summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_form_action_blocks_url.html
blob: ef5c8d9b4f9fe74697298defbd46b8b258a2a00a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
<!DOCTYPE html>
<html>
<head>
  <title>Bug 1251043 - Test form-action blocks URL</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
 <iframe id="testframe"></iframe>

<script class="testbody" type="text/javascript">
/*
 * Description of the test:
 * 1) Let's load a form into an iframe which uses a CSP of: form-action 'none';
 * 2) Let's hit the submit button and make sure the form is not submitted.
 *
 * Since a blocked form submission does not fire any event handler, we have to
 * use timeout triggered function that verifies that the form didn't get submitted.
 */

SimpleTest.requestFlakyTimeout(
  "Form submission blocked by CSP does not fire any events " +
  "hence we have to check back after 300ms to make sure the form " +
  "is not submitted");
SimpleTest.waitForExplicitFinish();

const FORM_SUBMITTED = "form submission succeeded";
var timeOutId;
var testframe = document.getElementById("testframe");

// In case the form gets submitted, the test would receive an 'load'
// event and would trigger the test to fail early.
function logFormSubmittedError() {
  clearTimeout(timeOutId);
  testframe.removeEventListener('load', logFormSubmittedError, false);
  ok(false, "form submission should be blocked");
  SimpleTest.finish();
}

// After 300ms we verify the form did not get submitted.
function verifyFormNotSubmitted() {
  clearTimeout(timeOutId);
  var frameContent = testframe.contentWindow.document.body.innerHTML;
  isnot(frameContent.indexOf("CONTROL-TEXT"), -1,
       "form should not be submitted and still contain the control text");
  SimpleTest.finish();
}

function submitForm() {
  // Part 1: The form has loaded in the testframe
  // unregister the current event handler
  testframe.removeEventListener('load', submitForm, false);

  // Part 2: Register a new load event handler. In case the
  // form gets submitted, this load event fires and we can
  // fail the test right away.
  testframe.addEventListener("load", logFormSubmittedError, false);

  // Part 3: Since blocking the form does not throw any kind of error;
  // Firefox just logs the CSP error to the console we have to register
  // this timeOut function which then verifies that the form didn't
  // get submitted.
  timeOutId = setTimeout(verifyFormNotSubmitted, 300);

  // Part 4: We are ready, let's hit the submit button of the form.
  var submitButton = testframe.contentWindow.document.getElementById('submitButton');
  submitButton.click();
}

testframe.addEventListener("load", submitForm, false);
testframe.src = "file_form_action_server.sjs?loadframe";

</script>
</body>
</html>