<!DOCTYPE HTML>
<html>
<head>
<title>Test for X-Frame-Options response header</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:100%;height:300px;" id="harness"></iframe>
<script class="testbody" type="text/javascript">
// Server path of the directory holding this test's support files (the same
// path appears in the iframe URLs built further down).
// NOTE(review): not referenced again in this file; confirm whether the
// harness page reads it before treating it as dead.
var path = "/tests/dom/base/test/";
var testFramesLoaded = function() {
  // Checks every child frame of the harness document against the framing
  // decision expected for its origin / X-Frame-Options combination, then
  // starts the popup-based tests.
  // Nothing in this file calls this function; presumably the harness page
  // invokes it once its frames have finished loading - confirm there.
  // The document is taken through SpecialPowers.wrap, presumably so that
  // cross-origin frames can be inspected from the test - confirm.
  var harness = SpecialPowers.wrap(document).getElementById("harness");

  // Looks up the "test" marker element inside the named child frame.
  // A null result is how this test observes that framing was refused.
  var markerIn = function(frameId) {
    var frame = harness.contentDocument.getElementById(frameId);
    return frame.contentDocument.getElementById("test");
  };

  // One entry per frame, in the original assertion order.
  // loads: true  -> marker text must equal the frame id
  // loads: false -> marker must be absent (framed document was blocked)
  // NOTE(review): ALLOW-FROM is an obsolete X-Frame-Options directive; the
  // allow-from expectations describe an engine that still honours it. CSP
  // frame-ancestors is the maintained way to allow-list framing origins.
  var expectations = [
    // same origin, no X-F-O header
    { id: "control1", loads: true },
    // different origin, no X-F-O header
    { id: "control2", loads: true },
    // same origin, X-F-O: DENY
    { id: "deny", loads: false },
    // same origin, X-F-O: SAMEORIGIN
    { id: "sameorigin1", loads: true },
    // different origin, X-F-O: SAMEORIGIN
    { id: "sameorigin2", loads: false },
    // different origin, X-F-O: SAMEORIGIN, SAMEORIGIN
    { id: "sameorigin5", loads: false },
    // same origin, X-F-O: SAMEORIGIN, SAMEORIGIN
    { id: "sameorigin6", loads: true },
    // same origin, X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN
    { id: "sameorigin7", loads: true },
    // X-F-O: SAMEORIGIN,SAMEORIGIN, SAMEORIGIN, expected to be blocked.
    // NOTE(review): the original comment called this frame "same origin",
    // which contradicts sameorigin7 above; presumably it is cross-origin -
    // confirm against file_x-frame-options_main.html.
    { id: "sameorigin8", loads: false },
    // same origin, X-F-O: DENY,SAMEORIGIN
    { id: "mixedpolicy", loads: false },
    // different origin, allow-from: this origin
    { id: "allow-from-allow", loads: true },
    // different origin, allow-from: other
    { id: "allow-from-deny", loads: false },
    // different origin, X-F-O: SAMEORIGIN, multipart
    { id: "sameorigin-multipart", loads: false },
    // same origin, X-F-O: SAMEORIGIN, multipart
    { id: "sameorigin-multipart2", loads: true }
  ];

  for (var idx = 0; idx < expectations.length; idx++) {
    var frameId = expectations[idx].id;
    var marker = markerIn(frameId);
    if (expectations[idx].loads) {
      // Deliberately unguarded: a missing marker throws here, as it did in
      // the straight-line version of these checks.
      is(marker.textContent, frameId, "test " + frameId);
    } else {
      is(marker, null, "test " + frameId);
    }
  }

  // frames from bug 836132 tests
  var allowedMarker = markerIn("allow-from-allow-1");
  isnot(allowedMarker, null, "test afa1 should have been allowed");
  if (allowedMarker) {
    is(allowedMarker.textContent, "allow-from-allow-1", "test allow-from-allow-1");
  }

  // allow-from-deny-1 .. allow-from-deny-14 must all have been blocked
  for (var n = 1; n <= 14; n++) {
    is(markerIn("allow-from-deny-" + n), null, "test allow-from-deny-" + n);
  }

