<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1288361 - Block scripts with incorrect MIME type</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script class="testbody" type="text/javascript">
// Test matrix of [Content-Type, shouldLoad] pairs. Each pair is passed to
// every test function below, which asks the .sjs helper for a response
// carrying that MIME type and checks whether it was accepted as script.
//
// This table does not exercise types outside these groups, for example
// text/plain or application/octet-stream.
const MIMETypes = [
  // JavaScript MIME types: loading must keep working.
  ["application/javascript", true],
  ["text/javascript", true],

  // Media and CSV types: must be refused as script. The bare "audio/",
  // "image/" and "video/" entries have no subtype; presumably they confirm
  // that the check keys on the top-level type prefix (verify against the
  // implementation).
  ["audio/mpeg", false],
  ["audio/", false],
  ["image/jpeg", false],
  ["image/", false],
  ["video/mpeg", false],
  ["video/", false],
  ["text/csv", false],
];
// <script src="">
/**
 * Loads the .sjs helper through a dynamically inserted script element and
 * records whether the load outcome matches the expectation for this MIME.
 *
 * The element's load event counts as "script was accepted" and its error
 * event as "script was blocked". The promise resolves in both cases;
 * mismatches are reported through ok() rather than by rejecting.
 *
 * @param {[string, boolean]} entry - [mime, shouldLoad] row from MIMETypes.
 * @returns {Promise<void>} Resolves once load or error has fired.
 */
function testScript([mime, shouldLoad]) {
  return new Promise((resolve) => {
    const element = document.createElement("script");

    // Shared epilogue: detach the element first, then record the result.
    const settle = (passed, message) => {
      document.body.removeChild(element);
      ok(passed, message);
      resolve();
    };

    element.onload = () => {
      settle(shouldLoad, `script with mime '${mime}' should load`);
    };
    element.onerror = () => {
      settle(!shouldLoad, `script with wrong mime '${mime}' should be blocked`);
    };

    // mime is appended without URL-encoding; the values in MIMETypes contain
    // no characters that would need it.
    element.src = "file_block_script_wrong_mime_server.sjs?type=script&mime=" + mime;
    document.body.appendChild(element);
  });
}
// new Worker()
/**
 * Starts a dedicated Worker whose script URL is the .sjs helper and records
 * whether the outcome matches the expectation for this MIME.
 *
 * A message from the worker counts as "script was accepted"; an error event
 * on the worker counts as "script was blocked". The promise resolves either
 * way; mismatches are reported through ok()/is().
 *
 * @param {[string, boolean]} entry - [mime, shouldLoad] row from MIMETypes.
 * @returns {Promise<void>} Resolves once a message or an error was received.
 */
function testWorker([mime, shouldLoad]) {
  return new Promise((resolve) => {
    const target = "file_block_script_wrong_mime_server.sjs?type=worker&mime=" + mime;
    const instance = new Worker(target);

    instance.onmessage = (message) => {
      ok(shouldLoad, `worker with mime '${mime}' should load`);
      is(message.data, "worker-loaded", "worker should send correct message");
      resolve();
    };

    instance.onerror = (failure) => {
      ok(!shouldLoad, `worker with wrong mime '${mime}' should be blocked`);
      // Presumably keeps the expected error from being reported to the
      // harness as an uncaught exception; confirm against SimpleTest.
      failure.preventDefault();
      resolve();
    };

    // Sent after both handlers are set. The worker side is not visible here;
    // it presumably replies "worker-loaded" to this message.
    instance.postMessage("dummy");
  });
}
// new Worker() with importScripts()
/**
 * Same check as the plain worker test, but requests the helper with
 * type=worker-import so the worker path goes through importScripts().
 *
 * Which response carries the MIME under test (the worker script or the
 * imported script) is decided by the .sjs helper, which is not visible
 * here; presumably it is the imported script.
 *
 * @param {[string, boolean]} entry - [mime, shouldLoad] row from MIMETypes.
 * @returns {Promise<void>} Resolves once a message or an error was received.
 */
function testWorkerImportScripts([mime, shouldLoad]) {
  return new Promise((resolve) => {
    const target = "file_block_script_wrong_mime_server.sjs?type=worker-import&mime=" + mime;
    const instance = new Worker(target);

    instance.onmessage = (message) => {
      ok(shouldLoad, `worker/importScripts with mime '${mime}' should load`);
      is(message.data, "worker-loaded", "worker should send correct message");
      resolve();
    };

    instance.onerror = (failure) => {
      ok(!shouldLoad, `worker/importScripts with wrong mime '${mime}' should be blocked`);
      // Presumably keeps the expected error from being reported to the
      // harness as an uncaught exception; confirm against SimpleTest.
      failure.preventDefault();
      resolve();
    };

    // Sent after both handlers are set, so neither outcome can be missed.
    instance.postMessage("dummy");
  });
}
// The test is asynchronous: keep the harness waiting until finish() is called.
SimpleTest.waitForExplicitFinish();

// Enable the blocking pref for the duration of the test, then run the three
// load paths one after another (every MIME type in parallel within a path).
SpecialPowers.pushPrefEnv(
  { set: [["security.block_script_with_wrong_mime", true]] },
  () => {
    const runForAllTypes = (testFn) => Promise.all(MIMETypes.map(testFn));

    runForAllTypes(testScript)
      .then(() => runForAllTypes(testWorker))
      .then(() => runForAllTypes(testWorkerImportScripts))
      .then(() => {
        // Restore the pref environment and only then finish the test.
        SpecialPowers.popPrefEnv(SimpleTest.finish);
      });
  }
);
</script>
</body>
</html>