() { + window.removeEventListener("message", receiveMessage, false); + SimpleTest.finish(); +} + +function checkResults(result) { + is(result, "img-blocked", "loading images should be blocked by meta csp"); + + try { + // get the csp in JSON notation from the principal + var frame = document.getElementById("testframe"); + var principal = SpecialPowers.wrap(frame.contentDocument).nodePrincipal; + var cspJSON = principal.cspJSON; + ok(cspJSON, "CSP applied through meta element"); + + // parse the cspJSON in a csp-object + var cspOBJ = JSON.parse(cspJSON); + ok(cspOBJ, "was able to parse the JSON"); + + // make sure we only got one policy + var policies = cspOBJ["csp-policies"]; + is(policies.length, 1, "there should be one policy applied"); + + // iterate the policy and make sure to only encounter + // expected directives. + var policy = policies[0]; + for (var dir in policy) { + // special case handling for report-only which is not a directive + // but present in the JSON notation of the CSP. + if (dir === "report-only") { + continue; + } + var index = EXPECTED_DIRS.indexOf(dir); + isnot(index, -1, "meta csp contains directive: " + dir + "!"); + + // take the element out of the array so we can make sure + // that we have seen all the expected values in the end. + EXPECTED_DIRS.splice(index, 1); + } + is(EXPECTED_DIRS.length, 0, "have seen all the expected values"); + } + catch (e) { + ok(false, "uuh, something went wrong within meta csp test"); + } + + finishTest(); +} + +// a postMessage handler used to bubble up the onsuccess/onerror state +// from within the iframe. +window.addEventListener("message", receiveMessage, false); +function receiveMessage(event) { + checkResults(event.data.result); +} + +</script> +</body> +</html> |