  // call tests to check principal comparison, e.g. a document can open a window
  // to a data: or javascript: document which frames an
  // X-Frame-Options: SAMEORIGIN document and the frame should load
  testFrameInJSURI();
};
// test that a document can be framed under a javascript: URL opened by the
// same site as the frame
// We can't set a load event listener before calling document.open/document.write, because those will remove such listeners. So we need to define a function that the new window will be able to call.
function frameInJSURILoaded(win) {
  // Load callback for the popup written by testFrameInJSURI; the popup calls
  // it through opener.frameInJSURILoaded with its own window as `win`.
  var framed = win.document.getElementById("sameorigin3");
  var marker = framed.contentDocument.getElementById("test");
  // A present marker means the X-Frame-Options: SAMEORIGIN page was allowed
  // to load inside the javascript:-generated document.
  ok(marker != null, "frame under javascript: URL should have loaded.");
  win.close();

  // run last test
  // NOTE(review): neither isUnique nor testFrameNotLoadedInDataURI is
  // declared anywhere in this file as shown. Unless another script provides
  // them, reading isUnique throws a ReferenceError here and
  // SimpleTest.finish() is never reached - confirm where they come from.
  if (isUnique) {
    testFrameNotLoadedInDataURI();
    return;
  }
  testFrameInDataURI();
}
var testFrameInJSURI = function() {
  // Opens a blank popup and navigates it to a javascript: URL that rewrites
  // the popup's document so it frames an X-Frame-Options: SAMEORIGIN page
  // (xfo=sameorigin) served from mochi.test:8888.
  var frameMarkup = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';

  // The markup is spliced unescaped between single quotes inside the script
  // text. That is only sound because it is a fixed literal containing no
  // single quotes or backslashes; never build this from variable input.
  // onload is assigned inside the generated script (after document.open())
  // so that the popup reports back through opener.frameInJSURILoaded.
  var scriptUrl = "javascript:document.open(); onload = opener.frameInJSURILoaded.bind(null, window); document.write('" + frameMarkup + "');document.close();";

  var popup = window.open();
  popup.location.href = scriptUrl;
};
// test that a document can be framed under a data: URL opened by the
// same site as the frame
var testFrameInDataURI = function() {
  // Opens a popup, navigates it to a data: document that frames an
  // X-Frame-Options: SAMEORIGIN page (xfo=sameorigin), and finishes the
  // whole test once that popup has loaded.
  // Depends on the pref override at the bottom of this script, which sets
  // security.data_uri.block_toplevel_data_uri_navigations to false.
  var frameMarkup = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>';
  var popup = window.open();

  var onPopupLoaded = function() {
    var framed = popup.document.getElementById("sameorigin4");
    var marker = framed.contentDocument.getElementById("test");
    // A present marker means the framed page was not blocked.
    ok(marker != null, "frame under data: URL should have loaded.");
    popup.close();
    // Last step of the chain started by testFramesLoaded.
    SimpleTest.finish();
  };

  // The handler is attached before the navigation is started.
  popup.onload = onPopupLoaded;
  popup.location.href = "data:text/html," + frameMarkup;
};
// The test ends only when SimpleTest.finish() is called from the last popup
// callback, so tell the harness not to finish when this script returns.
SimpleTest.waitForExplicitFinish();

// Allow top-level navigation to data: URLs while this test runs;
// testFrameInDataURI navigates a popup to one. This relaxes a browser
// protection, so keep the override confined to the test's pref environment.
// The harness page is loaded from the callback passed to pushPrefEnv,
// presumably so that the pref is in effect first - confirm.
SpecialPowers.pushPrefEnv(
  { set: [["security.data_uri.block_toplevel_data_uri_navigations", false]] },
  function loadHarness() {
    // load the test harness
    var harnessFrame = document.getElementById("harness");
    harnessFrame.src = "file_x-frame-options_main.html";
  }
);
</script>
</pre>
</body>
</html>