<!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>Bug 663570 - Implement Content Security Policy via meta tag</title> <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> </head> <body> <p id="display"></p> <iframe style="width:100%;" id="writemetacspframe"></iframe> <iframe style="width:100%;" id="commentmetacspframe"></iframe> <script class="testbody" type="text/javascript"> /* Description of the test: * We load two frames, where the first frame does doc.write(meta csp) and * the second does doc.write(comment out meta csp). * We make sure to reuse/invalidate preloads depending on the policy. */ SimpleTest.waitForExplicitFinish(); var writemetacspframe = document.getElementById("writemetacspframe"); var commentmetacspframe = document.getElementById("commentmetacspframe"); var seenResults = 0; function checkTestsDone() { seenResults++; if (seenResults < 2) { return; } SimpleTest.finish(); } // document.write(<meta csp ...>) should block resources from being included in the doc function checkResultsBlocked() { writemetacspframe.removeEventListener('load', checkResultsBlocked, false); // stylesheet: default background color within FF is transparent var bgcolor = window.getComputedStyle(writemetacspframe.contentDocument.body) .getPropertyValue("background-color"); is(bgcolor, "transparent", "inital background value in FF should be 'transparent'"); // image: make sure image is blocked var img = writemetacspframe.contentDocument.getElementById("testimage"); is(img.width, 0, "image widht should be 0"); is(img.height, 0, "image widht should be 0"); // script: make sure defined variable in external script is undefined is(writemetacspframe.contentDocument.myMetaCSPScript, undefined, "myMetaCSPScript should be 'undefined'"); checkTestsDone(); } // document.write(<--) to comment out meta csp should allow resources to be loaded // after the preload failed function checkResultsAllowed() { commentmetacspframe.removeEventListener('load', checkResultsAllowed, false); // stylesheet: should be applied; bgcolor should be red var bgcolor = window.getComputedStyle(commentmetacspframe.contentDocument.body).getPropertyValue("background-color"); is(bgcolor, "rgb(255, 0, 0)", "background should be red/rgb(255, 0, 0)"); // image: should be completed var img = commentmetacspframe.contentDocument.getElementById("testimage"); ok(img.complete, "image should not be loaded"); // script: defined variable in external script should be accessible is(commentmetacspframe.contentDocument.myMetaCSPScript, "external-JS-loaded", "myMetaCSPScript should be 'external-JS-loaded'"); checkTestsDone(); } // doc.write(meta csp) should should allow preloads but should block actual loads writemetacspframe.src = 'file_docwrite_meta.html'; writemetacspframe.addEventListener('load', checkResultsBlocked, false); // commenting out a meta CSP should result in loaded image, script, style commentmetacspframe.src = 'file_doccomment_meta.html'; commentmetacspframe.addEventListener('load', checkResultsAllowed, false); </script> </body> </html>