1 files changed, 156 insertions, 0 deletions

diff --git a/dom/base/test/test_x-frame-options.html b/dom/base/test/test_x-frame-options.html
new file mode 100644
index 000000000..8e24d8a78
--- /dev/null
+++ b/dom/base/test/test_x-frame-options.html
@@ -0,0 +1,156 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for X-Frame-Options response header</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+
+<iframe style="width:100%;height:300px;" id="harness"></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/dom/base/test/";
+
+var testFramesLoaded = function() {
+  var harness = SpecialPowers.wrap(document).getElementById("harness");
+
+  // iframe from same origin, no X-F-O header - should load
+  var frame = harness.contentDocument.getElementById("control1");
+  var test1 = frame.contentDocument.getElementById("test").textContent;
+  is(test1, "control1", "test control1");
+
+  // iframe from different origin, no X-F-O header - should load
+  frame = harness.contentDocument.getElementById("control2");
+  var test2 = frame.contentDocument.getElementById("test").textContent;
+  is(test2, "control2", "test control2");
+
+  // iframe from same origin, X-F-O: DENY - should not load
+  frame = harness.contentDocument.getElementById("deny");
+  var test3 = frame.contentDocument.getElementById("test");
+  is(test3, null, "test deny");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN - should load
+  frame = harness.contentDocument.getElementById("sameorigin1");
+  var test4 = frame.contentDocument.getElementById("test").textContent;
+  is(test4, "sameorigin1", "test sameorigin1");
+
+  // iframe from different origin, X-F-O: SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("sameorigin2");
+  var test5 = frame.contentDocument.getElementById("test");
+  is(test5, null, "test sameorigin2");
+
+  // iframe from different origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("sameorigin5");
+  var test6 = frame.contentDocument.getElementById("test");
+  is(test6, null, "test sameorigin5");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN, SAMEORIGIN - should load
+  frame = harness.contentDocument.getElementById("sameorigin6");
+  var test7 = frame.contentDocument.getElementById("test").textContent;
+  is(test7, "sameorigin6", "test sameorigin6");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should load
+  frame = harness.contentDocument.getElementById("sameorigin7");
+  var test8 = frame.contentDocument.getElementById("test").textContent;
+  is(test8, "sameorigin7", "test sameorigin7");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("sameorigin8");
+  var test9 = frame.contentDocument.getElementById("test");
+  is(test9, null, "test sameorigin8");
+
+  // iframe from same origin, X-F-O: DENY,SAMEORIGIN - should not load
+  frame = harness.contentDocument.getElementById("mixedpolicy");
+  var test10 = frame.contentDocument.getElementById("test");
+  is(test10, null, "test mixedpolicy");
+
+  // iframe from different origin, allow-from: this origin - should load
+  frame = harness.contentDocument.getElementById("allow-from-allow");
+  var test11 = frame.contentDocument.getElementById("test").textContent;
+  is(test11, "allow-from-allow", "test allow-from-allow");
+
+  // iframe from different origin, with allow-from: other - should not load
+  frame = harness.contentDocument.getElementById("allow-from-deny");
+  var test12 = frame.contentDocument.getElementById("test");
+  is(test12, null, "test allow-from-deny");
+
+  // iframe from different origin, X-F-O: SAMEORIGIN, multipart - should not load
+  frame = harness.contentDocument.getElementById("sameorigin-multipart");
+  var test13 = frame.contentDocument.getElementById("test");
+  is(test13, null, "test sameorigin-multipart");
+
+  // iframe from same origin, X-F-O: SAMEORIGIN, multipart - should load
+  frame = harness.contentDocument.getElementById("sameorigin-multipart2");
+  var test14 = frame.contentDocument.getElementById("test").textContent;
+  is(test14, "sameorigin-multipart2", "test sameorigin-multipart2");
+
+
+  // frames from bug 836132 tests
+  {
+    frame = harness.contentDocument.getElementById("allow-from-allow-1");
+    var theTestResult = frame.contentDocument.getElementById("test");
+    isnot(theTestResult, null, "test afa1 should have been allowed");
+    if(theTestResult) {
+      is(theTestResult.textContent, "allow-from-allow-1", "test allow-from-allow-1");
+    }
+  }
+  for (var i = 1; i<=14; i++) {
+    frame = harness.contentDocument.getElementById("allow-from-deny-" + i);
+    var theTestResult = frame.contentDocument.getElementById("test");
+    is(theTestResult, null, "test allow-from-deny-" + i);
+  }
+
+  // call tests to check principal comparison, e.g. a document can open a window
+  // to a data: or javascript: document which frames an
+  // X-Frame-Options: SAMEORIGIN document and the frame should load
+  testFrameInJSURI();
+}
+
+// test that a document can be framed under a javascript: URL opened by the
+// same site as the frame
+var testFrameInJSURI = function() {
+  var html = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';
+  var win = window.open();
+  win.onload = function() {
+    var test = win.document.getElementById("sameorigin3")
+              .contentDocument.getElementById("test");
+    ok(test != null, "frame under javascript: URL should have loaded.");
+    win.close();
+
+    // run last test
+    testFrameInDataURI();
+   }
+  win.location.href = "javascript:document.write('"+html+"');document.close();";
+}
+
+// test that a document can be framed under a data: URL opened by the
+// same site as the frame
+var testFrameInDataURI = function() {
+  var html = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>';
+  var win = window.open();
+  win.onload = function() {
+    var test = win.document.getElementById("sameorigin4")
+              .contentDocument.getElementById("test");
+    ok(test != null, "frame under data: URL should have loaded.");
+    win.close();
+
+    SimpleTest.finish();
+   }
+  win.location.href = "data:text/html,"+html;
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// load the test harness
+document.getElementById("harness").src = "file_x-frame-options_main.html";
+
+</script>
+</pre>
+
+</body>
+</html>