| blob | d0b92084ec4c3c8ab7592e8adf97da46a927a155 |
1 /* Any copyright is dedicated to the Public Domain.
2 http://creativecommons.org/publicdomain/zero/1.0/ */
4 "use strict";
6 const TEST_PATH = getRootDirectory(gTestPath).replace(
7 "chrome://mochitests/content",
8 "https://example.com"
9 );
11 /**
12 * Test that javascript URIs in CSP-sandboxed contexts can't be used to bypass
13 * script restrictions.
14 */
15 add_task(async function test_csp_sandbox_no_script_js_uri() {
16 await BrowserTestUtils.withNewTab(
17 TEST_PATH + "dummy_page.html",
18 async browser => {
19 info("Register observer and wait for javascript-uri-blocked message.");
20 let observerPromise = SpecialPowers.spawn(browser, [], () => {
21 return new Promise(resolve => {
22 SpecialPowers.addObserver(function obs(subject) {
23 ok(
24 subject == content,
25 "Should block script spawned via javascript uri"
26 );
27 SpecialPowers.removeObserver(
28 obs,
29 "javascript-uri-blocked-by-sandbox"
30 );
31 resolve();
32 }, "javascript-uri-blocked-by-sandbox");
33 });
34 });
36 info("Spawn csp-sandboxed iframe with javascript URI");
37 let frameBC = await SpecialPowers.spawn(
38 browser,
39 [TEST_PATH + "file_csp_sandbox_no_script_js_uri.html"],
40 async url => {
41 let frame = content.document.createElement("iframe");
42 let loadPromise = ContentTaskUtils.waitForEvent(frame, "load", true);
43 frame.src = url;
44 content.document.body.appendChild(frame);
45 await loadPromise;
46 return frame.browsingContext;
47 }
48 );
50 info("Click javascript URI link in iframe");
51 BrowserTestUtils.synthesizeMouseAtCenter("a", {}, frameBC);
52 await observerPromise;
53 }
54 );
55 });