From 62d535967977ea64884e4418d78f1dc245e682e1 Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Fri, 25 Aug 2017 09:18:29 +0200
Subject: CSP 2 - ignore (x-)frame-options if CSP with frame-ancestors
 directive exists

---
 dom/security/test/csp/file_ignore_xfo.html         | 10 ++++
 .../test/csp/file_ignore_xfo.html^headers^         |  3 ++
 dom/security/test/csp/file_ro_ignore_xfo.html      | 10 ++++
 .../test/csp/file_ro_ignore_xfo.html^headers^      |  3 ++
 dom/security/test/csp/mochitest.ini                |  5 ++
 dom/security/test/csp/test_ignore_xfo.html         | 59 ++++++++++++++++++++++
 6 files changed, 90 insertions(+)
 create mode 100644 dom/security/test/csp/file_ignore_xfo.html
 create mode 100644 dom/security/test/csp/file_ignore_xfo.html^headers^
 create mode 100644 dom/security/test/csp/file_ro_ignore_xfo.html
 create mode 100644 dom/security/test/csp/file_ro_ignore_xfo.html^headers^
 create mode 100644 dom/security/test/csp/test_ignore_xfo.html

(limited to 'dom/security/test/csp')

diff --git a/dom/security/test/csp/file_ignore_xfo.html b/dom/security/test/csp/file_ignore_xfo.html
new file mode 100644
index 000000000..6746a3adb
--- /dev/null
+++ b/dom/security/test/csp/file_ignore_xfo.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</title>
+</head>
+<body>
+<div id="cspmessage">Ignoring XFO because of CSP</div>
+</body>
+</html>
diff --git a/dom/security/test/csp/file_ignore_xfo.html^headers^ b/dom/security/test/csp/file_ignore_xfo.html^headers^
new file mode 100644
index 000000000..e93f9e3ec
--- /dev/null
+++ b/dom/security/test/csp/file_ignore_xfo.html^headers^
@@ -0,0 +1,3 @@
+Content-Security-Policy: frame-ancestors http://mochi.test:8888
+X-Frame-Options: deny
+Cache-Control: no-cache
diff --git a/dom/security/test/csp/file_ro_ignore_xfo.html b/dom/security/test/csp/file_ro_ignore_xfo.html
new file mode 100644
index 000000000..85e7f0092
--- /dev/null
+++ b/dom/security/test/csp/file_ro_ignore_xfo.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</title>
+</head>
+<body>
+<div id="cspmessage">Ignoring XFO because of CSP_RO</div>
+</body>
+</html>
\ No newline at end of file
diff --git a/dom/security/test/csp/file_ro_ignore_xfo.html^headers^ b/dom/security/test/csp/file_ro_ignore_xfo.html^headers^
new file mode 100644
index 000000000..ab8366f06
--- /dev/null
+++ b/dom/security/test/csp/file_ro_ignore_xfo.html^headers^
@@ -0,0 +1,3 @@
+Content-Security-Policy-Report-Only: frame-ancestors http://mochi.test:8888
+X-Frame-Options: deny
+Cache-Control: no-cache
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 8add999c3..535109752 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -206,6 +206,10 @@ support-files =
   file_iframe_srcdoc.sjs
   file_iframe_sandbox_srcdoc.html
   file_iframe_sandbox_srcdoc.html^headers^
+  file_ignore_xfo.html
+  file_ignore_xfo.html^headers^
+  file_ro_ignore_xfo.html
+  file_ro_ignore_xfo.html^headers^
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -298,3 +302,4 @@ tags = mcb
 support-files =
   file_sandbox_allow_scripts.html
   file_sandbox_allow_scripts.html^headers^
+[test_ignore_xfo.html]
diff --git a/dom/security/test/csp/test_ignore_xfo.html b/dom/security/test/csp/test_ignore_xfo.html
new file mode 100644
index 000000000..fb3aadc6c
--- /dev/null
+++ b/dom/security/test/csp/test_ignore_xfo.html
@@ -0,0 +1,59 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="csp_testframe"></iframe>
+<iframe style="width:100%;" id="csp_ro_testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/*
+ * We load two frames using:
+ *   x-frame-options: deny
+ * where the first frame uses a csp and the second a csp_ro including frame-ancestors.
+ * We make sure that xfo is ignored for regular csp but not for csp_ro.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+var testcounter = 0;
+function checkFinished() {
+  testcounter++;
+  if (testcounter < 2) {
+  	return;
+  }
+  SimpleTest.finish();
+}
+
+// 1) test XFO with CSP
+var csp_testframe = document.getElementById("csp_testframe");
+csp_testframe.onload = function() {
+  var msg = csp_testframe.contentWindow.document.getElementById("cspmessage");
+  is(msg.innerHTML, "Ignoring XFO because of CSP", "Loading frame with with XFO and CSP");
+  checkFinished();
+}
+csp_testframe.onerror = function() {
+  ok(false, "sanity: should not fire onerror for csp_testframe");
+}
+csp_testframe.src = "file_ignore_xfo.html";
+
+// 2) test XFO with CSP_RO
+var csp_ro_testframe = document.getElementById("csp_ro_testframe");
+csp_ro_testframe.onload = function() {
+  var msg = csp_ro_testframe.contentWindow.document.getElementById("cspmessage");
+  is(msg, null, "Blocking frame with with XFO and CSP_RO");
+  checkFinished();
+}
+csp_ro_testframe.onerror = function() {
+  ok(false, "sanity: should not fire onerror for csp_ro_testframe");
+}
+csp_ro_testframe.src = "file_ro_ignore_xfo.html";
+
+</script>
+</body>
+</html>
-- 
cgit v1.2.3