1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Bug 1331351 - Block top level window data: URI navigations</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script class="testbody" type="text/javascript">
SpecialPowers.setBoolPref("security.data_uri.block_toplevel_data_uri_navigations", true);
SimpleTest.registerCleanupFunction(() => {
SpecialPowers.clearUserPref("security.data_uri.block_toplevel_data_uri_navigations");
});
SimpleTest.waitForExplicitFinish();
SimpleTest.requestFlakyTimeout("have to test that top level data: URI navgiation is blocked");
function test1() {
// simple data: URI click navigation should be prevented
let TEST_FILE = "file_block_toplevel_data_navigation.html";
let win1 = window.open(TEST_FILE);
var readyStateCheckInterval = setInterval(function() {
let state = win1.document.readyState;
if (state === "interactive" || state === "complete") {
clearInterval(readyStateCheckInterval);
ok(win1.document.body.innerHTML.indexOf("test1:") !== -1,
"toplevel data: URI navigation through click() should be blocked");
win1.close();
test2();
}
}, 200);
}
function test2() {
// data: URI in iframe which opens data: URI in _blank should be blocked
let win2 = window.open("file_block_toplevel_data_navigation2.html");
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
window.removeEventListener("message", receiveMessage);
is(event.data, "blocked",
"data: URI navigation using _blank from data: URI should be blocked");
win2.close();
test3();
}
}
function test3() {
// navigating to a data: URI using window.location.href should be blocked
let win3 = window.open("file_block_toplevel_data_navigation3.html");
setTimeout(function () {
ok(win3.document.body.innerHTML.indexOf("test3:") !== -1,
"data: URI navigation through win.loc.href should be blocked");
win3.close();
test4();
}, 1000);
}
function test4() {
// navigating to a data: URI using window.open() should be blocked
let win4 = window.open("data:text/html,<body>toplevel data: URI navigations should be blocked</body>");
setTimeout(function () {
// Please note that the data: URI will be displayed in the URL-Bar but not
// loaded, hence we rather rely on document.body than document.location
is(win4.document.body.innerHTML, "",
"navigating to a data: URI using window.open() should be blocked");
test5();
}, 1000);
}
function test5() {
// navigating to a URI which redirects to a data: URI using window.open() should be blocked
let win5 = window.open("file_block_toplevel_data_redirect.sjs");
setTimeout(function () {
// Please note that the data: URI will be displayed in the URL-Bar but not
// loaded, hence we rather rely on document.body than document.location
is(SpecialPowers.wrap(win5).document.body.innerHTML, "",
"navigating to URI which redirects to a data: URI using window.open() should be blocked");
win5.close();
SimpleTest.finish();
}, 1000);
}
// fire up the tests
test1();
</script>
</body>
</html>
|