summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_image_nonce.html
diff options
context:
space:
mode:
authorjanekptacijarabaci <janekptacijarabaci@seznam.cz>2017-08-25 09:36:20 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-02-22 11:20:38 +0100
commitb4dac5093a75a024643b93aef88758770df73c55 (patch)
tree52b65bf6c091687f9e123c65db45a6f9de17fcec /dom/security/test/csp/test_image_nonce.html
parenta06ce3f03b260d59199dba7e01ea8afb3de1ef59 (diff)
downloadUXP-b4dac5093a75a024643b93aef88758770df73c55.tar
UXP-b4dac5093a75a024643b93aef88758770df73c55.tar.gz
UXP-b4dac5093a75a024643b93aef88758770df73c55.tar.lz
UXP-b4dac5093a75a024643b93aef88758770df73c55.tar.xz
UXP-b4dac5093a75a024643b93aef88758770df73c55.zip
CSP: Ignore nonces on <img> per spec
Diffstat (limited to 'dom/security/test/csp/test_image_nonce.html')
-rw-r--r--dom/security/test/csp/test_image_nonce.html60
1 files changed, 60 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_image_nonce.html b/dom/security/test/csp/test_image_nonce.html
new file mode 100644
index 000000000..ff6d636b6
--- /dev/null
+++ b/dom/security/test/csp/test_image_nonce.html
@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+ <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load three images: (a) with a matching nonce,
+ (b) with a non matching nonce,
+ * (c) with no nonce
+ * and make sure that all three images get blocked because
+ * "img-src nonce-bla" should not allow an image load, not
+ * even if the nonce matches*.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+var counter = 0;
+
+function finishTest() {
+ window.removeEventListener("message", receiveMessage);
+ SimpleTest.finish();
+}
+
+function checkResults(aResult) {
+ counter++;
+ if (aResult === "img-with-matching-nonce-blocked" ||
+ aResult === "img-with_non-matching-nonce-blocked" ||
+ aResult === "img-without-nonce-blocked") {
+ ok (true, "correct result for: " + aResult);
+ }
+ else {
+ ok(false, "unexpected result: " + aResult + "\n\n");
+ }
+ if (counter < 3) {
+ return;
+ }
+ finishTest();
+}
+
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin' to bubble up results back to this main page.
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+ checkResults(event.data.result);
+}
+
+document.getElementById("testframe").src = "file_image_nonce.html";
+
+</script>
+</body>
+</html>