1 /* Any copyright is dedicated to the Public Domain.
2 http://creativecommons.org/publicdomain/zero/1.0/ */
6 const TEST_PATH = getRootDirectory(gTestPath).replace(
7 "chrome://mochitests/content",
12 * Test that javascript URIs in CSP-sandboxed contexts can't be used to bypass
13 * script restrictions.
15 add_task(async function test_csp_sandbox_no_script_js_uri() {
16 await BrowserTestUtils.withNewTab(
17 TEST_PATH + "dummy_page.html",
19 info("Register observer and wait for javascript-uri-blocked message.");
20 let observerPromise = SpecialPowers.spawn(browser, [], () => {
21 return new Promise(resolve => {
22 SpecialPowers.addObserver(function obs(subject) {
25 "Should block script spawned via javascript uri"
27 SpecialPowers.removeObserver(
29 "javascript-uri-blocked-by-sandbox"
32 }, "javascript-uri-blocked-by-sandbox");
36 info("Spawn csp-sandboxed iframe with javascript URI");
37 let frameBC = await SpecialPowers.spawn(
39 [TEST_PATH + "file_csp_sandbox_no_script_js_uri.html"],
41 let frame = content.document.createElement("iframe");
42 let loadPromise = ContentTaskUtils.waitForEvent(frame, "load", true);
44 content.document.body.appendChild(frame);
46 return frame.browsingContext;
50 info("Click javascript URI link in iframe");
51 BrowserTestUtils.synthesizeMouseAtCenter("a", {}, frameBC);
52 await observerPromise;