<!DOCTYPE HTML> <html> <head> <title>Test if XSLT stylesheet is subject to document's CSP</title> <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> </head> <body> <p id="display"></p> <div id="content" style="display: none"></div> <iframe style="width:100%;" id='xsltframe'></iframe> <iframe style="width:100%;" id='xsltframe2'></iframe> <script class="testbody" type="text/javascript"> SimpleTest.waitForExplicitFinish(); // define the expected output of this test var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!"; var finishedTests = 0; var numberOfTests = 2; var checkExplicitFinish = function() { finishedTests++; if (finishedTests == numberOfTests) { SimpleTest.finish(); } } function checkAllowed () { /* The policy for this test is: * Content-Security-Policy: default-src 'self' * * we load the xsl file using: * <?xml-stylesheet type="text/xsl" href="file_bug663467.xsl"?> */ try { var cspframe = document.getElementById('xsltframe'); var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML; is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!"); } catch (e) { ok(false, "Error: could not access content in xsltframe!") } checkExplicitFinish(); } function checkBlocked () { /* The policy for this test is: * Content-Security-Policy: default-src *.example.com * * we load the xsl file using: * <?xml-stylesheet type="text/xsl" href="file_bug663467.xsl"?> */ try { var cspframe = document.getElementById('xsltframe2'); var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader'); is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!"); } catch (e) { ok(false, "Error: could not access content in xsltframe2!") } checkExplicitFinish(); } document.getElementById('xsltframe').addEventListener('load', checkAllowed, false); document.getElementById('xsltframe').src = 'file_bug663567_allows.xml'; document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false); document.getElementById('xsltframe2').src = 'file_bug663567_blocks.xml'; </script> </body> </html>