1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <title>Bug 1031530 and Bug 1139667 - Test mapping of XMLHttpRequest and fetch() to connect-src</title>
5 <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
6 <script src="/tests/SimpleTest/SimpleTest.js"></script>
7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
8 </head>
9 <body>
10 <p id="display"></p>
11 <div id="content" style="visibility: hidden">
12 <iframe style="width:100%;" id="testframe"></iframe>
13 </div>
15 <script class="testbody" type="text/javascript">
/*
 * Description of the test:
 * We load a page with a given CSP and verify that XMLHttpRequests and fetches
 * are correctly evaluated through the "connect-src" directive. All requests go
 * to http://mochi.test:8888, so for each of the two test pages (XHR and fetch)
 * the first two policies allow the request and the third one blocks it. Note
 * that we have to add 'unsafe-inline' to script-src so the inline JS test code
 * in file_connect-src.html and file_connect-src-fetch.html can run at all.
 */
// The test ends asynchronously from loadNextTest() (SimpleTest.finish() after
// the last case), so tell the harness not to finish when this script returns.
SimpleTest.waitForExplicitFinish();
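// Each entry serves `file` from file_testserver.sjs with `policy` as its
// Content-Security-Policy header and expects the request that page makes
// (to file_testserver.sjs?foo on http://mochi.test:8888) to be `result`.
//
// Every directive is terminated with ';'. Two entries used to read
// "default-src 'none' script-src 'unsafe-inline'; ...": without the ';' the
// parser takes "script-src" and 'unsafe-inline' as extra sources of
// default-src, which (per CSP's source-list rules) leaves 'none' without
// effect -- so the policy actually under test was looser than the one the
// test claims to check, and inline script was only permitted by accident.
var tests = [
  {
    file: "file_connect-src.html",
    result: "allowed",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src http://mochi.test:8888",
  },
  {
    file: "file_connect-src.html",
    result: "allowed",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src *",
  },
  {
    file: "file_connect-src.html",
    result: "blocked",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src http://www.example.com",
  },
  {
    file: "file_connect-src-fetch.html",
    result: "allowed",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src http://mochi.test:8888",
  },
  {
    file: "file_connect-src-fetch.html",
    result: "allowed",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src *",
  },
  {
    file: "file_connect-src-fetch.html",
    result: "blocked",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src http://www.example.com",
  },
];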
// Index of the test case currently loaded in the iframe. Starts at -1 so the
// first call to loadNextTest() lands on index 0.
let counter = -1;

// Invoked by the examiner with "allowed" or "blocked" for the request made by
// the current test page. Compares it against tests[counter].result and then
// moves on to the next case.
function checkResult(aResult) {
  const expected = tests[counter].result;
  is(aResult, expected, `should be ${expected} in test ${counter}!`);
  loadNextTest();
}
// The examiner tells requests that hit the wire apart from requests CSP
// blocked and reports the outcome for the request issued by the framed test
// page through checkResult(). Two observer topics are consulted:
//   - "specialpowers-http-notify-request": the request reached the network
//     layer, i.e. CSP let it through -> "allowed".
//   - "csp-on-violate-policy": CSP blocked the request -> "blocked".
// Notifications for anything other than the request under test
// (file_testserver.sjs?foo) are ignored so unrelated loads cannot advance
// the test.
const REQUEST_UNDER_TEST = "file_testserver.sjs?foo";

class examiner {
  constructor() {
    SpecialPowers.addObserver(this, "csp-on-violate-policy");
    SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
  }

  observe(subject, topic, data) {
    switch (topic) {
      case "specialpowers-http-notify-request":
        // `data` carries the spec of the request that went out.
        if (data.includes(REQUEST_UNDER_TEST)) {
          checkResult("allowed");
        }
        break;
      case "csp-on-violate-policy": {
        // `subject` is the blocked nsIURI; its spec is read through
        // SpecialPowers because this page is not privileged itself.
        const uri = SpecialPowers.do_QueryInterface(subject, "nsIURI");
        const asciiSpec = SpecialPowers.getPrivilegedProps(uri, "asciiSpec");
        if (asciiSpec.includes(REQUEST_UNDER_TEST)) {
          checkResult("blocked");
        }
        break;
      }
      default:
        break;
    }
  }

  // Unregisters both observers; called once the last test case has run.
  remove() {
    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
}
// Register the observers now, before the first test page is loaded, and keep
// the examiner reachable from loadNextTest(), which removes them at the end.
window.ConnectSrcExaminer = new examiner();
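// Advances to the next test case: serves tests[counter].file from
// file_testserver.sjs with tests[counter].policy as its CSP header by loading
// it into the hidden iframe. The examiner then reports the outcome through
// checkResult(), which calls back into loadNextTest(). Once every case has
// run, the observers are removed and the test is finished.
function loadNextTest() {
  counter++;
  if (counter === tests.length) {
    window.ConnectSrcExaminer.remove();
    SimpleTest.finish();
    return;
  }

  const { file, policy } = tests[counter];
  // escape() is kept on purpose even though it is deprecated: the query is
  // presumably decoded by file_testserver.sjs, and switching to
  // encodeURIComponent would change how ';', ':' and ''' in the CSP string
  // are encoded -- confirm against the .sjs before changing it.
  const src =
    "file_testserver.sjs" +
    "?file=" + escape("tests/dom/security/test/csp/" + file) +
    "&csp=" + escape(policy);
  document.getElementById("testframe").src = src;
}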
// Kick off the first test case; the examiner drives the remaining ones by
// calling checkResult(), which calls loadNextTest() again.
loadNextTest();
127 </script>
128 </body>
129 </html>