<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=908933
-->
<head>
<title>Test Bug 908933</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body>
<script class="testbody" type="text/javascript">
/*
 * What this test covers:
 * The framed document requests several variations of 'object' content and
 * every one of those resource loads has to be stopped by CSP. The frame is
 * served with "object-src 'none'", so each load is expected to be rejected
 * by either shouldProcess or shouldLoad.
 */

// All URIs in `tests` are on http://mochi.test:8888, which default-src allows.
// The blocking asserted below therefore depends on the explicit
// object-src 'none' directive, not on the default-src fallback.
const POLICY = "default-src http://mochi.test:8888; object-src 'none'";

// Document that is served with POLICY; its contents are not part of this file.
const TESTFILE = "tests/dom/security/test/csp/file_shouldprocess.html";

// Asynchronous test: it ends when checkResults() calls SimpleTest.finish().
SimpleTest.waitForExplicitFinish();

// URIs for which a CSP violation notification is expected. An entry is
// removed when its violation is observed, and the test finishes once the
// list is empty.
// NOTE(review): a load that is wrongly allowed produces no notification, so
// the list never empties; that presumably surfaces as a harness timeout
// rather than as an explicit failed assertion.
var tests = [
  // Note that the files listed below don't actually exist.
  // Since loading of them should be blocked by shouldProcess, we don't
  // really need these files.

  // blocked by shouldProcess
  "http://mochi.test:8888/tests/dom/security/test/csp/test1",
  "http://mochi.test:8888/tests/dom/security/test/csp/test2",
  "http://mochi.test:8888/tests/dom/security/test/csp/test3",
  "http://mochi.test:8888/tests/dom/security/test/csp/test4",
  "http://mochi.test:8888/tests/dom/security/test/csp/test5",
  "http://mochi.test:8888/tests/dom/security/test/csp/test6",

  // blocked by shouldLoad
  "http://mochi.test:8888/tests/dom/security/test/csp/test7.class",
  "http://mochi.test:8888/tests/dom/security/test/csp/test8.class",
];
/**
 * Checks one reported CSP violation against the list of expected URIs.
 *
 * An expected URI is removed from `tests` and recorded as a pass; any other
 * URI (including a second report for an already-consumed entry) is recorded
 * as a failure. When no expected URI is left, the observer is unregistered
 * and the test is finished.
 *
 * @param {string} aURI - spec of the URI named in the violation notification.
 */
function checkResults(aURI) {
  const position = tests.indexOf(aURI);

  if (position === -1) {
    // A violation was reported for a URI this test did not list.
    ok(false, "ShouldLoad or ShouldProcess incorreclty blocks TYPE_OBJECT with uri: " + aURI + "!");
  } else {
    // Consume the entry so that each expected URI is counted exactly once.
    tests.splice(position, 1);
    ok(true, "ShouldLoad or ShouldProcess blocks TYPE_OBJECT with uri: " + aURI + "!");
  }

  if (tests.length > 0) {
    return;
  }

  // Every expected block has been seen: stop observing, then end the test.
  window.examiner.remove();
  SimpleTest.finish();
}
// Observer for CSP violation notifications; this is how the test learns that
// a TYPE_OBJECT load was blocked. Constructing it registers the observer.
function examiner() {
  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
}

examiner.prototype = {
  // Passes the asciiSpec of the reported URI on to checkResults().
  observe(subject, topic, data) {
    if (topic !== "csp-on-violate-policy") {
      return;
    }

    // NOTE(review): this assumes the subject of every notification on this
    // topic can be queried as an nsIURI; confirm that the framed document
    // cannot trigger a violation whose subject is something else.
    const blockedURI = SpecialPowers.do_QueryInterface(subject, "nsIURI");
    checkResults(SpecialPowers.getPrivilegedProps(blockedURI, "asciiSpec"));
  },

  // Unregisters the observer; called from checkResults() when the test ends.
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
  },
};

// Keep the single instance on window so checkResults() can unregister it.
window.examiner = new examiner();
/**
 * Appends an iframe whose URL asks file_testserver.sjs for TESTFILE, with
 * POLICY passed along as the CSP the file should be served with.
 */
function loadFrame() {
  // Both values are fixed constants of this file, so the legacy escape()
  // encoding is enough for them.
  // NOTE(review): how file_testserver.sjs decodes these parameters is not
  // visible from here; keep both sides in step if this is ever switched to
  // encodeURIComponent().
  const fileParam = "?file=" + escape(TESTFILE);
  const cspParam = "&csp=" + escape(POLICY);

  const frame = document.createElement("iframe");
  frame.src = "file_testserver.sjs" + fileParam + cspParam;
  document.body.appendChild(frame);
}
// The pref is set first and loadFrame is passed as the callback, so the frame
// is only created once the pref environment is in place.
// NOTE(review): the pref presumably makes the ".class" entries in `tests`
// resolve to a test MIME type; confirm against file_shouldprocess.html.
const javaMimePref = ['plugin.java.mime', 'application/x-java-test'];
SpecialPowers.pushPrefEnv({ "set": [javaMimePref] }, loadFrame);
</script>
</pre>
</body>
</html>